Merge pull request #245 from stefanprodan/release-6.3.2

Release v6.3.3
2026-04-07 03:26:54 +00:00 · 2023-02-03 12:28:34 +02:00 · 2023-02-03 12:25:11 +02:00 · 2023-02-03 12:23:00 +02:00 · 2023-02-03 12:19:26 +02:00 · 2023-02-03 11:52:05 +02:00
87 changed files with 2683 additions and 1190 deletions
--- a/.cosign/README.md
+++ b/.cosign/README.md
@@ -0,0 +1,39 @@
+# Podinfo signed releases
+
+Podinfo deployment manifests are published to GitHub Container Registry as OCI artifacts
+and are signed using [cosign](https://github.com/sigstore/cosign).
+
+## Verify the artifacts with cosign
+
+Install the [cosign](https://github.com/sigstore/cosign) CLI:
+
+```sh
+brew install sigstore/tap/cosign
+```
+
+Verify a podinfo release with cosign CLI:
+
+```sh
+cosign verify -key https://raw.githubusercontent.com/stefanprodan/podinfo/master/cosign/cosign.pub \
+ghcr.io/stefanprodan/podinfo-deploy:latest
+```
+
+## Download the artifacts with crane
+
+Install the [crane](https://github.com/google/go-containerregistry/tree/main/cmd/crane) CLI:
+
+```sh
+brew install crane
+```
+
+Download the podinfo deployment manifests with crane CLI:
+
+```console
+$ crane export ghcr.io/stefanprodan/podinfo-deploy:latest -| tar -xf - 
+
+$ ls -1
+deployment.yaml
+hpa.yaml
+kustomization.yaml
+service.yaml
+```
--- a/.cosign/cosign.pub
+++ b/.cosign/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEST+BqQ1XZhhVYx0YWQjdUJYIG5Lt
+iz2+UxRIqmKBqNmce2T+l45qyqOs99qfD7gLNGmkVZ4vtJ9bM7FxChFczg==
+-----END PUBLIC KEY-----
--- a/.github/actions/helm/Dockerfile
+++ b/.github/actions/helm/Dockerfile
@@ -1,6 +0,0 @@
-FROM stefanprodan/alpine-base:latest
-
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
--- a/.github/actions/helm/action.yml
+++ b/.github/actions/helm/action.yml
@@ -1,15 +0,0 @@
-name: 'helm'
-description: 'A GitHub Action to run helm commands'
-author: 'Stefan Prodan'
-branding:
-  icon: 'command'
-  color: 'blue'
-inputs:
-  helm-version:
-    description: Helm version to use
-    required: true
-runs:
-  using: 'docker'
-  image: 'Dockerfile'
-  args:
-    - ${{ inputs.helm-version }}
--- a/.github/actions/helm/entrypoint.sh
+++ b/.github/actions/helm/entrypoint.sh
@@ -1,24 +0,0 @@
-#!/usr/bin/env bash
-
-set -o errexit
-set -o pipefail
-
-HELM_VERSION=$1
-BIN_DIR="$GITHUB_WORKSPACE/bin"
-
-main() {
-  mkdir -p ${BIN_DIR}
-  tmpDir=$(mktemp -d)
-
-  pushd $tmpDir >& /dev/null
-
-  curl -sSL https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz | tar xz
-  cp linux-amd64/helm ${BIN_DIR}/helm
-
-  popd >& /dev/null
-  rm -rf $tmpDir
-}
-
-main
-echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
-echo "$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin" >> $GITHUB_PATH
--- a/.github/actions/kubeconform/action.yml
+++ b/.github/actions/kubeconform/action.yml
@@ -0,0 +1,38 @@
+name: Setup kubeconform
+description: A GitHub Action for running kubeconform commands
+author: Stefan Prodan
+branding:
+  color: blue
+  icon: command
+inputs:
+  version:
+    description: "kubeconform version e.g. 0.5.0 (defaults to latest stable release)"
+    required: false
+  arch:
+    description: "arch can be amd64 or arm64"
+    required: true
+    default: "amd64"
+runs:
+  using: composite
+  steps:
+    - name: "Download binary to the GH runner cache"
+      shell: bash
+      run: |  
+        ARCH=${{ inputs.arch }}
+        VERSION=${{ inputs.version }}
+
+        if [ -z $VERSION ]; then
+          VERSION=$(curl https://api.github.com/repos/yannh/kubeconform/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
+        fi
+        
+        BIN_URL="https://github.com/yannh/kubeconform/releases/download/v${VERSION}/kubeconform-linux-${ARCH}.tar.gz"
+        BIN_DIR=$RUNNER_TOOL_CACHE/kubeconform/$VERSION/$ARCH
+        
+        if [[ ! -x "$BIN_DIR/kind" ]]; then
+          mkdir -p $BIN_DIR
+          cd $BIN_DIR
+          curl -sL $BIN_URL | tar xz
+          chmod +x kubeconform
+        fi
+        
+        echo "$BIN_DIR" >> "$GITHUB_PATH"
--- a/.github/policy/kubernetes.rego
+++ b/.github/policy/kubernetes.rego
@@ -1,51 +0,0 @@
-package kubernetes
-
-name = input.metadata.name
-
-kind = input.kind
-
-is_service {
-	input.kind = "Service"
-}
-
-is_deployment {
-	input.kind = "Deployment"
-}
-
-is_pod {
-	input.kind = "Pod"
-}
-
-split_image(image) = [image, "latest"] {
-	not contains(image, ":")
-}
-
-split_image(image) = [image_name, tag] {
-	[image_name, tag] = split(image, ":")
-}
-
-pod_containers(pod) = all_containers {
-	keys = {"containers", "initContainers"}
-	all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
-	pods[pod]
-	all_containers = pod_containers(pod)
-	container = all_containers[_]
-}
-
-containers[container] {
-	all_containers = pod_containers(input)
-	container = all_containers[_]
-}
-
-pods[pod] {
-	is_deployment
-	pod = input.spec.template
-}
-
-pods[pod] {
-	is_pod
-	pod = input
-}
--- a/.github/policy/rules.rego
+++ b/.github/policy/rules.rego
@@ -1,43 +0,0 @@
-package main
-
-import data.kubernetes
-
-name = input.metadata.name
-
-# Deny containers with latest image tag
-deny[msg] {
-	kubernetes.containers[container]
-	[image_name, "latest"] = kubernetes.split_image(container.image)
-	msg = sprintf("%s in the %s %s has an image %s, using the latest tag", [container.name, kubernetes.kind, kubernetes.name, image_name])
-}
-
-# Deny services without app label selector
-service_labels {
-  input.spec.selector["app"]
-}
-deny[msg] {
-  kubernetes.is_service
-  not service_labels
-  msg = sprintf("Service %s should set app label selector", [name])
-}
-
-# Deny deployments without app label selector
-match_labels {
-  input.spec.selector.matchLabels["app"]
-}
-deny[msg] {
-  kubernetes.is_deployment
-  not match_labels
-  msg = sprintf("Service %s should set app label selector", [name])
-}
-
-# Warn if deployments have no prometheus pod annotations
-annotations {
-  input.spec.template.metadata.annotations["prometheus.io/scrape"]
-  input.spec.template.metadata.annotations["prometheus.io/port"]
-}
-warn[msg] {
-  kubernetes.is_deployment
-  not annotations
-  msg = sprintf("Deployment %s should set prometheus.io/scrape and prometheus.io/port pod annotations", [name])
-}
--- a/.github/workflows/cve-scan.yml
+++ b/.github/workflows/cve-scan.yml
@@ -5,19 +5,27 @@ on:
    branches:
      - 'master'

+permissions:
+  contents: read
+
 jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Build image
        id: build
        run: |
          IMAGE=test/podinfo:${GITHUB_SHA}
          docker build -t ${IMAGE} .
          echo "::set-output name=image::$IMAGE"
-      - name: Scan image
-        uses: docker://docker.io/aquasec/trivy:latest
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
        with:
-          args: --cache-dir /var/lib/trivy --no-progress --exit-code 1 --severity MEDIUM,HIGH,CRITICAL ${{ steps.build.outputs.image }}
+          image-ref: ${{ steps.build.outputs.image }}
+          format: table
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: os,library
+          severity: CRITICAL,HIGH
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -6,26 +6,32 @@ on:
    branches:
      - 'master'

+permissions:
+  contents: read
+
 jobs:
  kind-helm:
    strategy:
      matrix:
        helm-version:
-          - 3.5.0
+          - v3.11.0
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Setup Kubernetes
-        uses: engineerd/setup-kind@v0.5.0
+        uses: helm/kind-action@v1.5.0
+        with:
+          version: v0.17.0
+          cluster_name: kind
      - name: Build container image
        run: |
          ./test/build.sh
          kind load docker-image test/podinfo:latest
      - name: Setup Helm
-        uses: ./.github/actions/helm
+        uses: azure/setup-helm@v3
        with:
-          helm-version: ${{ matrix.helm-version }}
+          version: ${{ matrix.helm-version }}
      - name: Deploy
        run: ./test/deploy.sh
      - name: Run integration tests
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,30 +2,44 @@ name: release

 on:
  push:
-    tags: '*'
+    tags:
+      - '*'
+
+permissions:
+  contents: write # needed to write releases
+  id-token: write # needed for keyless signing
+  packages: write # needed for ghcr access

 jobs:
  release:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+      - uses: sigstore/cosign-installer@main
+      - uses: fluxcd/flux2/action@main
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19.x
+      - name: Setup Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.3
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
        with:
          platforms: all
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          buildkitd-flags: "--debug"
+        uses: docker/setup-buildx-action@v2
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
@@ -36,30 +50,55 @@ jobs:
          if [[ $GITHUB_REF == refs/tags/* ]]; then
            VERSION=${GITHUB_REF/refs\/tags\//}
          fi
-          echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
-          echo ::set-output name=VERSION::${VERSION}
-      - name: Publish multi-arch image
-        uses: docker/build-push-action@v2
+          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+          echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT
+      - name: Generate images meta
+        id: meta
+        uses: docker/metadata-action@v4
        with:
+          images: |
+            docker.io/stefanprodan/podinfo
+            ghcr.io/stefanprodan/podinfo
+          tags: |
+            type=raw,value=${{ steps.prep.outputs.VERSION }}
+            type=raw,value=latest
+      - name: Publish multi-arch image
+        uses: docker/build-push-action@v3
+        with:
+          sbom: true
+          provenance: true
          push: true
          builder: ${{ steps.buildx.outputs.name }}
          context: .
-          file: ./Dockerfile
+          file: ./Dockerfile.xx
+          build-args: |
+            REVISION=${{ steps.prep.outputs.REVISION }}
          platforms: linux/amd64,linux/arm/v7,linux/arm64
-          tags: |
-            docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
-            docker.io/stefanprodan/podinfo:latest
-            ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
-          labels: |
-            org.opencontainers.image.title=${{ github.event.repository.name }}
-            org.opencontainers.image.description=${{ github.event.repository.description }}
-            org.opencontainers.image.source=${{ github.event.repository.html_url }}
-            org.opencontainers.image.url=${{ github.event.repository.html_url }}
-            org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
-            org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Publish Helm chart to GHCR
+        run: |
+          helm package charts/podinfo
+          helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/stefanprodan/charts
+          rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz
+      - name: Publish Flux OCI artifact to GHCR
+        run: |
+          flux push artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} \
+            --path="./kustomize" \
+            --source="${{ github.event.repository.html_url }}" \
+            --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
+          flux tag artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --tag latest
+      - name: Sign OCI artifacts
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+          cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+          cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }}
+          cosign sign ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }}
      - name: Publish base image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
        with:
          push: true
          builder: ${{ steps.buildx.outputs.name }}
@@ -71,15 +110,30 @@ jobs:
        uses: stefanprodan/helm-gh-pages@master
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Publish config artifact
+        run: |
+          flux push artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} \
+            --path="./kustomize" \
+            --source="${{ github.event.repository.html_url }}" \
+            --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
+          flux tag artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --tag latest
+      - name: Sign config artifact
+        run: |
+          echo "$COSIGN_KEY" > /tmp/cosign.key
+          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
+          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest
+        env:
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
      - uses: ./.github/actions/release-notes
      - name: Generate release notes
        run: |
          echo 'CHANGELOG' > /tmp/release.txt
          github-release-notes -org stefanprodan -repo podinfo -since-latest-release >> /tmp/release.txt
      - name: Publish release
-        uses: goreleaser/goreleaser-action@v1
+        uses: goreleaser/goreleaser-action@v3
        with:
          version: latest
-          args: release --release-notes=/tmp/release.txt
+          args: release --release-notes=/tmp/release.txt --skip-validate
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,38 +6,70 @@ on:
    branches:
      - 'master'

+permissions:
+  contents: read
+
+env:
+  KUBERNETES_VERSION: 1.26.0
+
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Restore Go cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-go-
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
-          go-version: 1.15.x
+          go-version: 1.19.x
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v3
+        with:
+          version: v${{ env.KUBERNETES_VERSION }}
+      - name: Setup kubeconform
+        uses: ./.github/actions/kubeconform
+      - name: Setup Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.3
+      - name: Setup CUE
+        uses: cue-lang/setup-cue@main
      - name: Run unit tests
        run: make test
+      - name: Validate Helm chart
+        run: |
+          helm lint ./charts/podinfo/
+          helm template ./charts/podinfo/ | kubeconform -strict -summary -kubernetes-version ${{ env.KUBERNETES_VERSION }}
+      - name: Validate Kustomize overlay
+        run: |
+          kubectl kustomize ./kustomize/ | kubeconform -strict -summary -kubernetes-version ${{ env.KUBERNETES_VERSION }}
+      - name: Generate CUE definitions
+        run: make cue-mod
+      - name: Verify CUE formatting
+        working-directory: ./cue
+        run: |
+          cue fmt .
+          status=$(git status . --porcelain)
+          [[ -z "$status" ]] || {
+            echo "CUE files are not correctly formatted"
+            echo "$status"
+            git diff
+            exit 1
+          }
+      - name: Validate CUE
+        working-directory: ./cue
+        run: |
+          cue vet --all-errors --concrete .
+          cue gen | kubeconform -strict -summary -skip=ServiceMonitor -kubernetes-version ${{ env.KUBERNETES_VERSION }}
      - name: Check if working tree is dirty
        run: |
          if [[ $(git diff --stat) != '' ]]; then
            echo 'run make test and commit changes'
            exit 1
          fi
-      - name: Validate Helm chart
-        uses: stefanprodan/kube-tools@v1
-        with:
-          command: |
-            helmv3 template ./charts/podinfo | kubeval --strict
-      - name: Validate kustomization
-        uses: stefanprodan/kube-tools@v1
-        with:
-          command: |
-            kustomize build ./kustomize | kubeval --strict
-            kustomize build ./kustomize | conftest test -p .github/policy -
--- a/.gitignore
+++ b/.gitignore
@@ -19,4 +19,5 @@ release/
 build/
 gcloud/
 dist/
-bin/
+bin/
+cue/cue.mod/gen/
--- a/4
+++ b/4
@@ -1,4 +1,4 @@
-FROM golang:1.15-alpine as builder
+FROM golang:1.19-alpine as builder

 ARG REVISION

@@ -18,7 +18,7 @@ RUN CGO_ENABLED=0 go build -ldflags "-s -w \
    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
    -a -o bin/podcli cmd/podcli/*

-FROM alpine:3.12
+FROM alpine:3.17

 ARG BUILD_DATE
 ARG VERSION
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -1,4 +1,4 @@
-FROM golang:1.15
+FROM golang:1.19

 WORKDIR /workspace

--- a/Dockerfile.xx
+++ b/Dockerfile.xx
@@ -0,0 +1,53 @@
+ARG GO_VERSION=1.19
+ARG XX_VERSION=1.1.0
+
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
+
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine as builder
+
+# Copy the build utilities.
+COPY --from=xx / /
+
+ARG TARGETPLATFORM
+ARG REVISION
+
+RUN mkdir -p /podinfo/
+
+WORKDIR /podinfo
+
+COPY . .
+
+RUN go mod download
+
+ENV CGO_ENABLED=0
+RUN xx-go build -ldflags "-s -w \
+    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
+    -a -o bin/podinfo cmd/podinfo/*
+
+RUN xx-go build -ldflags "-s -w \
+    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
+    -a -o bin/podcli cmd/podcli/*
+
+FROM alpine:3.17
+
+ARG BUILD_DATE
+ARG VERSION
+ARG REVISION
+
+LABEL maintainer="stefanprodan"
+
+RUN addgroup -S app \
+    && adduser -S -G app app \
+    && apk --no-cache add \
+    ca-certificates curl netcat-openbsd
+
+WORKDIR /home/app
+
+COPY --from=builder /podinfo/bin/podinfo .
+COPY --from=builder /podinfo/bin/podcli /usr/local/bin/podcli
+COPY ./ui ./ui
+RUN chown -R app:app ./
+
+USER app
+
+CMD ["./podinfo"]
--- a/52
+++ b/52
@@ -15,13 +15,20 @@ run:
 	--level=debug --grpc-port=9999 --backend-url=https://httpbin.org/status/401 --backend-url=https://httpbin.org/status/500 \
 	--ui-logo=https://raw.githubusercontent.com/stefanprodan/podinfo/gh-pages/cuddle_clap.gif $(EXTRA_RUN_ARGS)

+.PHONY: test
 test:
-	go test -v -race ./...
+	go test ./... -coverprofile cover.out

 build:
 	GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podinfo ./cmd/podinfo/*
 	GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podcli ./cmd/podcli/*

+tidy:
+	rm -f go.sum; go mod tidy -compat=1.19
+
+vet:
+	go vet ./...
+
 fmt:
 	gofmt -l -s -w ./
 	goimports -l -w ./
@@ -33,6 +40,13 @@ build-charts:
 build-container:
 	docker build -t $(DOCKER_IMAGE_NAME):$(VERSION) .

