Merge pull request #310 from stefanprodan/release-6.5.2

Release 6.5.2

.cosign/README.md

@@ -0,0 +1,39 @@
+# Podinfo signed releases
+
+Podinfo deployment manifests are published to GitHub Container Registry as OCI artifacts
+and are signed using [cosign](https://github.com/sigstore/cosign).
+
+## Verify the artifacts with cosign
+
+Install the [cosign](https://github.com/sigstore/cosign) CLI:
+
+```sh
+brew install sigstore/tap/cosign
+```
+
+Verify a podinfo release with cosign CLI:
+
+```sh
+cosign verify -key https://raw.githubusercontent.com/stefanprodan/podinfo/master/cosign/cosign.pub \
+ghcr.io/stefanprodan/podinfo-deploy:latest
+```
+
+## Download the artifacts with crane
+
+Install the [crane](https://github.com/google/go-containerregistry/tree/main/cmd/crane) CLI:
+
+```sh
+brew install crane
+```
+
+Download the podinfo deployment manifests with crane CLI:
+
+```console
+$ crane export ghcr.io/stefanprodan/podinfo-deploy:latest -| tar -xf - 
+
+$ ls -1
+deployment.yaml
+hpa.yaml
+kustomization.yaml
+service.yaml
+```

.cosign/cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEST+BqQ1XZhhVYx0YWQjdUJYIG5Lt
+iz2+UxRIqmKBqNmce2T+l45qyqOs99qfD7gLNGmkVZ4vtJ9bM7FxChFczg==
+-----END PUBLIC KEY-----

.gitattributes

@@ -0,0 +1 @@
+timoni/podinfo/cue.mod/** linguist-vendored

.github/actions/helm/action.yml

@@ -1,33 +0,0 @@
-name: Setup Helm CLI
-description: A GitHub Action for running Helm commands
-author: Stefan Prodan
-branding:
-  color: blue
-  icon: command
-inputs:
-  version:
-    description: "Helm version"
-    required: true
-runs:
-  using: composite
-  steps:
-    - name: "Download helm binary to tmp"
-      shell: bash
-      run: |
-        VERSION=${{ inputs.version }}
-        BIN_URL="https://get.helm.sh/helm-v${VERSION}-linux-amd64.tar.gz"
-        curl -sL ${BIN_URL} -o /tmp/helm.tar.gz
-        mkdir -p /tmp/helm
-        tar -C /tmp/helm/ -zxvf /tmp/helm.tar.gz
-    - name: "Add helm binary to /usr/local/bin"
-      shell: bash
-      run: |
-        sudo cp /tmp/helm/linux-amd64/helm /usr/local/bin
-    - name: "Cleanup tmp"
-      shell: bash
-      run: |
-        rm -rf /tmp/helm/ /tmp/helm.tar.gz
-    - name: "Verify correct installation of binary"
-      shell: bash
-      run: |
-        helm version

.github/actions/kubeconform/action.yml

@@ -0,0 +1,38 @@
+name: Setup kubeconform
+description: A GitHub Action for running kubeconform commands
+author: Stefan Prodan
+branding:
+  color: blue
+  icon: command
+inputs:
+  version:
+    description: "kubeconform version e.g. 0.5.0 (defaults to latest stable release)"
+    required: false
+  arch:
+    description: "arch can be amd64 or arm64"
+    required: true
+    default: "amd64"
+runs:
+  using: composite
+  steps:
+    - name: "Download binary to the GH runner cache"
+      shell: bash
+      run: |  
+        ARCH=${{ inputs.arch }}
+        VERSION=${{ inputs.version }}
+
+        if [ -z $VERSION ]; then
+          VERSION=$(curl https://api.github.com/repos/yannh/kubeconform/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
+        fi
+        
+        BIN_URL="https://github.com/yannh/kubeconform/releases/download/v${VERSION}/kubeconform-linux-${ARCH}.tar.gz"
+        BIN_DIR=$RUNNER_TOOL_CACHE/kubeconform/$VERSION/$ARCH
+        
+        if [[ ! -x "$BIN_DIR/kind" ]]; then
+          mkdir -p $BIN_DIR
+          cd $BIN_DIR
+          curl -sL $BIN_URL | tar xz
+          chmod +x kubeconform
+        fi
+        
+        echo "$BIN_DIR" >> "$GITHUB_PATH"

.github/policy/kubernetes.rego

@@ -1,51 +0,0 @@
-package kubernetes
-
-name = input.metadata.name
-
-kind = input.kind
-
-is_service {
-	input.kind = "Service"
-}
-
-is_deployment {
-	input.kind = "Deployment"
-}
-
-is_pod {
-	input.kind = "Pod"
-}
-
-split_image(image) = [image, "latest"] {
-	not contains(image, ":")
-}
-
-split_image(image) = [image_name, tag] {
-	[image_name, tag] = split(image, ":")
-}
-
-pod_containers(pod) = all_containers {
-	keys = {"containers", "initContainers"}
-	all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
-	pods[pod]
-	all_containers = pod_containers(pod)
-	container = all_containers[_]
-}
-
-containers[container] {
-	all_containers = pod_containers(input)
-	container = all_containers[_]
-}
-
-pods[pod] {
-	is_deployment
-	pod = input.spec.template
-}
-
-pods[pod] {
-	is_pod
-	pod = input
-}

.github/policy/rules.rego

@@ -1,43 +0,0 @@
-package main
-
-import data.kubernetes
-
-name = input.metadata.name
-
-# Deny containers with latest image tag
-deny[msg] {
-	kubernetes.containers[container]
-	[image_name, "latest"] = kubernetes.split_image(container.image)
-	msg = sprintf("%s in the %s %s has an image %s, using the latest tag", [container.name, kubernetes.kind, kubernetes.name, image_name])
-}
-
-# Deny services without app label selector
-service_labels {
-  input.spec.selector["app"]
-}
-deny[msg] {
-  kubernetes.is_service
-  not service_labels
-  msg = sprintf("Service %s should set app label selector", [name])
-}
-
-# Deny deployments without app label selector
-match_labels {
-  input.spec.selector.matchLabels["app"]
-}
-deny[msg] {
-  kubernetes.is_deployment
-  not match_labels
-  msg = sprintf("Service %s should set app label selector", [name])
-}
-
-# Warn if deployments have no prometheus pod annotations
-annotations {
-  input.spec.template.metadata.annotations["prometheus.io/scrape"]
-  input.spec.template.metadata.annotations["prometheus.io/port"]
-}
-warn[msg] {
-  kubernetes.is_deployment
-  not annotations
-  msg = sprintf("Deployment %s should set prometheus.io/scrape and prometheus.io/port pod annotations", [name])
-}

.github/workflows/cve-scan.yml

@@ -5,19 +5,27 @@ on:
     branches:
       - 'master'
 
+permissions:
+  contents: read
+
 jobs:
   trivy:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Build image
         id: build
         run: |
           IMAGE=test/podinfo:${GITHUB_SHA}
           docker build -t ${IMAGE} .
           echo "::set-output name=image::$IMAGE"
-      - name: Scan image
-        uses: docker://docker.io/aquasec/trivy:latest
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
         with:
-          args: --cache-dir /var/lib/trivy --no-progress --exit-code 1 --severity MEDIUM,HIGH,CRITICAL ${{ steps.build.outputs.image }}
+          image-ref: ${{ steps.build.outputs.image }}
+          format: table
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: os,library
+          severity: CRITICAL,HIGH

.github/workflows/e2e.yml

@@ -6,26 +6,28 @@ on:
     branches:
       - 'master'
 
+permissions:
+  contents: read
+
 jobs:
   kind-helm:
-    strategy:
-      matrix:
-        helm-version:
-          - 3.5.3
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Setup Kubernetes
-        uses: engineerd/setup-kind@v0.5.0
+        uses: helm/kind-action@v1.8.0
+        with:
+          version: v0.20.0
+          cluster_name: kind
       - name: Build container image
         run: |
           ./test/build.sh
           kind load docker-image test/podinfo:latest
       - name: Setup Helm
-        uses: ./.github/actions/helm
+        uses: azure/setup-helm@v3
         with:
-          version: ${{ matrix.helm-version }}
+          version: v3.12.3
       - name: Deploy
         run: ./test/deploy.sh
       - name: Run integration tests
@@ -34,3 +36,42 @@ jobs:
         if: failure()
         run: |
           kubectl logs -l app=podinfo || true
+  kind-timoni:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    env:
+      PODINFO_IMAGE_URL: "test/podinfo"
+      PODINFO_MODULE_URL: "oci://localhost:5000/podinfo"
+      PODINFO_VERSION: "0.0.0-devel"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Timoni
+        uses: stefanprodan/timoni/actions/setup@main
+      - name: Setup Kubernetes
+        uses: helm/kind-action@v1.8.0
+        with:
+          version: v0.20.0
+          cluster_name: kind
+      - name: Build container
+        run: |
+          docker build -t ${PODINFO_IMAGE_URL}:${PODINFO_VERSION} --build-arg "REVISION=${GITHUB_SHA}"  -f Dockerfile.xx .
+          kind load docker-image ${PODINFO_IMAGE_URL}:${PODINFO_VERSION}
+      - name: Build module
+        run: |
+          timoni mod push ./timoni/podinfo ${PODINFO_MODULE_URL} -v ${PODINFO_VERSION}
+      - name: Apply bundle
+        run: |
+          timoni bundle apply -f ./timoni/bundles/test.podinfo.cue --runtime-from-env
+      - name: Verify status
+        run: |
+          timoni -n podinfo status backend
+          timoni -n podinfo status frontend
+      - name: Debug failure
+        if: failure()
+        run: |
+          kubectl -n podinfo get all || true

.github/workflows/release.yml

@@ -2,30 +2,47 @@ name: release
 
 on:
   push:
-    tags: '*'
+    tags:
+      - '*'
+
+permissions:
+  contents: read
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
+      - uses: sigstore/cosign-installer@v3
+      - uses: fluxcd/flux2/action@main
+      - uses: stefanprodan/timoni/actions/setup@main
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.21.x
+      - name: Setup Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.12.3
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v3
         with:
           platforms: all
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          buildkitd-flags: "--debug"
+        uses: docker/setup-buildx-action@v3
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.GHCR_TOKEN }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
@@ -36,30 +53,64 @@ jobs:
           if [[ $GITHUB_REF == refs/tags/* ]]; then
             VERSION=${GITHUB_REF/refs\/tags\//}
           fi
-          echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
-          echo ::set-output name=VERSION::${VERSION}
-      - name: Publish multi-arch image
-        uses: docker/build-push-action@v2
+          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+          echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT
+      - name: Generate images meta
+        id: meta
+        uses: docker/metadata-action@v5
         with:
+          images: |
+            docker.io/stefanprodan/podinfo
+            ghcr.io/stefanprodan/podinfo
+          tags: |
+            type=raw,value=${{ steps.prep.outputs.VERSION }}
+            type=raw,value=latest
+      - name: Publish multi-arch image
+        uses: docker/build-push-action@v5
+        with:
+          sbom: true
+          provenance: true
           push: true
           builder: ${{ steps.buildx.outputs.name }}
           context: .
-          file: ./Dockerfile
+          file: ./Dockerfile.xx
+          build-args: |
+            REVISION=${{ steps.prep.outputs.REVISION }}
           platforms: linux/amd64,linux/arm/v7,linux/arm64
-          tags: |
-            docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
-            docker.io/stefanprodan/podinfo:latest
-            ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
-          labels: |
-            org.opencontainers.image.title=${{ github.event.repository.name }}
-            org.opencontainers.image.description=${{ github.event.repository.description }}
-            org.opencontainers.image.source=${{ github.event.repository.html_url }}
-            org.opencontainers.image.url=${{ github.event.repository.html_url }}
-            org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
-            org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Publish Timoni module to GHCR
+        run: |
+          timoni mod push ./timoni/podinfo oci://ghcr.io/stefanprodan/modules/podinfo \
+          --sign cosign \
+          --version ${{ steps.prep.outputs.VERSION }} \
+          -a 'org.opencontainers.image.source=https://github.com/stefanprodan/podinfo' \
+          -a 'org.opencontainers.image.licenses=Apache-2.0' \
+          -a 'org.opencontainers.image.description=A timoni.sh module for deploying Podinfo.' \
+          -a 'org.opencontainers.image.documentation=https://github.com/stefanprodan/podinfo/blob/main/timoni/podinfo/README.md'
+      - name: Publish Helm chart to GHCR
+        run: |
+          helm package charts/podinfo
+          helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/stefanprodan/charts
+          rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz
+      - name: Publish Flux OCI artifact to GHCR
+        run: |
+          flux push artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} \
+            --path="./kustomize" \
+            --source="${{ github.event.repository.html_url }}" \
+            --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
+          flux tag artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --tag latest
+      - name: Sign OCI artifacts
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes
       - name: Publish base image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           push: true
           builder: ${{ steps.buildx.outputs.name }}
@@ -71,15 +122,30 @@ jobs:
         uses: stefanprodan/helm-gh-pages@master
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Publish config artifact
+        run: |
+          flux push artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} \
+            --path="./kustomize" \
+            --source="${{ github.event.repository.html_url }}" \
+            --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
+          flux tag artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --tag latest
+      - name: Sign config artifact
+        run: |
+          echo "$COSIGN_KEY" > /tmp/cosign.key
+          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest --yes
+        env:
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
       - uses: ./.github/actions/release-notes
       - name: Generate release notes
         run: |
           echo 'CHANGELOG' > /tmp/release.txt
           github-release-notes -org stefanprodan -repo podinfo -since-latest-release >> /tmp/release.txt
       - name: Publish release
-        uses: goreleaser/goreleaser-action@v1
+        uses: goreleaser/goreleaser-action@v5
         with:
           version: latest
-          args: release --release-notes=/tmp/release.txt
+          args: release --release-notes=/tmp/release.txt --skip-validate
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -6,38 +6,67 @@ on:
     branches:
       - 'master'
 
+permissions:
+  contents: read
+
+env:
+  KUBERNETES_VERSION: 1.26.0
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
-      - name: Restore Go cache
-        uses: actions/cache@v1
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-go-
+        uses: actions/checkout@v4
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
-          go-version: 1.16.x
+          go-version: 1.21.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v3
+        with:
+          version: v${{ env.KUBERNETES_VERSION }}
+      - name: Setup kubeconform
+        uses: ./.github/actions/kubeconform
+      - name: Setup Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.3
+      - name: Setup CUE
+        uses: cue-lang/setup-cue@v1.0.0
+      - name: Setup Timoni
+        uses: stefanprodan/timoni/actions/setup@main
       - name: Run unit tests
         run: make test
+      - name: Validate Helm chart
+        run: |
+          helm lint ./charts/podinfo/
+          helm template ./charts/podinfo/ | kubeconform -strict -summary -kubernetes-version ${{ env.KUBERNETES_VERSION }}
+      - name: Validate Kustomize overlay
+        run: |
+          kubectl kustomize ./kustomize/ | kubeconform -strict -summary -kubernetes-version ${{ env.KUBERNETES_VERSION }}
+      - name: Verify CUE formatting
+        working-directory: ./timoni/podinfo
+        run: |
+          cue fmt ./..
+          status=$(git status . --porcelain)
+          [[ -z "$status" ]] || {
+            echo "CUE files are not correctly formatted"
+            echo "$status"
+            git diff
+            exit 1
+          }
+      - name: Validate Timoni module
+        working-directory: ./timoni/podinfo
+        run: |
+          timoni mod lint . 
+          timoni build podinfo . -f test_values.cue | kubeconform -strict -summary -skip=ServiceMonitor -kubernetes-version ${{ env.KUBERNETES_VERSION }}
       - name: Check if working tree is dirty
         run: |
           if [[ $(git diff --stat) != '' ]]; then
             echo 'run make test and commit changes'
             exit 1
           fi
-      - name: Validate Helm chart
-        uses: stefanprodan/kube-tools@v1
-        with:
-          command: |
-            helmv3 template ./charts/podinfo | kubeval --strict
-      - name: Validate kustomization
-        uses: stefanprodan/kube-tools@v1
-        with:
-          command: |
-            kustomize build ./kustomize | kubeval --strict
-            kustomize build ./kustomize | conftest test -p .github/policy -

.gitignore

@@ -19,4 +19,7 @@ release/
 build/
 gcloud/
 dist/
-bin/
+bin/
+cue/cue.mod/gen/
+cue/go.mod
+cue/go.sum

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.16-alpine as builder
+FROM golang:1.21-alpine as builder
 
 ARG REVISION
 
@@ -18,7 +18,7 @@ RUN CGO_ENABLED=0 go build -ldflags "-s -w \
     -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
     -a -o bin/podcli cmd/podcli/*
 
-FROM alpine:3.13
+FROM alpine:3.18
 
 ARG BUILD_DATE
 ARG VERSION

Dockerfile.base

@@ -1,4 +1,4 @@
-FROM golang:1.16
+FROM golang:1.21
 
 WORKDIR /workspace
 

Dockerfile.xx

@@ -0,0 +1,53 @@
+ARG GO_VERSION=1.21
+ARG XX_VERSION=1.2.0
+
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
+
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine as builder
+
+# Copy the build utilities.
+COPY --from=xx / /
+
+ARG TARGETPLATFORM
+ARG REVISION
+
+RUN mkdir -p /podinfo/
+
+WORKDIR /podinfo
+
+COPY . .
+
+RUN go mod download
+
+ENV CGO_ENABLED=0
+RUN xx-go build -ldflags "-s -w \
+    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
+    -a -o bin/podinfo cmd/podinfo/*
+
+RUN xx-go build -ldflags "-s -w \
+    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
+    -a -o bin/podcli cmd/podcli/*
+
+FROM alpine:3.18
+
+ARG BUILD_DATE
+ARG VERSION
+ARG REVISION
+
+LABEL maintainer="stefanprodan"
+
+RUN addgroup -S app \
+    && adduser -S -G app app \
+    && apk --no-cache add \
+    ca-certificates curl netcat-openbsd
+
+WORKDIR /home/app
+
+COPY --from=builder /podinfo/bin/podinfo .
+COPY --from=builder /podinfo/bin/podcli /usr/local/bin/podcli
+COPY ./ui ./ui
+RUN chown -R app:app ./
+
+USER app
+
+CMD ["./podinfo"]

Makefile

@@ -15,6 +15,7 @@ run:
 	--level=debug --grpc-port=9999 --backend-url=https://httpbin.org/status/401 --backend-url=https://httpbin.org/status/500 \
 	--ui-logo=https://raw.githubusercontent.com/stefanprodan/podinfo/gh-pages/cuddle_clap.gif $(EXTRA_RUN_ARGS)
 
+.PHONY: test
 test:
 	go test ./... -coverprofile cover.out
 
@@ -22,6 +23,12 @@ build:
 	GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podinfo ./cmd/podinfo/*
 	GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podcli ./cmd/podcli/*
 
+tidy:
+	rm -f go.sum; go mod tidy -compat=1.21
+
+vet:
+	go vet ./...
+
 fmt:
 	gofmt -l -s -w ./
 	goimports -l -w ./
@@ -33,6 +40,13 @@ build-charts:
 build-container:
 	docker build -t $(DOCKER_IMAGE_NAME):$(VERSION) .
 
+build-xx:
+	docker buildx build \
+	--platform=linux/amd64 \
+	-t $(DOCKER_IMAGE_NAME):$(VERSION) \
+	--load \
+	-f Dockerfile.xx .
+
 build-base:
 	docker build -f Dockerfile.base -t $(DOCKER_REPOSITORY)/podinfo-base:latest .
 
@@ -58,22 +72,29 @@ push-container:
 version-set:
 	@next="$(TAG)" && \
 	current="$(VERSION)" && \
-	sed -i '' "s/$$current/$$next/g" pkg/version/version.go && \
-	sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values.yaml && \
-	sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values-prod.yaml && \
-	sed -i '' "s/appVersion: $$current/appVersion: $$next/g" charts/podinfo/Chart.yaml && \
-	sed -i '' "s/version: $$current/version: $$next/g" charts/podinfo/Chart.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" kustomize/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/frontend/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/backend/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/frontend/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/backend/deployment.yaml && \
-	echo "Version $$next set in code, deployment, chart and kustomize"
+	/usr/bin/sed -i '' "s/$$current/$$next/g" pkg/version/version.go && \
+	/usr/bin/sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values.yaml && \
+	/usr/bin/sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values-prod.yaml && \
+	/usr/bin/sed -i '' "s/appVersion: $$current/appVersion: $$next/g" charts/podinfo/Chart.yaml && \
+	/usr/bin/sed -i '' "s/version: $$current/version: $$next/g" charts/podinfo/Chart.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" kustomize/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/frontend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/backend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/frontend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/backend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/$$current/$$next/g" timoni/podinfo/values.cue && \
+	echo "Version $$next set in code, deployment, module, chart and kustomize"
 
 release:
-	git tag $(VERSION)
+	git tag -s -m $(VERSION) $(VERSION)
 	git push origin $(VERSION)
 
 swagger:
-	go get github.com/swaggo/swag/cmd/swag
-	cd pkg/api && $$(go env GOPATH)/bin/swag init -g server.go
+	go install github.com/swaggo/swag/cmd/swag@latest
+	go get github.com/swaggo/swag/gen@latest
+	go get github.com/swaggo/swag/cmd/swag@latest
+	cd pkg/api && $$(go env GOPATH)/bin/swag init -g server.go
+
+.PHONY: timoni-build
+timoni-build:
+	@timoni build podinfo ./timoni/podinfo -f ./timoni/podinfo/test_values.cue

README.md

@@ -15,18 +15,17 @@ Specifications:
 * Health checks (readiness and liveness)
 * Graceful shutdown on interrupt signals
 * File watcher for secrets and configmaps
-* Instrumented with Prometheus
-* Tracing with Istio and Jaeger
-* Linkerd service profile
+* Instrumented with Prometheus and Open Telemetry
 * Structured logging with zap 
 * 12-factor app with viper
 * Fault injection (random errors and latency)
 * Swagger docs
-* Helm and Kustomize installers
+* Timoni, Helm and Kustomize installers
 * End-to-End testing with Kubernetes Kind and Helm
-* Kustomize testing with GitHub Actions and Open Policy Agent
 * Multi-arch container image with Docker buildx and Github Actions
-* CVE scanning with trivy
+* Container image signing with Sigstore cosign
+* SBOMs and SLSA Provenance embedded in the container image
+* CVE scanning with Trivy
 
 Web API:
 
@@ -67,17 +66,26 @@ To access the Swagger UI open `<podinfo-host>/swagger/index.html` in a browser.
 
 ### Guides
 
-* [GitOps Progressive Deliver with Flagger, Helm v3 and Linkerd](https://helm.workshop.flagger.dev/intro/)
-* [GitOps Progressive Deliver on EKS with Flagger and AppMesh](https://eks.handson.flagger.dev/prerequisites/)
-* [Automated canary deployments with Flagger and Istio](https://medium.com/google-cloud/automated-canary-deployments-with-flagger-and-istio-ac747827f9d1)
-* [Kubernetes autoscaling with Istio metrics](https://medium.com/google-cloud/kubernetes-autoscaling-with-istio-metrics-76442253a45a)
-* [Autoscaling EKS on Fargate with custom metrics](https://aws.amazon.com/blogs/containers/autoscaling-eks-on-fargate-with-custom-metrics/)
-* [Managing Helm releases the GitOps way](https://medium.com/google-cloud/managing-helm-releases-the-gitops-way-207a6ac6ff0e)
-* [Securing EKS Ingress With Contour And Let’s Encrypt The GitOps Way](https://aws.amazon.com/blogs/containers/securing-eks-ingress-contour-lets-encrypt-gitops/)
+* [Getting started with Timoni](https://timoni.sh/quickstart/)
+* [Getting started with Flux](https://fluxcd.io/flux/get-started/)
+* [Progressive Deliver with Flagger and Linkerd](https://docs.flagger.app/tutorials/linkerd-progressive-delivery)
+* [Automated canary deployments with Kubernetes Gateway API](https://docs.flagger.app/tutorials/gatewayapi-progressive-delivery)
 
 ### Install
 
-Helm:
+To install Podinfo on Kubernetes the minimum required version is **Kubernetes v1.23**.
+
+#### Timoni
+
+Install with [Timoni](https://timoni.sh):
+
+```bash
+timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo
+```
+
+#### Helm
+
+Install from github.io:
 
 ```bash
 helm repo add podinfo https://stefanprodan.github.io/podinfo
@@ -88,7 +96,7 @@ helm upgrade --install --wait frontend \
 --set backend=http://backend-podinfo:9898/echo \
 podinfo/podinfo
 
-helm test frontend
+helm test frontend --namespace test
 
 helm upgrade --install --wait backend \
 --namespace test \
@@ -96,13 +104,20 @@ helm upgrade --install --wait backend \
 podinfo/podinfo
 ```
 
-Kustomize:
+Install from ghcr.io:
+
+```bash
+helm upgrade --install --wait podinfo --namespace default \
+oci://ghcr.io/stefanprodan/charts/podinfo
+```
+
+#### Kustomize
 
 ```bash
 kubectl apply -k github.com/stefanprodan/podinfo//kustomize
 ```
 
-Docker:
+#### Docker
 
 ```bash
 docker run -dp 9898:9898 stefanprodan/podinfo

charts/podinfo/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-version: 5.2.0
-appVersion: 5.2.0
+version: 6.5.2
+appVersion: 6.5.2
 name: podinfo
 engine: gotpl
 description: Podinfo Helm chart for Kubernetes
@@ -10,3 +10,4 @@ maintainers:
   name: stefanprodan
 sources:
 - https://github.com/stefanprodan/podinfo
+kubeVersion: ">=1.23.0-0"

charts/podinfo/README.md

@@ -1,6 +1,6 @@
 # Podinfo
 
-Podinfo is a tiny web application made with Go 
+Podinfo is a tiny web application made with Go
 that showcases best practices of running microservices in Kubernetes.
 
 Podinfo is used by CNCF projects like [Flux](https://github.com/fluxcd/flux2)
@@ -9,12 +9,28 @@ for end-to-end testing and workshops.
 
 ## Installing the Chart
 
-To install the chart with the release name `my-release`:
+The Podinfo charts are published to
+[GitHub Container Registry](https://github.com/stefanprodan/podinfo/pkgs/container/charts%2Fpodinfo)
+and signed with [Cosign](https://github.com/sigstore/cosign) & GitHub Actions OIDC.
+
+To install the chart with the release name `my-release` from GHCR:
+
+```console
+$ helm upgrade -i my-release oci://ghcr.io/stefanprodan/charts/podinfo
+```
+
+To verify a chart with Cosign:
+
+```console
+$ cosign verify ghcr.io/stefanprodan/charts/podinfo:<VERSION>
+```
+
+Alternatively, you can install the chart from GitHub pages:
 