+build-xx:
+	docker buildx build \
+	--platform=linux/amd64 \
+	-t $(DOCKER_IMAGE_NAME):$(VERSION) \
+	--load \
+	-f Dockerfile.xx .
+
 build-base:
 	docker build -f Dockerfile.base -t $(DOCKER_REPOSITORY)/podinfo-base:latest .

@@ -58,16 +72,17 @@ push-container:
 version-set:
 	@next="$(TAG)" && \
 	current="$(VERSION)" && \
-	sed -i '' "s/$$current/$$next/g" pkg/version/version.go && \
-	sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values.yaml && \
-	sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values-prod.yaml && \
-	sed -i '' "s/appVersion: $$current/appVersion: $$next/g" charts/podinfo/Chart.yaml && \
-	sed -i '' "s/version: $$current/version: $$next/g" charts/podinfo/Chart.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" kustomize/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/frontend/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/backend/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/frontend/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/backend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/$$current/$$next/g" pkg/version/version.go && \
+	/usr/bin/sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values.yaml && \
+	/usr/bin/sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values-prod.yaml && \
+	/usr/bin/sed -i '' "s/appVersion: $$current/appVersion: $$next/g" charts/podinfo/Chart.yaml && \
+	/usr/bin/sed -i '' "s/version: $$current/version: $$next/g" charts/podinfo/Chart.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" kustomize/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/frontend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/backend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/frontend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/backend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/$$current/$$next/g" cue/main.cue && \
 	echo "Version $$next set in code, deployment, chart and kustomize"

 release:
@@ -75,5 +90,16 @@ release:
 	git push origin $(VERSION)

 swagger:
-	go get github.com/swaggo/swag/cmd/swag
-	cd pkg/api && $$(go env GOPATH)/bin/swag init -g server.go
+	go install github.com/swaggo/swag/cmd/swag@latest
+	go get github.com/swaggo/swag/gen@latest
+	go get github.com/swaggo/swag/cmd/swag@latest
+	cd pkg/api && $$(go env GOPATH)/bin/swag init -g server.go
+
+.PHONY: cue-mod
+cue-mod:
+	@cd cue && cue get go k8s.io/api/...
+
+.PHONY: cue-gen
+cue-gen:
+	@cd cue && cue fmt ./... && cue vet --all-errors --concrete ./...
+	@cd cue && cue gen
--- a/README.md
+++ b/README.md
@@ -7,24 +7,25 @@
 [![Docker Pulls](https://img.shields.io/docker/pulls/stefanprodan/podinfo)](https://hub.docker.com/r/stefanprodan/podinfo)

 Podinfo is a tiny web application made with Go that showcases best practices of running microservices in Kubernetes.
+Podinfo is used by CNCF projects like [Flux](https://github.com/fluxcd/flux2) and [Flagger](https://github.com/fluxcd/flagger)
+for end-to-end testing and workshops.

 Specifications:

 * Health checks (readiness and liveness)
 * Graceful shutdown on interrupt signals
 * File watcher for secrets and configmaps
-* Instrumented with Prometheus
-* Tracing with Istio and Jaeger
-* Linkerd service profile
+* Instrumented with Prometheus and Open Telemetry
 * Structured logging with zap 
 * 12-factor app with viper
 * Fault injection (random errors and latency)
 * Swagger docs
-* Helm and Kustomize installers
+* CUE, Helm and Kustomize installers
 * End-to-End testing with Kubernetes Kind and Helm
-* Kustomize testing with GitHub Actions and Open Policy Agent
 * Multi-arch container image with Docker buildx and Github Actions
-* CVE scanning with trivy
+* Container image signing with Sigstore cosign
+* SBOMs and SLSA Provenance embedded in the container image
+* CVE scanning with Trivy

 Web API:

@@ -75,7 +76,11 @@ To access the Swagger UI open `<podinfo-host>/swagger/index.html` in a browser.

 ### Install

-Helm:
+To install Podinfo on Kubernetes the minimum required version is **Kubernetes v1.23**.
+
+#### Helm
+
+Install from github.io:

 ```bash
 helm repo add podinfo https://stefanprodan.github.io/podinfo
@@ -86,23 +91,107 @@ helm upgrade --install --wait frontend \
 --set backend=http://backend-podinfo:9898/echo \
 podinfo/podinfo

-# Test pods have hook-delete-policy: hook-succeeded
-helm test frontend
+helm test frontend --namespace test

 helm upgrade --install --wait backend \
 --namespace test \
--set hpa.enabled=true \
+--set redis.enabled=true \
 podinfo/podinfo
 ```

-Kustomize:
+Install from ghcr.io:
+
+```bash
+helm upgrade --install --wait podinfo --namespace default \
+oci://ghcr.io/stefanprodan/charts/podinfo
+```
+
+#### Kustomize

 ```bash
 kubectl apply -k github.com/stefanprodan/podinfo//kustomize
 ```

-Docker:
+#### Docker

 ```bash
 docker run -dp 9898:9898 stefanprodan/podinfo
-```
+```
+
+### Continuous Delivery
+
+In order to install podinfo on a Kubernetes cluster and keep it up to date with the latest
+release in an automated manner, you can use [Flux](https://fluxcd.io).
+
+Install the Flux CLI on MacOS and Linux using Homebrew:
+
+```sh
+brew install fluxcd/tap/flux
+```
+
+Install the Flux controllers needed for Helm operations:
+
+```sh
+flux install \
+--namespace=flux-system \
+--network-policy=false \
+--components=source-controller,helm-controller
+```
+
+Add podinfo's Helm repository to your cluster and
+configure Flux to check for new chart releases every ten minutes:
+
+```sh
+flux create source helm podinfo \
+--namespace=default \
+--url=https://stefanprodan.github.io/podinfo \
+--interval=10m
+```
+
+Create a `podinfo-values.yaml` file locally:
+
+```sh
+cat > podinfo-values.yaml <<EOL
+replicaCount: 2
+resources:
+  limits:
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 64Mi
+EOL
+```
+
+Create a Helm release for deploying podinfo in the default namespace:
+
+```sh
+flux create helmrelease podinfo \
+--namespace=default \
+--source=HelmRepository/podinfo \
+--release-name=podinfo \
+--chart=podinfo \
+--chart-version=">5.0.0" \
+--values=podinfo-values.yaml
+```
+
+Based on the above definition, Flux will upgrade the release automatically
+when a new version of podinfo is released. If the upgrade fails, Flux
+can [rollback](https://toolkit.fluxcd.io/components/helm/helmreleases/#configuring-failure-remediation)
+to the previous working version.
+
+You can check what version is currently deployed with:
+
+```sh
+flux get helmreleases -n default
+```
+
+To delete podinfo's Helm repository and release from your cluster run:
+
+```sh
+flux -n default delete source helm podinfo
+flux -n default delete helmrelease podinfo
+```
+
+If you wish to manage the lifecycle of your applications in a **GitOps** manner, check out
+this [workflow example](https://github.com/fluxcd/flux2-kustomize-helm-example)
+for multi-env deployments with Flux, Kustomize and Helm.
--- a/charts/podinfo/Chart.yaml
+++ b/charts/podinfo/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
-version: 5.1.4
-appVersion: 5.1.4
+version: 6.3.2
+appVersion: 6.3.2
 name: podinfo
 engine: gotpl
 description: Podinfo Helm chart for Kubernetes
@@ -10,3 +10,4 @@ maintainers:
  name: stefanprodan
 sources:
 - https://github.com/stefanprodan/podinfo
+kubeVersion: ">=1.23.0-0"
--- a/charts/podinfo/README.md
+++ b/charts/podinfo/README.md
@@ -1,16 +1,36 @@
 # Podinfo

-Podinfo is a tiny web application made with Go 
+Podinfo is a tiny web application made with Go
 that showcases best practices of running microservices in Kubernetes.

+Podinfo is used by CNCF projects like [Flux](https://github.com/fluxcd/flux2)
+and [Flagger](https://github.com/fluxcd/flagger)
+for end-to-end testing and workshops.
+
 ## Installing the Chart

-To install the chart with the release name `my-release`:
+The Podinfo charts are published to
+[GitHub Container Registry](https://github.com/stefanprodan/podinfo/pkgs/container/charts%2Fpodinfo)
+and signed with [Cosign](https://github.com/sigstore/cosign) & GitHub Actions OIDC.
+
+To install the chart with the release name `my-release` from GHCR:
+
+```console
+$ helm upgrade -i my-release oci://ghcr.io/stefanprodan/charts/podinfo
+```
+
+To verify a chart with Cosign:
+
+```console
+$ cosign verify ghcr.io/stefanprodan/charts/podinfo:<VERSION>
+```
+
+Alternatively, you can install the chart from GitHub pages:

 ```console
 $ helm repo add podinfo https://stefanprodan.github.io/podinfo

-$ helm upgrade -i my-release podinfo/podinfo 
+$ helm upgrade -i my-release podinfo/podinfo
 ```

 The command deploys podinfo on the Kubernetes cluster in the default namespace.
@@ -30,58 +50,61 @@ The command removes all the Kubernetes components associated with the chart and

 The following tables lists the configurable parameters of the podinfo chart and their default values.

-Parameter | Default | Description
--- | --- | ---
-`replicaCount` | `1` | Desired number of pods
-`logLevel` | `info` | Log level: `debug`, `info`, `warn`, `error`, `flat` or `panic`
-`backend` | `None` | Echo backend URL
-`backends` | `[]` | Array of echo backend URLs
-`cache` | `None` | Redis address in the format `<host>:<port>`
-`redis.enabled` | `false` | Create Redis deployment for caching purposes
-`ui.color` | `#34577c` |  UI color
-`ui.message` | `None` |  UI greetings message
-`ui.logo` | `None` |  UI logo
-`faults.delay` | `false` | Random HTTP response delays between 0 and 5 seconds
-`faults.error` | `false` | 1/3 chances of a random HTTP response error
-`faults.unhealthy` | `false` | When set, the healthy state is never reached
-`faults.unready` | `false` | When set, the ready state is never reached
-`faults.testFail` | `false` | When set, a helm test is included which always fails
-`faults.testTimeout` | `false` | When set, a helm test is included which always times out
-`h2c.enabled` | `false` | Allow upgrading to h2c
-`image.repository` | `stefanprodan/podinfo` | Image repository
-`image.tag` | `<VERSION>` | Image tag
-`image.pullPolicy` | `IfNotPresent` | Image pull policy
-`service.enabled` | `true` | Create a Kubernetes Service, should be disabled when using [Flagger](https://flagger.app)
-`service.type` | `ClusterIP` | Type of the Kubernetes Service
-`service.metricsPort` | `9797` | Prometheus metrics endpoint port
-`service.httpPort` | `9898` | Container HTTP port
-`service.externalPort` | `9898` | ClusterIP HTTP port
-`service.grpcPort` | `9999` | ClusterIP gPRC port
-`service.grpcService` | `podinfo` | gPRC service name
-`service.nodePort` | `31198` | NodePort for the HTTP endpoint
-`hpa.enabled` | `false` | Enables the Kubernetes HPA
-`hpa.maxReplicas` | `10` | Maximum amount of pods
-`hpa.cpu` | `None` | Target CPU usage per pod
-`hpa.memory` | `None` | Target memory usage per pod
-`hpa.requests` | `None` | Target HTTP requests per second per pod
-`serviceAccount.enabled` | `false` | Whether a service account should be created
-`serviceAccount.name` | `None` | The name of the service account to use, if not set and create is true, a name is generated using the fullname template
-`linkerd.profile.enabled` | `false` | Create Linkerd service profile
-`serviceMonitor.enabled` | `false` | Whether a Prometheus Operator service monitor should be created
-`serviceMonitor.interval` | `15s` | Prometheus scraping interval
-`ingress.enabled` | `false` | Enables Ingress
-`ingress.annotations` | `{}` | Ingress annotations
-`ingress.path` | `/*` | Ingress path
-`ingress.hosts` | `[]` | Ingress accepted hosts
-`ingress.tls` | `[]` | Ingress TLS configuration
-`resources.requests.cpu` | `1m` | Pod CPU request
-`resources.requests.memory` | `16Mi` | Pod memory request
-`resources.limits.cpu` | `None` | Pod CPU limit
-`resources.limits.memory` | `None` | Pod memory limit
-`nodeSelector` | `{}` | Node labels for pod assignment
-`tolerations` | `[]` | List of node taints to tolerate
-`affinity` | `None` | Node/pod affinities
-`podAnnotations` | `{}` | Pod annotations
+| Parameter                         | Default                | Description                                                                                                            |
+|-----------------------------------|------------------------|------------------------------------------------------------------------------------------------------------------------|
+| `replicaCount`                    | `1`                    | Desired number of pods                                                                                                 |
+| `logLevel`                        | `info`                 | Log level: `debug`, `info`, `warn`, `error`                                                                            |
+| `backend`                         | `None`                 | Echo backend URL                                                                                                       |
+| `backends`                        | `[]`                   | Array of echo backend URLs                                                                                             |
+| `cache`                           | `None`                 | Redis address in the format `tcp://<host>:<port>`                                                                      |
+| `redis.enabled`                   | `false`                | Create Redis deployment for caching purposes                                                                           |
+| `ui.color`                        | `#34577c`              | UI color                                                                                                               |
+| `ui.message`                      | `None`                 | UI greetings message                                                                                                   |
+| `ui.logo`                         | `None`                 | UI logo                                                                                                                |
+| `faults.delay`                    | `false`                | Random HTTP response delays between 0 and 5 seconds                                                                    |
+| `faults.error`                    | `false`                | 1/3 chances of a random HTTP response error                                                                            |
+| `faults.unhealthy`                | `false`                | When set, the healthy state is never reached                                                                           |
+| `faults.unready`                  | `false`                | When set, the ready state is never reached                                                                             |
+| `faults.testFail`                 | `false`                | When set, a helm test is included which always fails                                                                   |
+| `faults.testTimeout`              | `false`                | When set, a helm test is included which always times out                                                               |
+| `image.repository`                | `stefanprodan/podinfo` | Image repository                                                                                                       |
+| `image.tag`                       | `<VERSION>`            | Image tag                                                                                                              |
+| `image.pullPolicy`                | `IfNotPresent`         | Image pull policy                                                                                                      |
+| `service.enabled`                 | `true`                 | Create a Kubernetes Service, should be disabled when using [Flagger](https://flagger.app)                              |
+| `service.type`                    | `ClusterIP`            | Type of the Kubernetes Service                                                                                         |
+| `service.metricsPort`             | `9797`                 | Prometheus metrics endpoint port                                                                                       |
+| `service.httpPort`                | `9898`                 | Container HTTP port                                                                                                    |
+| `service.externalPort`            | `9898`                 | ClusterIP HTTP port                                                                                                    |
+| `service.grpcPort`                | `9999`                 | ClusterIP gPRC port                                                                                                    |
+| `service.grpcService`             | `podinfo`              | gPRC service name                                                                                                      |
+| `service.nodePort`                | `31198`                | NodePort for the HTTP endpoint                                                                                         |
+| `h2c.enabled`                     | `false`                | Allow upgrading to h2c (non-TLS version of HTTP/2)                                                                     |
+| `hpa.enabled`                     | `false`                | Enables the Kubernetes HPA                                                                                             |
+| `hpa.maxReplicas`                 | `10`                   | Maximum amount of pods                                                                                                 |
+| `hpa.cpu`                         | `None`                 | Target CPU usage per pod                                                                                               |
+| `hpa.memory`                      | `None`                 | Target memory usage per pod                                                                                            |
+| `hpa.requests`                    | `None`                 | Target HTTP requests per second per pod                                                                                |
+| `serviceAccount.enabled`          | `false`                | Whether a service account should be created                                                                            |
+| `serviceAccount.name`             | `None`                 | The name of the service account to use, if not set and create is true, a name is generated using the fullname template |
+| `serviceAccount.imagePullSecrets` | `[]`                   | List of image pull secrets if pulling from private registries.                                                         |
+| `securityContext`                 | `{}`                   | The security context to be set on the podinfo container                                                                |
+| `linkerd.profile.enabled`         | `false`                | Create Linkerd service profile                                                                                         |
+| `serviceMonitor.enabled`          | `false`                | Whether a Prometheus Operator service monitor should be created                                                        |
+| `serviceMonitor.interval`         | `15s`                  | Prometheus scraping interval                                                                                           |
+| `serviceMonitor.additionalLabels` | `{}`                   | Add additional labels to the service monitor                                                                           |
+| `ingress.enabled`                 | `false`                | Enables Ingress                                                                                                        |
+| `ingress.className `              | `""`                   | Use ingressClassName                                                                                                   |
+| `ingress.annotations`             | `{}`                   | Ingress annotations                                                                                                    |
+| `ingress.hosts`                   | `[]`                   | Ingress accepted hosts                                                                                                 |
+| `ingress.tls`                     | `[]`                   | Ingress TLS configuration                                                                                              |
+| `resources.requests.cpu`          | `1m`                   | Pod CPU request                                                                                                        |
+| `resources.requests.memory`       | `16Mi`                 | Pod memory request                                                                                                     |
+| `resources.limits.cpu`            | `None`                 | Pod CPU limit                                                                                                          |
+| `resources.limits.memory`         | `None`                 | Pod memory limit                                                                                                       |
+| `nodeSelector`                    | `{}`                   | Node labels for pod assignment                                                                                         |
+| `tolerations`                     | `[]`                   | List of node taints to tolerate                                                                                        |
+| `affinity`                        | `None`                 | Node/pod affinities                                                                                                    |
+| `podAnnotations`                  | `{}`                   | Pod annotations                                                                                                        |

 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

@@ -105,13 +128,3 @@ $ helm install my-release podinfo/podinfo -f values.yaml

 > **Tip**: You can use the default [values.yaml](values.yaml)

-## Upgrading the chart
-
-### To =< 5.0.0
-
-Version 5.0.0 is a major update.
-
-* The chart now follows the new Kubernetes label recommendations:
-<https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/>
-
-The simplest way to update is to do a force upgrade, which recreates the resources by doing a delete and an install.
--- a/charts/podinfo/templates/NOTES.txt
+++ b/charts/podinfo/templates/NOTES.txt
@@ -1,7 +1,9 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
-{{- range .Values.ingress.hosts }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "podinfo.fullname" . }})
--- a/charts/podinfo/templates/deployment.yaml
+++ b/charts/podinfo/templates/deployment.yaml
@@ -34,7 +34,10 @@ spec:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          {{- if (or .Values.service.hostPort .Values.tls.hostPort) }}
+          {{- if .Values.securityContext }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- else if (or .Values.service.hostPort .Values.tls.hostPort) }}
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
@@ -46,6 +49,9 @@ spec:
          command:
            - ./podinfo
            - --port={{ .Values.service.httpPort | default 9898 }}
+            {{- if .Values.host }}
+            - --host={{ .Values.host }}
+            {{- end }}
            {{- if .Values.tls.enabled }}
            - --secure-port={{ .Values.tls.port }}
            {{- end }}
@@ -67,7 +73,7 @@ spec:
            {{- if .Values.cache }}
            - --cache-server={{ .Values.cache }}
            {{- else if .Values.redis.enabled }}
-            - --cache-server={{ template "podinfo.fullname" . }}:6379
+            - --cache-server=tcp://{{ template "podinfo.fullname" . }}-redis:6379
            {{- end }}
            - --level={{ .Values.logLevel }}
            - --random-delay={{ .Values.faults.delay }}
@@ -130,8 +136,13 @@ spec:
              - check
              - http
              - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz
-            initialDelaySeconds: 1
-            timeoutSeconds: 5
+            {{- with .Values.probes.liveness }}
+            initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
+            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
+            failureThreshold: {{ .failureThreshold | default 3 }}
+            successThreshold: {{ .successThreshold | default 1 }}
+            periodSeconds: {{ .periodSeconds | default 10 }}
+            {{- end }}
          readinessProbe:
            exec:
              command:
@@ -139,8 +150,13 @@ spec:
              - check
              - http
              - localhost:{{ .Values.service.httpPort | default 9898 }}/readyz
-            initialDelaySeconds: 1
-            timeoutSeconds: 5
+            {{- with .Values.probes.readiness }}
+            initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