 ```console
 $ helm repo add podinfo https://stefanprodan.github.io/podinfo
 
-$ helm upgrade -i my-release podinfo/podinfo 
+$ helm upgrade -i my-release podinfo/podinfo
 ```
 
 The command deploys podinfo on the Kubernetes cluster in the default namespace.
@@ -34,59 +50,62 @@ The command removes all the Kubernetes components associated with the chart and
 
 The following tables lists the configurable parameters of the podinfo chart and their default values.
 
-Parameter | Default | Description
---- | --- | ---
-`replicaCount` | `1` | Desired number of pods
-`logLevel` | `info` | Log level: `debug`, `info`, `warn`, `error`
-`backend` | `None` | Echo backend URL
-`backends` | `[]` | Array of echo backend URLs
-`cache` | `None` | Redis address in the format `<host>:<port>`
-`redis.enabled` | `false` | Create Redis deployment for caching purposes
-`ui.color` | `#34577c` |  UI color
-`ui.message` | `None` |  UI greetings message
-`ui.logo` | `None` |  UI logo
-`faults.delay` | `false` | Random HTTP response delays between 0 and 5 seconds
-`faults.error` | `false` | 1/3 chances of a random HTTP response error
-`faults.unhealthy` | `false` | When set, the healthy state is never reached
-`faults.unready` | `false` | When set, the ready state is never reached
-`faults.testFail` | `false` | When set, a helm test is included which always fails
-`faults.testTimeout` | `false` | When set, a helm test is included which always times out
-`image.repository` | `stefanprodan/podinfo` | Image repository
-`image.tag` | `<VERSION>` | Image tag
-`image.pullPolicy` | `IfNotPresent` | Image pull policy
-`service.enabled` | `true` | Create a Kubernetes Service, should be disabled when using [Flagger](https://flagger.app)
-`service.type` | `ClusterIP` | Type of the Kubernetes Service
-`service.metricsPort` | `9797` | Prometheus metrics endpoint port
-`service.httpPort` | `9898` | Container HTTP port
-`service.externalPort` | `9898` | ClusterIP HTTP port
-`service.grpcPort` | `9999` | ClusterIP gPRC port
-`service.grpcService` | `podinfo` | gPRC service name
-`service.nodePort` | `31198` | NodePort for the HTTP endpoint
-`h2c.enabled` | `false` | Allow upgrading to h2c (non-TLS version of HTTP/2)
-`hpa.enabled` | `false` | Enables the Kubernetes HPA
-`hpa.maxReplicas` | `10` | Maximum amount of pods
-`hpa.cpu` | `None` | Target CPU usage per pod
-`hpa.memory` | `None` | Target memory usage per pod
-`hpa.requests` | `None` | Target HTTP requests per second per pod
-`serviceAccount.enabled` | `false` | Whether a service account should be created
-`serviceAccount.name` | `None` | The name of the service account to use, if not set and create is true, a name is generated using the fullname template
-`securityContext` | `{}` | The security context to be set on the podinfo container
-`linkerd.profile.enabled` | `false` | Create Linkerd service profile
-`serviceMonitor.enabled` | `false` | Whether a Prometheus Operator service monitor should be created
-`serviceMonitor.interval` | `15s` | Prometheus scraping interval
-`ingress.enabled` | `false` | Enables Ingress
-`ingress.annotations` | `{}` | Ingress annotations
-`ingress.path` | `/*` | Ingress path
-`ingress.hosts` | `[]` | Ingress accepted hosts
-`ingress.tls` | `[]` | Ingress TLS configuration
-`resources.requests.cpu` | `1m` | Pod CPU request
-`resources.requests.memory` | `16Mi` | Pod memory request
-`resources.limits.cpu` | `None` | Pod CPU limit
-`resources.limits.memory` | `None` | Pod memory limit
-`nodeSelector` | `{}` | Node labels for pod assignment
-`tolerations` | `[]` | List of node taints to tolerate
-`affinity` | `None` | Node/pod affinities
-`podAnnotations` | `{}` | Pod annotations
+| Parameter                         | Default                | Description                                                                                                            |
+| --------------------------------- | ---------------------- | ---------------------------------------------------------------------------------------------------------------------- |
+| `replicaCount`                    | `1`                    | Desired number of pods                                                                                                 |
+| `logLevel`                        | `info`                 | Log level: `debug`, `info`, `warn`, `error`                                                                            |
+| `backend`                         | `None`                 | Echo backend URL                                                                                                       |
+| `backends`                        | `[]`                   | Array of echo backend URLs                                                                                             |
+| `cache`                           | `None`                 | Redis address in the format `tcp://<host>:<port>`                                                                      |
+| `redis.enabled`                   | `false`                | Create Redis deployment for caching purposes                                                                           |
+| `ui.color`                        | `#34577c`              | UI color                                                                                                               |
+| `ui.message`                      | `None`                 | UI greetings message                                                                                                   |
+| `ui.logo`                         | `None`                 | UI logo                                                                                                                |
+| `faults.delay`                    | `false`                | Random HTTP response delays between 0 and 5 seconds                                                                    |
+| `faults.error`                    | `false`                | 1/3 chances of a random HTTP response error                                                                            |
+| `faults.unhealthy`                | `false`                | When set, the healthy state is never reached                                                                           |
+| `faults.unready`                  | `false`                | When set, the ready state is never reached                                                                             |
+| `faults.testFail`                 | `false`                | When set, a helm test is included which always fails                                                                   |
+| `faults.testTimeout`              | `false`                | When set, a helm test is included which always times out                                                               |
+| `image.repository`                | `stefanprodan/podinfo` | Image repository                                                                                                       |
+| `image.tag`                       | `<VERSION>`            | Image tag                                                                                                              |
+| `image.pullPolicy`                | `IfNotPresent`         | Image pull policy                                                                                                      |
+| `service.enabled`                 | `true`                 | Create a Kubernetes Service, should be disabled when using [Flagger](https://flagger.app)                              |
+| `service.type`                    | `ClusterIP`            | Type of the Kubernetes Service                                                                                         |
+| `service.metricsPort`             | `9797`                 | Prometheus metrics endpoint port                                                                                       |
+| `service.httpPort`                | `9898`                 | Container HTTP port                                                                                                    |
+| `service.externalPort`            | `9898`                 | ClusterIP HTTP port                                                                                                    |
+| `service.grpcPort`                | `9999`                 | ClusterIP gPRC port                                                                                                    |
+| `service.grpcService`             | `podinfo`              | gPRC service name                                                                                                      |
+| `service.nodePort`                | `31198`                | NodePort for the HTTP endpoint                                                                                         |
+| `h2c.enabled`                     | `false`                | Allow upgrading to h2c (non-TLS version of HTTP/2)                                                                     |
+| `hpa.enabled`                     | `false`                | Enables the Kubernetes HPA                                                                                             |
+| `hpa.maxReplicas`                 | `10`                   | Maximum amount of pods                                                                                                 |
+| `hpa.cpu`                         | `None`                 | Target CPU usage per pod                                                                                               |
+| `hpa.memory`                      | `None`                 | Target memory usage per pod                                                                                            |
+| `hpa.requests`                    | `None`                 | Target HTTP requests per second per pod                                                                                |
+| `serviceAccount.enabled`          | `false`                | Whether a service account should be created                                                                            |
+| `serviceAccount.name`             | `None`                 | The name of the service account to use, if not set and create is true, a name is generated using the fullname template |
+| `serviceAccount.imagePullSecrets` | `[]`                   | List of image pull secrets if pulling from private registries.                                                         |
+| `securityContext`                 | `{}`                   | The security context to be set on the podinfo container                                                                |
+| `linkerd.profile.enabled`         | `false`                | Create Linkerd service profile                                                                                         |
+| `serviceMonitor.enabled`          | `false`                | Whether a Prometheus Operator service monitor should be created                                                        |
+| `serviceMonitor.interval`         | `15s`                  | Prometheus scraping interval                                                                                           |
+| `serviceMonitor.additionalLabels` | `{}`                   | Add additional labels to the service monitor                                                                           |
+| `ingress.enabled`                 | `false`                | Enables Ingress                                                                                                        |
+| `ingress.className `              | `""`                   | Use ingressClassName                                                                                                   |
+| `ingress.additionalLabels`        | `{}`                   | Add additional labels to the ingress                                                                                   |
+| `ingress.annotations`             | `{}`                   | Ingress annotations                                                                                                    |
+| `ingress.hosts`                   | `[]`                   | Ingress accepted hosts                                                                                                 |
+| `ingress.tls`                     | `[]`                   | Ingress TLS configuration                                                                                              |
+| `resources.requests.cpu`          | `1m`                   | Pod CPU request                                                                                                        |
+| `resources.requests.memory`       | `16Mi`                 | Pod memory request                                                                                                     |
+| `resources.limits.cpu`            | `None`                 | Pod CPU limit                                                                                                          |
+| `resources.limits.memory`         | `None`                 | Pod memory limit                                                                                                       |
+| `nodeSelector`                    | `{}`                   | Node labels for pod assignment                                                                                         |
+| `tolerations`                     | `[]`                   | List of node taints to tolerate                                                                                        |
+| `affinity`                        | `None`                 | Node/pod affinities                                                                                                    |
+| `podAnnotations`                  | `{}`                   | Pod annotations                                                                                                        |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 
@@ -109,14 +128,3 @@ $ helm install my-release podinfo/podinfo -f values.yaml
 ```
 
 > **Tip**: You can use the default [values.yaml](values.yaml)
-
-## Upgrading the chart
-
-### To =< 5.0.0
-
-Version 5.0.0 is a major update.
-
-* The chart now follows the new Kubernetes label recommendations:
-<https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/>
-
-The simplest way to update is to do a force upgrade, which recreates the resources by doing a delete and an install.

charts/podinfo/templates/NOTES.txt

@@ -1,7 +1,9 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
-{{- range .Values.ingress.hosts }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "podinfo.fullname" . }})

charts/podinfo/templates/deployment.yaml

@@ -49,6 +49,9 @@ spec:
           command:
             - ./podinfo
             - --port={{ .Values.service.httpPort | default 9898 }}
+            {{- if .Values.host }}
+            - --host={{ .Values.host }}
+            {{- end }}
             {{- if .Values.tls.enabled }}
             - --secure-port={{ .Values.tls.port }}
             {{- end }}
@@ -70,7 +73,7 @@ spec:
             {{- if .Values.cache }}
             - --cache-server={{ .Values.cache }}
             {{- else if .Values.redis.enabled }}
-            - --cache-server={{ template "podinfo.fullname" . }}-redis:6379
+            - --cache-server=tcp://{{ template "podinfo.fullname" . }}-redis:6379
             {{- end }}
             - --level={{ .Values.logLevel }}
             - --random-delay={{ .Values.faults.delay }}
@@ -126,6 +129,22 @@ spec:
               containerPort: {{ .Values.service.grpcPort }}
               protocol: TCP
             {{- end }}
+          {{- if .Values.probes.startup.enable }}
+          startupProbe:
+            exec:
+              command:
+              - podcli
+              - check
+              - http
+              - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz
+            {{- with .Values.probes.startup }}
+            initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
+            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
+            failureThreshold: {{ .failureThreshold | default 3 }}
+            successThreshold: {{ .successThreshold | default 1 }}
+            periodSeconds: {{ .periodSeconds | default 10 }}
+            {{- end }}
+            {{- end }}
           livenessProbe:
             exec:
               command:
@@ -133,8 +152,13 @@ spec:
               - check
               - http
               - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz
-            initialDelaySeconds: 1
-            timeoutSeconds: 5
+            {{- with .Values.probes.liveness }}
+            initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
+            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
+            failureThreshold: {{ .failureThreshold | default 3 }}
+            successThreshold: {{ .successThreshold | default 1 }}
+            periodSeconds: {{ .periodSeconds | default 10 }}
+            {{- end }}
           readinessProbe:
             exec:
               command:
@@ -142,8 +166,13 @@ spec:
               - check
               - http
               - localhost:{{ .Values.service.httpPort | default 9898 }}/readyz
-            initialDelaySeconds: 1
-            timeoutSeconds: 5
+            {{- with .Values.probes.readiness }}
+            initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
+            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
+            failureThreshold: {{ .failureThreshold | default 3 }}
+            successThreshold: {{ .successThreshold | default 1 }}
+            periodSeconds: {{ .periodSeconds | default 10 }}
+            {{- end }}
           volumeMounts:
           - name: data
             mountPath: /data

charts/podinfo/templates/hpa.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.hpa.enabled -}}
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ template "podinfo.fullname" . }}

charts/podinfo/templates/ingress.yaml

@@ -1,43 +1,44 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "podinfo.fullname" . -}}
-{{- $ingressPath := .Values.ingress.path -}}
-apiVersion: networking.k8s.io/v1beta1
+{{- $svcPort := .Values.service.externalPort -}}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
   labels:
     {{- include "podinfo.labels" . | nindent 4 }}
-{{- with .Values.ingress.annotations }}
+    {{- with .Values.ingress.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.ingress.annotations }}
   annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
-spec:
-{{- if .Values.ingress.tls }}
-  tls:
-  {{- range .Values.ingress.tls }}
-    - hosts:
-      {{- range .hosts }}
-        - {{ . | quote }}
-      {{- end }}
-      secretName: {{ .secretName }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
   {{- end }}
-{{- end }}
   rules:
-  {{- range .Values.ingress.hosts }}
-    - host: {{ . | quote }}
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
       http:
         paths:
-          - path: {{ $ingressPath }}
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
             backend:
-              serviceName: {{ $fullName }}
-              servicePort: http
-  {{- end }}
-  {{- if not .Values.ingress.hosts }}
-    - http:
-        paths:
-          - path: {{ $ingressPath }}
-            backend:
-              serviceName: {{ $fullName }}
-              servicePort: http
-  {{- end }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
 {{- end }}

charts/podinfo/templates/serviceaccount.yaml

@@ -5,4 +5,8 @@ metadata:
   name: {{ template "podinfo.serviceAccountName" . }}
   labels:
     {{- include "podinfo.labels" . | nindent 4 }}
+{{- with .Values.serviceAccount.imagePullSecrets }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
 {{- end -}}
+{{- end -}}

charts/podinfo/templates/servicemonitor.yaml

@@ -5,6 +5,9 @@ metadata:
   name: {{ template "podinfo.fullname" . }}
   labels:
     {{- include "podinfo.labels" . | nindent 4 }}
+    {{- with .Values.serviceMonitor.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   endpoints:
     - path: /metrics

charts/podinfo/values-prod.yaml

@@ -8,7 +8,7 @@ backends: []
 
 image:
   repository: ghcr.io/stefanprodan/podinfo
-  tag: 5.2.0
+  tag: 6.5.2
   pullPolicy: IfNotPresent
 
 ui:
@@ -77,13 +77,13 @@ hpa:
   # average http requests per second per pod (k8s-prometheus-adapter)
   requests:
 
-# Redis address in the format <host>:<port>
+# Redis address in the format tcp://<host>:<port>
 cache: ""
 # Redis deployment
 redis:
   enabled: true
   repository: redis
-  tag: 6.0.8
+  tag: 7.0.7
 
 serviceAccount:
   # Specifies whether a service account should be created
@@ -91,18 +91,24 @@ serviceAccount:
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name:
+  # List of image pull secrets if pulling from private registries
+  imagePullSecrets: []
 
 # set container security context
 securityContext: {}
 
 ingress:
   enabled: false
+  className: ""
+  additionalLabels: {}
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
-  path: /*
-  hosts: []
-  #  - podinfo.local
+  hosts:
+    - host: podinfo.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
@@ -116,6 +122,7 @@ linkerd:
 serviceMonitor:
   enabled: false
   interval: 15s
+  additionalLabels: {}
 
 resources:
   limits:

charts/podinfo/values.yaml

@@ -2,12 +2,13 @@
 
 replicaCount: 1
 logLevel: info
+host: #0.0.0.0
 backend: #http://backend-podinfo:9898/echo
 backends: []
 
 image:
   repository: ghcr.io/stefanprodan/podinfo
-  tag: 5.2.0
+  tag: 6.5.2
   pullPolicy: IfNotPresent
 
 ui:
@@ -80,13 +81,13 @@ hpa:
   # average http requests per second per pod (k8s-prometheus-adapter)
   requests:
 
-# Redis address in the format <host>:<port>
+# Redis address in the format tcp://<host>:<port>
 cache: ""
 # Redis deployment
 redis:
   enabled: false
   repository: redis
-  tag: 6.0.8
+  tag: 7.0.7
 
 serviceAccount:
   # Specifies whether a service account should be created
@@ -94,18 +95,24 @@ serviceAccount:
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name:
+  # List of image pull secrets if pulling from private registries
+  imagePullSecrets: []
 
 # set container security context
 securityContext: {}
 
 ingress:
   enabled: false
+  className: ""
+  additionalLabels: {}
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
-  path: /*
-  hosts: []
-  #  - podinfo.local
+  hosts:
+    - host: podinfo.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
@@ -119,6 +126,7 @@ linkerd:
 serviceMonitor:
   enabled: false
   interval: 15s
+  additionalLabels: {}
 
 resources:
   limits:
@@ -133,3 +141,25 @@ tolerations: []
 affinity: {}
 
 podAnnotations: {}
+
+# https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+probes:
+  readiness:
+    initialDelaySeconds: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
+    periodSeconds: 10
+  liveness:
+    initialDelaySeconds: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
+    periodSeconds: 10
+  startup:
+    enable: false
+    initialDelaySeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 20
+    successThreshold: 1
+    periodSeconds: 10

cmd/podinfo/main.go

@@ -2,7 +2,6 @@ package main
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -18,21 +17,23 @@ import (
 	"github.com/stefanprodan/podinfo/pkg/grpc"
 	"github.com/stefanprodan/podinfo/pkg/signals"
 	"github.com/stefanprodan/podinfo/pkg/version"
+	go_grpc "google.golang.org/grpc"
 )
 
 func main() {
 	// flags definition
 	fs := pflag.NewFlagSet("default", pflag.ContinueOnError)
-	fs.Int("port", 9898, "HTTP port")
+	fs.String("host", "", "Host to bind service to")
+	fs.Int("port", 9898, "HTTP port to bind service to")
 	fs.Int("secure-port", 0, "HTTPS port")
 	fs.Int("port-metrics", 0, "metrics port")
 	fs.Int("grpc-port", 0, "gRPC port")
 	fs.String("grpc-service-name", "podinfo", "gPRC service name")
-	fs.String("level", "info", "log level debug, info, warn, error, flat or panic")
+	fs.String("level", "info", "log level debug, info, warn, error, fatal or panic")
 	fs.StringSlice("backend-url", []string{}, "backend service URL")
 	fs.Duration("http-client-timeout", 2*time.Minute, "client timeout duration")
 	fs.Duration("http-server-timeout", 30*time.Second, "server read and write timeout duration")
-	fs.Duration("http-server-shutdown-timeout", 5*time.Second, "server graceful shutdown timeout duration")
+	fs.Duration("server-shutdown-timeout", 5*time.Second, "server graceful shutdown timeout duration")
 	fs.String("data-path", "/data", "data local path")
 	fs.String("config-path", "", "config dir path")
 	fs.String("cert-path", "/data/cert", "certificate path for HTTPS port")
@@ -51,7 +52,8 @@ func main() {
 	fs.Bool("unready", false, "when set, ready state is never reached")
 	fs.Int("stress-cpu", 0, "number of CPU cores with 100 load")
 	fs.Int("stress-memory", 0, "MB of data to load into memory")
-	fs.String("cache-server", "", "Redis address in the format <host>:<port>")
+	fs.String("cache-server", "", "Redis address in the format 'tcp://<host>:<port>'")
+	fs.String("otel-service-name", "", "service name for reporting to open telemetry address, when not set tracing is disabled")
 
 	versionFlag := fs.BoolP("version", "v", false, "get version number")
 
@@ -89,8 +91,6 @@ func main() {
 		if readErr := viper.ReadInConfig(); readErr != nil {
 			fmt.Printf("Error reading config file, %v\n", readErr)
 		}
-	}else{
-		fmt.Printf("Error to open config file, %v\n",fileErr)
 	}
 
 	// configure logging
@@ -135,9 +135,10 @@ func main() {
 	}
 
 	// start gRPC server
+	var grpcServer *go_grpc.Server
 	if grpcCfg.Port > 0 {
 		grpcSrv, _ := grpc.NewServer(&grpcCfg, logger)
-		go grpcSrv.ListenAndServe()
+		grpcServer = grpcSrv.ListenAndServe()
 	}
 
 	// load HTTP server config
@@ -155,8 +156,12 @@ func main() {
 
 	// start HTTP server
 	srv, _ := api.NewServer(&srvCfg, logger)
+	httpServer, httpsServer, healthy, ready := srv.ListenAndServe()
+
+	// graceful shutdown
 	stopCh := signals.SetupSignalHandler()
-	srv.ListenAndServe(stopCh)
+	sd, _ := signals.NewShutdown(srvCfg.ServerShutdownTimeout, logger)
+	sd.Graceful(stopCh, httpServer, httpsServer, grpcServer, healthy, ready)
 }
 
 func initZap(logLevel string) (*zap.Logger, error) {
@@ -238,12 +243,12 @@ func beginStressTest(cpus int, mem int, logger *zap.Logger) {
 			logger.Error("memory stress failed", zap.Error(err))
 		}
 
-		stressMemoryPayload, err = ioutil.ReadFile(path)
+		stressMemoryPayload, err = os.ReadFile(path)
 		f.Close()
 		os.Remove(path)
 		if err != nil {
 			logger.Error("memory stress failed", zap.Error(err))
 		}
-		logger.Info("starting CPU stress", zap.Int("memory", len(stressMemoryPayload)))
+		logger.Info("starting MEMORY stress", zap.Int("memory", len(stressMemoryPayload)))
 	}
 }

deploy/bases/backend/deployment.yaml

@@ -23,7 +23,7 @@ spec:
     spec:
       containers:
       - name: backend
-        image: ghcr.io/stefanprodan/podinfo:5.2.0
+        image: ghcr.io/stefanprodan/podinfo:6.5.2
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

deploy/bases/backend/hpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: backend

deploy/bases/cache/deployment.yaml

@@ -13,7 +13,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:6.0.1
+          image: redis:7.0.7
           imagePullPolicy: IfNotPresent
           command:
             - redis-server

deploy/bases/frontend/deployment.yaml

@@ -23,7 +23,7 @@ spec:
     spec:
       containers:
       - name: frontend
-        image: ghcr.io/stefanprodan/podinfo:5.2.0
+        image: ghcr.io/stefanprodan/podinfo:6.5.2
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

deploy/bases/frontend/hpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: frontend

deploy/secure/backend/hpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: backend

deploy/secure/frontend/hpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: frontend

deploy/webapp/backend/deployment.yaml

@@ -25,7 +25,7 @@ spec:
       serviceAccountName: webapp
       containers:
       - name: backend
-        image: ghcr.io/stefanprodan/podinfo:5.2.0
+        image: ghcr.io/stefanprodan/podinfo:6.5.2
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

deploy/webapp/backend/hpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: backend

deploy/webapp/frontend/deployment.yaml

@@ -25,7 +25,7 @@ spec:
       serviceAccountName: webapp
       containers:
       - name: frontend
-        image: ghcr.io/stefanprodan/podinfo:5.2.0
+        image: ghcr.io/stefanprodan/podinfo:6.5.2
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

deploy/webapp/frontend/hpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: frontend

go.mod

@@ -1,26 +1,86 @@
 module github.com/stefanprodan/podinfo
 
-go 1.15
+go 1.21
 
 require (
-	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
-	github.com/chzyer/logex v1.1.10 // indirect
-	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e
-	github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1 // indirect
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
-	github.com/fatih/color v1.9.0
-	github.com/fsnotify/fsnotify v1.4.9
-	github.com/gomodule/redigo v1.8.4
+	github.com/chzyer/readline v1.5.1
+	github.com/fatih/color v1.15.0
+	github.com/fsnotify/fsnotify v1.6.0
+	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/gomodule/redigo v1.8.9
 	github.com/gorilla/mux v1.8.0
-	github.com/gorilla/websocket v1.4.2
-	github.com/mattn/go-isatty v0.0.12 // indirect
-	github.com/prometheus/client_golang v1.8.0
-	github.com/spf13/cobra v1.1.3
+	github.com/gorilla/websocket v1.5.0
+	github.com/prometheus/client_golang v1.17.0
+	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.7.1
-	github.com/swaggo/http-swagger v1.0.0
-	github.com/swaggo/swag v1.7.0
-	go.uber.org/zap v1.16.0
-	golang.org/x/net v0.0.0-20201207224615-747e23833adb
-	google.golang.org/grpc v1.36.0
+	github.com/spf13/viper v1.16.0
+	github.com/swaggo/http-swagger v1.3.4
+	github.com/swaggo/swag v1.16.2
+	go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.45.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.45.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0
+	go.opentelemetry.io/contrib/propagators/aws v1.20.0
+	go.opentelemetry.io/contrib/propagators/b3 v1.20.0
+	go.opentelemetry.io/contrib/propagators/jaeger v1.20.0
+	go.opentelemetry.io/contrib/propagators/ot v1.20.0
+	go.opentelemetry.io/otel v1.19.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0
+	go.opentelemetry.io/otel/sdk v1.19.0
+	go.opentelemetry.io/otel/trace v1.19.0
+	go.uber.org/zap v1.26.0
+	golang.org/x/net v0.17.0
+	google.golang.org/grpc v1.58.2
+)
+
+// Fix CVE-2022-32149
+replace golang.org/x/text => golang.org/x/text v0.13.0
+
+// Fix CVE-2022-28948
+replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
+
+require (
+	github.com/KyleBanks/depth v1.2.1 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/felixge/httpsnoop v1.0.3 // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/spec v0.20.6 // indirect
+	github.com/go-openapi/swag v0.19.15 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
+	github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
+	github.com/prometheus/procfs v0.11.1 // indirect
+	github.com/spf13/afero v1.9.5 // indirect
+	github.com/spf13/cast v1.5.1 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/subosito/gotenv v1.4.2 // indirect
+	github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe // indirect
+	go.opentelemetry.io/otel/metric v1.19.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/tools v0.7.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

kustomize/deployment.yaml

@@ -23,7 +23,7 @@ spec:
     spec:
       containers:
       - name: podinfod
-        image: ghcr.io/stefanprodan/podinfo:5.2.0
+        image: ghcr.io/stefanprodan/podinfo:6.5.2
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

kustomize/hpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: podinfo

otel/Makefile

@@ -0,0 +1,20 @@
+DC=docker-compose -f docker-compose.yaml
+
+.PHONY: help
+.DEFAULT_GOAL := help
+
+help:
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+stop: ## Stop all Docker Containers run in Compose
+	$(DC) stop
+
+clean: stop ## Clean all Docker Containers and Volumes
+	$(DC) down --rmi local --remove-orphans -v
+	$(DC) rm -f -v
+
+build: clean ## Rebuild the Docker Image for use by Compose
+	$(DC) build
+
+run: stop ## Run the Application
+	$(DC) up

otel/README.md

@@ -0,0 +1,37 @@
+# Tracing Demo
+
+The directory contains sample [OpenTelemetry Collector](https://github.com/open-telemetry/opentelemetry-collector)
+and [Jaeger](https://www.jaegertracing.io) configurations for a tracing demo.
+
+## Configuration
+
+The provided [docker-compose.yaml](docker-compose.yaml) sets up 4 Containers
+
+1. PodInfo Frontend on port 9898
+2. PodInfo Backend on port 9899
+3. OpenTelemetry Collector listening on port 4317 for GRPC
+4. Jaeger all-in-one listening on multiple ports
+
+## How does it work?
+
+The frontend pods are configured to call onto the backend pods. Both the podinfo
+pods are configured to send traces over to the collector at port 4317 using GRPC.
+The collector forwards all received spans to Jaeger over port 14250 and Jaeger
+exposes a UI over port `16686`.
+
+## Running it locally
+
+1. Start all the Containers
+```shell
+make run
+```
+2. Send some sample requests
+```shell
+curl -v http://localhost:9898/status/200
+curl -X POST -v http://localhost:9898/api/echo
+```
+3. Visit `http://localhost:16686/` to see the spans
+4. Stop all the containers
+```shell
+make stop
+```

otel/docker-compose.yaml

@@ -0,0 +1,35 @@
+version: '2'
+
+services:
+  podinfo_frontend:
+    build: ..
+    command: ./podinfo --backend-url http://podinfo_backend:9899/status/200 --otel-service-name=podinfo_frontend
+    environment:
+      - OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=http://otel:4317
+    ports:
+      - "9898:9898"
+  podinfo_backend:
+    build: ..
+    command: ./podinfo --port 9899 --otel-service-name=podinfo_backend
+    environment:
+      - OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=http://otel:4317
+    ports:
+      - "9899:9899"
+  otel:
+    command: --config otel-config.yaml
+    image: otel/opentelemetry-collector:0.41.0
+    ports:
+      - "4317:4317"
+    volumes:
+      - ${PWD}/otel-config.yaml:/otel-config.yaml
+  jaeger:
+    image: jaegertracing/all-in-one:1.29.0
+    ports:
+      - "5775:5775/udp"
+      - "6831:6831/udp"
+      - "6832:6832/udp"
+      - "5778:5778"
+      - "16686:16686"
+      - "14268:14268"
+      - "14250:14250"
+      - "9411:9411"

otel/otel-config.yaml

@@ -0,0 +1,26 @@
+receivers:
+  otlp:
+    protocols:
+      grpc:
+      http:
+
+processors:
+
+exporters:
+  jaeger:
+    endpoint: jaeger:14250
+    tls:
+      insecure: true
+
+extensions:
+  health_check:
+  pprof:
+  zpages:
+
+service:
+  extensions: [health_check,pprof,zpages]
+  pipelines:
+    traces:
+      receivers: [otlp]
+      processors: []
+      exporters: [jaeger]

pkg/api/cache.go

@@ -1,8 +1,10 @@
 package api
 
 import (
-	"io/ioutil"
+	"fmt"
+	"io"
 	"net/http"
+	"net/url"
 	"time"
 
 	"github.com/gomodule/redigo/redis"
@@ -18,18 +20,22 @@ import (
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param key path string true "Key to save to"
 // @Router /cache/{key} [post]
 // @Success 202
 func (s *Server) cacheWriteHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "cacheWriteHandler")
+	defer span.End()
+
 	if s.pool == nil {
-		s.ErrorResponse(w, r, "cache server is offline", http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, "cache server is offline", http.StatusBadRequest)
 		return
 	}
 
 	key := mux.Vars(r)["key"]
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
-		s.ErrorResponse(w, r, "reading the request body failed", http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, "reading the request body failed", http.StatusBadRequest)
 		return
 	}
 
@@ -38,7 +44,7 @@ func (s *Server) cacheWriteHandler(w http.ResponseWriter, r *http.Request) {
 	_, err = conn.Do("SET", key, string(body))
 	if err != nil {
 		s.logger.Warn("cache set failed", zap.Error(err))
-		s.ErrorResponse(w, r, "cache set failed", http.StatusInternalServerError)
+		s.ErrorResponse(w, r, span, "cache set failed", http.StatusInternalServerError)
 		return
 	}
 
@@ -51,11 +57,15 @@ func (s *Server) cacheWriteHandler(w http.ResponseWriter, r *http.Request) {
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param key path string true "Key to delete"
 // @Router /cache/{key} [delete]
 // @Success 202
 func (s *Server) cacheDeleteHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "cacheDeleteHandler")
+	defer span.End()
+
 	if s.pool == nil {
-		s.ErrorResponse(w, r, "cache server is offline", http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, "cache server is offline", http.StatusBadRequest)
 		return
 	}
 
@@ -79,11 +89,15 @@ func (s *Server) cacheDeleteHandler(w http.ResponseWriter, r *http.Request) {
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param key path string true "Key to load from cache"
 // @Router /cache/{key} [get]
 // @Success 200 {string} string value
 func (s *Server) cacheReadHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "cacheReadHandler")
+	defer span.End()
+
 	if s.pool == nil {
-		s.ErrorResponse(w, r, "cache server is offline", http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, "cache server is offline", http.StatusBadRequest)
 		return
 	}
 
@@ -110,16 +124,31 @@ func (s *Server) cacheReadHandler(w http.ResponseWriter, r *http.Request) {
 	w.Write([]byte(data))
 }
 
-func (s *Server) startCachePool(ticker *time.Ticker, stopCh <-chan struct{}) {
+func (s *Server) getCacheConn() (redis.Conn, error) {
+	redisUrl, err := url.Parse(s.config.CacheServer)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse redis url: %v", err)
+	}
+
+	var opts []redis.DialOption
+	if user := redisUrl.User; user != nil {
+		opts = append(opts, redis.DialUsername(user.Username()))
+		if password, ok := user.Password(); ok {
+			opts = append(opts, redis.DialPassword(password))
+		}
+	}
+
+	return redis.Dial("tcp", redisUrl.Host, opts...)
+}
+
+func (s *Server) startCachePool(ticker *time.Ticker) {
 	if s.config.CacheServer == "" {
 		return
 	}
 	s.pool = &redis.Pool{
 		MaxIdle:     3,
 		IdleTimeout: 240 * time.Second,
-		Dial: func() (redis.Conn, error) {
-			return redis.Dial("tcp", s.config.CacheServer)
-		},
+		Dial:        s.getCacheConn,
 		TestOnBorrow: func(c redis.Conn, t time.Time) error {
 			_, err := c.Do("PING")
 			return err
@@ -140,8 +169,6 @@ func (s *Server) startCachePool(ticker *time.Ticker, stopCh <-chan struct{}) {
 		setVersion()
 		for {
 			select {
-			case <-stopCh:
-				return
 			case <-ticker.C:
 				setVersion()
 			}

pkg/api/chunked.go

@@ -15,9 +15,13 @@ import (
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param seconds path int true "seconds to wait for"
 // @Router /chunked/{seconds} [get]
 // @Success 200 {object} api.MapResponse
 func (s *Server) chunkedHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "chunkedHandler")
+	defer span.End()
+
 	vars := mux.Vars(r)
 
 	delay, err := strconv.Atoi(vars["wait"])
@@ -27,7 +31,7 @@ func (s *Server) chunkedHandler(w http.ResponseWriter, r *http.Request) {
 
 	flusher, ok := w.(http.Flusher)
 	if !ok {
-		s.ErrorResponse(w, r, "Streaming unsupported!", http.StatusInternalServerError)
+		s.ErrorResponse(w, r, span, "Streaming unsupported!", http.StatusInternalServerError)
 		return
 	}
 

pkg/api/configs.go

@@ -3,6 +3,9 @@ package api
 import "net/http"
 
 func (s *Server) configReadHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "configReadHandler")
+	defer span.End()
+
 	files := make(map[string]string)
 	if watcher != nil {
 		watcher.Cache.Range(func(key interface{}, value interface{}) bool {

pkg/api/delay.go

@@ -49,14 +49,18 @@ func (m *RandomDelayMiddleware) Handler(next http.Handler) http.Handler {
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param seconds path int true "seconds to wait for"
 // @Router /delay/{seconds} [get]
 // @Success 200 {object} api.MapResponse
 func (s *Server) delayHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "delayHandler")
+	defer span.End()
+
 	vars := mux.Vars(r)
 
 	delay, err := strconv.Atoi(vars["wait"])
 	if err != nil {
-		s.ErrorResponse(w, r, err.Error(), http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, err.Error(), http.StatusBadRequest)
 		return
 	}
 

pkg/api/docs/docs.go

@@ -1,22 +1,13 @@
-// GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
-// This file was generated by swaggo/swag
-
+// Package docs Code generated by swaggo/swag. DO NOT EDIT
 package docs
 
-import (
-	"bytes"
-	"encoding/json"
-	"strings"
+import "github.com/swaggo/swag"
 
-	"github.com/alecthomas/template"
-	"github.com/swaggo/swag"
-)
-
-var doc = `{
+const docTemplate = `{
     "schemes": {{ marshal .Schemes }},
     "swagger": "2.0",
     "info": {
-        "description": "{{.Description}}",
+        "description": "{{escape .Description}}",
         "title": "{{.Title}}",
         "contact": {
             "name": "Source Code",
@@ -110,6 +101,15 @@ var doc = `{
                     "HTTP API"
                 ],
                 "summary": "Get payload from cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to load from cache",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                 "responses": {
                     "200": {
                         "description": "OK",
@@ -131,9 +131,18 @@ var doc = `{
                     "HTTP API"
                 ],
                 "summary": "Save payload in cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to save to",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                 "responses": {
                     "202": {
-                        "description": ""
+                        "description": "Accepted"
                     }
                 }
             },
@@ -149,9 +158,18 @@ var doc = `{
                     "HTTP API"
                 ],
                 "summary": "Delete payload from cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to delete",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                 "responses": {
                     "202": {
-                        "description": ""
+                        "description": "Accepted"
                     }
                 }
             }
@@ -169,6 +187,15 @@ var doc = `{
                     "HTTP API"
                 ],
                 "summary": "Chunked transfer encoding",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "seconds to wait for",
+                        "name": "seconds",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                 "responses": {
                     "200": {
                         "description": "OK",
@@ -192,6 +219,15 @@ var doc = `{
                     "HTTP API"
                 ],
                 "summary": "Delay",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "seconds to wait for",
+                        "name": "seconds",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                 "responses": {
                     "200": {
                         "description": "OK",
@@ -303,7 +339,8 @@ var doc = `{
                 "tags": [
                     "HTTP API"
                 ],
-                "summary": "Panic"
+                "summary": "Panic",
+                "responses": {}
             }
         },
         "/readyz": {
@@ -388,6 +425,15 @@ var doc = `{
                     "HTTP API"
                 ],
                 "summary": "Status code",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "status code to return",
+                        "name": "code",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                 "responses": {
                     "200": {
                         "description": "OK",
@@ -434,6 +480,15 @@ var doc = `{
                     "HTTP API"
                 ],
                 "summary": "Download file",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "hash value",
+                        "name": "hash",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                 "responses": {
                     "200": {
                         "description": "file",
@@ -610,49 +665,20 @@ var doc = `{
     }
 }`
 
-type swaggerInfo struct {
-	Version     string
-	Host        string
-	BasePath    string
-	Schemes     []string
-	Title       string
-	Description string
-}
-
 // SwaggerInfo holds exported Swagger Info so clients can modify it
-var SwaggerInfo = swaggerInfo{
-	Version:     "2.0",
-	Host:        "localhost:9898",
-	BasePath:    "/",
-	Schemes:     []string{"http", "https"},
-	Title:       "Podinfo API",
-	Description: "Go microservice template for Kubernetes.",
-}
-
-type s struct{}
-
-func (s *s) ReadDoc() string {
-	sInfo := SwaggerInfo
-	sInfo.Description = strings.Replace(sInfo.Description, "\n", "\\n", -1)
-
-	t, err := template.New("swagger_info").Funcs(template.FuncMap{
-		"marshal": func(v interface{}) string {
-			a, _ := json.Marshal(v)
-			return string(a)
-		},
-	}).Parse(doc)
-	if err != nil {
-		return doc
-	}
-
-	var tpl bytes.Buffer
-	if err := t.Execute(&tpl, sInfo); err != nil {
-		return doc
-	}
-
-	return tpl.String()
+var SwaggerInfo = &swag.Spec{
+	Version:          "2.0",
+	Host:             "localhost:9898",
+	BasePath:         "/",
+	Schemes:          []string{"http", "https"},
+	Title:            "Podinfo API",
+	Description:      "Go microservice template for Kubernetes.",
+	InfoInstanceName: "swagger",
+	SwaggerTemplate:  docTemplate,
+	LeftDelim:        "{{",
+	RightDelim:       "}}",
 }
 
 func init() {
-	swag.Register(swag.Name, &s{})
+	swag.Register(SwaggerInfo.InstanceName(), SwaggerInfo)
 }

pkg/api/docs/swagger.json

@@ -99,6 +99,15 @@
                     "HTTP API"
                 ],
                 "summary": "Get payload from cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to load from cache",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                 "responses": {
                     "200": {
                         "description": "OK",
@@ -120,9 +129,18 @@
                     "HTTP API"
                 ],
                 "summary": "Save payload in cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to save to",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                 "responses": {
                     "202": {
-                        "description": ""
+                        "description": "Accepted"
                     }
                 }
             },
@@ -138,9 +156,18 @@
                     "HTTP API"
                 ],
                 "summary": "Delete payload from cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to delete",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                 "responses": {
                     "202": {
-                        "description": ""
+                        "description": "Accepted"
                     }
                 }
             }
@@ -158,6 +185,15 @@
                     "HTTP API"
                 ],
                 "summary": "Chunked transfer encoding",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "seconds to wait for",
+                        "name": "seconds",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                 "responses": {
                     "200": {
                         "description": "OK",
@@ -181,6 +217,15 @@
                     "HTTP API"
                 ],
                 "summary": "Delay",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "seconds to wait for",
+                        "name": "seconds",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                 "responses": {
                     "200": {
                         "description": "OK",
@@ -292,7 +337,8 @@
                 "tags": [
                     "HTTP API"
                 ],
-                "summary": "Panic"
+                "summary": "Panic",
+                "responses": {}
             }
         },
         "/readyz": {
@@ -377,6 +423,15 @@
                     "HTTP API"
                 ],
                 "summary": "Status code",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "status code to return",
+                        "name": "code",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                 "responses": {
                     "200": {
                         "description": "OK",
@@ -423,6 +478,15 @@
                     "HTTP API"
                 ],
                 "summary": "Download file",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "hash value",
+                        "name": "hash",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                 "responses": {
                     "200": {
                         "description": "file",

pkg/api/docs/swagger.yaml

@@ -103,11 +103,17 @@ paths:
       consumes:
       - application/json
       description: deletes the key and its value from cache
+      parameters:
+      - description: Key to delete
+        in: path
+        name: key
+        required: true
+        type: string
       produces:
       - application/json
       responses:
         "202":
-          description: ""
+          description: Accepted
       summary: Delete payload from cache
       tags:
       - HTTP API
@@ -115,6 +121,12 @@ paths:
       consumes:
       - application/json
       description: returns the content from cache if key exists
+      parameters:
+      - description: Key to load from cache
+        in: path
+        name: key
+        required: true
+        type: string
       produces:
       - application/json
       responses:
@@ -129,11 +141,17 @@ paths:
       consumes:
       - application/json
       description: writes the posted content in cache
+      parameters:
+      - description: Key to save to
+        in: path
+        name: key
+        required: true
+        type: string
       produces:
       - application/json
       responses:
         "202":
-          description: ""
+          description: Accepted
       summary: Save payload in cache
       tags:
       - HTTP API
@@ -143,6 +161,12 @@ paths:
       - application/json
       description: uses transfer-encoding type chunked to give a partial response
         and then waits for the specified period
+      parameters:
+      - description: seconds to wait for
+        in: path
+        name: seconds
+        required: true
+        type: integer
       produces:
       - application/json
       responses:
@@ -158,6 +182,12 @@ paths:
       consumes:
       - application/json
       description: waits for the specified period
+      parameters:
+      - description: seconds to wait for
+        in: path
+        name: seconds
+        required: true
+        type: integer
       produces:
       - application/json
       responses:
@@ -233,6 +263,7 @@ paths:
   /panic:
     get:
       description: crashes the process with exit code 255
+      responses: {}
       summary: Panic
       tags:
       - HTTP API
@@ -287,6 +318,12 @@ paths:
       consumes:
       - application/json
       description: sets the response status code to the specified code
+      parameters:
+      - description: status code to return
+        in: path
+        name: code
+        required: true
+        type: integer
       produces:
       - application/json
       responses:
@@ -318,6 +355,12 @@ paths:
       consumes:
       - application/json
       description: returns the content of the file /data/hash if exists
+      parameters:
+      - description: hash value
+        in: path
+        name: hash
+        required: true
+        type: string
       produces:
       - text/plain
       responses:

pkg/api/echo.go

@@ -4,11 +4,14 @@ import (
 	"bytes"
 	"context"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
+	"net/http/httptrace"
 	"sync"
 
 	"github.com/stefanprodan/podinfo/pkg/version"
+	"go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace"
+	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 	"go.uber.org/zap"
 )
 
@@ -21,13 +24,19 @@ import (
 // @Router /api/echo [post]
 // @Success 202 {object} api.MapResponse
 func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
-	body, err := ioutil.ReadAll(r.Body)
+	ctx, span := s.tracer.Start(r.Context(), "echoHandler")
+	defer span.End()
+
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		s.logger.Error("reading the request body failed", zap.Error(err))
-		s.ErrorResponse(w, r, "invalid request body", http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, "invalid request body", http.StatusBadRequest)
 		return
 	}
 	defer r.Body.Close()
+
+	client := http.Client{Transport: otelhttp.NewTransport(http.DefaultTransport)}
+
 	if len(s.config.BackendURL) > 0 {
 		result := make([]string, len(s.config.BackendURL))
 		var wg sync.WaitGroup
@@ -35,7 +44,12 @@ func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
 		for i, b := range s.config.BackendURL {
 			go func(index int, backend string) {
 				defer wg.Done()
-				backendReq, err := http.NewRequest("POST", backend, bytes.NewReader(body))
+
+				ctx = httptrace.WithClientTrace(ctx, otelhttptrace.NewClientTrace(ctx))
+				ctx, cancel := context.WithTimeout(ctx, s.config.HttpClientTimeout)
+				defer cancel()
+
+				backendReq, err := http.NewRequestWithContext(ctx, "POST", backend, bytes.NewReader(body))
 				if err != nil {
 					s.logger.Error("backend call failed", zap.Error(err), zap.String("url", backend))
 					return
@@ -47,11 +61,8 @@ func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
 				backendReq.Header.Set("X-API-Version", version.VERSION)
 				backendReq.Header.Set("X-API-Revision", version.REVISION)
 
-				ctx, cancel := context.WithTimeout(backendReq.Context(), s.config.HttpClientTimeout)
-				defer cancel()
-
 				// call backend
-				resp, err := http.DefaultClient.Do(backendReq.WithContext(ctx))
+				resp, err := client.Do(backendReq)
 				if err != nil {
 					s.logger.Error("backend call failed", zap.Error(err), zap.String("url", backend))
 					result[index] = fmt.Sprintf("backend %v call failed %v", backend, err)
@@ -67,7 +78,7 @@ func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
 				}
 
 				// forward the received body
-				rbody, err := ioutil.ReadAll(resp.Body)
+				rbody, err := io.ReadAll(resp.Body)
 				if err != nil {
 					s.logger.Error(
 						"reading the backend request body failed",
@@ -96,3 +107,22 @@ func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
 		w.Write(body)
 	}
 }
+
+func copyTracingHeaders(from *http.Request, to *http.Request) {
+	headers := []string{
+		"x-request-id",
+		"x-b3-traceid",
+		"x-b3-spanid",
+		"x-b3-parentspanid",
+		"x-b3-sampled",
+		"x-b3-flags",
+		"x-ot-span-context",
+	}
+
+	for i := range headers {
+		headerValue := from.Header.Get(headers[i])
+		if len(headerValue) > 0 {
+			to.Header.Set(headers[i], headerValue)
+		}
+	}
+}

pkg/api/echo_test.go

@@ -8,27 +8,41 @@ import (
 )
 
 func TestEchoHandler(t *testing.T) {
-	expected := `{"test": true}`
-	req, err := http.NewRequest("POST", "/api/echo", strings.NewReader(expected))
-	if err != nil {
-		t.Fatal(err)
+	cases := []struct {
+		url      string
+		method   string
+		expected string
+	}{
+		{url: "/api/echo", method: "POST", expected: `{"test": true}`},
+		{url: "/api/echo", method: "PUT", expected: `{"test": true}`},
+		{url: "/echo", method: "PUT", expected: `{"test": true}`},
+		{url: "/echo/", method: "POST", expected: `{"test": true}`},
+		{url: "/echo/test", method: "POST", expected: `{"test": true}`},
+		{url: "/echo/test/", method: "POST", expected: `{"test": true}`},
+		{url: "/echo/test/test123-test", method: "POST", expected: `{"test": true}`},
 	}
 
-	rr := httptest.NewRecorder()
 	srv := NewMockServer()
 	handler := http.HandlerFunc(srv.echoHandler)
 
-	handler.ServeHTTP(rr, req)
+	for _, c := range cases {
+		req, err := http.NewRequest(c.method, c.url, strings.NewReader(c.expected))
+		if err != nil {
+			t.Fatal(err)
+		}
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, req)
 
-	// Check the status code is what we expect.
-	if status := rr.Code; status != http.StatusAccepted {
-		t.Errorf("handler returned wrong status code: got %v want %v",
-			status, http.StatusAccepted)
-	}
+		// Check the status code is what we expect.
+		if status := rr.Code; status != http.StatusAccepted {
+			t.Errorf("handler returned wrong status code: got %v want %v",
+				status, http.StatusAccepted)
+		}
 
-	// Check the response body is what we expect.
-	if rr.Body.String() != expected {
-		t.Fatalf("handler returned unexpected body:\ngot \n%v \nwant \n%s",
-			rr.Body.String(), expected)
+		// Check the response body is what we expect.
+		if rr.Body.String() != c.expected {
+			t.Fatalf("handler returned unexpected body:\ngot \n%v \nwant \n%s",
+				rr.Body.String(), c.expected)
+		}
 	}
 }

pkg/api/env.go

@@ -15,5 +15,7 @@ import (
 // @Router /env [get]
 // @Success 200 {object} api.ArrayResponse
 func (s *Server) envHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "envHandler")
+	defer span.End()
 	s.JSONResponse(w, r, os.Environ())
 }

pkg/api/headers.go

@@ -13,5 +13,7 @@ import (
 // @Router /headers [get]
 // @Success 200 {object} api.ArrayResponse
 func (s *Server) echoHeadersHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "echoHeadersHandler")
+	defer span.End()
 	s.JSONResponse(w, r, r.Header)
 }

pkg/api/http.go

@@ -8,6 +8,8 @@ import (
 	"time"
 
 	"github.com/stefanprodan/podinfo/pkg/version"
+	"go.opentelemetry.io/otel/codes"
+	"go.opentelemetry.io/otel/trace"
 	"go.uber.org/zap"
 )
 
@@ -33,27 +35,6 @@ func versionMiddleware(next http.Handler) http.Handler {
 	})
 }
 
-// TODO: use Istio tracing package
-// https://github.com/istio/istio/blob/master/pkg/tracing/config.go
-func copyTracingHeaders(from *http.Request, to *http.Request) {
-	headers := []string{
-		"x-request-id",
-		"x-b3-traceid",
-		"x-b3-spanid",
-		"x-b3-parentspanid",
-		"x-b3-sampled",
-		"x-b3-flags",
-		"x-ot-span-context",
-	}
-
-	for i := range headers {
-		headerValue := from.Header.Get(headers[i])
-		if len(headerValue) > 0 {
-			to.Header.Set(headers[i], headerValue)
-		}
-	}
-}
-
 func (s *Server) JSONResponse(w http.ResponseWriter, r *http.Request, result interface{}) {
 	body, err := json.Marshal(result)
 	if err != nil {
@@ -82,7 +63,7 @@ func (s *Server) JSONResponseCode(w http.ResponseWriter, r *http.Request, result
 	w.Write(prettyJSON(body))
 }
 
-func (s *Server) ErrorResponse(w http.ResponseWriter, r *http.Request, error string, code int) {
+func (s *Server) ErrorResponse(w http.ResponseWriter, r *http.Request, span trace.Span, error string, code int) {
 	data := struct {
 		Code    int    `json:"code"`
 		Message string `json:"message"`
@@ -91,6 +72,8 @@ func (s *Server) ErrorResponse(w http.ResponseWriter, r *http.Request, error str
 		Message: error,
 	}
 
+	span.SetStatus(codes.Error, error)
+
 	body, err := json.Marshal(data)
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)

pkg/api/index.go

@@ -14,6 +14,9 @@ import (
 // @Router / [get]
 // @Success 200 {string} string "OK"
 func (s *Server) indexHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "indexHandler")
+	defer span.End()
+
 	tmpl, err := template.New("vue.html").ParseFiles(path.Join(s.config.UIPath, "vue.html"))
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)

pkg/api/info.go

@@ -18,6 +18,9 @@ import (
 // @Success 200 {object} api.RuntimeResponse
 // @Router /api/info [get]
 func (s *Server) infoHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "infoHandler")
+	defer span.End()
+
 	data := RuntimeResponse{
 		Hostname:     s.config.Hostname,
 		Version:      version.VERSION,

pkg/api/mock.go

@@ -3,23 +3,25 @@ package api
 import (
 	"time"
 
+	"go.opentelemetry.io/otel/trace"
+
 	"github.com/gorilla/mux"
 	"go.uber.org/zap"
 )
 
 func NewMockServer() *Server {
 	config := &Config{
-		Port:                      "9898",
-		HttpServerShutdownTimeout: 5 * time.Second,
-		HttpServerTimeout:         30 * time.Second,
-		BackendURL:                []string{},
-		ConfigPath:                "/config",
-		DataPath:                  "/data",
-		HttpClientTimeout:         30 * time.Second,
-		UIColor:                   "blue",
-		UIPath:                    ".ui",
-		UIMessage:                 "Greetings",
-		Hostname:                  "localhost",
+		Port:                  "9898",
+		ServerShutdownTimeout: 5 * time.Second,
+		HttpServerTimeout:     30 * time.Second,
+		BackendURL:            []string{},
+		ConfigPath:            "/config",
+		DataPath:              "/data",
+		HttpClientTimeout:     30 * time.Second,
+		UIColor:               "blue",
+		UIPath:                ".ui",
+		UIMessage:             "Greetings",
+		Hostname:              "localhost",
 	}
 
 	logger, _ := zap.NewDevelopment()
@@ -28,5 +30,6 @@ func NewMockServer() *Server {
 		router: mux.NewRouter(),
 		logger: logger,
 		config: config,
+		tracer: trace.NewNoopTracerProvider().Tracer("mock"),
 	}
 }

pkg/api/panic.go

@@ -2,6 +2,7 @@ package api
 
 import (
 	"net/http"
+	"os"
 )
 