+            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
+            failureThreshold: {{ .failureThreshold | default 3 }}
+            successThreshold: {{ .successThreshold | default 1 }}
+            periodSeconds: {{ .periodSeconds | default 10 }}
+            {{- end }}
          volumeMounts:
          - name: data
            mountPath: /data
--- a/charts/podinfo/templates/hpa.yaml
+++ b/charts/podinfo/templates/hpa.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.hpa.enabled -}}
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ template "podinfo.fullname" . }}
--- a/charts/podinfo/templates/ingress.yaml
+++ b/charts/podinfo/templates/ingress.yaml
@@ -1,43 +1,41 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "podinfo.fullname" . -}}
-{{- $ingressPath := .Values.ingress.path -}}
-apiVersion: networking.k8s.io/v1beta1
+{{- $svcPort := .Values.service.externalPort -}}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
  labels:
    {{- include "podinfo.labels" . | nindent 4 }}
-{{- with .Values.ingress.annotations }}
+  {{- with .Values.ingress.annotations }}
  annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
-spec:
-{{- if .Values.ingress.tls }}
-  tls:
-  {{- range .Values.ingress.tls }}
-    - hosts:
-      {{- range .hosts }}
-        - {{ . | quote }}
-      {{- end }}
-      secretName: {{ .secretName }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
  {{- end }}
-{{- end }}
  rules:
-  {{- range .Values.ingress.hosts }}
-    - host: {{ . | quote }}
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
      http:
        paths:
-          - path: {{ $ingressPath }}
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
            backend:
-              serviceName: {{ $fullName }}
-              servicePort: http
-  {{- end }}
-  {{- if not .Values.ingress.hosts }}
-    - http:
-        paths:
-          - path: {{ $ingressPath }}
-            backend:
-              serviceName: {{ $fullName }}
-              servicePort: http
-  {{- end }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
 {{- end }}
--- a/charts/podinfo/templates/service.yaml
+++ b/charts/podinfo/templates/service.yaml
@@ -5,6 +5,10 @@ metadata:
  name: {{ template "podinfo.fullname" . }}
  labels:
    {{- include "podinfo.labels" . | nindent 4 }}
+{{- with .Values.service.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
 spec:
  type: {{ .Values.service.type }}
  ports:
--- a/charts/podinfo/templates/serviceaccount.yaml
+++ b/charts/podinfo/templates/serviceaccount.yaml
@@ -5,4 +5,8 @@ metadata:
  name: {{ template "podinfo.serviceAccountName" . }}
  labels:
    {{- include "podinfo.labels" . | nindent 4 }}
+{{- with .Values.serviceAccount.imagePullSecrets }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
 {{- end -}}
+{{- end -}}
--- a/charts/podinfo/templates/servicemonitor.yaml
+++ b/charts/podinfo/templates/servicemonitor.yaml
@@ -5,11 +5,17 @@ metadata:
  name: {{ template "podinfo.fullname" . }}
  labels:
    {{- include "podinfo.labels" . | nindent 4 }}
+    {{- with .Values.serviceMonitor.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
  endpoints:
    - path: /metrics
      port: http
      interval: {{ .Values.serviceMonitor.interval }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
  selector:
    matchLabels:
      {{- include "podinfo.selectorLabels" . | nindent 6 }}
--- a/charts/podinfo/values-prod.yaml
+++ b/charts/podinfo/values-prod.yaml
@@ -1,15 +1,22 @@
-# Prod values for podinfo.
+# Production values for podinfo.
+# Includes Redis deployment and memory limits.

 replicaCount: 1
 logLevel: info
 backend: #http://backend-podinfo:9898/echo
 backends: []

+image:
+  repository: ghcr.io/stefanprodan/podinfo
+  tag: 6.3.2
+  pullPolicy: IfNotPresent
+
 ui:
  color: "#34577c"
  message: ""
  logo: ""

+# failure conditions
 faults:
  delay: false
  error: false
@@ -18,16 +25,10 @@ faults:
  testFail: false
  testTimeout: false

-h2c:
-  enabled: false
-
-image:
-  repository: ghcr.io/stefanprodan/podinfo
-  tag: 5.1.4
-  pullPolicy: IfNotPresent
-
+# Kubernetes Service settings
 service:
  enabled: true
+  annotations: {}
  type: ClusterIP
  metricsPort: 9797
  httpPort: 9898
@@ -36,6 +37,35 @@ service:
  grpcService: podinfo
  nodePort: 31198

+# enable h2c protocol (non-TLS version of HTTP/2)
+h2c:
+  enabled: false
+
+# enable tls on the podinfo service
+tls:
+  enabled: false
+  # the name of the secret used to mount the certificate key pair
+  secretName:
+  # the path where the certificate key pair will be mounted
+  certPath: /data/cert
+  # the port used to host the tls endpoint on the service
+  port: 9899
+  # the port used to bind the tls port to the host
+  # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing
+  # in local clusters such as kind without port forwarding
+  hostPort:
+
+# create a certificate manager certificate (cert-manager required)
+certificate:
+  create: false
+  # the issuer used to issue the certificate
+  issuerRef:
+    kind: ClusterIssuer
+    name: self-signed
+  # the hostname / subject alternative names for the certificate
+  dnsNames:
+    - podinfo
+
 # metrics-server add-on required
 hpa:
  enabled: true
@@ -47,13 +77,13 @@ hpa:
  # average http requests per second per pod (k8s-prometheus-adapter)
  requests:

-# Redis address in the format <host>:<port>
+# Redis address in the format tcp://<host>:<port>
 cache: ""
 # Redis deployment
 redis:
  enabled: true
  repository: redis
-  tag: 6.0.8
+  tag: 7.0.7

 serviceAccount:
  # Specifies whether a service account should be created
@@ -61,27 +91,37 @@ serviceAccount:
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name:
+  # List of image pull secrets if pulling from private registries
+  imagePullSecrets: []
+
+# set container security context
+securityContext: {}
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: podinfo.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local

 linkerd:
  profile:
    enabled: false

+# create Prometheus Operator monitor
 serviceMonitor:
  enabled: false
  interval: 15s
-
-ingress:
-  enabled: false
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-  # kubernetes.io/tls-acme: "true"
-  path: /*
-  hosts: []
-  #    - podinfo.local
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
+  additionalLabels: {}

 resources:
  limits:
--- a/charts/podinfo/values-secure.yaml
+++ b/charts/podinfo/values-secure.yaml
@@ -1,127 +0,0 @@
-# Default values for podinfo.
-
-replicaCount: 1
-logLevel: info
-backend: #http://backend-podinfo:9898/echo
-backends: []
-
-ui:
-  color: "#34577c"
-  message: ""
-  logo: ""
-
-faults:
-  delay: false
-  error: false
-  unhealthy: false
-  unready: false
-  testFail: false
-  testTimeout: false
-
-h2c:
-  enabled: false
-
-image:
-  repository: ghcr.io/stefanprodan/podinfo
-  tag: 5.0.3
-  pullPolicy: IfNotPresent
-
-service:
-  enabled: true
-  type: ClusterIP
-  metricsPort: 9797
-  httpPort: 9898
-  externalPort: 9898
-  grpcPort: 9999
-  grpcService: podinfo
-  nodePort: 31198
-  # the port used to bind the http port to the host
-  # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing
-  # in local clusters such as kind without port forwarding
-  hostPort:
-
-# enable tls on the podinfo service
-tls:
-  enabled: true
-  # the name of the secret used to mount the certificate key pair
-  secretName:
-  # the path where the certificate key pair will be mounted
-  certPath: /data/cert
-  # the port used to host the tls endpoint on the service
-  port: 9899
-  # the port used to bind the tls port to the host
-  # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing
-  # in local clusters such as kind without port forwarding
-  hostPort:
-
-# create a certificate manager certificate
-certificate:
-  create: true
-  # the issuer used to issue the certificate
-  issuerRef:
-    kind: ClusterIssuer
-    name: self-signed
-  # the hostname / subject alternative names for the certificate
-  dnsNames:
-    - podinfo
-
-# metrics-server add-on required
-hpa:
-  enabled: false
-  maxReplicas: 10
-  # average total CPU usage per pod (1-100)
-  cpu:
-  # average memory usage per pod (100Mi-1Gi)
-  memory:
-  # average http requests per second per pod (k8s-prometheus-adapter)
-  requests:
-
-# Redis address in the format <host>:<port>
-cache: ""
-# Redis deployment
-redis:
-  enabled: false
-  repository: redis
-  tag: 6.0.8
-
-serviceAccount:
-  # Specifies whether a service account should be created
-  enabled: false
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name:
-
-linkerd:
-  profile:
-    enabled: false
-
-serviceMonitor:
-  enabled: false
-  interval: 15s
-
-ingress:
-  enabled: false
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-  path: /*
-  hosts: []
-#    - podinfo.local
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
-
-resources:
-  limits:
-  requests:
-    cpu: 1m
-    memory: 16Mi
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-
-podAnnotations: {}
--- a/charts/podinfo/values.yaml
+++ b/charts/podinfo/values.yaml
@@ -2,14 +2,21 @@

 replicaCount: 1
 logLevel: info
+host: #0.0.0.0
 backend: #http://backend-podinfo:9898/echo
 backends: []

+image:
+  repository: ghcr.io/stefanprodan/podinfo
+  tag: 6.3.2
+  pullPolicy: IfNotPresent
+
 ui:
  color: "#34577c"
  message: ""
  logo: ""

+# failure conditions
 faults:
  delay: false
  error: false
@@ -18,16 +25,10 @@ faults:
  testFail: false
  testTimeout: false

-h2c:
-  enabled: false
-
-image:
-  repository: ghcr.io/stefanprodan/podinfo
-  tag: 5.1.4
-  pullPolicy: IfNotPresent
-
+# Kubernetes Service settings
 service:
  enabled: true
+  annotations: {}
  type: ClusterIP
  metricsPort: 9797
  httpPort: 9898
@@ -40,6 +41,10 @@ service:
  # in local clusters such as kind without port forwarding
  hostPort:

+# enable h2c protocol (non-TLS version of HTTP/2)
+h2c:
+  enabled: false
+
 # enable tls on the podinfo service
 tls:
  enabled: false
@@ -54,7 +59,7 @@ tls:
  # in local clusters such as kind without port forwarding
  hostPort:

-# create a certificate manager certificate
+# create a certificate manager certificate (cert-manager required)
 certificate:
  create: false
  # the issuer used to issue the certificate
@@ -76,13 +81,13 @@ hpa:
  # average http requests per second per pod (k8s-prometheus-adapter)
  requests:

-# Redis address in the format <host>:<port>
+# Redis address in the format tcp://<host>:<port>
 cache: ""
 # Redis deployment
 redis:
  enabled: false
  repository: redis
-  tag: 6.0.8
+  tag: 7.0.7

 serviceAccount:
  # Specifies whether a service account should be created
@@ -90,27 +95,37 @@ serviceAccount:
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name:
+  # List of image pull secrets if pulling from private registries
+  imagePullSecrets: []
+
+# set container security context
+securityContext: {}
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: podinfo.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local

 linkerd:
  profile:
    enabled: false

+# create Prometheus Operator monitor
 serviceMonitor:
  enabled: false
  interval: 15s
-
-ingress:
-  enabled: false
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-  path: /*
-  hosts: []
-#    - podinfo.local
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
+  additionalLabels: {}

 resources:
  limits:
@@ -125,3 +140,18 @@ tolerations: []
 affinity: {}

 podAnnotations: {}
+
+# https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+probes:
+  readiness:
+    initialDelaySeconds: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
+    periodSeconds: 10
+  liveness:
+    initialDelaySeconds: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
+    periodSeconds: 10
--- a/cmd/podinfo/main.go
+++ b/cmd/podinfo/main.go
@@ -2,7 +2,6 @@ package main

 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -18,21 +17,23 @@ import (
 	"github.com/stefanprodan/podinfo/pkg/grpc"
 	"github.com/stefanprodan/podinfo/pkg/signals"
 	"github.com/stefanprodan/podinfo/pkg/version"
+	go_grpc "google.golang.org/grpc"
 )

 func main() {
 	// flags definition
 	fs := pflag.NewFlagSet("default", pflag.ContinueOnError)
-	fs.Int("port", 9898, "HTTP port")
+	fs.String("host", "", "Host to bind service to")
+	fs.Int("port", 9898, "HTTP port to bind service to")
 	fs.Int("secure-port", 0, "HTTPS port")
 	fs.Int("port-metrics", 0, "metrics port")
 	fs.Int("grpc-port", 0, "gRPC port")
 	fs.String("grpc-service-name", "podinfo", "gPRC service name")
-	fs.String("level", "info", "log level debug, info, warn, error, flat or panic")
+	fs.String("level", "info", "log level debug, info, warn, error, fatal or panic")
 	fs.StringSlice("backend-url", []string{}, "backend service URL")
 	fs.Duration("http-client-timeout", 2*time.Minute, "client timeout duration")
 	fs.Duration("http-server-timeout", 30*time.Second, "server read and write timeout duration")
-	fs.Duration("http-server-shutdown-timeout", 5*time.Second, "server graceful shutdown timeout duration")
+	fs.Duration("server-shutdown-timeout", 5*time.Second, "server graceful shutdown timeout duration")
 	fs.String("data-path", "/data", "data local path")
 	fs.String("config-path", "", "config dir path")
 	fs.String("cert-path", "/data/cert", "certificate path for HTTPS port")
@@ -51,7 +52,8 @@ func main() {
 	fs.Bool("unready", false, "when set, ready state is never reached")
 	fs.Int("stress-cpu", 0, "number of CPU cores with 100 load")
 	fs.Int("stress-memory", 0, "MB of data to load into memory")
-	fs.String("cache-server", "", "Redis address in the format <host>:<port>")
+	fs.String("cache-server", "", "Redis address in the format 'tcp://<host>:<port>'")
+	fs.String("otel-service-name", "", "service name for reporting to open telemetry address, when not set tracing is disabled")

 	versionFlag := fs.BoolP("version", "v", false, "get version number")

@@ -89,8 +91,6 @@ func main() {
 		if readErr := viper.ReadInConfig(); readErr != nil {
 			fmt.Printf("Error reading config file, %v\n", readErr)
 		}
-	}else{
-		fmt.Printf("Error to open config file, %v\n",fileErr)
 	}

 	// configure logging
@@ -135,9 +135,10 @@ func main() {
 	}

 	// start gRPC server
+	var grpcServer *go_grpc.Server
 	if grpcCfg.Port > 0 {
 		grpcSrv, _ := grpc.NewServer(&grpcCfg, logger)
-		go grpcSrv.ListenAndServe()
+		grpcServer = grpcSrv.ListenAndServe()
 	}

 	// load HTTP server config
@@ -155,8 +156,12 @@ func main() {

 	// start HTTP server
 	srv, _ := api.NewServer(&srvCfg, logger)
+	httpServer, httpsServer, healthy, ready := srv.ListenAndServe()
+
+	// graceful shutdown
 	stopCh := signals.SetupSignalHandler()
-	srv.ListenAndServe(stopCh)
+	sd, _ := signals.NewShutdown(srvCfg.ServerShutdownTimeout, logger)
+	sd.Graceful(stopCh, httpServer, httpsServer, grpcServer, healthy, ready)
 }

 func initZap(logLevel string) (*zap.Logger, error) {
@@ -238,7 +243,7 @@ func beginStressTest(cpus int, mem int, logger *zap.Logger) {
 			logger.Error("memory stress failed", zap.Error(err))
 		}

-		stressMemoryPayload, err = ioutil.ReadFile(path)
+		stressMemoryPayload, err = os.ReadFile(path)
 		f.Close()
 		os.Remove(path)
 		if err != nil {
--- a/cue/README.md
+++ b/cue/README.md
@@ -0,0 +1,58 @@
+# Podinfo CUE module
+
+This directory contains a [CUE](https://cuelang.org/docs/) module and tooling
+for generating podinfo's Kubernetes resources.
+
+The module contains a `podinfo.#Application` definition which takes `podinfo.#Config` as input.
+
+## Prerequisites
+
+Install CUE with:
+
+```shell
+brew install cue
+```
+
+Generate the Kubernetes API definitions required by this module with:
+
+```shell
+cue get go k8s.io/api/...
+```
+
+## Configuration
+
+Configure the application in `main.cue`:
+
+```cue
+app: podinfo.#Application & {
+	config: {
+		meta: {
+			name:      "podinfo"
+			namespace: "default"
+		}
+		image: tag: "6.1.3"
+		resources: requests: {
+			cpu:    "100m"
+			memory: "16Mi"
+		}
+		hpa: {
+			enabled:     true
+			maxReplicas: 3
+		}
+		ingress: {
+			enabled:   true
+			className: "nginx"
+			host:      "podinfo.example.com"
+			tls:       true
+			annotations: "cert-manager.io/cluster-issuer": "letsencrypt"
+		}
+		serviceMonitor: enabled: true
+	}
+}
+```
+
+## Generate the manifests
+
+```shell
+cue gen
+```
--- a/cue/cue.mod/module.cue
+++ b/cue/cue.mod/module.cue
@@ -0,0 +1 @@
+module: "github.com/stefanprodan/podinfo/cue"
--- a/cue/go.mod
+++ b/cue/go.mod
@@ -0,0 +1,23 @@
+module github.com/stefanprodan/podinfo/cue
+
+go 1.17
+
+require (
+	github.com/go-logr/logr v1.2.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/go-cmp v0.5.5 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	golang.org/x/net v0.0.0-20211209124913-491a49abca63 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/api v0.23.5 // indirect