 // Panic godoc
@@ -10,5 +11,6 @@ import (
 // @Tags HTTP API
 // @Router /panic [get]
 func (s *Server) panicHandler(w http.ResponseWriter, r *http.Request) {
-	s.logger.Panic("Panic command received")
+	s.logger.Info("Panic command received")
+	os.Exit(255)
 }

pkg/api/server.go

@@ -14,11 +14,12 @@ import (
 	"github.com/gomodule/redigo/redis"
 	"github.com/gorilla/mux"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"github.com/spf13/viper"
 	_ "github.com/stefanprodan/podinfo/pkg/api/docs"
 	"github.com/stefanprodan/podinfo/pkg/fscache"
 	httpSwagger "github.com/swaggo/http-swagger"
 	"github.com/swaggo/swag"
+	sdktrace "go.opentelemetry.io/otel/sdk/trace"
+	"go.opentelemetry.io/otel/trace"
 	"go.uber.org/zap"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
@@ -45,39 +46,42 @@ var (
 )
 
 type Config struct {
-	HttpClientTimeout         time.Duration `mapstructure:"http-client-timeout"`
-	HttpServerTimeout         time.Duration `mapstructure:"http-server-timeout"`
-	HttpServerShutdownTimeout time.Duration `mapstructure:"http-server-shutdown-timeout"`
-	BackendURL                []string      `mapstructure:"backend-url"`
-	UILogo                    string        `mapstructure:"ui-logo"`
-	UIMessage                 string        `mapstructure:"ui-message"`
-	UIColor                   string        `mapstructure:"ui-color"`
-	UIPath                    string        `mapstructure:"ui-path"`
-	DataPath                  string        `mapstructure:"data-path"`
-	ConfigPath                string        `mapstructure:"config-path"`
-	CertPath                  string        `mapstructure:"cert-path"`
-	Port                      string        `mapstructure:"port"`
-	SecurePort                string        `mapstructure:"secure-port"`
-	PortMetrics               int           `mapstructure:"port-metrics"`
-	Hostname                  string        `mapstructure:"hostname"`
-	H2C                       bool          `mapstructure:"h2c"`
-	RandomDelay               bool          `mapstructure:"random-delay"`
-	RandomDelayUnit           string        `mapstructure:"random-delay-unit"`
-	RandomDelayMin            int           `mapstructure:"random-delay-min"`
-	RandomDelayMax            int           `mapstructure:"random-delay-max"`
-	RandomError               bool          `mapstructure:"random-error"`
-	Unhealthy                 bool          `mapstructure:"unhealthy"`
-	Unready                   bool          `mapstructure:"unready"`
-	JWTSecret                 string        `mapstructure:"jwt-secret"`
-	CacheServer               string        `mapstructure:"cache-server"`
+	HttpClientTimeout     time.Duration `mapstructure:"http-client-timeout"`
+	HttpServerTimeout     time.Duration `mapstructure:"http-server-timeout"`
+	ServerShutdownTimeout time.Duration `mapstructure:"server-shutdown-timeout"`
+	BackendURL            []string      `mapstructure:"backend-url"`
+	UILogo                string        `mapstructure:"ui-logo"`
+	UIMessage             string        `mapstructure:"ui-message"`
+	UIColor               string        `mapstructure:"ui-color"`
+	UIPath                string        `mapstructure:"ui-path"`
+	DataPath              string        `mapstructure:"data-path"`
+	ConfigPath            string        `mapstructure:"config-path"`
+	CertPath              string        `mapstructure:"cert-path"`
+	Host                  string        `mapstructure:"host"`
+	Port                  string        `mapstructure:"port"`
+	SecurePort            string        `mapstructure:"secure-port"`
+	PortMetrics           int           `mapstructure:"port-metrics"`
+	Hostname              string        `mapstructure:"hostname"`
+	H2C                   bool          `mapstructure:"h2c"`
+	RandomDelay           bool          `mapstructure:"random-delay"`
+	RandomDelayUnit       string        `mapstructure:"random-delay-unit"`
+	RandomDelayMin        int           `mapstructure:"random-delay-min"`
+	RandomDelayMax        int           `mapstructure:"random-delay-max"`
+	RandomError           bool          `mapstructure:"random-error"`
+	Unhealthy             bool          `mapstructure:"unhealthy"`
+	Unready               bool          `mapstructure:"unready"`
+	JWTSecret             string        `mapstructure:"jwt-secret"`
+	CacheServer           string        `mapstructure:"cache-server"`
 }
 
 type Server struct {
-	router  *mux.Router
-	logger  *zap.Logger
-	config  *Config
-	pool    *redis.Pool
-	handler http.Handler
+	router         *mux.Router
+	logger         *zap.Logger
+	config         *Config
+	pool           *redis.Pool
+	handler        http.Handler
+	tracer         trace.Tracer
+	tracerProvider *sdktrace.TracerProvider
 }
 
 func NewServer(config *Config, logger *zap.Logger) (*Server, error) {
@@ -96,7 +100,8 @@ func (s *Server) registerHandlers() {
 	s.router.HandleFunc("/", s.indexHandler).HeadersRegexp("User-Agent", "^Mozilla.*").Methods("GET")
 	s.router.HandleFunc("/", s.infoHandler).Methods("GET")
 	s.router.HandleFunc("/version", s.versionHandler).Methods("GET")
-	s.router.HandleFunc("/echo", s.echoHandler).Methods("POST")
+	s.router.HandleFunc("/echo", s.echoHandler)
+	s.router.PathPrefix("/echo/").HandlerFunc(s.echoHandler)
 	s.router.HandleFunc("/env", s.envHandler).Methods("GET", "POST")
 	s.router.HandleFunc("/headers", s.echoHeadersHandler).Methods("GET", "POST")
 	s.router.HandleFunc("/delay/{wait:[0-9]+}", s.delayHandler).Methods("GET").Name("delay")
@@ -115,16 +120,14 @@ func (s *Server) registerHandlers() {
 	s.router.HandleFunc("/token", s.tokenGenerateHandler).Methods("POST")
 	s.router.HandleFunc("/token/validate", s.tokenValidateHandler).Methods("GET")
 	s.router.HandleFunc("/api/info", s.infoHandler).Methods("GET")
-	s.router.HandleFunc("/api/echo", s.echoHandler).Methods("POST")
+	s.router.HandleFunc("/api/echo", s.echoHandler)
+	s.router.PathPrefix("/api/echo/").HandlerFunc(s.echoHandler)
 	s.router.HandleFunc("/ws/echo", s.echoWsHandler)
 	s.router.HandleFunc("/chunked", s.chunkedHandler)
 	s.router.HandleFunc("/chunked/{wait:[0-9]+}", s.chunkedHandler)
 	s.router.PathPrefix("/swagger/").Handler(httpSwagger.Handler(
 		httpSwagger.URL("/swagger/doc.json"),
 	))
-	s.router.PathPrefix("/swagger/").Handler(httpSwagger.Handler(
-		httpSwagger.URL("/swagger/doc.json"),
-	))
 	s.router.HandleFunc("/swagger.json", func(w http.ResponseWriter, r *http.Request) {
 		doc, err := swag.ReadDoc()
 		if err != nil {
@@ -137,6 +140,8 @@ func (s *Server) registerHandlers() {
 func (s *Server) registerMiddlewares() {
 	prom := NewPrometheusMiddleware()
 	s.router.Use(prom.Handler)
+	otel := NewOpenTelemetryMiddleware()
+	s.router.Use(otel)
 	httpLogger := NewLoggingMiddleware(s.logger)
 	s.router.Use(httpLogger.Handler)
 	s.router.Use(versionMiddleware)
@@ -149,9 +154,12 @@ func (s *Server) registerMiddlewares() {
 	}
 }
 
-func (s *Server) ListenAndServe(stopCh <-chan struct{}) {
+func (s *Server) ListenAndServe() (*http.Server, *http.Server, *int32, *int32) {
+	ctx := context.Background()
+
 	go s.startMetricsServer()
 
+	s.initTracer(ctx)
 	s.registerHandlers()
 	s.registerMiddlewares()
 
@@ -176,7 +184,7 @@ func (s *Server) ListenAndServe(stopCh <-chan struct{}) {
 
 	// start redis connection pool
 	ticker := time.NewTicker(30 * time.Second)
-	s.startCachePool(ticker, stopCh)
+	s.startCachePool(ticker)
 
 	// create the http server
 	srv := s.startServer()
@@ -192,41 +200,7 @@ func (s *Server) ListenAndServe(stopCh <-chan struct{}) {
 		atomic.StoreInt32(&ready, 1)
 	}
 
-	// wait for SIGTERM or SIGINT
-	<-stopCh
-	ctx, cancel := context.WithTimeout(context.Background(), s.config.HttpServerShutdownTimeout)
-	defer cancel()
-
-	// all calls to /healthz and /readyz will fail from now on
-	atomic.StoreInt32(&healthy, 0)
-	atomic.StoreInt32(&ready, 0)
-
-	// close cache pool
-	if s.pool != nil {
-		_ = s.pool.Close()
-	}
-
-	s.logger.Info("Shutting down HTTP/HTTPS server", zap.Duration("timeout", s.config.HttpServerShutdownTimeout))
-
-	// wait for Kubernetes readiness probe to remove this instance from the load balancer
-	// the readiness check interval must be lower than the timeout
-	if viper.GetString("level") != "debug" {
-		time.Sleep(3 * time.Second)
-	}
-
-	// determine if the http server was started
-	if srv != nil {
-		if err := srv.Shutdown(ctx); err != nil {
-			s.logger.Warn("HTTP server graceful shutdown failed", zap.Error(err))
-		}
-	}
-
-	// determine if the secure server was started
-	if secureSrv != nil {
-		if err := secureSrv.Shutdown(ctx); err != nil {
-			s.logger.Warn("HTTPS server graceful shutdown failed", zap.Error(err))
-		}
-	}
+	return srv, secureSrv, &healthy, &ready
 }
 
 func (s *Server) startServer() *http.Server {
@@ -239,7 +213,7 @@ func (s *Server) startServer() *http.Server {
 	}
 
 	srv := &http.Server{
-		Addr:         ":" + s.config.Port,
+		Addr:         s.config.Host + ":" + s.config.Port,
 		WriteTimeout: s.config.HttpServerTimeout,
 		ReadTimeout:  s.config.HttpServerTimeout,
 		IdleTimeout:  2 * s.config.HttpServerTimeout,
@@ -248,6 +222,7 @@ func (s *Server) startServer() *http.Server {
 
 	// start the server in the background
 	go func() {
+		s.logger.Info("Starting HTTP Server.", zap.String("addr", srv.Addr))
 		if err := srv.ListenAndServe(); err != http.ErrServerClosed {
 			s.logger.Fatal("HTTP server crashed", zap.Error(err))
 		}
@@ -267,7 +242,7 @@ func (s *Server) startSecureServer() *http.Server {
 	}
 
 	srv := &http.Server{
-		Addr:         ":" + s.config.SecurePort,
+		Addr:         s.config.Host + ":" + s.config.SecurePort,
 		WriteTimeout: s.config.HttpServerTimeout,
 		ReadTimeout:  s.config.HttpServerTimeout,
 		IdleTimeout:  2 * s.config.HttpServerTimeout,
@@ -279,6 +254,7 @@ func (s *Server) startSecureServer() *http.Server {
 
 	// start the server in the background
 	go func() {
+		s.logger.Info("Starting HTTPS Server.", zap.String("addr", srv.Addr))
 		if err := srv.ListenAndServeTLS(cert, key); err != http.ErrServerClosed {
 			s.logger.Fatal("HTTPS server crashed", zap.Error(err))
 		}

pkg/api/status.go

@@ -14,14 +14,18 @@ import (
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param code path int true "status code to return"
 // @Router /status/{code} [get]
 // @Success 200 {object} api.MapResponse
 func (s *Server) statusHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "statusHandler")
+	defer span.End()
+
 	vars := mux.Vars(r)
 
 	code, err := strconv.Atoi(vars["code"])
 	if err != nil {
-		s.ErrorResponse(w, r, err.Error(), http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, err.Error(), http.StatusBadRequest)
 		return
 	}
 

pkg/api/store.go

@@ -3,8 +3,9 @@ package api
 import (
 	"crypto/sha1"
 	"encoding/hex"
-	"io/ioutil"
+	"io"
 	"net/http"
+	"os"
 	"path"
 
 	"github.com/gorilla/mux"
@@ -20,18 +21,20 @@ import (
 // @Router /store [post]
 // @Success 200 {object} api.MapResponse
 func (s *Server) storeWriteHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "storeWriteHandler")
+	defer span.End()
 
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
-		s.ErrorResponse(w, r, "reading the request body failed", http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, "reading the request body failed", http.StatusBadRequest)
 		return
 	}
 
 	hash := hash(string(body))
-	err = ioutil.WriteFile(path.Join(s.config.DataPath, hash), body, 0644)
+	err = os.WriteFile(path.Join(s.config.DataPath, hash), body, 0644)
 	if err != nil {
 		s.logger.Warn("writing file failed", zap.Error(err), zap.String("file", path.Join(s.config.DataPath, hash)))
-		s.ErrorResponse(w, r, "writing file failed", http.StatusInternalServerError)
+		s.ErrorResponse(w, r, span, "writing file failed", http.StatusInternalServerError)
 		return
 	}
 	s.JSONResponseCode(w, r, map[string]string{"hash": hash}, http.StatusAccepted)
@@ -43,14 +46,18 @@ func (s *Server) storeWriteHandler(w http.ResponseWriter, r *http.Request) {
 // @Tags HTTP API
 // @Accept json
 // @Produce plain
+// @Param hash path string true "hash value"
 // @Router /store/{hash} [get]
 // @Success 200 {string} string "file"
 func (s *Server) storeReadHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "storeReadHandler")
+	defer span.End()
+
 	hash := mux.Vars(r)["hash"]
-	content, err := ioutil.ReadFile(path.Join(s.config.DataPath, hash))
+	content, err := os.ReadFile(path.Join(s.config.DataPath, hash))
 	if err != nil {
 		s.logger.Warn("reading file failed", zap.Error(err), zap.String("file", path.Join(s.config.DataPath, hash)))
-		s.ErrorResponse(w, r, "reading file failed", http.StatusInternalServerError)
+		s.ErrorResponse(w, r, span, "reading file failed", http.StatusInternalServerError)
 		return
 	}
 	w.WriteHeader(http.StatusAccepted)

pkg/api/token.go

@@ -2,13 +2,12 @@ package api
 
 import (
 	"fmt"
+	"io"
 	"net/http"
 	"strings"
 	"time"
 
-	"io/ioutil"
-
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt/v4"
 	"go.uber.org/zap"
 )
 
@@ -26,10 +25,13 @@ type jwtCustomClaims struct {
 // @Router /token [post]
 // @Success 200 {object} api.TokenResponse
 func (s *Server) tokenGenerateHandler(w http.ResponseWriter, r *http.Request) {
-	body, err := ioutil.ReadAll(r.Body)
+	_, span := s.tracer.Start(r.Context(), "tokenGenerateHandler")
+	defer span.End()
+
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		s.logger.Error("reading the request body failed", zap.Error(err))
-		s.ErrorResponse(w, r, "invalid request body", http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, "invalid request body", http.StatusBadRequest)
 		return
 	}
 	defer r.Body.Close()
@@ -39,18 +41,19 @@ func (s *Server) tokenGenerateHandler(w http.ResponseWriter, r *http.Request) {
 		user = string(body)
 	}
 
+	expiresAt := time.Now().Add(time.Minute * 1)
 	claims := &jwtCustomClaims{
 		user,
 		jwt.StandardClaims{
 			Issuer:    "podinfo",
-			ExpiresAt: time.Now().Add(time.Minute * 1).Unix(),
+			ExpiresAt: expiresAt.Unix(),
 		},
 	}
 
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	t, err := token.SignedString([]byte(s.config.JWTSecret))
 	if err != nil {
-		s.ErrorResponse(w, r, err.Error(), http.StatusBadRequest)
+		s.ErrorResponse(w, r, span, err.Error(), http.StatusBadRequest)
 		return
 	}
 
@@ -74,14 +77,17 @@ func (s *Server) tokenGenerateHandler(w http.ResponseWriter, r *http.Request) {
 // Get: JWT=$(curl -s -d 'test' localhost:9898/token | jq -r .token)
 // Post: curl -H "Authorization: Bearer ${JWT}" localhost:9898/token/validate
 func (s *Server) tokenValidateHandler(w http.ResponseWriter, r *http.Request) {
+	_, span := s.tracer.Start(r.Context(), "tokenValidateHandler")
+	defer span.End()
+
 	authorizationHeader := r.Header.Get("authorization")
 	if authorizationHeader == "" {
-		s.ErrorResponse(w, r, "authorization bearer header required", http.StatusUnauthorized)
+		s.ErrorResponse(w, r, span, "authorization bearer header required", http.StatusUnauthorized)
 		return
 	}
 	bearerToken := strings.Split(authorizationHeader, " ")
 	if len(bearerToken) != 2 || strings.ToLower(bearerToken[0]) != "bearer" {
-		s.ErrorResponse(w, r, "authorization bearer header required", http.StatusUnauthorized)
+		s.ErrorResponse(w, r, span, "authorization bearer header required", http.StatusUnauthorized)
 		return
 	}
 
@@ -93,13 +99,13 @@ func (s *Server) tokenValidateHandler(w http.ResponseWriter, r *http.Request) {
 		return []byte(s.config.JWTSecret), nil
 	})
 	if err != nil {
-		s.ErrorResponse(w, r, err.Error(), http.StatusUnauthorized)
+		s.ErrorResponse(w, r, span, err.Error(), http.StatusUnauthorized)
 		return
 	}
 
 	if token.Valid {
 		if claims.StandardClaims.Issuer != "podinfo" {
-			s.ErrorResponse(w, r, "invalid issuer", http.StatusUnauthorized)
+			s.ErrorResponse(w, r, span, "invalid issuer", http.StatusUnauthorized)
 		} else {
 			var result = TokenValidationResponse{
 				TokenName: claims.Name,
@@ -108,7 +114,7 @@ func (s *Server) tokenValidateHandler(w http.ResponseWriter, r *http.Request) {
 			s.JSONResponse(w, r, result)
 		}
 	} else {
-		s.ErrorResponse(w, r, "Invalid authorization token", http.StatusUnauthorized)
+		s.ErrorResponse(w, r, span, "Invalid authorization token", http.StatusUnauthorized)
 	}
 }
 

pkg/api/token_test.go

@@ -0,0 +1,36 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestTokenHandler(t *testing.T) {
+	req, err := http.NewRequest("POST", "/token", strings.NewReader("test-user"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	rr := httptest.NewRecorder()
+	srv := NewMockServer()
+	handler := http.HandlerFunc(srv.tokenGenerateHandler)
+
+	handler.ServeHTTP(rr, req)
+
+	// Check the status code is what we expect.
+	if status := rr.Code; status != http.StatusOK {
+		t.Errorf("handler returned wrong status code: got %v want %v",
+			status, http.StatusOK)
+	}
+
+	var token TokenResponse
+	if err := json.Unmarshal(rr.Body.Bytes(), &token); err != nil {
+		t.Fatal(err)
+	}
+	if token.Token == "" {
+		t.Error("handler returned no token")
+	}
+}

pkg/api/tracer.go

@@ -0,0 +1,70 @@
+package api
+
+import (
+	"context"
+
+	"github.com/gorilla/mux"
+	"github.com/spf13/viper"
+	"github.com/stefanprodan/podinfo/pkg/version"
+	"go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux"
+	"go.opentelemetry.io/contrib/propagators/aws/xray"
+	"go.opentelemetry.io/contrib/propagators/b3"
+	"go.opentelemetry.io/contrib/propagators/jaeger"
+	"go.opentelemetry.io/contrib/propagators/ot"
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/exporters/otlp/otlptrace"
+	"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"
+	"go.opentelemetry.io/otel/propagation"
+	"go.opentelemetry.io/otel/sdk/resource"
+	sdktrace "go.opentelemetry.io/otel/sdk/trace"
+	semconv "go.opentelemetry.io/otel/semconv/v1.7.0"
+	"go.opentelemetry.io/otel/trace"
+	"go.uber.org/zap"
+)
+
+const (
+	instrumentationName = "github.com/stefanprodan/podinfo/pkg/api"
+)
+
+func (s *Server) initTracer(ctx context.Context) {
+	if viper.GetString("otel-service-name") == "" {
+		nop := trace.NewNoopTracerProvider()
+		s.tracer = nop.Tracer(viper.GetString("otel-service-name"))
+		return
+	}
+
+	client := otlptracegrpc.NewClient()
+	exporter, err := otlptrace.New(ctx, client)
+	if err != nil {
+		s.logger.Error("creating OTLP trace exporter", zap.Error(err))
+	}
+
+	s.tracerProvider = sdktrace.NewTracerProvider(
+		sdktrace.WithBatcher(exporter),
+		sdktrace.WithResource(resource.NewWithAttributes(
+			semconv.SchemaURL,
+			semconv.ServiceNameKey.String(viper.GetString("otel-service-name")),
+			semconv.ServiceVersionKey.String(version.VERSION),
+		)),
+	)
+
+	otel.SetTracerProvider(s.tracerProvider)
+	otel.SetTextMapPropagator(propagation.NewCompositeTextMapPropagator(
+		propagation.TraceContext{},
+		propagation.Baggage{},
+		b3.New(),
+		&jaeger.Jaeger{},
+		&ot.OT{},
+		&xray.Propagator{},
+	))
+
+	s.tracer = s.tracerProvider.Tracer(
+		instrumentationName,
+		trace.WithInstrumentationVersion(version.VERSION),
+		trace.WithSchemaURL(semconv.SchemaURL),
+	)
+}
+
+func NewOpenTelemetryMiddleware() mux.MiddlewareFunc {
+	return otelmux.Middleware(viper.GetString("otel-service-name"))
+}

pkg/fscache/fscache.go

@@ -2,8 +2,8 @@ package fscache
 
 import (
 	"errors"
-	"io/ioutil"
 	"log"
+	"os"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -77,7 +77,7 @@ func (w *Watcher) Watch() {
 // updateCache reads files content and loads them into the cache
 func (w *Watcher) updateCache() error {
 	fileMap := make(map[string]string)
-	files, err := ioutil.ReadDir(w.dir)
+	files, err := os.ReadDir(w.dir)
 	if err != nil {
 		return err
 	}
@@ -86,7 +86,7 @@ func (w *Watcher) updateCache() error {
 	for _, file := range files {
 		name := filepath.Base(file.Name())
 		if !file.IsDir() && !strings.Contains(name, "..") {
-			b, err := ioutil.ReadFile(filepath.Join(w.dir, file.Name()))
+			b, err := os.ReadFile(filepath.Join(w.dir, file.Name()))
 			if err != nil {
 				return err
 			}

pkg/grpc/server.go

@@ -30,7 +30,7 @@ func NewServer(config *Config, logger *zap.Logger) (*Server, error) {
 	return srv, nil
 }
 
-func (s *Server) ListenAndServe() {
+func (s *Server) ListenAndServe() *grpc.Server {
 	listener, err := net.Listen("tcp", fmt.Sprintf(":%v", s.config.Port))
 	if err != nil {
 		s.logger.Fatal("failed to listen", zap.Int("port", s.config.Port))
@@ -42,7 +42,11 @@ func (s *Server) ListenAndServe() {
 	grpc_health_v1.RegisterHealthServer(srv, server)
 	server.SetServingStatus(s.config.ServiceName, grpc_health_v1.HealthCheckResponse_SERVING)
 
-	if err := srv.Serve(listener); err != nil {
-		s.logger.Fatal("failed to serve", zap.Error(err))
-	}
+	go func() {
+		if err := srv.Serve(listener); err != nil {
+			s.logger.Fatal("failed to serve", zap.Error(err))
+		}
+	}()
+
+	return srv
 }

pkg/signals/shutdown.go

@@ -0,0 +1,83 @@
+package signals
+
+import (
+	"context"
+	"net/http"
+	"sync/atomic"
+	"time"
+
+	"github.com/gomodule/redigo/redis"
+	"github.com/spf13/viper"
+	sdktrace "go.opentelemetry.io/otel/sdk/trace"
+	"go.uber.org/zap"
+	"google.golang.org/grpc"
+)
+
+type Shutdown struct {
+	logger                *zap.Logger
+	pool                  *redis.Pool
+	tracerProvider        *sdktrace.TracerProvider
+	serverShutdownTimeout time.Duration
+}
+
+func NewShutdown(serverShutdownTimeout time.Duration, logger *zap.Logger) (*Shutdown, error) {
+	srv := &Shutdown{
+		logger:                logger,
+		serverShutdownTimeout: serverShutdownTimeout,
+	}
+
+	return srv, nil
+}
+
+func (s *Shutdown) Graceful(stopCh <-chan struct{}, httpServer *http.Server, httpsServer *http.Server, grpcServer *grpc.Server, healthy *int32, ready *int32) {
+	ctx := context.Background()
+
+	// wait for SIGTERM or SIGINT
+	<-stopCh
+	ctx, cancel := context.WithTimeout(ctx, s.serverShutdownTimeout)
+	defer cancel()
+
+	// all calls to /healthz and /readyz will fail from now on
+	atomic.StoreInt32(healthy, 0)
+	atomic.StoreInt32(ready, 0)
+
+	// close cache pool
+	if s.pool != nil {
+		_ = s.pool.Close()
+	}
+
+	s.logger.Info("Shutting down HTTP/HTTPS server", zap.Duration("timeout", s.serverShutdownTimeout))
+
+	// wait for Kubernetes readiness probe to remove this instance from the load balancer
+	// the readiness check interval must be lower than the timeout
+	if viper.GetString("level") != "debug" {
+		time.Sleep(3 * time.Second)
+	}
+
+	// stop OpenTelemetry tracer provider
+	if s.tracerProvider != nil {
+		if err := s.tracerProvider.Shutdown(ctx); err != nil {
+			s.logger.Warn("stopping tracer provider", zap.Error(err))
+		}
+	}
+
+	// determine if the GRPC was started
+	if grpcServer != nil {
+		s.logger.Info("Shutting down GRPC server", zap.Duration("timeout", s.serverShutdownTimeout))
+		grpcServer.GracefulStop()
+	}
+
+	// determine if the http server was started
+	if httpServer != nil {
+		if err := httpServer.Shutdown(ctx); err != nil {
+			s.logger.Warn("HTTP server graceful shutdown failed", zap.Error(err))
+		}
+	}
+
+	// determine if the secure server was started
+	if httpsServer != nil {
+		if err := httpsServer.Shutdown(ctx); err != nil {
+			s.logger.Warn("HTTPS server graceful shutdown failed", zap.Error(err))
+		}
+	}
+}

pkg/signals/signal_posix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package signals
@@ -7,4 +8,4 @@ import (
 	"syscall"
 )
 
-var shutdownSignals = []os.Signal{os.Interrupt, syscall.SIGTERM}
+var shutdownSignals = []os.Signal{os.Interrupt, syscall.SIGTERM, syscall.SIGINT}

pkg/version/version.go

@@ -1,4 +1,4 @@
 package version
 
-var VERSION = "5.2.0"
+var VERSION = "6.5.2"
 var REVISION = "unknown"

test/deploy.sh

@@ -1,17 +1,12 @@
 #! /usr/bin/env sh
 
-# add jetstack repository
-helm repo add jetstack https://charts.jetstack.io || true
-
 # install cert-manager
-helm upgrade --install cert-manager jetstack/cert-manager \
-    --set installCRDs=true \
-    --namespace default
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml
 
 # wait for cert manager
-kubectl rollout status deployment/cert-manager --timeout=2m
-kubectl rollout status deployment/cert-manager-webhook --timeout=2m
-kubectl rollout status deployment/cert-manager-cainjector --timeout=2m
+kubectl -n cert-manager rollout status deployment/cert-manager --timeout=2m
+kubectl -n cert-manager rollout status deployment/cert-manager-webhook --timeout=2m
+kubectl -n cert-manager rollout status deployment/cert-manager-cainjector --timeout=2m
 