+	k8s.io/apimachinery v0.23.5 // indirect
+	k8s.io/klog/v2 v2.30.0 // indirect
+	k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
+	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
+)
--- a/cue/go.sum
+++ b/cue/go.sum
@@ -0,0 +1,231 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
+github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
+github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
+github.com/go-logr/logr v1.2.0 h1:QK40JKJyMdUDz+h+xvCsru/bJhvG0UxvePV0ufL/AcE=
+github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
+github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
+github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
+github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
+github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
+github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
+github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY=
+golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/api v0.23.5 h1:zno3LUiMubxD/V1Zw3ijyKO3wxrhbUF1Ck+VjBvfaoA=
+k8s.io/api v0.23.5/go.mod h1:Na4XuKng8PXJ2JsploYYrivXrINeTaycCGcYgF91Xm8=
+k8s.io/apimachinery v0.23.5 h1:Va7dwhp8wgkUPWsEXk6XglXWU4IKYLKNlv8VkX7SDM0=
+k8s.io/apimachinery v0.23.5/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM=
+k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
+k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
+k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
+k8s.io/klog/v2 v2.30.0 h1:bUO6drIvCIsvZ/XFgfxoGFQU/a4Qkh0iAlvUR7vlHJw=
+k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk=
+k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20211116205334-6203023598ed h1:ck1fRPWPJWsMd8ZRFsWc6mh/zHp5fZ/shhbrgPUxDAE=
+k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 h1:fD1pz4yfdADVNfFmcP2aBEtudwUQ1AlLnRBALr33v3s=
+sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs=
+sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
--- a/cue/main.cue
+++ b/cue/main.cue
@@ -0,0 +1,33 @@
+package main
+
+import (
+	podinfo "github.com/stefanprodan/podinfo/cue/podinfo"
+)
+
+app: podinfo.#Application & {
+	config: {
+		meta: {
+			name:      "podinfo"
+			namespace: "default"
+		}
+		image: tag: "6.3.2"
+		resources: requests: {
+			cpu:    "100m"
+			memory: "16Mi"
+		}
+		hpa: {
+			enabled:     true
+			maxReplicas: 3
+		}
+		ingress: {
+			enabled:   true
+			className: "nginx"
+			host:      "podinfo.example.com"
+			tls:       true
+			annotations: "cert-manager.io/cluster-issuer": "letsencrypt"
+		}
+		serviceMonitor: enabled: true
+	}
+}
+
+objects: app.objects
--- a/cue/main_tool.cue
+++ b/cue/main_tool.cue
@@ -0,0 +1,12 @@
+package main
+
+import (
+	"tool/cli"
+	"encoding/yaml"
+)
+
+command: gen: {
+	task: print: cli.Print & {
+		text: yaml.MarshalStream([ for x in objects {x}])
+	}
+}
--- a/cue/podinfo/app.cue
+++ b/cue/podinfo/app.cue
@@ -0,0 +1,26 @@
+package podinfo
+
+#Application: {
+	config: #Config
+
+	objects: {
+		service:    #Service & {_config:        config}
+		account:    #ServiceAccount & {_config: config}
+		deployment: #Deployment & {
+			_config:         config
+			_serviceAccount: account.metadata.name
+		}
+	}
+
+	if config.hpa.enabled == true {
+		objects: hpa: #HorizontalPodAutoscaler & {_config: config}
+	}
+
+	if config.ingress.enabled == true {
+		objects: ingress: #Ingress & {_config: config}
+	}
+
+	if config.serviceMonitor.enabled == true {
+		objects: serviceMonitor: #ServiceMonitor & {_config: config}
+	}
+}
--- a/cue/podinfo/config.cue
+++ b/cue/podinfo/config.cue
@@ -0,0 +1,41 @@
+package podinfo
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+#Config: {
+	meta:           metav1.#ObjectMeta
+	hpa:            #hpaConfig
+	ingress:        #ingressConfig
+	service:        #serviceConfig
+	serviceMonitor: #serviceMonConfig
+
+	image: {
+		repository: *"ghcr.io/stefanprodan/podinfo" | string
+		pullPolicy: *"IfNotPresent" | string
+		tag:        string
+	}
+
+	cache?: string & =~"^tcp://"
+	backends: [...string]
+	logLevel: *"info" | string
+	replicas: *1 | int
+
+	resources: *{
+		requests: {
+			cpu:    "1m"
+			memory: "16Mi"
+		}
+		limits: memory: "128Mi"
+	} | corev1.#ResourceRequirements
+
+	selectorLabels: *{"app.kubernetes.io/name": meta.name} | {[ string]: string}
+	meta: annotations: *{"app.kubernetes.io/version": "\(image.tag)"} | {[ string]: string}
+	meta: labels:      *selectorLabels | {[ string]:  string}
+
+	securityContext?: corev1.#PodSecurityContext
+	affinity?:        corev1.#Affinity
+	tolerations?: [ ...corev1.#Toleration]
+}
--- a/cue/podinfo/deployment.cue
+++ b/cue/podinfo/deployment.cue
@@ -0,0 +1,110 @@
+package podinfo
+
+import (
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+#Deployment: appsv1.#Deployment & {
+	_config:         #Config
+	_serviceAccount: string
+	apiVersion:      "apps/v1"
+	kind:            "Deployment"
+	metadata:        _config.meta
+	spec:            appsv1.#DeploymentSpec & {
+		if !_config.hpa.enabled {
+			replicas: _config.replicas
+		}
+		strategy: {
+			type: "RollingUpdate"
+			rollingUpdate: maxUnavailable: 1
+		}
+		selector: matchLabels: _config.selectorLabels
+		template: {
+			metadata: {
+				labels: _config.selectorLabels
+				if !_config.serviceMonitor.enabled {
+					annotations: {
+						"prometheus.io/scrape": "true"
+						"prometheus.io/port":   "\(_config.service.metricsPort)"
+					}
+				}
+			}
+			spec: corev1.#PodSpec & {
+				terminationGracePeriodSeconds: 15
+				serviceAccountName:            _serviceAccount
+				containers: [
+					{
+						name:            "podinfo"
+						image:           "\(_config.image.repository):\(_config.image.tag)"
+						imagePullPolicy: _config.image.pullPolicy
+						command: [
+							"./podinfo",
+							"--port=\(_config.service.httpPort)",
+							"--port-metrics=\(_config.service.metricsPort)",
+							"--grpc-port=\(_config.service.grpcPort)",
+							"--level=\(_config.logLevel)",
+							if _config.cache != _|_ {
+								"--cache-server=\(_config.cache)"
+							},
+							for b in _config.backends {
+								"--backend-url=\(b)"
+							},
+						]
+						ports: [
+							{
+								name:          "http"
+								containerPort: _config.service.httpPort
+								protocol:      "TCP"
+							},
+							{
+								name:          "http-metrics"
+								containerPort: _config.service.metricsPort
+								protocol:      "TCP"
+							},
+							{
+								name:          "grpc"
+								containerPort: _config.service.grpcPort
+								protocol:      "TCP"
+							},
+						]
+						livenessProbe: {
+							httpGet: {
+								path: "/healthz"
+								port: "http"
+							}
+						}
+						readinessProbe: {
+							httpGet: {
+								path: "/readyz"
+								port: "http"
+							}
+						}
+						volumeMounts: [
+							{
+								name:      "data"
+								mountPath: "/data"
+							},
+						]
+						resources: _config.resources
+						if _config.securityContext != _|_ {
+							securityContext: _config.securityContext
+						}
+					},
+				]
+				if _config.affinity != _|_ {
+					affinity: _config.affinity
+				}
+				if _config.tolerations != _|_ {
+					tolerations: _config.tolerations
+				}
+				volumes: [
+					{
+						name: "data"
+						emptyDir: {}
+					},
+				]
+			}
+		}
+	}
+}
--- a/cue/podinfo/hpa.cue
+++ b/cue/podinfo/hpa.cue
@@ -0,0 +1,55 @@
+package podinfo
+
+import (
+	autoscaling "k8s.io/api/autoscaling/v2"
+)
+
+#hpaConfig: {
+	enabled:     *false | bool
+	cpu:         *99 | int
+	memory:      *"" | string
+	minReplicas: *1 | int
+	maxReplicas: *1 | int
+}
+
+#HorizontalPodAutoscaler: autoscaling.#HorizontalPodAutoscaler & {
+	_config:    #Config
+	apiVersion: "autoscaling/v2"
+	kind:       "HorizontalPodAutoscaler"
+	metadata:   _config.meta
+	spec: {
+		scaleTargetRef: {
+			apiVersion: "apps/v1"
+			kind:       "Deployment"
+			name:       _config.meta.name
+		}
+		minReplicas: _config.hpa.minReplicas
+		maxReplicas: _config.hpa.maxReplicas
+		metrics: [
+			if _config.hpa.cpu > 0 {
+				{
+					type: "Resource"
+					resource: {
+						name: "cpu"
+						target: {
+							type:               "Utilization"
+							averageUtilization: _config.hpa.cpu
+						}
+					}
+				}
+			},
+			if _config.hpa.memory != "" {
+				{
+					type: "Resource"
+					resource: {
+						name: "memory"
+						target: {
+							type:         "AverageValue"
+							averageValue: _config.hpa.memory
+						}
+					}
+				}
+			},
+		]
+	}
+}
--- a/cue/podinfo/ingress.cue
+++ b/cue/podinfo/ingress.cue
@@ -0,0 +1,47 @@
+package podinfo
+
+import (
+	netv1 "k8s.io/api/networking/v1"
+)
+
+#ingressConfig: {
+	enabled: *false | bool
+	annotations?: {[ string]: string}
+	className?: string
+	tls:        *false | bool
+	host:       string
+}
+
+#Ingress: netv1.#Ingress & {
+	_config:    #Config
+	apiVersion: "networking.k8s.io/v1"
+	kind:       "Ingress"
+	metadata:   _config.meta
+	if _config.ingress.annotations != _|_ {
+		metadata: annotations: _config.ingress.annotations
+	}
+	spec: netv1.#IngressSpec & {
+		rules: [{
+			host: _config.ingress.host
+			http: {
+				paths: [{
+					pathType: "Prefix"
+					path:     "/"
+					backend: service: {
+						name: _config.meta.name
+						port: name: "http"
+					}
+				}]
+			}
+		}]
+		if _config.ingress.tls {
+			tls: [{
+				hosts: [_config.ingress.host]
+				secretName: "\(_config.meta.name)-cert"
+			}]
+		}
+		if _config.ingress.className != _|_ {
+			ingressClassName: _config.ingress.className
+		}
+	}
+}
--- a/cue/podinfo/service.cue
+++ b/cue/podinfo/service.cue
@@ -0,0 +1,44 @@
+package podinfo
+
+import (
+	corev1 "k8s.io/api/core/v1"
+)
+
+#serviceConfig: {
+	type:         *"ClusterIP" | string
+	externalPort: *9898 | int
+	httpPort:     *9898 | int
+	metricsPort:  *9797 | int
+	grpcPort:     *9999 | int
+}
+
+#Service: corev1.#Service & {
+	_config:    #Config
+	apiVersion: "v1"
+	kind:       "Service"
+	metadata:   _config.meta
+	spec:       corev1.#ServiceSpec & {
+		type:     _config.service.type
+		selector: _config.selectorLabels
+		ports: [
+			{
+				name:       "http"
+				port:       _config.service.externalPort
+				targetPort: "\(name)"
+				protocol:   "TCP"
+			},
+			{
+				name:       "http-metrics"
+				port:       _config.service.metricsPort
+				targetPort: "\(name)"
+				protocol:   "TCP"
+			},
+			{
+				name:       "grpc"
+				port:       _config.service.grpcPort
+				targetPort: "\(name)"
+				protocol:   "TCP"
+			},
+		]
+	}
+}
--- a/cue/podinfo/serviceaccount.cue
+++ b/cue/podinfo/serviceaccount.cue
@@ -0,0 +1,12 @@
+package podinfo
+
+import (
+	corev1 "k8s.io/api/core/v1"
+)
+
+#ServiceAccount: corev1.#ServiceAccount & {
+	_config:    #Config
+	apiVersion: "v1"
+	kind:       "ServiceAccount"
+	metadata:   _config.meta
+}
--- a/cue/podinfo/servicemonitor.cue
+++ b/cue/podinfo/servicemonitor.cue
@@ -0,0 +1,22 @@
+package podinfo
+
+#serviceMonConfig: {
+	enabled:  *false | bool
+	interval: *"15s" | string
+}
+
+#ServiceMonitor: {
+	_config:    #Config
+	apiVersion: "monitoring.coreos.com/v1"
+	kind:       "ServiceMonitor"
+	metadata:   _config.meta
+	spec: {
+		endpoints: [{
+			path:     "/metrics"
+			port:     "http-metrics"
+			interval: _config.serviceMonitor.interval
+		}]
+		namespaceSelector: matchNames: [_config.meta.namespace]
+		selector: matchLabels: _config.meta.labels
+	}
+}
--- a/deploy/bases/backend/deployment.yaml
+++ b/deploy/bases/backend/deployment.yaml
@@ -23,7 +23,7 @@ spec:
    spec:
      containers:
      - name: backend
-        image: ghcr.io/stefanprodan/podinfo:5.1.4
+        image: ghcr.io/stefanprodan/podinfo:6.3.2
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
--- a/deploy/bases/backend/hpa.yaml
+++ b/deploy/bases/backend/hpa.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: backend
--- a/deploy/bases/cache/deployment.yaml
+++ b/deploy/bases/cache/deployment.yaml
@@ -13,7 +13,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:6.0.1
+          image: redis:7.0.7
          imagePullPolicy: IfNotPresent
          command:
            - redis-server
--- a/deploy/bases/frontend/deployment.yaml
+++ b/deploy/bases/frontend/deployment.yaml
@@ -23,7 +23,7 @@ spec:
    spec:
      containers:
      - name: frontend
-        image: ghcr.io/stefanprodan/podinfo:5.1.4
+        image: ghcr.io/stefanprodan/podinfo:6.3.2
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
--- a/deploy/bases/frontend/hpa.yaml
+++ b/deploy/bases/frontend/hpa.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: frontend
--- a/deploy/webapp/backend/deployment.yaml
+++ b/deploy/webapp/backend/deployment.yaml
@@ -25,7 +25,7 @@ spec:
      serviceAccountName: webapp
      containers:
      - name: backend
-        image: ghcr.io/stefanprodan/podinfo:5.1.4
+        image: ghcr.io/stefanprodan/podinfo:6.3.2
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
--- a/deploy/webapp/frontend/deployment.yaml
+++ b/deploy/webapp/frontend/deployment.yaml
@@ -25,7 +25,7 @@ spec:
      serviceAccountName: webapp
      containers:
      - name: frontend
-        image: ghcr.io/stefanprodan/podinfo:5.1.4
+        image: ghcr.io/stefanprodan/podinfo:6.3.2
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
--- a/go.mod
+++ b/go.mod
@@ -1,25 +1,90 @@
 module github.com/stefanprodan/podinfo

-go 1.15
+go 1.19

 require (
-	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
-	github.com/chzyer/logex v1.1.10 // indirect
-	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e
-	github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1 // indirect
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
-	github.com/fatih/color v1.9.0
-	github.com/fsnotify/fsnotify v1.4.9
-	github.com/gomodule/redigo v1.8.2
+	github.com/chzyer/readline v1.5.1
+	github.com/fatih/color v1.14.1
+	github.com/fsnotify/fsnotify v1.6.0
+	github.com/golang-jwt/jwt/v4 v4.4.3
+	github.com/gomodule/redigo v1.8.9
 	github.com/gorilla/mux v1.8.0
-	github.com/gorilla/websocket v1.4.2
-	github.com/prometheus/client_golang v1.8.0
-	github.com/spf13/cobra v1.1.1
+	github.com/gorilla/websocket v1.5.0
+	github.com/prometheus/client_golang v1.14.0
+	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.7.1
-	github.com/swaggo/http-swagger v0.0.0-20200308142732-58ac5e232fba
-	github.com/swaggo/swag v1.6.9
-	go.uber.org/zap v1.16.0
-	golang.org/x/net v0.0.0-20201027133719-8eef5233e2a1
-	google.golang.org/grpc v1.33.1
+	github.com/spf13/viper v1.15.0
+	github.com/swaggo/http-swagger v1.3.3
+	github.com/swaggo/swag v1.8.10
+	go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.38.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.38.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.38.0
+	go.opentelemetry.io/contrib/propagators/aws v1.13.0
+	go.opentelemetry.io/contrib/propagators/b3 v1.13.0
+	go.opentelemetry.io/contrib/propagators/jaeger v1.13.0
+	go.opentelemetry.io/contrib/propagators/ot v1.13.0
+	go.opentelemetry.io/otel v1.12.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.12.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.12.0
+	go.opentelemetry.io/otel/sdk v1.12.0
+	go.opentelemetry.io/otel/trace v1.12.0
+	go.uber.org/zap v1.24.0
+	golang.org/x/net v0.5.0
+	google.golang.org/grpc v1.52.3
+)
+
+// Fix CVE-2022-27664
+replace golang.org/x/net => golang.org/x/net v0.4.0
+
+// Fix CVE-2022-32149
+replace golang.org/x/text => golang.org/x/text v0.4.0
+
+// Fix CVE-2022-28948
+replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
+
+require (
+	github.com/KyleBanks/depth v1.2.1 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/felixge/httpsnoop v1.0.3 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/spec v0.20.6 // indirect
+	github.com/go-openapi/swag v0.19.15 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
+	github.com/prometheus/client_model v0.3.0 // indirect
+	github.com/prometheus/common v0.37.0 // indirect
+	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/spf13/afero v1.9.3 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/subosito/gotenv v1.4.2 // indirect
+	github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe // indirect
+	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.12.0 // indirect
+	go.opentelemetry.io/otel/metric v0.35.0 // indirect
+	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
+	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/text v0.5.0 // indirect
+	golang.org/x/tools v0.1.12 // indirect
+	google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/kustomize/deployment.yaml
+++ b/kustomize/deployment.yaml
@@ -23,7 +23,7 @@ spec:
    spec:
      containers:
      - name: podinfod
-        image: ghcr.io/stefanprodan/podinfo:5.1.4
+        image: ghcr.io/stefanprodan/podinfo:6.3.2
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
--- a/kustomize/hpa.yaml
+++ b/kustomize/hpa.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: podinfo