 # install self-signed certificate
 cat << 'EOF' | kubectl apply -f -
@@ -29,4 +24,6 @@ helm upgrade --install podinfo ./charts/podinfo \
     --set image.tag=latest \
     --set tls.enabled=true \
     --set certificate.create=true \
+    --set hpa.enabled=true \
+    --set hpa.cpu=95 \
     --namespace=default

timoni/bundles/test.podinfo.cue

@@ -0,0 +1,66 @@
+bundle: {
+	apiVersion: "v1alpha1"
+	name:       "podinfo"
+
+	_modURL: "oci://ghcr.io/stefanprodan/modules/podinfo" @timoni(runtime:string:PODINFO_MODULE_URL)
+	_imgURL: "ghcr.io/stefanprodan/modules/podinfo"       @timoni(runtime:string:PODINFO_IMAGE_URL)
+	_imgTag: "latest"                                     @timoni(runtime:string:PODINFO_VERSION)
+
+	instances: {
+		backend: {
+			module: url: _modURL
+			namespace: "podinfo"
+			values: {
+				image: {
+					repository: _imgURL
+					tag:        _imgTag
+				}
+				resources: requests: {
+					cpu:    "100m"
+					memory: "128Mi"
+				}
+				autoscaling: {
+					enabled:     true
+					minReplicas: 1
+					maxReplicas: 10
+					cpu:         90
+				}
+			}
+		}
+		frontend: {
+			module: url: _modURL
+			namespace: "podinfo"
+			values: {
+				image: {
+					repository: _imgURL
+					tag:        _imgTag
+				}
+				ui: backend: "http://backend.podinfo.svc.cluster.local/echo"
+				replicas: 2
+				podSecurityContext: {
+					runAsUser:  100
+					runAsGroup: 101
+					fsGroup:    101
+				}
+				securityContext: {
+					allowPrivilegeEscalation: false
+					readOnlyRootFilesystem:   true
+					runAsNonRoot:             true
+					capabilities: drop: ["ALL"]
+					seccompProfile: type: "RuntimeDefault"
+				}
+				ingress: {
+					enabled:   true
+					className: "nginx"
+					host:      "podinfo.local"
+					tls:       true
+					annotations: {
+						"nginx.ingress.kubernetes.io/ssl-redirect":       "false"
+						"nginx.ingress.kubernetes.io/force-ssl-redirect": "false"
+						"cert-manager.io/cluster-issuer":                 "self-signed"
+					}
+				}
+			}
+		}
+	}
+}

timoni/podinfo/README.md

@@ -0,0 +1,139 @@
+# Podinfo
+
+[Podinfo](https://github.com/stefanprodan/podinfo) is a tiny web application
+made with Go that showcases best practices of running microservices in Kubernetes.
+
+## Module Repository
+
+This module is available on GitHub Container Registry at
+[ghcr.io/stefanprodan/modules/podinfo](https://github.com/stefanprodan/podinfo/pkgs/container/modules%2Fpodinfo).
+
+## Install
+
+To create an instance using the default values:
+
+```shell
+timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo
+```
+
+To install a specific module version:
+
+```shell
+timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo -v 6.5.0
+```
+
+To change the [default configuration](#configuration),
+create one or more `values.cue` files and apply them to the instance.
+
+For example, create a file `my-values.cue` with the following content:
+
+```cue
+values: {
+	resources: requests: {
+		cpu:    "100m"
+		memory: "128Mi"
+	}
+}
+```
+
+And apply the values with:
+
+```shell
+timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo \
+--values ./my-values.cue
+```
+
+## Uninstall
+
+To uninstall an instance and delete all its Kubernetes resources:
+
+```shell
+timoni -n default delete podinfo
+```
+
+## Configuration
+
+### General values
+
+| Key                          | Type                                    | Default                        | Description                                                                                                                                  |
+|------------------------------|-----------------------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|
+| `image: tag:`                | `string`                                | `<latest version>`             | Container image tag                                                                                                                          |
+| `image: digest:`             | `string`                                | `""`                           | Container image digest, takes precedence over `tag` when specified                                                                           |
+| `image: repository:`         | `string`                                | `ghcr.io/stefanprodan/podinfo` | Container image repository                                                                                                                   |
+| `image: pullPolicy:`         | `string`                                | `IfNotPresent`                 | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy)                                     |
+| `metadata: labels:`          | `{[ string]: string}`                   | `{}`                           | Common labels for all resources                                                                                                              |
+| `metadata: annotations:`     | `{[ string]: string}`                   | `{}`                           | Common annotations for all resources                                                                                                         |
+| `podAnnotations:`            | `{[ string]: string}`                   | `{}`                           | Annotations applied to pods                                                                                                                  |
+| `imagePullSecrets:`          | `[...corev1.LocalObjectReference]`      | `[]`                           | [Kubernetes image pull secrets](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)                 |
+| `tolerations:`               | `[ ...corev1.#Toleration]`              | `[]`                           | [Kubernetes toleration](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration)                                        |
+| `affinity:`                  | `corev1.#Affinity`                      | `{}`                           | [Kubernetes affinity and anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
+| `resources:`                 | `corev1.#ResourceRequirements`          | `{}`                           | [Kubernetes resource requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers)                     |
+| `topologySpreadConstraints:` | `[...corev1.#TopologySpreadConstraint]` | `[]`                           | [Kubernetes pod topology spread constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints)            |
+| `podSecurityContext:`        | `corev1.#PodSecurityContext`            | `{}`                           | [Kubernetes pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context)                                 |
+| `securityContext:`           | `corev1.#SecurityContext`               | `{}`                           | [Kubernetes container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context)                           |
+
+#### Recommended values
+
+Comply with the
+restricted [Kubernetes pod security standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/):
+
+```cue
+values: {
+	podSecurityContext: {
+		runAsUser:  100
+		runAsGroup: 101
+		fsGroup:    101
+	}
+	securityContext: {
+		allowPrivilegeEscalation: false
+		readOnlyRootFilesystem:   true
+		runAsNonRoot:             true
+		capabilities: drop: ["ALL"]
+		seccompProfile: type: "RuntimeDefault"
+	}
+}
+```
+
+### Autoscaling values
+
+| Key                         | Type     | Default       | Description                                                                                                  |
+|-----------------------------|----------|---------------|--------------------------------------------------------------------------------------------------------------|
+| `replicas:`                 | `int`    | `1`           | Number of pods when autoscaling is disabled                                                                  |
+| `autoscaling: enabled:`     | `bool`   | `false`       | Enable [Kubernetes HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) creation |
+| `autoscaling: minReplicas:` | `int`    | `replicas`    | Minimum number of pods                                                                                       |
+| `autoscaling: maxReplicas:` | `int`    | `minReplicas` | Maximum number of pods                                                                                       |
+| `autoscaling: cpu:`         | `int`    | `99`          | CPU average utilization (percentage)                                                                         |
+| `autoscaling: memory:`      | `string` | `""`          | memory average value (e.g. `1024Mi`)                                                                         |
+
+### Ingress values
+
+| Key                     | Type                  | Default         | Description                                                                                            |
+|-------------------------|-----------------------|-----------------|--------------------------------------------------------------------------------------------------------|
+| `service: port:`        | `int`                 | `80`            | Kubernetes Service ClusterIP port                                                                      |
+| `ingress: enabled:`     | `bool`                | `false`         | Enable [Kubernetes Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) creation |
+| `ingress: tls:`         | `bool`                | `false`         | Enable TLS (requires cert-manager)                                                                     |
+| `ingress: host:`        | `string`              | `podinfo.local` | Ingress host                                                                                           |
+| `ingress: className:`   | `string`              | `""`            | Ingress class name                                                                                     |
+| `ingress: annotations:` | `{[ string]: string}` | `{}`            | Annotations applied to ingress                                                                         |
+
+### Monitoring values
+
+| Key                     | Type   | Default | Description                                                                   |
+|-------------------------|--------|---------|-------------------------------------------------------------------------------|
+| `monitoring: enabled:`  | `bool` | `false` | Enable [Prometheus ServiceMonitor](https://prometheus-operator.dev/) creation |
+| `monitoring: interval:` | `int`  | `15`    | Prometheus scrape interval in seconds                                         |
+
+### Cashing values
+
+| Key                  | Type     | Default | Description                                             |
+|----------------------|----------|---------|---------------------------------------------------------|
+| `caching: enabled:`  | `bool`   | `false` | Enable Redis caching                                    |
+| `caching: redisURL:` | `string` | `""`    | Redis URL in the format `tcp://:[password]@host[:port]` |
+
+### UI values
+
+| Key            | Type     | Default   | Description      |
+|----------------|----------|-----------|------------------|
+| `ui: color:`   | `string` | `#34577c` | Background color |
+| `ui: message:` | `string` | `""`      | Greeting message |
+| `ui: backend:` | `string` | `""`      | Backend URL      |

timoni/podinfo/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admission/v1
+
+package v1
+
+#GroupName: "admission.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue

@@ -0,0 +1,172 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admission/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// AdmissionReview describes an admission review request/response.
+#AdmissionReview: {
+	metav1.#TypeMeta
+
+	// Request describes the attributes for the admission request.
+	// +optional
+	request?: null | #AdmissionRequest @go(Request,*AdmissionRequest) @protobuf(1,bytes,opt)
+
+	// Response describes the attributes for the admission response.
+	// +optional
+	response?: null | #AdmissionResponse @go(Response,*AdmissionResponse) @protobuf(2,bytes,opt)
+}
+
+// AdmissionRequest describes the admission.Attributes for the admission request.
+#AdmissionRequest: {
+	// UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+	// otherwise identical (parallel requests, requests when earlier requests did not modify etc)
+	// The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
+	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+	uid: types.#UID @go(UID) @protobuf(1,bytes,opt)
+
+	// Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+	kind: metav1.#GroupVersionKind @go(Kind) @protobuf(2,bytes,opt)
+
+	// Resource is the fully-qualified resource being requested (for example, v1.pods)
+	resource: metav1.#GroupVersionResource @go(Resource) @protobuf(3,bytes,opt)
+
+	// SubResource is the subresource being requested, if any (for example, "status" or "scale")
+	// +optional
+	subResource?: string @go(SubResource) @protobuf(4,bytes,opt)
+
+	// RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
+	// If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
+	//
+	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+	// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+	// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+	// with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
+	// and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
+	//
+	// See documentation for the "matchPolicy" field in the webhook configuration type for more details.
+	// +optional
+	requestKind?: null | metav1.#GroupVersionKind @go(RequestKind,*metav1.GroupVersionKind) @protobuf(13,bytes,opt)
+
+	// RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
+	// If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
+	//
+	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+	// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+	// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+	// with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
+	// and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
+	//
+	// See documentation for the "matchPolicy" field in the webhook configuration type.
+	// +optional
+	requestResource?: null | metav1.#GroupVersionResource @go(RequestResource,*metav1.GroupVersionResource) @protobuf(14,bytes,opt)
+
+	// RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
+	// If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
+	// See documentation for the "matchPolicy" field in the webhook configuration type.
+	// +optional
+	requestSubResource?: string @go(RequestSubResource) @protobuf(15,bytes,opt)
+
+	// Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+	// rely on the server to generate the name.  If that is the case, this field will contain an empty string.
+	// +optional
+	name?: string @go(Name) @protobuf(5,bytes,opt)
+
+	// Namespace is the namespace associated with the request (if any).
+	// +optional
+	namespace?: string @go(Namespace) @protobuf(6,bytes,opt)
+
+	// Operation is the operation being performed. This may be different than the operation
+	// requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
+	operation: #Operation @go(Operation) @protobuf(7,bytes,opt)
+
+	// UserInfo is information about the requesting user
+	userInfo: authenticationv1.#UserInfo @go(UserInfo) @protobuf(8,bytes,opt)
+
+	// Object is the object from the incoming request.
+	// +optional
+	object?: runtime.#RawExtension @go(Object) @protobuf(9,bytes,opt)
+
+	// OldObject is the existing object. Only populated for DELETE and UPDATE requests.
+	// +optional
+	oldObject?: runtime.#RawExtension @go(OldObject) @protobuf(10,bytes,opt)
+
+	// DryRun indicates that modifications will definitely not be persisted for this request.
+	// Defaults to false.
+	// +optional
+	dryRun?: null | bool @go(DryRun,*bool) @protobuf(11,varint,opt)
+
+	// Options is the operation option structure of the operation being performed.
+	// e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
+	// different than the options the caller provided. e.g. for a patch request the performed
+	// Operation might be a CREATE, in which case the Options will a
+	// `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+	// +optional
+	options?: runtime.#RawExtension @go(Options) @protobuf(12,bytes,opt)
+}
+
+// AdmissionResponse describes an admission response.
+#AdmissionResponse: {
+	// UID is an identifier for the individual request/response.
+	// This must be copied over from the corresponding AdmissionRequest.
+	uid: types.#UID @go(UID) @protobuf(1,bytes,opt)
+
+	// Allowed indicates whether or not the admission request was permitted.
+	allowed: bool @go(Allowed) @protobuf(2,varint,opt)
+
+	// Result contains extra details into why an admission request was denied.
+	// This field IS NOT consulted in any way if "Allowed" is "true".
+	// +optional
+	status?: null | metav1.#Status @go(Result,*metav1.Status) @protobuf(3,bytes,opt)
+
+	// The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
+	// +optional
+	patch?: bytes @go(Patch,[]byte) @protobuf(4,bytes,opt)
+
+	// The type of Patch. Currently we only allow "JSONPatch".
+	// +optional
+	patchType?: null | #PatchType @go(PatchType,*PatchType) @protobuf(5,bytes,opt)
+
+	// AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
+	// MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
+	// admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
+	// the admission webhook to add additional context to the audit log for this request.
+	// +optional
+	auditAnnotations?: {[string]: string} @go(AuditAnnotations,map[string]string) @protobuf(6,bytes,opt)
+
+	// warnings is a list of warning messages to return to the requesting API client.
+	// Warning messages describe a problem the client making the API request should correct or be aware of.
+	// Limit warnings to 120 characters if possible.
+	// Warnings over 256 characters and large numbers of warnings may be truncated.
+	// +optional
+	warnings?: [...string] @go(Warnings,[]string) @protobuf(7,bytes,rep)
+}
+
+// PatchType is the type of patch being used to represent the mutated object
+#PatchType: string // #enumPatchType
+
+#enumPatchType:
+	#PatchTypeJSONPatch
+
+#PatchTypeJSONPatch: #PatchType & "JSONPatch"
+
+// Operation is the type of resource operation being checked for admission control
+#Operation: string // #enumOperation
+
+#enumOperation:
+	#Create |
+	#Update |
+	#Delete |
+	#Connect
+
+#Create:  #Operation & "CREATE"
+#Update:  #Operation & "UPDATE"
+#Delete:  #Operation & "DELETE"
+#Connect: #Operation & "CONNECT"

timoni/podinfo/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue

@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admissionregistration/v1
+
+// Package v1 is the v1 version of the API.
+// AdmissionConfiguration and AdmissionPluginConfiguration are legacy static admission plugin configuration
+// MutatingWebhookConfiguration and ValidatingWebhookConfiguration are for the
+// new dynamic admission controller configuration.
+package v1

timoni/podinfo/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admissionregistration/v1
+
+package v1
+
+#GroupName: "admissionregistration.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue

@@ -0,0 +1,645 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admissionregistration/v1
+
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended
+// to make sure that all the tuple expansions are valid.
+#Rule: {
+	// APIGroups is the API groups the resources belong to. '*' is all groups.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	// +listType=atomic
+	apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(1,bytes,rep)
+
+	// APIVersions is the API versions the resources belong to. '*' is all versions.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	// +listType=atomic
+	apiVersions?: [...string] @go(APIVersions,[]string) @protobuf(2,bytes,rep)
+
+	// Resources is a list of resources this rule applies to.
+	//
+	// For example:
+	// 'pods' means pods.
+	// 'pods/log' means the log subresource of pods.
+	// '*' means all resources, but not subresources.
+	// 'pods/*' means all subresources of pods.
+	// '*/scale' means all scale subresources.
+	// '*/*' means all resources and their subresources.
+	//
+	// If wildcard is present, the validation rule will ensure resources do not
+	// overlap with each other.
+	//
+	// Depending on the enclosing object, subresources might not be allowed.
+	// Required.
+	// +listType=atomic
+	resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep)
+
+	// scope specifies the scope of this rule.
+	// Valid values are "Cluster", "Namespaced", and "*"
+	// "Cluster" means that only cluster-scoped resources will match this rule.
+	// Namespace API objects are cluster-scoped.
+	// "Namespaced" means that only namespaced resources will match this rule.
+	// "*" means that there are no scope restrictions.
+	// Subresources match the scope of their parent resource.
+	// Default is "*".
+	//
+	// +optional
+	scope?: null | #ScopeType @go(Scope,*ScopeType) @protobuf(4,bytes,rep)
+}
+
+// ScopeType specifies a scope for a Rule.
+// +enum
+#ScopeType: string // #enumScopeType
+
+#enumScopeType:
+	#ClusterScope |
+	#NamespacedScope |
+	#AllScopes
+
+// ClusterScope means that scope is limited to cluster-scoped objects.
+// Namespace objects are cluster-scoped.
+#ClusterScope: #ScopeType & "Cluster"
+
+// NamespacedScope means that scope is limited to namespaced objects.
+#NamespacedScope: #ScopeType & "Namespaced"
+
+// AllScopes means that all scopes are included.
+#AllScopes: #ScopeType & "*"
+
+// FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled.
+// +enum
+#FailurePolicyType: string // #enumFailurePolicyType
+
+#enumFailurePolicyType:
+	#Ignore |
+	#Fail
+
+// Ignore means that an error calling the webhook is ignored.
+#Ignore: #FailurePolicyType & "Ignore"
+
+// Fail means that an error calling the webhook causes the admission to fail.
+#Fail: #FailurePolicyType & "Fail"
+
+// MatchPolicyType specifies the type of match policy.
+// +enum
+#MatchPolicyType: string // #enumMatchPolicyType
+
+#enumMatchPolicyType:
+	#Exact |
+	#Equivalent
+
+// Exact means requests should only be sent to the webhook if they exactly match a given rule.
+#Exact: #MatchPolicyType & "Exact"
+
+// Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.
+#Equivalent: #MatchPolicyType & "Equivalent"
+
+// SideEffectClass specifies the types of side effects a webhook may have.
+// +enum
+#SideEffectClass: string // #enumSideEffectClass
+
+#enumSideEffectClass:
+	#SideEffectClassUnknown |
+	#SideEffectClassNone |
+	#SideEffectClassSome |
+	#SideEffectClassNoneOnDryRun
+
+// SideEffectClassUnknown means that no information is known about the side effects of calling the webhook.
+// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
+#SideEffectClassUnknown: #SideEffectClass & "Unknown"
+
+// SideEffectClassNone means that calling the webhook will have no side effects.
+#SideEffectClassNone: #SideEffectClass & "None"
+
+// SideEffectClassSome means that calling the webhook will possibly have side effects.
+// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
+#SideEffectClassSome: #SideEffectClass & "Some"
+
+// SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the
+// request being reviewed has the dry-run attribute, the side effects will be suppressed.
+#SideEffectClassNoneOnDryRun: #SideEffectClass & "NoneOnDryRun"
+
+// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
+#ValidatingWebhookConfiguration: {
+	metav1.#TypeMeta
+
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	webhooks?: [...#ValidatingWebhook] @go(Webhooks,[]ValidatingWebhook) @protobuf(2,bytes,rep,name=Webhooks)
+}
+
+// ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.
+#ValidatingWebhookConfigurationList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// List of ValidatingWebhookConfiguration.
+	items: [...#ValidatingWebhookConfiguration] @go(Items,[]ValidatingWebhookConfiguration) @protobuf(2,bytes,rep)
+}
+
+// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
+#MutatingWebhookConfiguration: {
+	metav1.#TypeMeta
+
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	webhooks?: [...#MutatingWebhook] @go(Webhooks,[]MutatingWebhook) @protobuf(2,bytes,rep,name=Webhooks)
+}
+
+// MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.
+#MutatingWebhookConfigurationList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// List of MutatingWebhookConfiguration.
+	items: [...#MutatingWebhookConfiguration] @go(Items,[]MutatingWebhookConfiguration) @protobuf(2,bytes,rep)
+}
+
+// ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
+#ValidatingWebhook: {
+	// The name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt)
+
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep)
+
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Fail.
+	// +optional
+	failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType)
+
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Equivalent"
+	// +optional
+	matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType)
+
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	//   "matchExpressions": [
+	//     {
+	//       "key": "runlevel",
+	//       "operator": "NotIn",
+	//       "values": [
+	//         "0",
+	//         "1"
+	//       ]
+	//     }
+	//   ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	//   "matchExpressions": [
+	//     {
+	//       "key": "environment",
+	//       "operator": "In",
+	//       "values": [
+	//         "prod",
+	//         "staging"
+	//       ]
+	//     }
+	//   ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	// +optional
+	namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt)
+
+	// ObjectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	// +optional
+	objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(10,bytes,opt)
+
+	// SideEffects states whether this webhook has side effects.
+	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some.
+	sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass)
+
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 10 seconds.
+	// +optional
+	timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt)
+
+	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep)
+
+	// MatchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	//   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	//   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	//   3. If any matchCondition evaluates to an error (but none are FALSE):
+	//      - If failurePolicy=Fail, reject the request
+	//      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	//
+	// This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate.
+	//
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	// +featureGate=AdmissionWebhookMatchConditions
+	// +optional
+	matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(11,bytes,opt)
+}
+
+// MutatingWebhook describes an admission webhook and the resources and operations it applies to.
+#MutatingWebhook: {
+	// The name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt)
+
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep)
+
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Fail.
+	// +optional
+	failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType)
+
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Equivalent"
+	// +optional
+	matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType)
+
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	//   "matchExpressions": [
+	//     {
+	//       "key": "runlevel",
+	//       "operator": "NotIn",
+	//       "values": [
+	//         "0",
+	//         "1"
+	//       ]
+	//     }
+	//   ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	//   "matchExpressions": [
+	//     {
+	//       "key": "environment",
+	//       "operator": "In",
+	//       "values": [
+	//         "prod",
+	//         "staging"
+	//       ]
+	//     }
+	//   ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	// +optional
+	namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt)
+
+	// ObjectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	// +optional
+	objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(11,bytes,opt)
+
+	// SideEffects states whether this webhook has side effects.
+	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some.
+	sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass)
+
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 10 seconds.
+	// +optional
+	timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt)
+
+	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep)
+
+	// reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: the webhook will not be called more than once in a single admission evaluation.
+	//
+	// IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
+	// if the object being admitted is modified by other admission plugins after the initial webhook call.
+	// Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
+	// Note:
+	// * the number of additional invocations is not guaranteed to be exactly one.
+	// * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
+	// * webhooks that use this option may be reordered to minimize the number of additional invocations.
+	// * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
+	//
+	// Defaults to "Never".
+	// +optional
+	reinvocationPolicy?: null | #ReinvocationPolicyType @go(ReinvocationPolicy,*ReinvocationPolicyType) @protobuf(10,bytes,opt,casttype=ReinvocationPolicyType)
+
+	// MatchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	//   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	//   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	//   3. If any matchCondition evaluates to an error (but none are FALSE):
+	//      - If failurePolicy=Fail, reject the request
+	//      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	//
+	// This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate.
+	//
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	// +featureGate=AdmissionWebhookMatchConditions
+	// +optional
+	matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(12,bytes,opt)
+}
+
+// ReinvocationPolicyType specifies what type of policy the admission hook uses.
+// +enum
+#ReinvocationPolicyType: string // #enumReinvocationPolicyType
+
+#enumReinvocationPolicyType:
+	#NeverReinvocationPolicy |
+	#IfNeededReinvocationPolicy
+
+// NeverReinvocationPolicy indicates that the webhook must not be called more than once in a
+// single admission evaluation.
+#NeverReinvocationPolicy: #ReinvocationPolicyType & "Never"
+
+// IfNeededReinvocationPolicy indicates that the webhook may be called at least one
+// additional time as part of the admission evaluation if the object being admitted is
+// modified by other admission plugins after the initial webhook call.
+#IfNeededReinvocationPolicy: #ReinvocationPolicyType & "IfNeeded"
+
+// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
+// sure that all the tuple expansions are valid.
+#RuleWithOperations: {
+	// Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
+	// for all of those operations and any future admission operations that are added.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	// +listType=atomic
+	operations?: [...#OperationType] @go(Operations,[]OperationType) @protobuf(1,bytes,rep,casttype=OperationType)
+
+	#Rule
+}
+
+// OperationType specifies an operation for a request.
+// +enum
+#OperationType: string // #enumOperationType
+
+#enumOperationType:
+	#OperationAll |
+	#Create |
+	#Update |
+	#Delete |
+	#Connect
+
+#OperationAll: #OperationType & "*"
+#Create:       #OperationType & "CREATE"
+#Update:       #OperationType & "UPDATE"
+#Delete:       #OperationType & "DELETE"
+#Connect:      #OperationType & "CONNECT"
+
+// WebhookClientConfig contains the information to make a TLS
+// connection with the webhook
+#WebhookClientConfig: {
+	// `url` gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	//
+	// +optional
+	url?: null | string @go(URL,*string) @protobuf(3,bytes,opt)
+
+	// `service` is a reference to the service for this webhook. Either
+	// `service` or `url` must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	//
+	// +optional
+	service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt)
+
+	// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	// +optional
+	caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt)
+}
+
+// ServiceReference holds a reference to Service.legacy.k8s.io
+#ServiceReference: {
+	// `namespace` is the namespace of the service.
+	// Required
+	namespace: string @go(Namespace) @protobuf(1,bytes,opt)
+
+	// `name` is the name of the service.
+	// Required
+	name: string @go(Name) @protobuf(2,bytes,opt)
+
+	// `path` is an optional URL path which will be sent in any request to
+	// this service.
+	// +optional
+	path?: null | string @go(Path,*string) @protobuf(3,bytes,opt)
+
+	// If specified, the port on the service that hosting webhook.
+	// Default to 443 for backward compatibility.
+	// `port` should be a valid port number (1-65535, inclusive).
+	// +optional
+	port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt)
+}
+
+// MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.
+#MatchCondition: {
+	// Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+	// as well as providing an identifier for logging purposes. A good name should be descriptive of
+	// the associated expression.
+	// Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+	// must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+	// '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+	// optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+	//
+	// Required.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+	// CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+	//
+	// 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// 'oldObject' - The existing object. The value is null for CREATE requests.
+	// 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+	// 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	//   See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	//   request resource.
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	//
+	// Required.
+	expression: string @go(Expression) @protobuf(2,bytes,opt)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/apps/v1
+
+package v1
+
+#GroupName: "apps"

timoni/podinfo/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue

@@ -0,0 +1,946 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/apps/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+#ControllerRevisionHashLabelKey: "controller-revision-hash"
+#StatefulSetRevisionLabel:       "controller-revision-hash"
+#DeprecatedRollbackTo:           "deprecated.deployment.rollback.to"
+#DeprecatedTemplateGeneration:   "deprecated.daemonset.template.generation"
+#StatefulSetPodNameLabel:        "statefulset.kubernetes.io/pod-name"
+#PodIndexLabel:                  "apps.kubernetes.io/pod-index"
+
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+//   - Network: A single stable DNS and hostname.
+//   - Storage: As many VolumeClaims as requested.
+//
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
+#StatefulSet: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec defines the desired identities of pods in this set.
+	// +optional
+	spec?: #StatefulSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the current status of Pods in this StatefulSet. This data
+	// may be out of date by some window of time.
+	// +optional
+	status?: #StatefulSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// PodManagementPolicyType defines the policy for creating pods under a stateful set.
+// +enum
+#PodManagementPolicyType: string // #enumPodManagementPolicyType
+
+#enumPodManagementPolicyType:
+	#OrderedReadyPodManagement |
+	#ParallelPodManagement
+
+// OrderedReadyPodManagement will create pods in strictly increasing order on
+// scale up and strictly decreasing order on scale down, progressing only when
+// the previous pod is ready or terminated. At most one pod will be changed
+// at any time.
+#OrderedReadyPodManagement: #PodManagementPolicyType & "OrderedReady"
+
+// ParallelPodManagement will create and delete pods as soon as the stateful set
+// replica count is changed, and will not wait for pods to be ready or complete
+// termination.
+#ParallelPodManagement: #PodManagementPolicyType & "Parallel"
+
+// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
+#StatefulSetUpdateStrategy: {
+	// Type indicates the type of the StatefulSetUpdateStrategy.
+	// Default is RollingUpdate.
+	// +optional
+	type?: #StatefulSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetStrategyType)
+
+	// RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
+	// +optional
+	rollingUpdate?: null | #RollingUpdateStatefulSetStrategy @go(RollingUpdate,*RollingUpdateStatefulSetStrategy) @protobuf(2,bytes,opt)
+}
+
+// StatefulSetUpdateStrategyType is a string enumeration type that enumerates
+// all possible update strategies for the StatefulSet controller.
+// +enum
+#StatefulSetUpdateStrategyType: string // #enumStatefulSetUpdateStrategyType
+
+#enumStatefulSetUpdateStrategyType:
+	#RollingUpdateStatefulSetStrategyType |
+	#OnDeleteStatefulSetStrategyType
+
+// RollingUpdateStatefulSetStrategyType indicates that update will be
+// applied to all Pods in the StatefulSet with respect to the StatefulSet
+// ordering constraints. When a scale operation is performed with this
+// strategy, new Pods will be created from the specification version indicated
+// by the StatefulSet's updateRevision.
+#RollingUpdateStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "RollingUpdate"
+
+// OnDeleteStatefulSetStrategyType triggers the legacy behavior. Version
+// tracking and ordered rolling restarts are disabled. Pods are recreated
+// from the StatefulSetSpec when they are manually deleted. When a scale
+// operation is performed with this strategy,specification version indicated
+// by the StatefulSet's currentRevision.
+#OnDeleteStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "OnDelete"
+
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
+#RollingUpdateStatefulSetStrategy: {
+	// Partition indicates the ordinal at which the StatefulSet should be partitioned
+	// for updates. During a rolling update, all pods from ordinal Replicas-1 to
+	// Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched.
+	// This is helpful in being able to do a canary based deployment. The default value is 0.
+	// +optional
+	partition?: null | int32 @go(Partition,*int32) @protobuf(1,varint,opt)
+
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding up. This can not be 0.
+	// Defaults to 1. This field is alpha-level and is only honored by servers that enable the
+	// MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
+	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
+	// will be counted towards MaxUnavailable.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(2,varint,opt)
+}
+
+// PersistentVolumeClaimRetentionPolicyType is a string enumeration of the policies that will determine
+// when volumes from the VolumeClaimTemplates will be deleted when the controlling StatefulSet is
+// deleted or scaled down.
+#PersistentVolumeClaimRetentionPolicyType: string // #enumPersistentVolumeClaimRetentionPolicyType
+
+#enumPersistentVolumeClaimRetentionPolicyType:
+	#RetainPersistentVolumeClaimRetentionPolicyType |
+	#DeletePersistentVolumeClaimRetentionPolicyType
+
+// RetainPersistentVolumeClaimRetentionPolicyType is the default
+// PersistentVolumeClaimRetentionPolicy and specifies that
+// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
+// will not be deleted.
+#RetainPersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Retain"
+
+// RetentionPersistentVolumeClaimRetentionPolicyType specifies that
+// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
+// will be deleted in the scenario specified in
+// StatefulSetPersistentVolumeClaimRetentionPolicy.
+#DeletePersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Delete"
+
+// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs
+// created from the StatefulSet VolumeClaimTemplates.
+#StatefulSetPersistentVolumeClaimRetentionPolicy: {
+	// WhenDeleted specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is deleted. The default policy
+	// of `Retain` causes PVCs to not be affected by StatefulSet deletion. The
+	// `Delete` policy causes those PVCs to be deleted.
+	whenDeleted?: #PersistentVolumeClaimRetentionPolicyType @go(WhenDeleted) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
+
+	// WhenScaled specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is scaled down. The default
+	// policy of `Retain` causes PVCs to not be affected by a scaledown. The
+	// `Delete` policy causes the associated PVCs for any excess pods above
+	// the replica count to be deleted.
+	whenScaled?: #PersistentVolumeClaimRetentionPolicyType @go(WhenScaled) @protobuf(2,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
+}
+
+// StatefulSetOrdinals describes the policy used for replica ordinal assignment
+// in this StatefulSet.
+#StatefulSetOrdinals: {
+	// start is the number representing the first replica's index. It may be used
+	// to number replicas from an alternate index (eg: 1-indexed) over the default
+	// 0-indexed names, or to orchestrate progressive movement of replicas from
+	// one StatefulSet to another.
+	// If set, replica indices will be in the range:
+	//   [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas).
+	// If unset, defaults to 0. Replica indices will be in the range:
+	//   [0, .spec.replicas).
+	// +optional
+	start: int32 @go(Start) @protobuf(1,varint,opt)
+}
+
+// A StatefulSetSpec is the specification of a StatefulSet.
+#StatefulSetSpec: {
+	// replicas is the desired number of replicas of the given Template.
+	// These are replicas in the sense that they are instantiations of the
+	// same Template, but individual replicas also have a consistent identity.
+	// If unspecified, defaults to 1.
+	// TODO: Consider a rename of this field.
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// selector is a label query over pods that should match the replica count.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// template is the object that describes the pod that will be created if
+	// insufficient replicas are detected. Each pod stamped out by the StatefulSet
+	// will fulfill this Template, but have a unique identity from the rest
+	// of the StatefulSet. Each pod will be named with the format
+	// <statefulsetname>-<podindex>. For example, a pod in a StatefulSet named
+	// "web" with index number "3" would be named "web-3".
+	// The only allowed template.spec.restartPolicy value is "Always".
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+
+	// volumeClaimTemplates is a list of claims that pods are allowed to reference.
+	// The StatefulSet controller is responsible for mapping network identities to
+	// claims in a way that maintains the identity of a pod. Every claim in
+	// this list must have at least one matching (by name) volumeMount in one
+	// container in the template. A claim in this list takes precedence over
+	// any volumes in the template, with the same name.
+	// TODO: Define the behavior if a claim already exists with the same name.
+	// +optional
+	volumeClaimTemplates?: [...v1.#PersistentVolumeClaim] @go(VolumeClaimTemplates,[]v1.PersistentVolumeClaim) @protobuf(4,bytes,rep)
+
+	// serviceName is the name of the service that governs this StatefulSet.
+	// This service must exist before the StatefulSet, and is responsible for
+	// the network identity of the set. Pods get DNS/hostnames that follow the
+	// pattern: pod-specific-string.serviceName.default.svc.cluster.local
+	// where "pod-specific-string" is managed by the StatefulSet controller.
+	serviceName: string @go(ServiceName) @protobuf(5,bytes,opt)
+
+	// podManagementPolicy controls how pods are created during initial scale up,
+	// when replacing pods on nodes, or when scaling down. The default policy is
+	// `OrderedReady`, where pods are created in increasing order (pod-0, then
+	// pod-1, etc) and the controller will wait until each pod is ready before
+	// continuing. When scaling down, the pods are removed in the opposite order.
+	// The alternative policy is `Parallel` which will create pods in parallel
+	// to match the desired scale without waiting, and on scale down will delete
+	// all pods at once.
+	// +optional
+	podManagementPolicy?: #PodManagementPolicyType @go(PodManagementPolicy) @protobuf(6,bytes,opt,casttype=PodManagementPolicyType)
+
+	// updateStrategy indicates the StatefulSetUpdateStrategy that will be
+	// employed to update Pods in the StatefulSet when a revision is made to
+	// Template.
+	updateStrategy?: #StatefulSetUpdateStrategy @go(UpdateStrategy) @protobuf(7,bytes,opt)
+
+	// revisionHistoryLimit is the maximum number of revisions that will
+	// be maintained in the StatefulSet's revision history. The revision history
+	// consists of all revisions not represented by a currently applied
+	// StatefulSetSpec version. The default value is 10.
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(8,varint,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(9,varint,opt)
+
+	// persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+	// volume claims created from volumeClaimTemplates. By default, all persistent
+	// volume claims are created as needed and retained until manually deleted. This
+	// policy allows the lifecycle to be altered, for example by deleting persistent
+	// volume claims when their stateful set is deleted, or when their pod is scaled
+	// down. This requires the StatefulSetAutoDeletePVC feature gate to be enabled,
+	// which is alpha.  +optional
+	persistentVolumeClaimRetentionPolicy?: null | #StatefulSetPersistentVolumeClaimRetentionPolicy @go(PersistentVolumeClaimRetentionPolicy,*StatefulSetPersistentVolumeClaimRetentionPolicy) @protobuf(10,bytes,opt)
+
+	// ordinals controls the numbering of replica indices in a StatefulSet. The
+	// default ordinals behavior assigns a "0" index to the first replica and
+	// increments the index by one for each additional replica requested. Using
+	// the ordinals field requires the StatefulSetStartOrdinal feature gate to be
+	// enabled, which is beta.
+	// +optional
+	ordinals?: null | #StatefulSetOrdinals @go(Ordinals,*StatefulSetOrdinals) @protobuf(11,bytes,opt)
+}
+
+// StatefulSetStatus represents the current state of a StatefulSet.
+#StatefulSetStatus: {
+	// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
+	// StatefulSet's generation, which is updated on mutation by the API Server.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// replicas is the number of Pods created by the StatefulSet controller.
+	replicas: int32 @go(Replicas) @protobuf(2,varint,opt)
+
+	// readyReplicas is the number of pods created for this StatefulSet with a Ready Condition.
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(3,varint,opt)
+
+	// currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by currentRevision.
+	currentReplicas?: int32 @go(CurrentReplicas) @protobuf(4,varint,opt)
+
+	// updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by updateRevision.
+	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(5,varint,opt)
+
+	// currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
+	// sequence [0,currentReplicas).
+	currentRevision?: string @go(CurrentRevision) @protobuf(6,bytes,opt)
+
+	// updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
+	// [replicas-updatedReplicas,replicas)
+	updateRevision?: string @go(UpdateRevision) @protobuf(7,bytes,opt)
+
+	// collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
+	// uses this field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ControllerRevision.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
+
+	// Represents the latest available observations of a statefulset's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#StatefulSetCondition] @go(Conditions,[]StatefulSetCondition) @protobuf(10,bytes,rep)
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset.
+	// +optional
+	availableReplicas: int32 @go(AvailableReplicas) @protobuf(11,varint,opt)
+}
+
+#StatefulSetConditionType: string
+
+// StatefulSetCondition describes the state of a statefulset at a certain point.
+#StatefulSetCondition: {
+	// Type of statefulset condition.
+	type: #StatefulSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// StatefulSetList is a collection of StatefulSets.
+#StatefulSetList: {
+	metav1.#TypeMeta
+
+	// Standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of stateful sets.
+	items: [...#StatefulSet] @go(Items,[]StatefulSet) @protobuf(2,bytes,rep)
+}
+
+// Deployment enables declarative updates for Pods and ReplicaSets.
+#Deployment: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of the Deployment.
+	// +optional
+	spec?: #DeploymentSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Most recently observed status of the Deployment.
+	// +optional
+	status?: #DeploymentStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
+#DeploymentSpec: {
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	// It must match the pod template's labels.
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// Template describes the pods that will be created.
+	// The only allowed template.spec.restartPolicy value is "Always".
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+
+	// The deployment strategy to use to replace existing pods with new ones.
+	// +optional
+	// +patchStrategy=retainKeys
+	strategy?: #DeploymentStrategy @go(Strategy) @protobuf(4,bytes,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(5,varint,opt)
+
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
+
+	// Indicates that the deployment is paused.
+	// +optional
+	paused?: bool @go(Paused) @protobuf(7,varint,opt)
+
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. Defaults to 600s.
+	progressDeadlineSeconds?: null | int32 @go(ProgressDeadlineSeconds,*int32) @protobuf(9,varint,opt)
+}
+
+// DefaultDeploymentUniqueLabelKey is the default key of the selector that is added
+// to existing ReplicaSets (and label key that is added to its pods) to prevent the existing ReplicaSets
+// to select new pods (and old pods being select by new ReplicaSet).
+#DefaultDeploymentUniqueLabelKey: "pod-template-hash"
+
+// DeploymentStrategy describes how to replace existing pods with new ones.
+#DeploymentStrategy: {
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	// +optional
+	type?: #DeploymentStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentStrategyType)
+
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
+	// +optional
+	rollingUpdate?: null | #RollingUpdateDeployment @go(RollingUpdate,*RollingUpdateDeployment) @protobuf(2,bytes,opt)
+}
+
+// +enum
+#DeploymentStrategyType: string // #enumDeploymentStrategyType
+
+#enumDeploymentStrategyType:
+	#RecreateDeploymentStrategyType |
+	#RollingUpdateDeploymentStrategyType
+
+// Kill all existing pods before creating new ones.
+#RecreateDeploymentStrategyType: #DeploymentStrategyType & "Recreate"
+
+// Replace the old ReplicaSets by new one using rolling update i.e gradually scale down the old ReplicaSets and scale up the new one.
+#RollingUpdateDeploymentStrategyType: #DeploymentStrategyType & "RollingUpdate"
+
+// Spec to control the desired behavior of rolling update.
+#RollingUpdateDeployment: {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+	// can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new ReplicaSet can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is at most 130% of desired pods.
+	// +optional
+	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
+}
+
+// DeploymentStatus is the most recently observed status of the Deployment.
+#DeploymentStatus: {
+	// The generation observed by the deployment controller.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+	// +optional
+	replicas?: int32 @go(Replicas) @protobuf(2,varint,opt)
+
+	// Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+	// +optional
+	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(3,varint,opt)
+
+	// readyReplicas is the number of pods targeted by this Deployment with a Ready Condition.
+	// +optional
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(7,varint,opt)
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(4,varint,opt)
+
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	// +optional
+	unavailableReplicas?: int32 @go(UnavailableReplicas) @protobuf(5,varint,opt)
+
+	// Represents the latest available observations of a deployment's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#DeploymentCondition] @go(Conditions,[]DeploymentCondition) @protobuf(6,bytes,rep)
+
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(8,varint,opt)
+}
+
+#DeploymentConditionType: string // #enumDeploymentConditionType
+
+#enumDeploymentConditionType:
+	#DeploymentAvailable |
+	#DeploymentProgressing |
+	#DeploymentReplicaFailure
+
+// Available means the deployment is available, ie. at least the minimum available
+// replicas required are up and running for at least minReadySeconds.
+#DeploymentAvailable: #DeploymentConditionType & "Available"
+
+// Progressing means the deployment is progressing. Progress for a deployment is
+// considered when a new replica set is created or adopted, and when new pods scale
+// up or old pods scale down. Progress is not estimated for paused deployments or
+// when progressDeadlineSeconds is not specified.
+#DeploymentProgressing: #DeploymentConditionType & "Progressing"
+
+// ReplicaFailure is added in a deployment when one of its pods fails to be created
+// or deleted.
+#DeploymentReplicaFailure: #DeploymentConditionType & "ReplicaFailure"
+
+// DeploymentCondition describes the state of a deployment at a certain point.
+#DeploymentCondition: {
+	// Type of deployment condition.
+	type: #DeploymentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// The last time this condition was updated.
+	lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(6,bytes,opt)
+
+	// Last time the condition transitioned from one status to another.
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(7,bytes,opt)
+
+	// The reason for the condition's last transition.
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// DeploymentList is a list of Deployments.
+#DeploymentList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of Deployments.
+	items: [...#Deployment] @go(Items,[]Deployment) @protobuf(2,bytes,rep)
+}
+
+// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
+#DaemonSetUpdateStrategy: {
+	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
+	// +optional
+	type?: #DaemonSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt)
+
+	// Rolling update config params. Present only if type = "RollingUpdate".
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be. Same as Deployment `strategy.rollingUpdate`.
+	// See https://github.com/kubernetes/kubernetes/issues/35345
+	// +optional
+	rollingUpdate?: null | #RollingUpdateDaemonSet @go(RollingUpdate,*RollingUpdateDaemonSet) @protobuf(2,bytes,opt)
+}
+
+// +enum
+#DaemonSetUpdateStrategyType: string // #enumDaemonSetUpdateStrategyType
+
+#enumDaemonSetUpdateStrategyType:
+	#RollingUpdateDaemonSetStrategyType |
+	#OnDeleteDaemonSetStrategyType
+
+// Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other.
+#RollingUpdateDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "RollingUpdate"
+
+// Replace the old daemons only when it's killed
+#OnDeleteDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "OnDelete"
+
+// Spec to control the desired behavior of daemon set rolling update.
+#RollingUpdateDaemonSet: {
+	// The maximum number of DaemonSet pods that can be unavailable during the
+	// update. Value can be an absolute number (ex: 5) or a percentage of total
+	// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding up.
+	// This cannot be 0 if MaxSurge is 0
+	// Default value is 1.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their pods stopped for an update at any given time. The update
+	// starts by stopping at most 30% of those DaemonSet pods and then brings
+	// up new DaemonSet pods in their place. Once the new pods are available,
+	// it then proceeds onto other DaemonSet pods, thus ensuring that at least
+	// 70% of original number of DaemonSet pods are available at all times during
+	// the update.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// The maximum number of nodes with an existing available DaemonSet pod that
+	// can have an updated DaemonSet pod during during an update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up to a minimum of 1.
+	// Default value is 0.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their a new pod created before the old pod is marked as deleted.
+	// The update starts by launching new pods on 30% of nodes. Once an updated
+	// pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+	// on that node is marked deleted. If the old pod becomes unavailable for any
+	// reason (Ready transitions to false, is evicted, or is drained) an updated
+	// pod is immediatedly created on that node without considering surge limits.
+	// Allowing surge implies the possibility that the resources consumed by the
+	// daemonset on any given node can double if the readiness check fails, and
+	// so resource intensive daemonsets should take into account that they may
+	// cause evictions during disruption.
+	// +optional
+	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
+}
+
+// DaemonSetSpec is the specification of a daemon set.
+#DaemonSetSpec: {
+	// A label query over pods that are managed by the daemon set.
+	// Must match in order to be controlled.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(1,bytes,opt)
+
+	// An object that describes the pod that will be created.
+	// The DaemonSet will create exactly one copy of this pod on every node
+	// that matches the template's node selector (or on every node if no node
+	// selector is specified).
+	// The only allowed template.spec.restartPolicy value is "Always".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(2,bytes,opt)
+
+	// An update strategy to replace existing DaemonSet pods with new pods.
+	// +optional
+	updateStrategy?: #DaemonSetUpdateStrategy @go(UpdateStrategy) @protobuf(3,bytes,opt)
+
+	// The minimum number of seconds for which a newly created DaemonSet pod should
+	// be ready without any of its container crashing, for it to be considered
+	// available. Defaults to 0 (pod will be considered available as soon as it
+	// is ready).
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
+
+	// The number of old history to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
+}
+
+// DaemonSetStatus represents the current status of a daemon set.
+#DaemonSetStatus: {
+	// The number of nodes that are running at least 1
+	// daemon pod and are supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	currentNumberScheduled: int32 @go(CurrentNumberScheduled) @protobuf(1,varint,opt)
+
+	// The number of nodes that are running the daemon pod, but are
+	// not supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	numberMisscheduled: int32 @go(NumberMisscheduled) @protobuf(2,varint,opt)
+
+	// The total number of nodes that should be running the daemon
+	// pod (including nodes correctly running the daemon pod).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	desiredNumberScheduled: int32 @go(DesiredNumberScheduled) @protobuf(3,varint,opt)
+
+	// numberReady is the number of nodes that should be running the daemon pod and have one
+	// or more of the daemon pod running with a Ready Condition.
+	numberReady: int32 @go(NumberReady) @protobuf(4,varint,opt)
+
+	// The most recent generation observed by the daemon set controller.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(5,varint,opt)
+
+	// The total number of nodes that are running updated daemon pod
+	// +optional
+	updatedNumberScheduled?: int32 @go(UpdatedNumberScheduled) @protobuf(6,varint,opt)
+
+	// The number of nodes that should be running the
+	// daemon pod and have one or more of the daemon pod running and
+	// available (ready for at least spec.minReadySeconds)
+	// +optional
+	numberAvailable?: int32 @go(NumberAvailable) @protobuf(7,varint,opt)
+
+	// The number of nodes that should be running the
+	// daemon pod and have none of the daemon pod running and available
+	// (ready for at least spec.minReadySeconds)
+	// +optional
+	numberUnavailable?: int32 @go(NumberUnavailable) @protobuf(8,varint,opt)
+
+	// Count of hash collisions for the DaemonSet. The DaemonSet controller
+	// uses this field as a collision avoidance mechanism when it needs to
+	// create the name for the newest ControllerRevision.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
+
+	// Represents the latest available observations of a DaemonSet's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#DaemonSetCondition] @go(Conditions,[]DaemonSetCondition) @protobuf(10,bytes,rep)
+}
+
+#DaemonSetConditionType: string
+
+// DaemonSetCondition describes the state of a DaemonSet at a certain point.
+#DaemonSetCondition: {
+	// Type of DaemonSet condition.
+	type: #DaemonSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DaemonSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// DaemonSet represents the configuration of a daemon set.
+#DaemonSet: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// The desired behavior of this daemon set.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #DaemonSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// The current status of this daemon set. This data may be
+	// out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #DaemonSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// DefaultDaemonSetUniqueLabelKey is the default label key that is added
+// to existing DaemonSet pods to distinguish between old and new
+// DaemonSet pods during DaemonSet template updates.
+#DefaultDaemonSetUniqueLabelKey: "controller-revision-hash"
+
+// DaemonSetList is a collection of daemon sets.
+#DaemonSetList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// A list of daemon sets.
+	items: [...#DaemonSet] @go(Items,[]DaemonSet) @protobuf(2,bytes,rep)
+}
+
+// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
+#ReplicaSet: {
+	metav1.#TypeMeta
+
+	// If the Labels of a ReplicaSet are empty, they are defaulted to
+	// be the same as the Pod(s) that the ReplicaSet manages.
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec defines the specification of the desired behavior of the ReplicaSet.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #ReplicaSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the most recently observed status of the ReplicaSet.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #ReplicaSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// ReplicaSetList is a collection of ReplicaSets.
+#ReplicaSetList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// List of ReplicaSets.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
+	items: [...#ReplicaSet] @go(Items,[]ReplicaSet) @protobuf(2,bytes,rep)
+}
+
+// ReplicaSetSpec is the specification of a ReplicaSet.
+#ReplicaSetSpec: {
+	// Replicas is the number of desired replicas.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
+
+	// Selector is a label query over pods that should match the replica count.
+	// Label keys and values that must match in order to be controlled by this replica set.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	// +optional
+	template?: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+}
+
+// ReplicaSetStatus represents the current status of a ReplicaSet.
+#ReplicaSetStatus: {
+	// Replicas is the most recently observed number of replicas.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	replicas: int32 @go(Replicas) @protobuf(1,varint,opt)
+
+	// The number of pods that have labels matching the labels of the pod template of the replicaset.
+	// +optional
+	fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt)
+
+	// readyReplicas is the number of pods targeted by this ReplicaSet with a Ready Condition.
+	// +optional
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt)
+
+	// The number of available replicas (ready for at least minReadySeconds) for this replica set.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt)
+
+	// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt)
+
+	// Represents the latest available observations of a replica set's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#ReplicaSetCondition] @go(Conditions,[]ReplicaSetCondition) @protobuf(6,bytes,rep)
+}
+
+#ReplicaSetConditionType: string // #enumReplicaSetConditionType
+
+#enumReplicaSetConditionType:
+	#ReplicaSetReplicaFailure
+
+// ReplicaSetReplicaFailure is added in a replica set when one of its pods fails to be created
+// due to insufficient quota, limit ranges, pod security policy, node selectors, etc. or deleted
+// due to kubelet being down or finalizers are failing.
+#ReplicaSetReplicaFailure: #ReplicaSetConditionType & "ReplicaFailure"
+
+// ReplicaSetCondition describes the state of a replica set at a certain point.
+#ReplicaSetCondition: {
+	// Type of replica set condition.
+	type: #ReplicaSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicaSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// The last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
+#ControllerRevision: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Data is the serialized representation of the state.
+	data?: runtime.#RawExtension @go(Data) @protobuf(2,bytes,opt)
+
+	// Revision indicates the revision of the state represented by Data.
+	revision: int64 @go(Revision) @protobuf(3,varint,opt)
+}
+
+// ControllerRevisionList is a resource containing a list of ControllerRevision objects.
+#ControllerRevisionList: {
+	metav1.#TypeMeta
+
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of ControllerRevisions
+	items: [...#ControllerRevision] @go(Items,[]ControllerRevision) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/authentication/v1
+
+package v1
+
+#GroupName: "authentication.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue

@@ -0,0 +1,206 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/authentication/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// ImpersonateUserHeader is used to impersonate a particular user during an API server request
+#ImpersonateUserHeader: "Impersonate-User"
+
+// ImpersonateGroupHeader is used to impersonate a particular group during an API server request.
+// It can be repeated multiplied times for multiple groups.
+#ImpersonateGroupHeader: "Impersonate-Group"
+
+// ImpersonateUIDHeader is used to impersonate a particular UID during an API server request
+#ImpersonateUIDHeader: "Impersonate-Uid"
+
+// ImpersonateUserExtraHeaderPrefix is a prefix for any header used to impersonate an entry in the
+// extra map[string][]string for user.Info.  The key will be every after the prefix.
+// It can be repeated multiplied times for multiple map keys and the same key can be repeated multiple
+// times to have multiple elements in the slice under a single key
+#ImpersonateUserExtraHeaderPrefix: "Impersonate-Extra-"
+
+// TokenReview attempts to authenticate a token to a known user.
+// Note: TokenReview requests may be cached by the webhook token authenticator
+// plugin in the kube-apiserver.
+#TokenReview: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec holds information about the request being evaluated
+	spec: #TokenReviewSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is filled in by the server and indicates whether the request can be authenticated.
+	// +optional
+	status?: #TokenReviewStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// TokenReviewSpec is a description of the token authentication request.
+#TokenReviewSpec: {
+	// Token is the opaque bearer token.
+	// +optional
+	token?: string @go(Token) @protobuf(1,bytes,opt)
+
+	// Audiences is a list of the identifiers that the resource server presented
+	// with the token identifies as. Audience-aware token authenticators will
+	// verify that the token was intended for at least one of the audiences in
+	// this list. If no audiences are provided, the audience will default to the
+	// audience of the Kubernetes apiserver.
+	// +optional
+	audiences?: [...string] @go(Audiences,[]string) @protobuf(2,bytes,rep)
+}
+
+// TokenReviewStatus is the result of the token authentication request.
+#TokenReviewStatus: {
+	// Authenticated indicates that the token was associated with a known user.
+	// +optional
+	authenticated?: bool @go(Authenticated) @protobuf(1,varint,opt)
+
+	// User is the UserInfo associated with the provided token.
+	// +optional
+	user?: #UserInfo @go(User) @protobuf(2,bytes,opt)
+
+	// Audiences are audience identifiers chosen by the authenticator that are
+	// compatible with both the TokenReview and token. An identifier is any
+	// identifier in the intersection of the TokenReviewSpec audiences and the
+	// token's audiences. A client of the TokenReview API that sets the
+	// spec.audiences field should validate that a compatible audience identifier
+	// is returned in the status.audiences field to ensure that the TokenReview
+	// server is audience aware. If a TokenReview returns an empty
+	// status.audience field where status.authenticated is "true", the token is
+	// valid against the audience of the Kubernetes API server.
+	// +optional
+	audiences?: [...string] @go(Audiences,[]string) @protobuf(4,bytes,rep)
+
+	// Error indicates that the token couldn't be checked
+	// +optional
+	error?: string @go(Error) @protobuf(3,bytes,opt)
+}
+
+// UserInfo holds the information about the user needed to implement the
+// user.Info interface.
+#UserInfo: {
+	// The name that uniquely identifies this user among all active users.
+	// +optional
+	username?: string @go(Username) @protobuf(1,bytes,opt)
+
+	// A unique value that identifies this user across time. If this user is
+	// deleted and another user by the same name is added, they will have
+	// different UIDs.
+	// +optional
+	uid?: string @go(UID) @protobuf(2,bytes,opt)
+
+	// The names of groups this user is a part of.
+	// +optional
+	groups?: [...string] @go(Groups,[]string) @protobuf(3,bytes,rep)
+
+	// Any additional information provided by the authenticator.
+	// +optional
+	extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(4,bytes,rep)
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#ExtraValue: [...string]
+
+// TokenRequest requests a token for a given service account.
+#TokenRequest: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec holds information about the request being evaluated
+	spec: #TokenRequestSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is filled in by the server and indicates whether the token can be authenticated.
+	// +optional
+	status?: #TokenRequestStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// TokenRequestSpec contains client provided parameters of a token request.
+#TokenRequestSpec: {
+	// Audiences are the intendend audiences of the token. A recipient of a
+	// token must identify themself with an identifier in the list of
+	// audiences of the token, and otherwise should reject the token. A
+	// token issued for multiple audiences may be used to authenticate
+	// against any of the audiences listed but implies a high degree of
+	// trust between the target audiences.
+	audiences: [...string] @go(Audiences,[]string) @protobuf(1,bytes,rep)
+
+	// ExpirationSeconds is the requested duration of validity of the request. The
+	// token issuer may return a token with a different validity duration so a
+	// client needs to check the 'expiration' field in a response.
+	// +optional
+	expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(4,varint,opt)
+
+	// BoundObjectRef is a reference to an object that the token will be bound to.
+	// The token will only be valid for as long as the bound object exists.
+	// NOTE: The API server's TokenReview endpoint will validate the
+	// BoundObjectRef, but other audiences may not. Keep ExpirationSeconds
+	// small if you want prompt revocation.
+	// +optional
+	boundObjectRef?: null | #BoundObjectReference @go(BoundObjectRef,*BoundObjectReference) @protobuf(3,bytes,opt)
+}
+
+// TokenRequestStatus is the result of a token request.
+#TokenRequestStatus: {
+	// Token is the opaque bearer token.
+	token: string @go(Token) @protobuf(1,bytes,opt)
+
+	// ExpirationTimestamp is the time of expiration of the returned token.
+	expirationTimestamp: metav1.#Time @go(ExpirationTimestamp) @protobuf(2,bytes,opt)
+}
+
+// BoundObjectReference is a reference to an object that a token is bound to.
+#BoundObjectReference: {
+	// Kind of the referent. Valid kinds are 'Pod' and 'Secret'.
+	// +optional
+	kind?: string @go(Kind) @protobuf(1,bytes,opt)
+
+	// API version of the referent.
+	// +optional
+	apiVersion?: string @go(APIVersion) @protobuf(2,bytes,opt)
+
+	// Name of the referent.
+	// +optional
+	name?: string @go(Name) @protobuf(3,bytes,opt)
+
+	// UID of the referent.
+	// +optional
+	uid?: types.#UID @go(UID) @protobuf(4,bytes,opt,name=uID,casttype=k8s.io/apimachinery/pkg/types.UID)
+}
+
+// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request.
+// When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or
+// request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
+#SelfSubjectReview: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Status is filled in by the server with the user attributes.
+	status?: #SelfSubjectReviewStatus @go(Status) @protobuf(2,bytes,opt)
+}
+
+// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.
+#SelfSubjectReviewStatus: {
+	// User attributes of the user making this request.
+	// +optional
+	userInfo?: #UserInfo @go(UserInfo) @protobuf(1,bytes,opt)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/authorization/v1
+
+package v1
+
+#GroupName: "authorization.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue

@@ -0,0 +1,262 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/authorization/v1
+
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// SubjectAccessReview checks whether or not a user or group can perform an action.
+#SubjectAccessReview: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec holds information about the request being evaluated
+	spec: #SubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is filled in by the server and indicates whether the request is allowed or not
+	// +optional
+	status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a
+// spec.namespace means "in all namespaces".  Self is a special case, because users should always be able
+// to check whether they can perform an action
+#SelfSubjectAccessReview: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec holds information about the request being evaluated.  user and groups must be empty
+	spec: #SelfSubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is filled in by the server and indicates whether the request is allowed or not
+	// +optional
+	status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
+// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
+// checking.
+#LocalSubjectAccessReview: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace
+	// you made the request against.  If empty, it is defaulted.
+	spec: #SubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is filled in by the server and indicates whether the request is allowed or not
+	// +optional
+	status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
+#ResourceAttributes: {
+	// Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces
+	// "" (empty) is defaulted for LocalSubjectAccessReviews
+	// "" (empty) is empty for cluster-scoped resources
+	// "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
+	// +optional
+	namespace?: string @go(Namespace) @protobuf(1,bytes,opt)
+
+	// Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  "*" means all.
+	// +optional
+	verb?: string @go(Verb) @protobuf(2,bytes,opt)
+
+	// Group is the API Group of the Resource.  "*" means all.
+	// +optional
+	group?: string @go(Group) @protobuf(3,bytes,opt)
+
+	// Version is the API Version of the Resource.  "*" means all.
+	// +optional
+	version?: string @go(Version) @protobuf(4,bytes,opt)
+
+	// Resource is one of the existing resource types.  "*" means all.
+	// +optional
+	resource?: string @go(Resource) @protobuf(5,bytes,opt)
+
+	// Subresource is one of the existing resource types.  "" means none.
+	// +optional
+	subresource?: string @go(Subresource) @protobuf(6,bytes,opt)
+
+	// Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
+	// +optional
+	name?: string @go(Name) @protobuf(7,bytes,opt)
+}
+
+// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
+#NonResourceAttributes: {
+	// Path is the URL path of the request
+	// +optional
+	path?: string @go(Path) @protobuf(1,bytes,opt)
+
+	// Verb is the standard HTTP verb
+	// +optional
+	verb?: string @go(Verb) @protobuf(2,bytes,opt)
+}
+
+// SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
+// and NonResourceAuthorizationAttributes must be set
+#SubjectAccessReviewSpec: {
+	// ResourceAuthorizationAttributes describes information for a resource access request
+	// +optional
+	resourceAttributes?: null | #ResourceAttributes @go(ResourceAttributes,*ResourceAttributes) @protobuf(1,bytes,opt)
+
+	// NonResourceAttributes describes information for a non-resource access request
+	// +optional
+	nonResourceAttributes?: null | #NonResourceAttributes @go(NonResourceAttributes,*NonResourceAttributes) @protobuf(2,bytes,opt)
+
+	// User is the user you're testing for.
+	// If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups
+	// +optional
+	user?: string @go(User) @protobuf(3,bytes,opt)
+
+	// Groups is the groups you're testing for.
+	// +optional
+	groups?: [...string] @go(Groups,[]string) @protobuf(4,bytes,rep)
+
+	// Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer
+	// it needs a reflection here.
+	// +optional
+	extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(5,bytes,rep)
+
+	// UID information about the requesting user.
+	// +optional
+	uid?: string @go(UID) @protobuf(6,bytes,opt)
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#ExtraValue: [...string]
+
+// SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
+// and NonResourceAuthorizationAttributes must be set
+#SelfSubjectAccessReviewSpec: {
+	// ResourceAuthorizationAttributes describes information for a resource access request
+	// +optional
+	resourceAttributes?: null | #ResourceAttributes @go(ResourceAttributes,*ResourceAttributes) @protobuf(1,bytes,opt)
+
+	// NonResourceAttributes describes information for a non-resource access request
+	// +optional
+	nonResourceAttributes?: null | #NonResourceAttributes @go(NonResourceAttributes,*NonResourceAttributes) @protobuf(2,bytes,opt)
+}
+
+// SubjectAccessReviewStatus
+#SubjectAccessReviewStatus: {
+	// Allowed is required. True if the action would be allowed, false otherwise.
+	allowed: bool @go(Allowed) @protobuf(1,varint,opt)
+
+	// Denied is optional. True if the action would be denied, otherwise
+	// false. If both allowed is false and denied is false, then the
+	// authorizer has no opinion on whether to authorize the action. Denied
+	// may not be true if Allowed is true.
+	// +optional
+	denied?: bool @go(Denied) @protobuf(4,varint,opt)
+
+	// Reason is optional.  It indicates why a request was allowed or denied.
+	// +optional
+	reason?: string @go(Reason) @protobuf(2,bytes,opt)
+
+	// EvaluationError is an indication that some error occurred during the authorization check.
+	// It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
+	// For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
+	// +optional
+	evaluationError?: string @go(EvaluationError) @protobuf(3,bytes,opt)
+}
+
+// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace.
+// The returned list of actions may be incomplete depending on the server's authorization mode,
+// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions,
+// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
+// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
+// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
+#SelfSubjectRulesReview: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec holds information about the request being evaluated.
+	spec: #SelfSubjectRulesReviewSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is filled in by the server and indicates the set of actions a user can perform.
+	// +optional
+	status?: #SubjectRulesReviewStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.
+#SelfSubjectRulesReviewSpec: {
+	// Namespace to evaluate rules for. Required.
+	namespace?: string @go(Namespace) @protobuf(1,bytes,opt)
+}
+
+// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
+// the set of authorizers the server is configured with and any errors experienced during evaluation.
+// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
+// even if that list is incomplete.
+#SubjectRulesReviewStatus: {
+	// ResourceRules is the list of actions the subject is allowed to perform on resources.
+	// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+	resourceRules: [...#ResourceRule] @go(ResourceRules,[]ResourceRule) @protobuf(1,bytes,rep)
+
+	// NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
+	// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+	nonResourceRules: [...#NonResourceRule] @go(NonResourceRules,[]NonResourceRule) @protobuf(2,bytes,rep)
+
+	// Incomplete is true when the rules returned by this call are incomplete. This is most commonly
+	// encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
+	incomplete: bool @go(Incomplete) @protobuf(3,bytes,rep)
+
+	// EvaluationError can appear in combination with Rules. It indicates an error occurred during
+	// rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
+	// ResourceRules and/or NonResourceRules may be incomplete.
+	// +optional
+	evaluationError?: string @go(EvaluationError) @protobuf(4,bytes,opt)
+}
+
+// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
+// may contain duplicates, and possibly be incomplete.
+#ResourceRule: {
+	// Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  "*" means all.
+	verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep)
+
+	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+	// the enumerated resources in any API group will be allowed.  "*" means all.
+	// +optional
+	apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep)
+
+	// Resources is a list of resources this rule applies to.  "*" means all in the specified apiGroups.
+	//  "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
+	// +optional
+	resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep)
+
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  "*" means all.
+	// +optional
+	resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep)
+}
+
+// NonResourceRule holds information that describes a rule for the non-resource
+#NonResourceRule: {
+	// Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  "*" means all.
+	verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep)
+
+	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full,
+	// final step in the path.  "*" means all.
+	// +optional
+	nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/autoscaling/v1
+
+package v1
+
+#GroupName: "autoscaling"

timoni/podinfo/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue

@@ -0,0 +1,542 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/autoscaling/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/api/core/v1"
+)
+
+// CrossVersionObjectReference contains enough information to let you identify the referred resource.
+// +structType=atomic
+#CrossVersionObjectReference: {
+	// kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: string @go(Kind) @protobuf(1,bytes,opt)
+
+	// name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	name: string @go(Name) @protobuf(2,bytes,opt)
+
+	// apiVersion is the API version of the referent
+	// +optional
+	apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt)
+}
+
+// specification of a horizontal pod autoscaler.
+#HorizontalPodAutoscalerSpec: {
+	// reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption
+	// and will set the desired number of pods by using its Scale subresource.
+	scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt)
+
+	// minReplicas is the lower limit for the number of replicas to which the autoscaler
+	// can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
+	// alpha feature gate HPAScaleToZero is enabled and at least one Object or External
+	// metric is configured.  Scaling is active as long as at least one metric value is
+	// available.
+	// +optional
+	minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt)
+
+	// maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.
+	maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt)
+
+	// targetCPUUtilizationPercentage is the target average CPU utilization (represented as a percentage of requested CPU) over all the pods;
+	// if not specified the default autoscaling policy will be used.
+	// +optional
+	targetCPUUtilizationPercentage?: null | int32 @go(TargetCPUUtilizationPercentage,*int32) @protobuf(4,varint,opt)
+}
+
+// current status of a horizontal pod autoscaler
+#HorizontalPodAutoscalerStatus: {
+	// observedGeneration is the most recent generation observed by this autoscaler.
+	// +optional
+	observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt)
+
+	// lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods;
+	// used by the autoscaler to control how often the number of pods is changed.
+	// +optional
+	lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt)
+
+	// currentReplicas is the current number of replicas of pods managed by this autoscaler.
+	currentReplicas: int32 @go(CurrentReplicas) @protobuf(3,varint,opt)
+
+	// desiredReplicas is the  desired number of replicas of pods managed by this autoscaler.
+	desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt)
+
+	// currentCPUUtilizationPercentage is the current average CPU utilization over all pods, represented as a percentage of requested CPU,
+	// e.g. 70 means that an average pod is using now 70% of its requested CPU.
+	// +optional
+	currentCPUUtilizationPercentage?: null | int32 @go(CurrentCPUUtilizationPercentage,*int32) @protobuf(5,varint,opt)
+}
+
+// configuration of a horizontal pod autoscaler.
+#HorizontalPodAutoscaler: {
+	metav1.#TypeMeta
+
+	// Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec defines the behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+	// +optional
+	spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status is the current information about the autoscaler.
+	// +optional
+	status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// list of horizontal pod autoscaler objects.
+#HorizontalPodAutoscalerList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of horizontal pod autoscaler objects.
+	items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep)
+}
+
+// Scale represents a scaling request for a resource.
+#Scale: {
+	metav1.#TypeMeta
+
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+	// +optional
+	spec?: #ScaleSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status is the current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.
+	// +optional
+	status?: #ScaleStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// ScaleSpec describes the attributes of a scale subresource.
+#ScaleSpec: {
+	// replicas is the desired number of instances for the scaled object.
+	// +optional
+	replicas?: int32 @go(Replicas) @protobuf(1,varint,opt)
+}
+
+// ScaleStatus represents the current status of a scale subresource.
+#ScaleStatus: {
+	// replicas is the actual number of observed instances of the scaled object.
+	replicas: int32 @go(Replicas) @protobuf(1,varint,opt)
+
+	// selector is the label query over pods that should match the replicas count. This is same
+	// as the label selector but in the string format to avoid introspection
+	// by clients. The string will be in the same format as the query-param syntax.
+	// More info about label selectors: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// +optional
+	selector?: string @go(Selector) @protobuf(2,bytes,opt)
+}
+
+// MetricSourceType indicates the type of metric.
+// +enum
+#MetricSourceType: string // #enumMetricSourceType
+
+#enumMetricSourceType:
+	#ObjectMetricSourceType |
+	#PodsMetricSourceType |
+	#ResourceMetricSourceType |
+	#ContainerResourceMetricSourceType |
+	#ExternalMetricSourceType
+
+// ObjectMetricSourceType is a metric describing a kubernetes object
+// (for example, hits-per-second on an Ingress object).
+#ObjectMetricSourceType: #MetricSourceType & "Object"
+
+// PodsMetricSourceType is a metric describing each pod in the current scale
+// target (for example, transactions-processed-per-second).  The values
+// will be averaged together before being compared to the target value.
+#PodsMetricSourceType: #MetricSourceType & "Pods"
+
+// ResourceMetricSourceType is a resource metric known to Kubernetes, as
+// specified in requests and limits, describing each pod in the current
+// scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available
+// to normal per-pod metrics (the "pods" source).
+#ResourceMetricSourceType: #MetricSourceType & "Resource"
+
+// ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as
+// specified in requests and limits, describing a single container in each pod in the current
+// scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available
+// to normal per-pod metrics (the "pods" source).
+#ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource"
+
+// ExternalMetricSourceType is a global metric that is not associated
+// with any Kubernetes object. It allows autoscaling based on information
+// coming from components running outside of cluster
+// (for example length of queue in cloud messaging service, or
+// QPS from loadbalancer running outside of cluster).
+#ExternalMetricSourceType: #MetricSourceType & "External"
+
+// MetricSpec specifies how to scale based on a single metric
+// (only `type` and one other matching field should be set at once).
+#MetricSpec: {
+	// type is the type of metric source.  It should be one of "ContainerResource",
+	// "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object.
+	// Note: "ContainerResource" type is available on when the feature-gate
+	// HPAContainerMetrics is enabled
+	type: #MetricSourceType @go(Type) @protobuf(1,bytes)
+
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	// +optional
+	object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt)
+
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	// +optional
+	pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt)
+
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt)
+
+	// containerResource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in each pod of the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
+	// +optional
+	containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt)
+
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	// +optional
+	external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt)
+}
+
+// ObjectMetricSource indicates how to scale on a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+#ObjectMetricSource: {
+	// target is the described Kubernetes object.
+	target: #CrossVersionObjectReference @go(Target) @protobuf(1,bytes)
+
+	// metricName is the name of the metric in question.
+	metricName: string @go(MetricName) @protobuf(2,bytes)
+
+	// targetValue is the target value of the metric (as a quantity).
+	targetValue: resource.#Quantity @go(TargetValue) @protobuf(3,bytes)
+
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric.
+	// When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping
+	// When unset, just the metricName will be used to gather metrics.
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes)
+
+	// averageValue is the target value of the average of the
+	// metric across all relevant pods (as a quantity)
+	// +optional
+	averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(5,bytes)
+}
+
+// PodsMetricSource indicates how to scale on a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+// The values will be averaged together before being compared to the target
+// value.
+#PodsMetricSource: {
+	// metricName is the name of the metric in question
+	metricName: string @go(MetricName) @protobuf(1,bytes)
+
+	// targetAverageValue is the target value of the average of the
+	// metric across all relevant pods (as a quantity)
+	targetAverageValue: resource.#Quantity @go(TargetAverageValue) @protobuf(2,bytes)
+
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping
+	// When unset, just the metricName will be used to gather metrics.
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(3,bytes)
+}
+
+// ResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
+#ResourceMetricSource: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// targetAverageUtilization is the target value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	// +optional
+	targetAverageUtilization?: null | int32 @go(TargetAverageUtilization,*int32) @protobuf(2,varint,opt)
+
+	// targetAverageValue is the target value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	// +optional
+	targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(3,bytes,opt)
+}
+
+// ContainerResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in the requests and limits, describing a single container in
+// each of the pods of the current scale target(e.g. CPU or memory). The values will be
+// averaged together before being compared to the target. Such metrics are built into
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source. Only one "target" type
+// should be set.
+#ContainerResourceMetricSource: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// targetAverageUtilization is the target value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	// +optional
+	targetAverageUtilization?: null | int32 @go(TargetAverageUtilization,*int32) @protobuf(2,varint,opt)
+
+	// targetAverageValue is the target value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	// +optional
+	targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(3,bytes,opt)
+
+	// container is the name of the container in the pods of the scaling target.
+	container: string @go(Container) @protobuf(5,bytes,opt)
+}
+
+// ExternalMetricSource indicates how to scale on a metric not associated with
+// any Kubernetes object (for example length of queue in cloud
+// messaging service, or QPS from loadbalancer running outside of cluster).
+#ExternalMetricSource: {
+	// metricName is the name of the metric in question.
+	metricName: string @go(MetricName) @protobuf(1,bytes)
+
+	// metricSelector is used to identify a specific time series
+	// within a given metric.
+	// +optional
+	metricSelector?: null | metav1.#LabelSelector @go(MetricSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// targetValue is the target value of the metric (as a quantity).
+	// Mutually exclusive with TargetAverageValue.
+	// +optional
+	targetValue?: null | resource.#Quantity @go(TargetValue,*resource.Quantity) @protobuf(3,bytes,opt)
+
+	// targetAverageValue is the target per-pod value of global metric (as a quantity).
+	// Mutually exclusive with TargetValue.
+	// +optional
+	targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(4,bytes,opt)
+}
+
+// MetricStatus describes the last-read state of a single metric.
+#MetricStatus: {
+	// type is the type of metric source.  It will be one of "ContainerResource",
+	// "External", "Object", "Pods" or "Resource", each corresponds to a matching field in the object.
+	// Note: "ContainerResource" type is available on when the feature-gate
+	// HPAContainerMetrics is enabled
+	type: #MetricSourceType @go(Type) @protobuf(1,bytes)
+
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	// +optional
+	object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt)
+
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	// +optional
+	pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt)
+
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt)
+
+	// containerResource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt)
+
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	// +optional
+	external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt)
+}
+
+// HorizontalPodAutoscalerConditionType are the valid conditions of
+// a HorizontalPodAutoscaler.
+#HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType
+
+#enumHorizontalPodAutoscalerConditionType:
+	#ScalingActive |
+	#AbleToScale |
+	#ScalingLimited
+
+// ScalingActive indicates that the HPA controller is able to scale if necessary:
+// it's correctly configured, can fetch the desired metrics, and isn't disabled.
+#ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive"
+
+// AbleToScale indicates a lack of transient issues which prevent scaling from occurring,
+// such as being in a backoff window, or being unable to access/update the target scale.
+#AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale"
+
+// ScalingLimited indicates that the calculated scale based on metrics would be above or
+// below the range for the HPA, and has thus been capped.
+#ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited"
+
+// HorizontalPodAutoscalerCondition describes the state of
+// a HorizontalPodAutoscaler at a certain point.
+#HorizontalPodAutoscalerCondition: {
+	// type describes the current condition
+	type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes)
+
+	// status is the status of the condition (True, False, Unknown)
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes)
+
+	// lastTransitionTime is the last time the condition transitioned from
+	// one status to another
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// reason is the reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// message is a human-readable explanation containing details about
+	// the transition
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// ObjectMetricStatus indicates the current value of a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+#ObjectMetricStatus: {
+	// target is the described Kubernetes object.
+	target: #CrossVersionObjectReference @go(Target) @protobuf(1,bytes)
+
+	// metricName is the name of the metric in question.
+	metricName: string @go(MetricName) @protobuf(2,bytes)
+
+	// currentValue is the current value of the metric (as a quantity).
+	currentValue: resource.#Quantity @go(CurrentValue) @protobuf(3,bytes)
+
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+	// When unset, just the metricName will be used to gather metrics.
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes)
+
+	// averageValue is the current value of the average of the
+	// metric across all relevant pods (as a quantity)
+	// +optional
+	averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(5,bytes)
+}
+
+// PodsMetricStatus indicates the current value of a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+#PodsMetricStatus: {
+	// metricName is the name of the metric in question
+	metricName: string @go(MetricName) @protobuf(1,bytes)
+
+	// currentAverageValue is the current value of the average of the
+	// metric across all relevant pods (as a quantity)
+	currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(2,bytes)
+
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+	// When unset, just the metricName will be used to gather metrics.
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(3,bytes)
+}
+
+// ResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
+#ResourceMetricStatus: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// currentAverageUtilization is the current value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.  It will only be
+	// present if `targetAverageValue` was set in the corresponding metric
+	// specification.
+	// +optional
+	currentAverageUtilization?: null | int32 @go(CurrentAverageUtilization,*int32) @protobuf(2,bytes,opt)
+
+	// currentAverageValue is the current value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	// It will always be set, regardless of the corresponding metric specification.
+	currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(3,bytes)
+}
+
+// ContainerResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing a single container in each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
+#ContainerResourceMetricStatus: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// currentAverageUtilization is the current value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.  It will only be
+	// present if `targetAverageValue` was set in the corresponding metric
+	// specification.
+	// +optional
+	currentAverageUtilization?: null | int32 @go(CurrentAverageUtilization,*int32) @protobuf(2,bytes,opt)
+
+	// currentAverageValue is the current value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	// It will always be set, regardless of the corresponding metric specification.
+	currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(3,bytes)
+
+	// container is the name of the container in the pods of the scaling taget
+	container: string @go(Container) @protobuf(4,bytes,opt)
+}
+
+// ExternalMetricStatus indicates the current value of a global metric
+// not associated with any Kubernetes object.
+#ExternalMetricStatus: {
+	// metricName is the name of a metric used for autoscaling in
+	// metric system.
+	metricName: string @go(MetricName) @protobuf(1,bytes)
+
+	// metricSelector is used to identify a specific time series
+	// within a given metric.
+	// +optional
+	metricSelector?: null | metav1.#LabelSelector @go(MetricSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// currentValue is the current value of the metric (as a quantity)
+	currentValue: resource.#Quantity @go(CurrentValue) @protobuf(3,bytes)
+
+	// currentAverageValue is the current value of metric averaged over autoscaled pods.
+	// +optional
+	currentAverageValue?: null | resource.#Quantity @go(CurrentAverageValue,*resource.Quantity) @protobuf(4,bytes,opt)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/autoscaling/v2
+
+package v2
+
+#GroupName: "autoscaling"