--- a/otel/Makefile
+++ b/otel/Makefile
@@ -0,0 +1,20 @@
+DC=docker-compose -f docker-compose.yaml
+
+.PHONY: help
+.DEFAULT_GOAL := help
+
+help:
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+stop: ## Stop all Docker Containers run in Compose
+	$(DC) stop
+
+clean: stop ## Clean all Docker Containers and Volumes
+	$(DC) down --rmi local --remove-orphans -v
+	$(DC) rm -f -v
+
+build: clean ## Rebuild the Docker Image for use by Compose
+	$(DC) build
+
+run: stop ## Run the Application
+	$(DC) up
--- a/otel/README.md
+++ b/otel/README.md
@@ -0,0 +1,37 @@
+# Tracing Demo
+
+The directory contains sample [OpenTelemetry Collector](https://github.com/open-telemetry/opentelemetry-collector)
+and [Jaeger](https://www.jaegertracing.io) configurations for a tracing demo.
+
+## Configuration
+
+The provided [docker-compose.yaml](docker-compose.yaml) sets up 4 Containers
+
+1. PodInfo Frontend on port 9898
+2. PodInfo Backend on port 9899
+3. OpenTelemetry Collector listening on port 4317 for GRPC
+4. Jaeger all-in-one listening on multiple ports
+
+## How does it work?
+
+The frontend pods are configured to call onto the backend pods. Both the podinfo
+pods are configured to send traces over to the collector at port 4317 using GRPC.
+The collector forwards all received spans to Jaeger over port 14250 and Jaeger
+exposes a UI over port `16686`.
+
+## Running it locally
+
+1. Start all the Containers
+```shell
+make run
+```
+2. Send some sample requests
+```shell
+curl -v http://localhost:9898/status/200
+curl -X POST -v http://localhost:9898/api/echo
+```
+3. Visit `http://localhost:16686/` to see the spans
+4. Stop all the containers
+```shell
+make stop
+```
--- a/otel/docker-compose.yaml
+++ b/otel/docker-compose.yaml
@@ -0,0 +1,35 @@
+version: '2'
+
+services:
+  podinfo_frontend:
+    build: ..
+    command: ./podinfo --backend-url http://podinfo_backend:9899/status/200 --otel-service-name=podinfo_frontend
+    environment:
+      - OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=http://otel:4317
+    ports:
+      - "9898:9898"
+  podinfo_backend:
+    build: ..
+    command: ./podinfo --port 9899 --otel-service-name=podinfo_backend
+    environment:
+      - OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=http://otel:4317
+    ports:
+      - "9899:9899"
+  otel:
+    command: --config otel-config.yaml
+    image: otel/opentelemetry-collector:0.41.0
+    ports:
+      - "4317:4317"
+    volumes:
+      - ${PWD}/otel-config.yaml:/otel-config.yaml
+  jaeger:
+    image: jaegertracing/all-in-one:1.29.0
+    ports:
+      - "5775:5775/udp"
+      - "6831:6831/udp"
+      - "6832:6832/udp"
+      - "5778:5778"
+      - "16686:16686"
+      - "14268:14268"
+      - "14250:14250"
+      - "9411:9411"
--- a/otel/otel-config.yaml
+++ b/otel/otel-config.yaml
@@ -0,0 +1,26 @@
+receivers:
+  otlp:
+    protocols:
+      grpc:
+      http:
+
+processors:
+
+exporters:
+  jaeger:
+    endpoint: jaeger:14250
+    tls:
+      insecure: true
+
+extensions:
+  health_check:
+  pprof:
+  zpages:
+
+service:
+  extensions: [health_check,pprof,zpages]
+  pipelines:
+    traces:
+      receivers: [otlp]
+      processors: []
+      exporters: [jaeger]
--- a/pkg/api/cache.go
+++ b/pkg/api/cache.go
@@ -1,8 +1,10 @@
 package api

 import (
-	"io/ioutil"
+	"fmt"
+	"io"
 	"net/http"
+	"net/url"
 	"time"

 	"github.com/gomodule/redigo/redis"
@@ -18,18 +20,22 @@ import (
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param key path string true "Key to save to"
 // @Router /cache/{key} [post]
 // @Success 202
 func (s *Server) cacheWriteHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "cacheWriteHandler")
+	defer span.End()
+
 	if s.pool == nil {
-		s.ErrorResponse(w, r, "cache server is offline", http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, "cache server is offline", http.StatusBadRequest)
 		return
 	}

 	key := mux.Vars(r)["key"]
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
-		s.ErrorResponse(w, r, "reading the request body failed", http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, "reading the request body failed", http.StatusBadRequest)
 		return
 	}

@@ -38,7 +44,7 @@ func (s *Server) cacheWriteHandler(w http.ResponseWriter, r *http.Request) {
 	_, err = conn.Do("SET", key, string(body))
 	if err != nil {
 		s.logger.Warn("cache set failed", zap.Error(err))
-		s.ErrorResponse(w, r, "cache set failed", http.StatusInternalServerError)
+		s.ErrorResponse(w, r, span, "cache set failed", http.StatusInternalServerError)
 		return
 	}

@@ -51,11 +57,15 @@ func (s *Server) cacheWriteHandler(w http.ResponseWriter, r *http.Request) {
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param key path string true "Key to delete"
 // @Router /cache/{key} [delete]
 // @Success 202
 func (s *Server) cacheDeleteHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "cacheDeleteHandler")
+	defer span.End()
+
 	if s.pool == nil {
-		s.ErrorResponse(w, r, "cache server is offline", http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, "cache server is offline", http.StatusBadRequest)
 		return
 	}

@@ -79,11 +89,15 @@ func (s *Server) cacheDeleteHandler(w http.ResponseWriter, r *http.Request) {
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param key path string true "Key to load from cache"
 // @Router /cache/{key} [get]
 // @Success 200 {string} string value
 func (s *Server) cacheReadHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "cacheReadHandler")
+	defer span.End()
+
 	if s.pool == nil {
-		s.ErrorResponse(w, r, "cache server is offline", http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, "cache server is offline", http.StatusBadRequest)
 		return
 	}

@@ -110,16 +124,31 @@ func (s *Server) cacheReadHandler(w http.ResponseWriter, r *http.Request) {
 	w.Write([]byte(data))
 }

-func (s *Server) startCachePool(ticker *time.Ticker, stopCh <-chan struct{}) {
+func (s *Server) getCacheConn() (redis.Conn, error) {
+	redisUrl, err := url.Parse(s.config.CacheServer)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse redis url: %v", err)
+	}
+
+	var opts []redis.DialOption
+	if user := redisUrl.User; user != nil {
+		opts = append(opts, redis.DialUsername(user.Username()))
+		if password, ok := user.Password(); ok {
+			opts = append(opts, redis.DialPassword(password))
+		}
+	}
+
+	return redis.Dial("tcp", redisUrl.Host, opts...)
+}
+
+func (s *Server) startCachePool(ticker *time.Ticker) {
 	if s.config.CacheServer == "" {
 		return
 	}
 	s.pool = &redis.Pool{
 		MaxIdle:     3,
 		IdleTimeout: 240 * time.Second,
-		Dial: func() (redis.Conn, error) {
-			return redis.Dial("tcp", s.config.CacheServer)
-		},
+		Dial:        s.getCacheConn,
 		TestOnBorrow: func(c redis.Conn, t time.Time) error {
 			_, err := c.Do("PING")
 			return err
@@ -140,8 +169,6 @@ func (s *Server) startCachePool(ticker *time.Ticker, stopCh <-chan struct{}) {
 		setVersion()
 		for {
 			select {
-			case <-stopCh:
-				return
 			case <-ticker.C:
 				setVersion()
 			}
--- a/pkg/api/chunked.go
+++ b/pkg/api/chunked.go
@@ -15,9 +15,13 @@ import (
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param seconds path int true "seconds to wait for"
 // @Router /chunked/{seconds} [get]
 // @Success 200 {object} api.MapResponse
 func (s *Server) chunkedHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "chunkedHandler")
+	defer span.End()
+
 	vars := mux.Vars(r)

 	delay, err := strconv.Atoi(vars["wait"])
@@ -27,7 +31,7 @@ func (s *Server) chunkedHandler(w http.ResponseWriter, r *http.Request) {

 	flusher, ok := w.(http.Flusher)
 	if !ok {
-		s.ErrorResponse(w, r, "Streaming unsupported!", http.StatusInternalServerError)
+		s.ErrorResponse(w, r, span, "Streaming unsupported!", http.StatusInternalServerError)
 		return
 	}

--- a/pkg/api/configs.go
+++ b/pkg/api/configs.go
@@ -3,6 +3,9 @@ package api
 import "net/http"

 func (s *Server) configReadHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "configReadHandler")
+	defer span.End()
+
 	files := make(map[string]string)
 	if watcher != nil {
 		watcher.Cache.Range(func(key interface{}, value interface{}) bool {
--- a/pkg/api/delay.go
+++ b/pkg/api/delay.go
@@ -49,14 +49,18 @@ func (m *RandomDelayMiddleware) Handler(next http.Handler) http.Handler {
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param seconds path int true "seconds to wait for"
 // @Router /delay/{seconds} [get]
 // @Success 200 {object} api.MapResponse
 func (s *Server) delayHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "delayHandler")
+	defer span.End()
+
 	vars := mux.Vars(r)

 	delay, err := strconv.Atoi(vars["wait"])
 	if err != nil {
-		s.ErrorResponse(w, r, err.Error(), http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, err.Error(), http.StatusBadRequest)
 		return
 	}

--- a/pkg/api/docs/docs.go
+++ b/pkg/api/docs/docs.go
@@ -1,22 +1,14 @@
-// GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+// Package docs GENERATED BY SWAG; DO NOT EDIT
 // This file was generated by swaggo/swag
-
 package docs

-import (
-	"bytes"
-	"encoding/json"
-	"strings"
+import "github.com/swaggo/swag"

-	"github.com/alecthomas/template"
-	"github.com/swaggo/swag"
-)
-
-var doc = `{
+const docTemplate = `{
    "schemes": {{ marshal .Schemes }},
    "swagger": "2.0",
    "info": {
-        "description": "{{.Description}}",
+        "description": "{{escape .Description}}",
        "title": "{{.Title}}",
        "contact": {
            "name": "Source Code",
@@ -110,6 +102,15 @@ var doc = `{
                    "HTTP API"
                ],
                "summary": "Get payload from cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to load from cache",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -131,8 +132,19 @@ var doc = `{
                    "HTTP API"
                ],
                "summary": "Save payload in cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to save to",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
-                    "202": {}
+                    "202": {
+                        "description": "Accepted"
+                    }
                }
            },
            "delete": {
@@ -147,8 +159,19 @@ var doc = `{
                    "HTTP API"
                ],
                "summary": "Delete payload from cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to delete",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
-                    "202": {}
+                    "202": {
+                        "description": "Accepted"
+                    }
                }
            }
        },
@@ -165,6 +188,15 @@ var doc = `{
                    "HTTP API"
                ],
                "summary": "Chunked transfer encoding",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "seconds to wait for",
+                        "name": "seconds",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -188,6 +220,15 @@ var doc = `{
                    "HTTP API"
                ],
                "summary": "Delay",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "seconds to wait for",
+                        "name": "seconds",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -299,7 +340,8 @@ var doc = `{
                "tags": [
                    "HTTP API"
                ],
-                "summary": "Panic"
+                "summary": "Panic",
+                "responses": {}
            }
        },
        "/readyz": {
@@ -384,6 +426,15 @@ var doc = `{
                    "HTTP API"
                ],
                "summary": "Status code",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "status code to return",
+                        "name": "code",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -430,6 +481,15 @@ var doc = `{
                    "HTTP API"
                ],
                "summary": "Download file",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "hash value",
+                        "name": "hash",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "file",
@@ -606,49 +666,18 @@ var doc = `{
    }
 }`

-type swaggerInfo struct {
-	Version     string
-	Host        string
-	BasePath    string
-	Schemes     []string
-	Title       string
-	Description string
-}
-
 // SwaggerInfo holds exported Swagger Info so clients can modify it
-var SwaggerInfo = swaggerInfo{
-	Version:     "2.0",
-	Host:        "localhost:9898",
-	BasePath:    "/",
-	Schemes:     []string{"http", "https"},
-	Title:       "Podinfo API",
-	Description: "Go microservice template for Kubernetes.",
-}
-
-type s struct{}
-
-func (s *s) ReadDoc() string {
-	sInfo := SwaggerInfo
-	sInfo.Description = strings.Replace(sInfo.Description, "\n", "\\n", -1)
-
-	t, err := template.New("swagger_info").Funcs(template.FuncMap{
-		"marshal": func(v interface{}) string {
-			a, _ := json.Marshal(v)
-			return string(a)
-		},
-	}).Parse(doc)
-	if err != nil {
-		return doc
-	}
-
-	var tpl bytes.Buffer
-	if err := t.Execute(&tpl, sInfo); err != nil {
-		return doc
-	}
-
-	return tpl.String()
+var SwaggerInfo = &swag.Spec{
+	Version:          "2.0",
+	Host:             "localhost:9898",
+	BasePath:         "/",
+	Schemes:          []string{"http", "https"},
+	Title:            "Podinfo API",
+	Description:      "Go microservice template for Kubernetes.",
+	InfoInstanceName: "swagger",
+	SwaggerTemplate:  docTemplate,
 }

 func init() {
-	swag.Register(swag.Name, &s{})
+	swag.Register(SwaggerInfo.InstanceName(), SwaggerInfo)
 }
--- a/pkg/api/docs/swagger.json
+++ b/pkg/api/docs/swagger.json
@@ -99,6 +99,15 @@
                    "HTTP API"
                ],
                "summary": "Get payload from cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to load from cache",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -120,8 +129,19 @@
                    "HTTP API"
                ],
                "summary": "Save payload in cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to save to",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
-                    "202": {}
+                    "202": {
+                        "description": "Accepted"
+                    }
                }
            },
            "delete": {
@@ -136,8 +156,19 @@
                    "HTTP API"
                ],
                "summary": "Delete payload from cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to delete",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
-                    "202": {}
+                    "202": {
+                        "description": "Accepted"
+                    }
                }
            }
        },
@@ -154,6 +185,15 @@
                    "HTTP API"
                ],
                "summary": "Chunked transfer encoding",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "seconds to wait for",
+                        "name": "seconds",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -177,6 +217,15 @@
                    "HTTP API"
                ],
                "summary": "Delay",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "seconds to wait for",
+                        "name": "seconds",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -288,7 +337,8 @@
                "tags": [
                    "HTTP API"
                ],
-                "summary": "Panic"
+                "summary": "Panic",
+                "responses": {}
            }
        },
        "/readyz": {
@@ -373,6 +423,15 @@
                    "HTTP API"
                ],
                "summary": "Status code",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "status code to return",
+                        "name": "code",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -419,6 +478,15 @@
                    "HTTP API"
                ],
                "summary": "Download file",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "hash value",
+                        "name": "hash",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "file",
--- a/pkg/api/docs/swagger.yaml
+++ b/pkg/api/docs/swagger.yaml
@@ -103,10 +103,17 @@ paths:
      consumes:
      - application/json
      description: deletes the key and its value from cache
+      parameters:
+      - description: Key to delete
+        in: path
+        name: key
+        required: true
+        type: string
      produces:
      - application/json
      responses:
-        "202": {}
+        "202":
+          description: Accepted
      summary: Delete payload from cache
      tags:
      - HTTP API
@@ -114,6 +121,12 @@ paths:
      consumes:
      - application/json
      description: returns the content from cache if key exists
+      parameters:
+      - description: Key to load from cache
+        in: path
+        name: key
+        required: true
+        type: string
      produces:
      - application/json
      responses:
@@ -128,10 +141,17 @@ paths:
      consumes:
      - application/json
      description: writes the posted content in cache
+      parameters:
+      - description: Key to save to
+        in: path
+        name: key
+        required: true
+        type: string
      produces:
      - application/json
      responses:
-        "202": {}
+        "202":
+          description: Accepted
      summary: Save payload in cache
      tags:
      - HTTP API
@@ -141,6 +161,12 @@ paths:
      - application/json
      description: uses transfer-encoding type chunked to give a partial response
        and then waits for the specified period
+      parameters:
+      - description: seconds to wait for
+        in: path
+        name: seconds
+        required: true
+        type: integer
      produces:
      - application/json
      responses:
@@ -156,6 +182,12 @@ paths:
      consumes:
      - application/json
      description: waits for the specified period
+      parameters:
+      - description: seconds to wait for
+        in: path
+        name: seconds
+        required: true
+        type: integer
      produces:
      - application/json
      responses:
@@ -231,6 +263,7 @@ paths:
  /panic:
    get:
      description: crashes the process with exit code 255
+      responses: {}
      summary: Panic
      tags:
      - HTTP API
@@ -285,6 +318,12 @@ paths:
      consumes:
      - application/json
      description: sets the response status code to the specified code
+      parameters:
+      - description: status code to return
+        in: path
+        name: code
+        required: true
+        type: integer
      produces:
      - application/json
      responses:
@@ -316,6 +355,12 @@ paths:
      consumes:
      - application/json
      description: returns the content of the file /data/hash if exists
+      parameters:
+      - description: hash value
+        in: path
+        name: hash
+        required: true
+        type: string
      produces:
      - text/plain
      responses:
--- a/pkg/api/echo.go
+++ b/pkg/api/echo.go
@@ -4,11 +4,14 @@ import (
 	"bytes"
 	"context"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
+	"net/http/httptrace"
 	"sync"

 	"github.com/stefanprodan/podinfo/pkg/version"
+	"go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace"
+	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 	"go.uber.org/zap"
 )

@@ -21,13 +24,19 @@ import (
 // @Router /api/echo [post]
 // @Success 202 {object} api.MapResponse
 func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
-	body, err := ioutil.ReadAll(r.Body)
+	ctx, span := s.tracer.Start(r.Context(), "echoHandler")
+	defer span.End()
+
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		s.logger.Error("reading the request body failed", zap.Error(err))
-		s.ErrorResponse(w, r, "invalid request body", http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, "invalid request body", http.StatusBadRequest)
 		return
 	}
 	defer r.Body.Close()
+
+	client := http.Client{Transport: otelhttp.NewTransport(http.DefaultTransport)}
+
 	if len(s.config.BackendURL) > 0 {
 		result := make([]string, len(s.config.BackendURL))
 		var wg sync.WaitGroup
@@ -35,7 +44,12 @@ func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
 		for i, b := range s.config.BackendURL {
 			go func(index int, backend string) {
 				defer wg.Done()
-				backendReq, err := http.NewRequest("POST", backend, bytes.NewReader(body))
+
+				ctx = httptrace.WithClientTrace(ctx, otelhttptrace.NewClientTrace(ctx))
+				ctx, cancel := context.WithTimeout(ctx, s.config.HttpClientTimeout)
+				defer cancel()
+
+				backendReq, err := http.NewRequestWithContext(ctx, "POST", backend, bytes.NewReader(body))
 				if err != nil {
 					s.logger.Error("backend call failed", zap.Error(err), zap.String("url", backend))
 					return
@@ -47,11 +61,8 @@ func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
 				backendReq.Header.Set("X-API-Version", version.VERSION)
 				backendReq.Header.Set("X-API-Revision", version.REVISION)

-				ctx, cancel := context.WithTimeout(backendReq.Context(), s.config.HttpClientTimeout)
-				defer cancel()
-
 				// call backend
-				resp, err := http.DefaultClient.Do(backendReq.WithContext(ctx))
+				resp, err := client.Do(backendReq)
 				if err != nil {
 					s.logger.Error("backend call failed", zap.Error(err), zap.String("url", backend))
 					result[index] = fmt.Sprintf("backend %v call failed %v", backend, err)
@@ -67,7 +78,7 @@ func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
 				}

 				// forward the received body
-				rbody, err := ioutil.ReadAll(resp.Body)
+				rbody, err := io.ReadAll(resp.Body)
 				if err != nil {
 					s.logger.Error(
 						"reading the backend request body failed",
@@ -96,3 +107,22 @@ func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
 		w.Write(body)
 	}
 }
+
+func copyTracingHeaders(from *http.Request, to *http.Request) {
+	headers := []string{
+		"x-request-id",
+		"x-b3-traceid",
+		"x-b3-spanid",
+		"x-b3-parentspanid",
+		"x-b3-sampled",
+		"x-b3-flags",
+		"x-ot-span-context",
+	}
+
+	for i := range headers {
+		headerValue := from.Header.Get(headers[i])
+		if len(headerValue) > 0 {
+			to.Header.Set(headers[i], headerValue)
+		}
+	}
+}
--- a/pkg/api/env.go
+++ b/pkg/api/env.go
@@ -15,5 +15,7 @@ import (
 // @Router /env [get]
 // @Success 200 {object} api.ArrayResponse
 func (s *Server) envHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "envHandler")
+	defer span.End()
 	s.JSONResponse(w, r, os.Environ())
 }
--- a/pkg/api/headers.go
+++ b/pkg/api/headers.go
@@ -13,5 +13,7 @@ import (
 // @Router /headers [get]
 // @Success 200 {object} api.ArrayResponse
 func (s *Server) echoHeadersHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "echoHeadersHandler")
+	defer span.End()
 	s.JSONResponse(w, r, r.Header)
 }
--- a/pkg/api/http.go
+++ b/pkg/api/http.go
@@ -8,6 +8,8 @@ import (
 	"time"

 	"github.com/stefanprodan/podinfo/pkg/version"
+	"go.opentelemetry.io/otel/codes"
+	"go.opentelemetry.io/otel/trace"
 	"go.uber.org/zap"
 )

@@ -33,27 +35,6 @@ func versionMiddleware(next http.Handler) http.Handler {
 	})
 }

-// TODO: use Istio tracing package
-// https://github.com/istio/istio/blob/master/pkg/tracing/config.go
-func copyTracingHeaders(from *http.Request, to *http.Request) {
-	headers := []string{
-		"x-request-id",
-		"x-b3-traceid",
-		"x-b3-spanid",
-		"x-b3-parentspanid",
-		"x-b3-sampled",
-		"x-b3-flags",
-		"x-ot-span-context",
-	}
-
-	for i := range headers {
-		headerValue := from.Header.Get(headers[i])
-		if len(headerValue) > 0 {
-			to.Header.Set(headers[i], headerValue)
-		}
-	}
-}
-
 func (s *Server) JSONResponse(w http.ResponseWriter, r *http.Request, result interface{}) {
 	body, err := json.Marshal(result)
 	if err != nil {
@@ -82,7 +63,7 @@ func (s *Server) JSONResponseCode(w http.ResponseWriter, r *http.Request, result
 	w.Write(prettyJSON(body))
 }

-func (s *Server) ErrorResponse(w http.ResponseWriter, r *http.Request, error string, code int) {
+func (s *Server) ErrorResponse(w http.ResponseWriter, r *http.Request, span trace.Span, error string, code int) {
 	data := struct {
 		Code    int    `json:"code"`
 		Message string `json:"message"`
@@ -91,6 +72,8 @@ func (s *Server) ErrorResponse(w http.ResponseWriter, r *http.Request, error str
 		Message: error,
 	}

+	span.SetStatus(codes.Error, error)
+
 	body, err := json.Marshal(data)
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
--- a/pkg/api/index.go
+++ b/pkg/api/index.go
@@ -14,6 +14,9 @@ import (
 // @Router / [get]
 // @Success 200 {string} string "OK"
 func (s *Server) indexHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "indexHandler")
+	defer span.End()
+
 	tmpl, err := template.New("vue.html").ParseFiles(path.Join(s.config.UIPath, "vue.html"))
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
--- a/pkg/api/info.go
+++ b/pkg/api/info.go
@@ -18,6 +18,9 @@ import (
 // @Success 200 {object} api.RuntimeResponse
 // @Router /api/info [get]
 func (s *Server) infoHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "infoHandler")
+	defer span.End()
+
 	data := RuntimeResponse{
 		Hostname:     s.config.Hostname,
 		Version:      version.VERSION,
--- a/pkg/api/mock.go
+++ b/pkg/api/mock.go
@@ -3,23 +3,25 @@ package api
 import (
 	"time"

+	"go.opentelemetry.io/otel/trace"
+
 	"github.com/gorilla/mux"
 	"go.uber.org/zap"
 )

 func NewMockServer() *Server {
 	config := &Config{
-		Port:                      "9898",
-		HttpServerShutdownTimeout: 5 * time.Second,
-		HttpServerTimeout:         30 * time.Second,
-		BackendURL:                []string{},
-		ConfigPath:                "/config",
-		DataPath:                  "/data",
-		HttpClientTimeout:         30 * time.Second,
-		UIColor:                   "blue",
-		UIPath:                    ".ui",
-		UIMessage:                 "Greetings",
-		Hostname:                  "localhost",
+		Port:                  "9898",
+		ServerShutdownTimeout: 5 * time.Second,
+		HttpServerTimeout:     30 * time.Second,
+		BackendURL:            []string{},
+		ConfigPath:            "/config",
+		DataPath:              "/data",
+		HttpClientTimeout:     30 * time.Second,
+		UIColor:               "blue",
+		UIPath:                ".ui",
+		UIMessage:             "Greetings",
+		Hostname:              "localhost",
 	}

 	logger, _ := zap.NewDevelopment()
@@ -28,5 +30,6 @@ func NewMockServer() *Server {
 		router: mux.NewRouter(),
 		logger: logger,
 		config: config,
+		tracer: trace.NewNoopTracerProvider().Tracer("mock"),
 	}
 }
--- a/pkg/api/panic.go
+++ b/pkg/api/panic.go
@@ -2,6 +2,7 @@ package api

 import (
 	"net/http"
+	"os"
 )

 // Panic godoc
@@ -10,5 +11,6 @@ import (
 // @Tags HTTP API
 // @Router /panic [get]
 func (s *Server) panicHandler(w http.ResponseWriter, r *http.Request) {
-	s.logger.Panic("Panic command received")
+	s.logger.Info("Panic command received")
+	os.Exit(255)
 }
--- a/pkg/api/server.go
+++ b/pkg/api/server.go
@@ -14,11 +14,12 @@ import (
 	"github.com/gomodule/redigo/redis"
 	"github.com/gorilla/mux"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"github.com/spf13/viper"
 	_ "github.com/stefanprodan/podinfo/pkg/api/docs"
 	"github.com/stefanprodan/podinfo/pkg/fscache"
 	httpSwagger "github.com/swaggo/http-swagger"
 	"github.com/swaggo/swag"
+	sdktrace "go.opentelemetry.io/otel/sdk/trace"
+	"go.opentelemetry.io/otel/trace"
 	"go.uber.org/zap"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
@@ -45,39 +46,42 @@ var (
 )

 type Config struct {
-	HttpClientTimeout         time.Duration `mapstructure:"http-client-timeout"`
-	HttpServerTimeout         time.Duration `mapstructure:"http-server-timeout"`
-	HttpServerShutdownTimeout time.Duration `mapstructure:"http-server-shutdown-timeout"`
-	BackendURL                []string      `mapstructure:"backend-url"`
-	UILogo                    string        `mapstructure:"ui-logo"`
-	UIMessage                 string        `mapstructure:"ui-message"`
-	UIColor                   string        `mapstructure:"ui-color"`
-	UIPath                    string        `mapstructure:"ui-path"`
-	DataPath                  string        `mapstructure:"data-path"`
-	ConfigPath                string        `mapstructure:"config-path"`
-	CertPath                  string        `mapstructure:"cert-path"`
-	Port                      string        `mapstructure:"port"`
-	SecurePort                string        `mapstructure:"secure-port"`
-	PortMetrics               int           `mapstructure:"port-metrics"`
-	Hostname                  string        `mapstructure:"hostname"`
-	H2C                       bool          `mapstructure:"h2c"`
-	RandomDelay               bool          `mapstructure:"random-delay"`
-	RandomDelayUnit           string        `mapstructure:"random-delay-unit"`
-	RandomDelayMin            int           `mapstructure:"random-delay-min"`
-	RandomDelayMax            int           `mapstructure:"random-delay-max"`
-	RandomError               bool          `mapstructure:"random-error"`
-	Unhealthy                 bool          `mapstructure:"unhealthy"`
-	Unready                   bool          `mapstructure:"unready"`
-	JWTSecret                 string        `mapstructure:"jwt-secret"`
-	CacheServer               string        `mapstructure:"cache-server"`
+	HttpClientTimeout     time.Duration `mapstructure:"http-client-timeout"`
+	HttpServerTimeout     time.Duration `mapstructure:"http-server-timeout"`
+	ServerShutdownTimeout time.Duration `mapstructure:"server-shutdown-timeout"`
+	BackendURL            []string      `mapstructure:"backend-url"`
+	UILogo                string        `mapstructure:"ui-logo"`
+	UIMessage             string        `mapstructure:"ui-message"`
+	UIColor               string        `mapstructure:"ui-color"`
+	UIPath                string        `mapstructure:"ui-path"`
+	DataPath              string        `mapstructure:"data-path"`
+	ConfigPath            string        `mapstructure:"config-path"`
+	CertPath              string        `mapstructure:"cert-path"`
+	Host                  string        `mapstructure:"host"`
+	Port                  string        `mapstructure:"port"`
+	SecurePort            string        `mapstructure:"secure-port"`
+	PortMetrics           int           `mapstructure:"port-metrics"`
+	Hostname              string        `mapstructure:"hostname"`
+	H2C                   bool          `mapstructure:"h2c"`
+	RandomDelay           bool          `mapstructure:"random-delay"`
+	RandomDelayUnit       string        `mapstructure:"random-delay-unit"`
+	RandomDelayMin        int           `mapstructure:"random-delay-min"`
+	RandomDelayMax        int           `mapstructure:"random-delay-max"`
+	RandomError           bool          `mapstructure:"random-error"`
+	Unhealthy             bool          `mapstructure:"unhealthy"`
+	Unready               bool          `mapstructure:"unready"`
+	JWTSecret             string        `mapstructure:"jwt-secret"`
+	CacheServer           string        `mapstructure:"cache-server"`
 }

 type Server struct {
-	router  *mux.Router
-	logger  *zap.Logger
-	config  *Config
-	pool    *redis.Pool
-	handler http.Handler
+	router         *mux.Router
+	logger         *zap.Logger
+	config         *Config
+	pool           *redis.Pool
+	handler        http.Handler
+	tracer         trace.Tracer
+	tracerProvider *sdktrace.TracerProvider
 }

 func NewServer(config *Config, logger *zap.Logger) (*Server, error) {
@@ -122,9 +126,6 @@ func (s *Server) registerHandlers() {
 	s.router.PathPrefix("/swagger/").Handler(httpSwagger.Handler(
 		httpSwagger.URL("/swagger/doc.json"),
 	))
-	s.router.PathPrefix("/swagger/").Handler(httpSwagger.Handler(
-		httpSwagger.URL("/swagger/doc.json"),
-	))
 	s.router.HandleFunc("/swagger.json", func(w http.ResponseWriter, r *http.Request) {
 		doc, err := swag.ReadDoc()
 		if err != nil {
@@ -137,6 +138,8 @@ func (s *Server) registerHandlers() {
 func (s *Server) registerMiddlewares() {
 	prom := NewPrometheusMiddleware()
 	s.router.Use(prom.Handler)
+	otel := NewOpenTelemetryMiddleware()
+	s.router.Use(otel)
 	httpLogger := NewLoggingMiddleware(s.logger)
 	s.router.Use(httpLogger.Handler)
 	s.router.Use(versionMiddleware)
@@ -149,9 +152,12 @@ func (s *Server) registerMiddlewares() {
 	}
 }

-func (s *Server) ListenAndServe(stopCh <-chan struct{}) {
+func (s *Server) ListenAndServe() (*http.Server, *http.Server, *int32, *int32) {
+	ctx := context.Background()
+
 	go s.startMetricsServer()

+	s.initTracer(ctx)
 	s.registerHandlers()
 	s.registerMiddlewares()

@@ -176,7 +182,7 @@ func (s *Server) ListenAndServe(stopCh <-chan struct{}) {

 	// start redis connection pool
 	ticker := time.NewTicker(30 * time.Second)
-	s.startCachePool(ticker, stopCh)
+	s.startCachePool(ticker)

 	// create the http server
 	srv := s.startServer()
@@ -192,41 +198,7 @@ func (s *Server) ListenAndServe(stopCh <-chan struct{}) {
 		atomic.StoreInt32(&ready, 1)
 	}

-	// wait for SIGTERM or SIGINT
-	<-stopCh
-	ctx, cancel := context.WithTimeout(context.Background(), s.config.HttpServerShutdownTimeout)
-	defer cancel()
-
-	// all calls to /healthz and /readyz will fail from now on
-	atomic.StoreInt32(&healthy, 0)
-	atomic.StoreInt32(&ready, 0)
-
-	// close cache pool
-	if s.pool != nil {
-		_ = s.pool.Close()
-	}
-
-	s.logger.Info("Shutting down HTTP/HTTPS server", zap.Duration("timeout", s.config.HttpServerShutdownTimeout))
-
-	// wait for Kubernetes readiness probe to remove this instance from the load balancer
-	// the readiness check interval must be lower than the timeout
-	if viper.GetString("level") != "debug" {
-		time.Sleep(3 * time.Second)
-	}
-
-	// determine if the http server was started
-	if srv != nil {
-		if err := srv.Shutdown(ctx); err != nil {
-			s.logger.Warn("HTTP server graceful shutdown failed", zap.Error(err))
-		}
-	}
-
-	// determine if the secure server was started
-	if secureSrv != nil {
-		if err := secureSrv.Shutdown(ctx); err != nil {
-			s.logger.Warn("HTTPS server graceful shutdown failed", zap.Error(err))
-		}
-	}
+	return srv, secureSrv, &healthy, &ready
 }

 func (s *Server) startServer() *http.Server {
@@ -239,7 +211,7 @@ func (s *Server) startServer() *http.Server {
 	}

 	srv := &http.Server{
-		Addr:         ":" + s.config.Port,
+		Addr:         s.config.Host + ":" + s.config.Port,
 		WriteTimeout: s.config.HttpServerTimeout,
 		ReadTimeout:  s.config.HttpServerTimeout,
 		IdleTimeout:  2 * s.config.HttpServerTimeout,
@@ -248,6 +220,7 @@ func (s *Server) startServer() *http.Server {

 	// start the server in the background
 	go func() {
+		s.logger.Info("Starting HTTP Server.", zap.String("addr", srv.Addr))
 		if err := srv.ListenAndServe(); err != http.ErrServerClosed {
 			s.logger.Fatal("HTTP server crashed", zap.Error(err))
 		}
@@ -267,7 +240,7 @@ func (s *Server) startSecureServer() *http.Server {
 	}

 	srv := &http.Server{
-		Addr:         ":" + s.config.SecurePort,
+		Addr:         s.config.Host + ":" + s.config.SecurePort,
 		WriteTimeout: s.config.HttpServerTimeout,
 		ReadTimeout:  s.config.HttpServerTimeout,
 		IdleTimeout:  2 * s.config.HttpServerTimeout,
@@ -279,6 +252,7 @@ func (s *Server) startSecureServer() *http.Server {

 	// start the server in the background
 	go func() {
+		s.logger.Info("Starting HTTPS Server.", zap.String("addr", srv.Addr))
 		if err := srv.ListenAndServeTLS(cert, key); err != http.ErrServerClosed {
 			s.logger.Fatal("HTTPS server crashed", zap.Error(err))
 		}
--- a/pkg/api/status.go
+++ b/pkg/api/status.go
@@ -14,14 +14,18 @@ import (
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param code path int true "status code to return"
 // @Router /status/{code} [get]
 // @Success 200 {object} api.MapResponse
 func (s *Server) statusHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "statusHandler")
+	defer span.End()
+
 	vars := mux.Vars(r)

 	code, err := strconv.Atoi(vars["code"])
 	if err != nil {
-		s.ErrorResponse(w, r, err.Error(), http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, err.Error(), http.StatusBadRequest)
 		return
 	}

--- a/pkg/api/store.go
+++ b/pkg/api/store.go
@@ -3,8 +3,9 @@ package api
 import (
 	"crypto/sha1"
 	"encoding/hex"
-	"io/ioutil"
+	"io"
 	"net/http"
+	"os"
 	"path"

 	"github.com/gorilla/mux"
@@ -20,18 +21,20 @@ import (
 // @Router /store [post]
 // @Success 200 {object} api.MapResponse
 func (s *Server) storeWriteHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "storeWriteHandler")
+	defer span.End()

-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
-		s.ErrorResponse(w, r, "reading the request body failed", http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, "reading the request body failed", http.StatusBadRequest)
 		return
 	}

 	hash := hash(string(body))
-	err = ioutil.WriteFile(path.Join(s.config.DataPath, hash), body, 0644)
+	err = os.WriteFile(path.Join(s.config.DataPath, hash), body, 0644)
 	if err != nil {
 		s.logger.Warn("writing file failed", zap.Error(err), zap.String("file", path.Join(s.config.DataPath, hash)))
-		s.ErrorResponse(w, r, "writing file failed", http.StatusInternalServerError)
+		s.ErrorResponse(w, r, span, "writing file failed", http.StatusInternalServerError)
 		return
 	}
 	s.JSONResponseCode(w, r, map[string]string{"hash": hash}, http.StatusAccepted)
@@ -43,14 +46,18 @@ func (s *Server) storeWriteHandler(w http.ResponseWriter, r *http.Request) {
 // @Tags HTTP API
 // @Accept json
 // @Produce plain
+// @Param hash path string true "hash value"
 // @Router /store/{hash} [get]
 // @Success 200 {string} string "file"
 func (s *Server) storeReadHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "storeReadHandler")
+	defer span.End()
+
 	hash := mux.Vars(r)["hash"]
-	content, err := ioutil.ReadFile(path.Join(s.config.DataPath, hash))
+	content, err := os.ReadFile(path.Join(s.config.DataPath, hash))
 	if err != nil {
 		s.logger.Warn("reading file failed", zap.Error(err), zap.String("file", path.Join(s.config.DataPath, hash)))
-		s.ErrorResponse(w, r, "reading file failed", http.StatusInternalServerError)
+		s.ErrorResponse(w, r, span, "reading file failed", http.StatusInternalServerError)
 		return
 	}
 	w.WriteHeader(http.StatusAccepted)
--- a/pkg/api/token.go
+++ b/pkg/api/token.go
@@ -2,13 +2,12 @@ package api

 import (
 	"fmt"
+	"io"
 	"net/http"
 	"strings"
 	"time"

-	"io/ioutil"
-
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt/v4"
 	"go.uber.org/zap"
 )

@@ -26,10 +25,13 @@ type jwtCustomClaims struct {
 // @Router /token [post]
 // @Success 200 {object} api.TokenResponse
 func (s *Server) tokenGenerateHandler(w http.ResponseWriter, r *http.Request) {
-	body, err := ioutil.ReadAll(r.Body)
+	_, span := s.tracer.Start(r.Context(), "tokenGenerateHandler")
+	defer span.End()
+
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		s.logger.Error("reading the request body failed", zap.Error(err))
-		s.ErrorResponse(w, r, "invalid request body", http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, "invalid request body", http.StatusBadRequest)
 		return
 	}
 	defer r.Body.Close()
@@ -39,18 +41,19 @@ func (s *Server) tokenGenerateHandler(w http.ResponseWriter, r *http.Request) {
 		user = string(body)
 	}

+	expiresAt := time.Now().Add(time.Minute * 1)
 	claims := &jwtCustomClaims{
 		user,
 		jwt.StandardClaims{
 			Issuer:    "podinfo",
-			ExpiresAt: time.Now().Add(time.Minute * 1).Unix(),
+			ExpiresAt: expiresAt.Unix(),
 		},
 	}

 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	t, err := token.SignedString([]byte(s.config.JWTSecret))
 	if err != nil {
-		s.ErrorResponse(w, r, err.Error(), http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, err.Error(), http.StatusBadRequest)
 		return
 	}

@@ -74,14 +77,17 @@ func (s *Server) tokenGenerateHandler(w http.ResponseWriter, r *http.Request) {
 // Get: JWT=$(curl -s -d 'test' localhost:9898/token | jq -r .token)
 // Post: curl -H "Authorization: Bearer ${JWT}" localhost:9898/token/validate
 func (s *Server) tokenValidateHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "tokenValidateHandler")
+	defer span.End()
+
 	authorizationHeader := r.Header.Get("authorization")
 	if authorizationHeader == "" {
-		s.ErrorResponse(w, r, "authorization bearer header required", http.StatusUnauthorized)
+		s.ErrorResponse(w, r, span, "authorization bearer header required", http.StatusUnauthorized)
 		return
 	}
 	bearerToken := strings.Split(authorizationHeader, " ")
 	if len(bearerToken) != 2 || strings.ToLower(bearerToken[0]) != "bearer" {
-		s.ErrorResponse(w, r, "authorization bearer header required", http.StatusUnauthorized)
+		s.ErrorResponse(w, r, span, "authorization bearer header required", http.StatusUnauthorized)
 		return
 	}

@@ -93,13 +99,13 @@ func (s *Server) tokenValidateHandler(w http.ResponseWriter, r *http.Request) {
 		return []byte(s.config.JWTSecret), nil
 	})
 	if err != nil {
-		s.ErrorResponse(w, r, err.Error(), http.StatusUnauthorized)
+		s.ErrorResponse(w, r, span, err.Error(), http.StatusUnauthorized)
 		return
 	}

 	if token.Valid {
 		if claims.StandardClaims.Issuer != "podinfo" {
-			s.ErrorResponse(w, r, "invalid issuer", http.StatusUnauthorized)
+			s.ErrorResponse(w, r, span, "invalid issuer", http.StatusUnauthorized)
 		} else {
 			var result = TokenValidationResponse{
 				TokenName: claims.Name,
@@ -108,7 +114,7 @@ func (s *Server) tokenValidateHandler(w http.ResponseWriter, r *http.Request) {
 			s.JSONResponse(w, r, result)
 		}
 	} else {
-		s.ErrorResponse(w, r, "Invalid authorization token", http.StatusUnauthorized)
+		s.ErrorResponse(w, r, span, "Invalid authorization token", http.StatusUnauthorized)
 	}
 }

--- a/pkg/api/token_test.go
+++ b/pkg/api/token_test.go
@@ -0,0 +1,36 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestTokenHandler(t *testing.T) {
+	req, err := http.NewRequest("POST", "/token", strings.NewReader("test-user"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	rr := httptest.NewRecorder()
+	srv := NewMockServer()
+	handler := http.HandlerFunc(srv.tokenGenerateHandler)
+
+	handler.ServeHTTP(rr, req)
+
+	// Check the status code is what we expect.
+	if status := rr.Code; status != http.StatusOK {
+		t.Errorf("handler returned wrong status code: got %v want %v",
+			status, http.StatusOK)
+	}
+
+	var token TokenResponse
+	if err := json.Unmarshal(rr.Body.Bytes(), &token); err != nil {
+		t.Fatal(err)
+	}
+	if token.Token == "" {
+		t.Error("handler returned no token")
+	}
+}
--- a/pkg/api/tracer.go
+++ b/pkg/api/tracer.go
@@ -0,0 +1,70 @@
+package api
+
+import (
+	"context"
+
+	"github.com/gorilla/mux"
+	"github.com/spf13/viper"
+	"github.com/stefanprodan/podinfo/pkg/version"
+	"go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux"
+	"go.opentelemetry.io/contrib/propagators/aws/xray"
+	"go.opentelemetry.io/contrib/propagators/b3"
+	"go.opentelemetry.io/contrib/propagators/jaeger"
+	"go.opentelemetry.io/contrib/propagators/ot"
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/exporters/otlp/otlptrace"
+	"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"
+	"go.opentelemetry.io/otel/propagation"
+	"go.opentelemetry.io/otel/sdk/resource"
+	sdktrace "go.opentelemetry.io/otel/sdk/trace"
+	semconv "go.opentelemetry.io/otel/semconv/v1.7.0"
+	"go.opentelemetry.io/otel/trace"
+	"go.uber.org/zap"
+)
+
+const (
+	instrumentationName = "github.com/stefanprodan/podinfo/pkg/api"
+)
+
+func (s *Server) initTracer(ctx context.Context) {
+	if viper.GetString("otel-service-name") == "" {
+		nop := trace.NewNoopTracerProvider()
+		s.tracer = nop.Tracer(viper.GetString("otel-service-name"))
+		return
+	}
+
+	client := otlptracegrpc.NewClient()
+	exporter, err := otlptrace.New(ctx, client)
+	if err != nil {
+		s.logger.Error("creating OTLP trace exporter", zap.Error(err))
+	}
+
+	s.tracerProvider = sdktrace.NewTracerProvider(
+		sdktrace.WithBatcher(exporter),
+		sdktrace.WithResource(resource.NewWithAttributes(
+			semconv.SchemaURL,
+			semconv.ServiceNameKey.String(viper.GetString("otel-service-name")),
+			semconv.ServiceVersionKey.String(version.VERSION),
+		)),
+	)
+
+	otel.SetTracerProvider(s.tracerProvider)
+	otel.SetTextMapPropagator(propagation.NewCompositeTextMapPropagator(
+		propagation.TraceContext{},
+		propagation.Baggage{},
+		b3.New(),
+		&jaeger.Jaeger{},
+		&ot.OT{},
+		&xray.Propagator{},
+	))
+
+	s.tracer = s.tracerProvider.Tracer(
+		instrumentationName,
+		trace.WithInstrumentationVersion(version.VERSION),
+		trace.WithSchemaURL(semconv.SchemaURL),
+	)
+}
+
+func NewOpenTelemetryMiddleware() mux.MiddlewareFunc {
+	return otelmux.Middleware(viper.GetString("otel-service-name"))
+}
--- a/pkg/fscache/fscache.go
+++ b/pkg/fscache/fscache.go
@@ -2,8 +2,8 @@ package fscache

 import (
 	"errors"
-	"io/ioutil"
 	"log"
+	"os"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -77,7 +77,7 @@ func (w *Watcher) Watch() {
 // updateCache reads files content and loads them into the cache
 func (w *Watcher) updateCache() error {
 	fileMap := make(map[string]string)
-	files, err := ioutil.ReadDir(w.dir)
+	files, err := os.ReadDir(w.dir)
 	if err != nil {
 		return err
 	}
@@ -86,7 +86,7 @@ func (w *Watcher) updateCache() error {
 	for _, file := range files {
 		name := filepath.Base(file.Name())
 		if !file.IsDir() && !strings.Contains(name, "..") {
-			b, err := ioutil.ReadFile(filepath.Join(w.dir, file.Name()))
+			b, err := os.ReadFile(filepath.Join(w.dir, file.Name()))
 			if err != nil {
 				return err
 			}
--- a/pkg/grpc/server.go
+++ b/pkg/grpc/server.go
@@ -30,7 +30,7 @@ func NewServer(config *Config, logger *zap.Logger) (*Server, error) {
 	return srv, nil
 }

-func (s *Server) ListenAndServe() {
+func (s *Server) ListenAndServe() *grpc.Server {
 	listener, err := net.Listen("tcp", fmt.Sprintf(":%v", s.config.Port))
 	if err != nil {
 		s.logger.Fatal("failed to listen", zap.Int("port", s.config.Port))
@@ -42,7 +42,11 @@ func (s *Server) ListenAndServe() {
 	grpc_health_v1.RegisterHealthServer(srv, server)
 	server.SetServingStatus(s.config.ServiceName, grpc_health_v1.HealthCheckResponse_SERVING)

-	if err := srv.Serve(listener); err != nil {
-		s.logger.Fatal("failed to serve", zap.Error(err))
-	}
+	go func() {
+		if err := srv.Serve(listener); err != nil {
+			s.logger.Fatal("failed to serve", zap.Error(err))
+		}
+	}()
+
+	return srv
 }
--- a/pkg/signals/shutdown.go
+++ b/pkg/signals/shutdown.go
@@ -0,0 +1,83 @@
+package signals
+
+import (
+	"context"
+	"net/http"
+	"sync/atomic"
+	"time"
+
+	"github.com/gomodule/redigo/redis"
+	"github.com/spf13/viper"
+	sdktrace "go.opentelemetry.io/otel/sdk/trace"
+	"go.uber.org/zap"
+	"google.golang.org/grpc"
+)
+
+type Shutdown struct {
+	logger                *zap.Logger
+	pool                  *redis.Pool
+	tracerProvider        *sdktrace.TracerProvider
+	serverShutdownTimeout time.Duration
+}
+
+func NewShutdown(serverShutdownTimeout time.Duration, logger *zap.Logger) (*Shutdown, error) {
+	srv := &Shutdown{
+		logger:                logger,
+		serverShutdownTimeout: serverShutdownTimeout,
+	}
+
+	return srv, nil
+}
+
+func (s *Shutdown) Graceful(stopCh <-chan struct{}, httpServer *http.Server, httpsServer *http.Server, grpcServer *grpc.Server, healthy *int32, ready *int32) {
+	ctx := context.Background()
+
+	// wait for SIGTERM or SIGINT
+	<-stopCh
+	ctx, cancel := context.WithTimeout(ctx, s.serverShutdownTimeout)
+	defer cancel()
+
+	// all calls to /healthz and /readyz will fail from now on
+	atomic.StoreInt32(healthy, 0)
+	atomic.StoreInt32(ready, 0)
+
+	// close cache pool
+	if s.pool != nil {
+		_ = s.pool.Close()
+	}
+
+	s.logger.Info("Shutting down HTTP/HTTPS server", zap.Duration("timeout", s.serverShutdownTimeout))
+
+	// wait for Kubernetes readiness probe to remove this instance from the load balancer
+	// the readiness check interval must be lower than the timeout
+	if viper.GetString("level") != "debug" {
+		time.Sleep(3 * time.Second)
+	}
+
+	// stop OpenTelemetry tracer provider
+	if s.tracerProvider != nil {
+		if err := s.tracerProvider.Shutdown(ctx); err != nil {
+			s.logger.Warn("stopping tracer provider", zap.Error(err))
+		}
+	}
+
+	// determine if the GRPC was started
+	if grpcServer != nil {
+		s.logger.Info("Shutting down GRPC server", zap.Duration("timeout", s.serverShutdownTimeout))
+		grpcServer.GracefulStop()
+	}
+
+	// determine if the http server was started
+	if httpServer != nil {
+		if err := httpServer.Shutdown(ctx); err != nil {
+			s.logger.Warn("HTTP server graceful shutdown failed", zap.Error(err))
+		}
+	}
+
+	// determine if the secure server was started
+	if httpsServer != nil {
+		if err := httpsServer.Shutdown(ctx); err != nil {
+			s.logger.Warn("HTTPS server graceful shutdown failed", zap.Error(err))
+		}
+	}
+}
--- a/pkg/signals/signal_posix.go
+++ b/pkg/signals/signal_posix.go
@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows

 package signals
@@ -7,4 +8,4 @@ import (
 	"syscall"
 )

-var shutdownSignals = []os.Signal{os.Interrupt, syscall.SIGTERM}
+var shutdownSignals = []os.Signal{os.Interrupt, syscall.SIGTERM, syscall.SIGINT}
--- a/pkg/version/version.go
+++ b/pkg/version/version.go
@@ -1,4 +1,4 @@
 package version

-var VERSION = "5.1.4"
+var VERSION = "6.3.2"
 var REVISION = "unknown"
--- a/test/deploy.sh
+++ b/test/deploy.sh
@@ -1,17 +1,12 @@
 #! /usr/bin/env sh

-# add jetstack repository
-helm repo add jetstack https://charts.jetstack.io || true
-
 # install cert-manager
-helm upgrade --install cert-manager jetstack/cert-manager \
-    --set installCRDs=true \
-    --namespace default
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml

 # wait for cert manager
-kubectl rollout status deployment/cert-manager --timeout=2m
-kubectl rollout status deployment/cert-manager-webhook --timeout=2m
-kubectl rollout status deployment/cert-manager-cainjector --timeout=2m
+kubectl -n cert-manager rollout status deployment/cert-manager --timeout=2m
+kubectl -n cert-manager rollout status deployment/cert-manager-webhook --timeout=2m
+kubectl -n cert-manager rollout status deployment/cert-manager-cainjector --timeout=2m

 # install self-signed certificate
 cat << 'EOF' | kubectl apply -f -
@@ -29,4 +24,6 @@ helm upgrade --install podinfo ./charts/podinfo \
    --set image.tag=latest \
    --set tls.enabled=true \
    --set certificate.create=true \
+    --set hpa.enabled=true \
+    --set hpa.cpu=95 \
    --namespace=default
				`@@ -0,0 +1 @@`
				`module: "github.com/stefanprodan/podinfo/cue"`