timoni/podinfo/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue

@@ -0,0 +1,597 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/autoscaling/v2
+
+package v2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+)
+
+// HorizontalPodAutoscaler is the configuration for a horizontal pod
+// autoscaler, which automatically manages the replica count of any resource
+// implementing the scale subresource based on the metrics specified.
+#HorizontalPodAutoscaler: {
+	metav1.#TypeMeta
+
+	// metadata is the standard object metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec is the specification for the behaviour of the autoscaler.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+	// +optional
+	spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status is the current information about the autoscaler.
+	// +optional
+	status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.
+#HorizontalPodAutoscalerSpec: {
+	// scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics
+	// should be collected, as well as to actually change the replica count.
+	scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt)
+
+	// minReplicas is the lower limit for the number of replicas to which the autoscaler
+	// can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
+	// alpha feature gate HPAScaleToZero is enabled and at least one Object or External
+	// metric is configured.  Scaling is active as long as at least one metric value is
+	// available.
+	// +optional
+	minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt)
+
+	// maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
+	// It cannot be less that minReplicas.
+	maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt)
+
+	// metrics contains the specifications for which to use to calculate the
+	// desired replica count (the maximum replica count across all metrics will
+	// be used).  The desired replica count is calculated multiplying the
+	// ratio between the target value and the current value by the current
+	// number of pods.  Ergo, metrics used must decrease as the pod count is
+	// increased, and vice-versa.  See the individual metric source types for
+	// more information about how each type of metric must respond.
+	// If not set, the default metric will be set to 80% average CPU utilization.
+	// +listType=atomic
+	// +optional
+	metrics?: [...#MetricSpec] @go(Metrics,[]MetricSpec) @protobuf(4,bytes,rep)
+
+	// behavior configures the scaling behavior of the target
+	// in both Up and Down directions (scaleUp and scaleDown fields respectively).
+	// If not set, the default HPAScalingRules for scale up and scale down are used.
+	// +optional
+	behavior?: null | #HorizontalPodAutoscalerBehavior @go(Behavior,*HorizontalPodAutoscalerBehavior) @protobuf(5,bytes,opt)
+}
+
+// CrossVersionObjectReference contains enough information to let you identify the referred resource.
+#CrossVersionObjectReference: {
+	// kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: string @go(Kind) @protobuf(1,bytes,opt)
+
+	// name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	name: string @go(Name) @protobuf(2,bytes,opt)
+
+	// apiVersion is the API version of the referent
+	// +optional
+	apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt)
+}
+
+// MetricSpec specifies how to scale based on a single metric
+// (only `type` and one other matching field should be set at once).
+#MetricSpec: {
+	// type is the type of metric source.  It should be one of "ContainerResource", "External",
+	// "Object", "Pods" or "Resource", each mapping to a matching field in the object.
+	// Note: "ContainerResource" type is available on when the feature-gate
+	// HPAContainerMetrics is enabled
+	type: #MetricSourceType @go(Type) @protobuf(1,bytes)
+
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	// +optional
+	object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt)
+
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	// +optional
+	pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt)
+
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt)
+
+	// containerResource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in
+	// each pod of the current scale target (e.g. CPU or memory). Such metrics are
+	// built in to Kubernetes, and have special scaling options on top of those
+	// available to normal per-pod metrics using the "pods" source.
+	// This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
+	// +optional
+	containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt)
+
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	// +optional
+	external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt)
+}
+
+// HorizontalPodAutoscalerBehavior configures the scaling behavior of the target
+// in both Up and Down directions (scaleUp and scaleDown fields respectively).
+#HorizontalPodAutoscalerBehavior: {
+	// scaleUp is scaling policy for scaling Up.
+	// If not set, the default value is the higher of:
+	//   * increase no more than 4 pods per 60 seconds
+	//   * double the number of pods per 60 seconds
+	// No stabilization is used.
+	// +optional
+	scaleUp?: null | #HPAScalingRules @go(ScaleUp,*HPAScalingRules) @protobuf(1,bytes,opt)
+
+	// scaleDown is scaling policy for scaling Down.
+	// If not set, the default value is to allow to scale down to minReplicas pods, with a
+	// 300 second stabilization window (i.e., the highest recommendation for
+	// the last 300sec is used).
+	// +optional
+	scaleDown?: null | #HPAScalingRules @go(ScaleDown,*HPAScalingRules) @protobuf(2,bytes,opt)
+}
+
+// ScalingPolicySelect is used to specify which policy should be used while scaling in a certain direction
+#ScalingPolicySelect: string // #enumScalingPolicySelect
+
+#enumScalingPolicySelect:
+	#MaxChangePolicySelect |
+	#MinChangePolicySelect |
+	#DisabledPolicySelect
+
+// MaxChangePolicySelect  selects the policy with the highest possible change.
+#MaxChangePolicySelect: #ScalingPolicySelect & "Max"
+
+// MinChangePolicySelect selects the policy with the lowest possible change.
+#MinChangePolicySelect: #ScalingPolicySelect & "Min"
+
+// DisabledPolicySelect disables the scaling in this direction.
+#DisabledPolicySelect: #ScalingPolicySelect & "Disabled"
+
+// HPAScalingRules configures the scaling behavior for one direction.
+// These Rules are applied after calculating DesiredReplicas from metrics for the HPA.
+// They can limit the scaling velocity by specifying scaling policies.
+// They can prevent flapping by specifying the stabilization window, so that the
+// number of replicas is not set instantly, instead, the safest value from the stabilization
+// window is chosen.
+#HPAScalingRules: {
+	// stabilizationWindowSeconds is the number of seconds for which past recommendations should be
+	// considered while scaling up or scaling down.
+	// StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+	// If not set, use the default values:
+	// - For scale up: 0 (i.e. no stabilization is done).
+	// - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
+	// +optional
+	stabilizationWindowSeconds?: null | int32 @go(StabilizationWindowSeconds,*int32) @protobuf(3,varint,opt)
+
+	// selectPolicy is used to specify which policy should be used.
+	// If not set, the default value Max is used.
+	// +optional
+	selectPolicy?: null | #ScalingPolicySelect @go(SelectPolicy,*ScalingPolicySelect) @protobuf(1,bytes,opt)
+
+	// policies is a list of potential scaling polices which can be used during scaling.
+	// At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid
+	// +listType=atomic
+	// +optional
+	policies?: [...#HPAScalingPolicy] @go(Policies,[]HPAScalingPolicy) @protobuf(2,bytes,rep)
+}
+
+// HPAScalingPolicyType is the type of the policy which could be used while making scaling decisions.
+#HPAScalingPolicyType: string // #enumHPAScalingPolicyType
+
+#enumHPAScalingPolicyType:
+	#PodsScalingPolicy |
+	#PercentScalingPolicy
+
+// PodsScalingPolicy is a policy used to specify a change in absolute number of pods.
+#PodsScalingPolicy: #HPAScalingPolicyType & "Pods"
+
+// PercentScalingPolicy is a policy used to specify a relative amount of change with respect to
+// the current number of pods.
+#PercentScalingPolicy: #HPAScalingPolicyType & "Percent"
+
+// HPAScalingPolicy is a single policy which must hold true for a specified past interval.
+#HPAScalingPolicy: {
+	// type is used to specify the scaling policy.
+	type: #HPAScalingPolicyType @go(Type) @protobuf(1,bytes,opt,casttype=HPAScalingPolicyType)
+
+	// value contains the amount of change which is permitted by the policy.
+	// It must be greater than zero
+	value: int32 @go(Value) @protobuf(2,varint,opt)
+
+	// periodSeconds specifies the window of time for which the policy should hold true.
+	// PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
+	periodSeconds: int32 @go(PeriodSeconds) @protobuf(3,varint,opt)
+}
+
+// MetricSourceType indicates the type of metric.
+#MetricSourceType: string // #enumMetricSourceType
+
+#enumMetricSourceType:
+	#ObjectMetricSourceType |
+	#PodsMetricSourceType |
+	#ResourceMetricSourceType |
+	#ContainerResourceMetricSourceType |
+	#ExternalMetricSourceType
+
+// ObjectMetricSourceType is a metric describing a kubernetes object
+// (for example, hits-per-second on an Ingress object).
+#ObjectMetricSourceType: #MetricSourceType & "Object"
+
+// PodsMetricSourceType is a metric describing each pod in the current scale
+// target (for example, transactions-processed-per-second).  The values
+// will be averaged together before being compared to the target value.
+#PodsMetricSourceType: #MetricSourceType & "Pods"
+
+// ResourceMetricSourceType is a resource metric known to Kubernetes, as
+// specified in requests and limits, describing each pod in the current
+// scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available
+// to normal per-pod metrics (the "pods" source).
+#ResourceMetricSourceType: #MetricSourceType & "Resource"
+
+// ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as
+// specified in requests and limits, describing a single container in each pod in the current
+// scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available
+// to normal per-pod metrics (the "pods" source).
+#ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource"
+
+// ExternalMetricSourceType is a global metric that is not associated
+// with any Kubernetes object. It allows autoscaling based on information
+// coming from components running outside of cluster
+// (for example length of queue in cloud messaging service, or
+// QPS from loadbalancer running outside of cluster).
+#ExternalMetricSourceType: #MetricSourceType & "External"
+
+// ObjectMetricSource indicates how to scale on a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+#ObjectMetricSource: {
+	// describedObject specifies the descriptions of a object,such as kind,name apiVersion
+	describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(3,bytes)
+}
+
+// PodsMetricSource indicates how to scale on a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+// The values will be averaged together before being compared to the target
+// value.
+#PodsMetricSource: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+}
+
+// ResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
+#ResourceMetricSource: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+}
+
+// ContainerResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
+#ContainerResourceMetricSource: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+
+	// container is the name of the container in the pods of the scaling target
+	container: string @go(Container) @protobuf(3,bytes,opt)
+}
+
+// ExternalMetricSource indicates how to scale on a metric not associated with
+// any Kubernetes object (for example length of queue in cloud
+// messaging service, or QPS from loadbalancer running outside of cluster).
+#ExternalMetricSource: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+}
+
+// MetricIdentifier defines the name and optionally selector for a metric
+#MetricIdentifier: {
+	// name is the name of the given metric
+	name: string @go(Name) @protobuf(1,bytes)
+
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+	// When unset, just the metricName will be used to gather metrics.
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes)
+}
+
+// MetricTarget defines the target value, average value, or average utilization of a specific metric
+#MetricTarget: {
+	// type represents whether the metric type is Utilization, Value, or AverageValue
+	type: #MetricTargetType @go(Type) @protobuf(1,bytes)
+
+	// value is the target value of the metric (as a quantity).
+	// +optional
+	value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(2,bytes,opt)
+
+	// averageValue is the target value of the average of the
+	// metric across all relevant pods (as a quantity)
+	// +optional
+	averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(3,bytes,opt)
+
+	// averageUtilization is the target value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	// Currently only valid for Resource metric source type
+	// +optional
+	averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(4,bytes,opt)
+}
+
+// MetricTargetType specifies the type of metric being targeted, and should be either
+// "Value", "AverageValue", or "Utilization"
+#MetricTargetType: string // #enumMetricTargetType
+
+#enumMetricTargetType:
+	#UtilizationMetricType |
+	#ValueMetricType |
+	#AverageValueMetricType
+
+// UtilizationMetricType declares a MetricTarget is an AverageUtilization value
+#UtilizationMetricType: #MetricTargetType & "Utilization"
+
+// ValueMetricType declares a MetricTarget is a raw value
+#ValueMetricType: #MetricTargetType & "Value"
+
+// AverageValueMetricType declares a MetricTarget is an
+#AverageValueMetricType: #MetricTargetType & "AverageValue"
+
+// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.
+#HorizontalPodAutoscalerStatus: {
+	// observedGeneration is the most recent generation observed by this autoscaler.
+	// +optional
+	observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt)
+
+	// lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods,
+	// used by the autoscaler to control how often the number of pods is changed.
+	// +optional
+	lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt)
+
+	// currentReplicas is current number of replicas of pods managed by this autoscaler,
+	// as last seen by the autoscaler.
+	// +optional
+	currentReplicas?: int32 @go(CurrentReplicas) @protobuf(3,varint,opt)
+
+	// desiredReplicas is the desired number of replicas of pods managed by this autoscaler,
+	// as last calculated by the autoscaler.
+	desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt)
+
+	// currentMetrics is the last read state of the metrics used by this autoscaler.
+	// +listType=atomic
+	// +optional
+	currentMetrics: [...#MetricStatus] @go(CurrentMetrics,[]MetricStatus) @protobuf(5,bytes,rep)
+
+	// conditions is the set of conditions required for this autoscaler to scale its target,
+	// and indicates whether or not those conditions are met.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	conditions?: [...#HorizontalPodAutoscalerCondition] @go(Conditions,[]HorizontalPodAutoscalerCondition) @protobuf(6,bytes,rep)
+}
+
+// HorizontalPodAutoscalerConditionType are the valid conditions of
+// a HorizontalPodAutoscaler.
+#HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType
+
+#enumHorizontalPodAutoscalerConditionType:
+	#ScalingActive |
+	#AbleToScale |
+	#ScalingLimited
+
+// ScalingActive indicates that the HPA controller is able to scale if necessary:
+// it's correctly configured, can fetch the desired metrics, and isn't disabled.
+#ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive"
+
+// AbleToScale indicates a lack of transient issues which prevent scaling from occurring,
+// such as being in a backoff window, or being unable to access/update the target scale.
+#AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale"
+
+// ScalingLimited indicates that the calculated scale based on metrics would be above or
+// below the range for the HPA, and has thus been capped.
+#ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited"
+
+// HorizontalPodAutoscalerCondition describes the state of
+// a HorizontalPodAutoscaler at a certain point.
+#HorizontalPodAutoscalerCondition: {
+	// type describes the current condition
+	type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes)
+
+	// status is the status of the condition (True, False, Unknown)
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes)
+
+	// lastTransitionTime is the last time the condition transitioned from
+	// one status to another
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// reason is the reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// message is a human-readable explanation containing details about
+	// the transition
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// MetricStatus describes the last-read state of a single metric.
+#MetricStatus: {
+	// type is the type of metric source.  It will be one of "ContainerResource", "External",
+	// "Object", "Pods" or "Resource", each corresponds to a matching field in the object.
+	// Note: "ContainerResource" type is available on when the feature-gate
+	// HPAContainerMetrics is enabled
+	type: #MetricSourceType @go(Type) @protobuf(1,bytes)
+
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	// +optional
+	object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt)
+
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	// +optional
+	pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt)
+
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt)
+
+	// container resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt)
+
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	// +optional
+	external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt)
+}
+
+// ObjectMetricStatus indicates the current value of a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+#ObjectMetricStatus: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
+
+	// DescribedObject specifies the descriptions of a object,such as kind,name apiVersion
+	describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(3,bytes)
+}
+
+// PodsMetricStatus indicates the current value of a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+#PodsMetricStatus: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
+}
+
+// ResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
+#ResourceMetricStatus: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
+}
+
+// ContainerResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing a single container in each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
+#ContainerResourceMetricStatus: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
+
+	// container is the name of the container in the pods of the scaling target
+	container: string @go(Container) @protobuf(3,bytes,opt)
+}
+
+// ExternalMetricStatus indicates the current value of a global metric
+// not associated with any Kubernetes object.
+#ExternalMetricStatus: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
+}
+
+// MetricValueStatus holds the current value for a metric
+#MetricValueStatus: {
+	// value is the current value of the metric (as a quantity).
+	// +optional
+	value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(1,bytes,opt)
+
+	// averageValue is the current value of the average of the
+	// metric across all relevant pods (as a quantity)
+	// +optional
+	averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(2,bytes,opt)
+
+	// currentAverageUtilization is the current value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	// +optional
+	averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(3,bytes,opt)
+}
+
+// HorizontalPodAutoscalerList is a list of horizontal pod autoscaler objects.
+#HorizontalPodAutoscalerList: {
+	metav1.#TypeMeta
+
+	// metadata is the standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of horizontal pod autoscaler objects.
+	items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/batch/v1
+
+package v1
+
+#GroupName: "batch"

timoni/podinfo/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue

@@ -0,0 +1,693 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/batch/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// All Kubernetes labels need to be prefixed with Kubernetes to distinguish them from end-user labels
+// More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#label-selector-and-annotation-conventions
+_#labelPrefix: "batch.kubernetes.io/"
+
+// CronJobScheduledTimestampAnnotation is the scheduled timestamp annotation for the Job.
+// It records the original/expected scheduled timestamp for the running job, represented in RFC3339.
+// The CronJob controller adds this annotation if the CronJobsScheduledAnnotation feature gate (beta in 1.28) is enabled.
+#CronJobScheduledTimestampAnnotation: "batch.kubernetes.io/cronjob-scheduled-timestamp"
+#JobCompletionIndexAnnotation:        "batch.kubernetes.io/job-completion-index"
+
+// JobTrackingFinalizer is a finalizer for Job's pods. It prevents them from
+// being deleted before being accounted in the Job status.
+//
+// Additionally, the apiserver and job controller use this string as a Job
+// annotation, to mark Jobs that are being tracked using pod finalizers.
+// However, this behavior is deprecated in kubernetes 1.26. This means that, in
+// 1.27+, one release after JobTrackingWithFinalizers graduates to GA, the
+// apiserver and job controller will ignore this annotation and they will
+// always track jobs using finalizers.
+#JobTrackingFinalizer: "batch.kubernetes.io/job-tracking"
+
+// The Job labels will use batch.kubernetes.io as a prefix for all labels
+// Historically the job controller uses unprefixed labels for job-name and controller-uid and
+// Kubernetes continutes to recognize those unprefixed labels for consistency.
+#JobNameLabel: "batch.kubernetes.io/job-name"
+
+// ControllerUid is used to programatically get pods corresponding to a Job.
+// There is a corresponding label without the batch.kubernetes.io that we support for legacy reasons.
+#ControllerUidLabel: "batch.kubernetes.io/controller-uid"
+
+// Annotation indicating the number of failures for the index corresponding
+// to the pod, which are counted towards the backoff limit.
+#JobIndexFailureCountAnnotation: "batch.kubernetes.io/job-index-failure-count"
+
+// Annotation indicating the number of failures for the index corresponding
+// to the pod, which don't count towards the backoff limit, according to the
+// pod failure policy. When the annotation is absent zero is implied.
+#JobIndexIgnoredFailureCountAnnotation: "batch.kubernetes.io/job-index-ignored-failure-count"
+
+// Job represents the configuration of a single job.
+#Job: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of a job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Current status of a job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #JobStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// JobList is a collection of jobs.
+#JobList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of Jobs.
+	items: [...#Job] @go(Items,[]Job) @protobuf(2,bytes,rep)
+}
+
+// CompletionMode specifies how Pod completions of a Job are tracked.
+// +enum
+#CompletionMode: string // #enumCompletionMode
+
+#enumCompletionMode:
+	#NonIndexedCompletion |
+	#IndexedCompletion
+
+// NonIndexedCompletion is a Job completion mode. In this mode, the Job is
+// considered complete when there have been .spec.completions
+// successfully completed Pods. Pod completions are homologous to each other.
+#NonIndexedCompletion: #CompletionMode & "NonIndexed"
+
+// IndexedCompletion is a Job completion mode. In this mode, the Pods of a
+// Job get an associated completion index from 0 to (.spec.completions - 1).
+// The Job is  considered complete when a Pod completes for each completion
+// index.
+#IndexedCompletion: #CompletionMode & "Indexed"
+
+// PodFailurePolicyAction specifies how a Pod failure is handled.
+// +enum
+#PodFailurePolicyAction: string // #enumPodFailurePolicyAction
+
+#enumPodFailurePolicyAction:
+	#PodFailurePolicyActionFailJob |
+	#PodFailurePolicyActionFailIndex |
+	#PodFailurePolicyActionIgnore |
+	#PodFailurePolicyActionCount
+
+// This is an action which might be taken on a pod failure - mark the
+// pod's job as Failed and terminate all running pods.
+#PodFailurePolicyActionFailJob: #PodFailurePolicyAction & "FailJob"
+
+// This is an action which might be taken on a pod failure - mark the
+// Job's index as failed to avoid restarts within this index. This action
+// can only be used when backoffLimitPerIndex is set.
+#PodFailurePolicyActionFailIndex: #PodFailurePolicyAction & "FailIndex"
+
+// This is an action which might be taken on a pod failure - the counter towards
+// .backoffLimit, represented by the job's .status.failed field, is not
+// incremented and a replacement pod is created.
+#PodFailurePolicyActionIgnore: #PodFailurePolicyAction & "Ignore"
+
+// This is an action which might be taken on a pod failure - the pod failure
+// is handled in the default way - the counter towards .backoffLimit,
+// represented by the job's .status.failed field, is incremented.
+#PodFailurePolicyActionCount: #PodFailurePolicyAction & "Count"
+
+// +enum
+#PodFailurePolicyOnExitCodesOperator: string // #enumPodFailurePolicyOnExitCodesOperator
+
+#enumPodFailurePolicyOnExitCodesOperator:
+	#PodFailurePolicyOnExitCodesOpIn |
+	#PodFailurePolicyOnExitCodesOpNotIn
+
+#PodFailurePolicyOnExitCodesOpIn:    #PodFailurePolicyOnExitCodesOperator & "In"
+#PodFailurePolicyOnExitCodesOpNotIn: #PodFailurePolicyOnExitCodesOperator & "NotIn"
+
+// PodReplacementPolicy specifies the policy for creating pod replacements.
+// +enum
+#PodReplacementPolicy: string // #enumPodReplacementPolicy
+
+#enumPodReplacementPolicy:
+	#TerminatingOrFailed |
+	#Failed
+
+// TerminatingOrFailed means that we recreate pods
+// when they are terminating (has a metadata.deletionTimestamp) or failed.
+#TerminatingOrFailed: #PodReplacementPolicy & "TerminatingOrFailed"
+
+// Failed means to wait until a previously created Pod is fully terminated (has phase
+// Failed or Succeeded) before creating a replacement Pod.
+#Failed: #PodReplacementPolicy & "Failed"
+
+// PodFailurePolicyOnExitCodesRequirement describes the requirement for handling
+// a failed pod based on its container exit codes. In particular, it lookups the
+// .state.terminated.exitCode for each app container and init container status,
+// represented by the .status.containerStatuses and .status.initContainerStatuses
+// fields in the Pod status, respectively. Containers completed with success
+// (exit code 0) are excluded from the requirement check.
+#PodFailurePolicyOnExitCodesRequirement: {
+	// Restricts the check for exit codes to the container with the
+	// specified name. When null, the rule applies to all containers.
+	// When specified, it should match one the container or initContainer
+	// names in the pod template.
+	// +optional
+	containerName?: null | string @go(ContainerName,*string) @protobuf(1,bytes,opt)
+
+	// Represents the relationship between the container exit code(s) and the
+	// specified values. Containers completed with success (exit code 0) are
+	// excluded from the requirement check. Possible values are:
+	//
+	// - In: the requirement is satisfied if at least one container exit code
+	//   (might be multiple if there are multiple containers not restricted
+	//   by the 'containerName' field) is in the set of specified values.
+	// - NotIn: the requirement is satisfied if at least one container exit code
+	//   (might be multiple if there are multiple containers not restricted
+	//   by the 'containerName' field) is not in the set of specified values.
+	// Additional values are considered to be added in the future. Clients should
+	// react to an unknown operator by assuming the requirement is not satisfied.
+	operator: #PodFailurePolicyOnExitCodesOperator @go(Operator) @protobuf(2,bytes,req)
+
+	// Specifies the set of values. Each returned container exit code (might be
+	// multiple in case of multiple containers) is checked against this set of
+	// values with respect to the operator. The list of values must be ordered
+	// and must not contain duplicates. Value '0' cannot be used for the In operator.
+	// At least one element is required. At most 255 elements are allowed.
+	// +listType=set
+	values: [...int32] @go(Values,[]int32) @protobuf(3,varint,rep)
+}
+
+// PodFailurePolicyOnPodConditionsPattern describes a pattern for matching
+// an actual pod condition type.
+#PodFailurePolicyOnPodConditionsPattern: {
+	// Specifies the required Pod condition type. To match a pod condition
+	// it is required that specified type equals the pod condition type.
+	type: corev1.#PodConditionType @go(Type) @protobuf(1,bytes,req)
+
+	// Specifies the required Pod condition status. To match a pod condition
+	// it is required that the specified status equals the pod condition status.
+	// Defaults to True.
+	status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,req)
+}
+
+// PodFailurePolicyRule describes how a pod failure is handled when the requirements are met.
+// One of onExitCodes and onPodConditions, but not both, can be used in each rule.
+#PodFailurePolicyRule: {
+	// Specifies the action taken on a pod failure when the requirements are satisfied.
+	// Possible values are:
+	//
+	// - FailJob: indicates that the pod's job is marked as Failed and all
+	//   running pods are terminated.
+	// - FailIndex: indicates that the pod's index is marked as Failed and will
+	//   not be restarted.
+	//   This value is alpha-level. It can be used when the
+	//   `JobBackoffLimitPerIndex` feature gate is enabled (disabled by default).
+	// - Ignore: indicates that the counter towards the .backoffLimit is not
+	//   incremented and a replacement pod is created.
+	// - Count: indicates that the pod is handled in the default way - the
+	//   counter towards the .backoffLimit is incremented.
+	// Additional values are considered to be added in the future. Clients should
+	// react to an unknown action by skipping the rule.
+	action: #PodFailurePolicyAction @go(Action) @protobuf(1,bytes,req)
+
+	// Represents the requirement on the container exit codes.
+	// +optional
+	onExitCodes?: null | #PodFailurePolicyOnExitCodesRequirement @go(OnExitCodes,*PodFailurePolicyOnExitCodesRequirement) @protobuf(2,bytes,opt)
+
+	// Represents the requirement on the pod conditions. The requirement is represented
+	// as a list of pod condition patterns. The requirement is satisfied if at
+	// least one pattern matches an actual pod condition. At most 20 elements are allowed.
+	// +listType=atomic
+	// +optional
+	onPodConditions: [...#PodFailurePolicyOnPodConditionsPattern] @go(OnPodConditions,[]PodFailurePolicyOnPodConditionsPattern) @protobuf(3,bytes,opt)
+}
+
+// PodFailurePolicy describes how failed pods influence the backoffLimit.
+#PodFailurePolicy: {
+	// A list of pod failure policy rules. The rules are evaluated in order.
+	// Once a rule matches a Pod failure, the remaining of the rules are ignored.
+	// When no rule matches the Pod failure, the default handling applies - the
+	// counter of pod failures is incremented and it is checked against
+	// the backoffLimit. At most 20 elements are allowed.
+	// +listType=atomic
+	rules: [...#PodFailurePolicyRule] @go(Rules,[]PodFailurePolicyRule) @protobuf(1,bytes,opt)
+}
+
+// JobSpec describes how the job execution will look like.
+#JobSpec: {
+	// Specifies the maximum desired number of pods the job should
+	// run at any given time. The actual number of pods running in steady state will
+	// be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism),
+	// i.e. when the work left to do is less than max parallelism.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	// +optional
+	parallelism?: null | int32 @go(Parallelism,*int32) @protobuf(1,varint,opt)
+
+	// Specifies the desired number of successfully finished pods the
+	// job should be run with.  Setting to null means that the success of any
+	// pod signals the success of all pods, and allows parallelism to have any positive
+	// value.  Setting to 1 means that parallelism is limited to 1 and the success of that
+	// pod signals the success of the job.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	// +optional
+	completions?: null | int32 @go(Completions,*int32) @protobuf(2,varint,opt)
+
+	// Specifies the duration in seconds relative to the startTime that the job
+	// may be continuously active before the system tries to terminate it; value
+	// must be positive integer. If a Job is suspended (at creation or through an
+	// update), this timer will effectively be stopped and reset when the Job is
+	// resumed again.
+	// +optional
+	activeDeadlineSeconds?: null | int64 @go(ActiveDeadlineSeconds,*int64) @protobuf(3,varint,opt)
+
+	// Specifies the policy of handling failed pods. In particular, it allows to
+	// specify the set of actions and conditions which need to be
+	// satisfied to take the associated action.
+	// If empty, the default behaviour applies - the counter of failed pods,
+	// represented by the jobs's .status.failed field, is incremented and it is
+	// checked against the backoffLimit. This field cannot be used in combination
+	// with restartPolicy=OnFailure.
+	//
+	// This field is beta-level. It can be used when the `JobPodFailurePolicy`
+	// feature gate is enabled (enabled by default).
+	// +optional
+	podFailurePolicy?: null | #PodFailurePolicy @go(PodFailurePolicy,*PodFailurePolicy) @protobuf(11,bytes,opt)
+
+	// Specifies the number of retries before marking this job failed.
+	// Defaults to 6
+	// +optional
+	backoffLimit?: null | int32 @go(BackoffLimit,*int32) @protobuf(7,varint,opt)
+
+	// Specifies the limit for the number of retries within an
+	// index before marking this index as failed. When enabled the number of
+	// failures per index is kept in the pod's
+	// batch.kubernetes.io/job-index-failure-count annotation. It can only
+	// be set when Job's completionMode=Indexed, and the Pod's restart
+	// policy is Never. The field is immutable.
+	// This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex`
+	// feature gate is enabled (disabled by default).
+	// +optional
+	backoffLimitPerIndex?: null | int32 @go(BackoffLimitPerIndex,*int32) @protobuf(12,varint,opt)
+
+	// Specifies the maximal number of failed indexes before marking the Job as
+	// failed, when backoffLimitPerIndex is set. Once the number of failed
+	// indexes exceeds this number the entire Job is marked as Failed and its
+	// execution is terminated. When left as null the job continues execution of
+	// all of its indexes and is marked with the `Complete` Job condition.
+	// It can only be specified when backoffLimitPerIndex is set.
+	// It can be null or up to completions. It is required and must be
+	// less than or equal to 10^4 when is completions greater than 10^5.
+	// This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex`
+	// feature gate is enabled (disabled by default).
+	// +optional
+	maxFailedIndexes?: null | int32 @go(MaxFailedIndexes,*int32) @protobuf(13,varint,opt)
+
+	// A label query over pods that should match the pod count.
+	// Normally, the system sets this field for you.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes,opt)
+
+	// manualSelector controls generation of pod labels and pod selectors.
+	// Leave `manualSelector` unset unless you are certain what you are doing.
+	// When false or unset, the system pick labels unique to this job
+	// and appends those labels to the pod template.  When true,
+	// the user is responsible for picking unique labels and specifying
+	// the selector.  Failure to pick a unique label may cause this
+	// and other jobs to not function correctly.  However, You may see
+	// `manualSelector=true` in jobs that were created with the old `extensions/v1beta1`
+	// API.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector
+	// +optional
+	manualSelector?: null | bool @go(ManualSelector,*bool) @protobuf(5,varint,opt)
+
+	// Describes the pod that will be created when executing a job.
+	// The only allowed template.spec.restartPolicy values are "Never" or "OnFailure".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	template: corev1.#PodTemplateSpec @go(Template) @protobuf(6,bytes,opt)
+
+	// ttlSecondsAfterFinished limits the lifetime of a Job that has finished
+	// execution (either Complete or Failed). If this field is set,
+	// ttlSecondsAfterFinished after the Job finishes, it is eligible to be
+	// automatically deleted. When the Job is being deleted, its lifecycle
+	// guarantees (e.g. finalizers) will be honored. If this field is unset,
+	// the Job won't be automatically deleted. If this field is set to zero,
+	// the Job becomes eligible to be deleted immediately after it finishes.
+	// +optional
+	ttlSecondsAfterFinished?: null | int32 @go(TTLSecondsAfterFinished,*int32) @protobuf(8,varint,opt)
+
+	// completionMode specifies how Pod completions are tracked. It can be
+	// `NonIndexed` (default) or `Indexed`.
+	//
+	// `NonIndexed` means that the Job is considered complete when there have
+	// been .spec.completions successfully completed Pods. Each Pod completion is
+	// homologous to each other.
+	//
+	// `Indexed` means that the Pods of a
+	// Job get an associated completion index from 0 to (.spec.completions - 1),
+	// available in the annotation batch.kubernetes.io/job-completion-index.
+	// The Job is considered complete when there is one successfully completed Pod
+	// for each index.
+	// When value is `Indexed`, .spec.completions must be specified and
+	// `.spec.parallelism` must be less than or equal to 10^5.
+	// In addition, The Pod name takes the form
+	// `$(job-name)-$(index)-$(random-string)`,
+	// the Pod hostname takes the form `$(job-name)-$(index)`.
+	//
+	// More completion modes can be added in the future.
+	// If the Job controller observes a mode that it doesn't recognize, which
+	// is possible during upgrades due to version skew, the controller
+	// skips updates for the Job.
+	// +optional
+	completionMode?: null | #CompletionMode @go(CompletionMode,*CompletionMode) @protobuf(9,bytes,opt,casttype=CompletionMode)
+
+	// suspend specifies whether the Job controller should create Pods or not. If
+	// a Job is created with suspend set to true, no Pods are created by the Job
+	// controller. If a Job is suspended after creation (i.e. the flag goes from
+	// false to true), the Job controller will delete all active Pods associated
+	// with this Job. Users must design their workload to gracefully handle this.
+	// Suspending a Job will reset the StartTime field of the Job, effectively
+	// resetting the ActiveDeadlineSeconds timer too. Defaults to false.
+	//
+	// +optional
+	suspend?: null | bool @go(Suspend,*bool) @protobuf(10,varint,opt)
+
+	// podReplacementPolicy specifies when to create replacement Pods.
+	// Possible values are:
+	// - TerminatingOrFailed means that we recreate pods
+	//   when they are terminating (has a metadata.deletionTimestamp) or failed.
+	// - Failed means to wait until a previously created Pod is fully terminated (has phase
+	//   Failed or Succeeded) before creating a replacement Pod.
+	//
+	// When using podFailurePolicy, Failed is the the only allowed value.
+	// TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use.
+	// This is an alpha field. Enable JobPodReplacementPolicy to be able to use this field.
+	// +optional
+	podReplacementPolicy?: null | #PodReplacementPolicy @go(PodReplacementPolicy,*PodReplacementPolicy) @protobuf(14,bytes,opt,casttype=podReplacementPolicy)
+}
+
+// JobStatus represents the current state of a Job.
+#JobStatus: {
+	// The latest available observations of an object's current state. When a Job
+	// fails, one of the conditions will have type "Failed" and status true. When
+	// a Job is suspended, one of the conditions will have type "Suspended" and
+	// status true; when the Job is resumed, the status of this condition will
+	// become false. When a Job is completed, one of the conditions will have
+	// type "Complete" and status true.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=atomic
+	conditions?: [...#JobCondition] @go(Conditions,[]JobCondition) @protobuf(1,bytes,rep)
+
+	// Represents time when the job controller started processing a job. When a
+	// Job is created in the suspended state, this field is not set until the
+	// first time it is resumed. This field is reset every time a Job is resumed
+	// from suspension. It is represented in RFC3339 form and is in UTC.
+	// +optional
+	startTime?: null | metav1.#Time @go(StartTime,*metav1.Time) @protobuf(2,bytes,opt)
+
+	// Represents time when the job was completed. It is not guaranteed to
+	// be set in happens-before order across separate operations.
+	// It is represented in RFC3339 form and is in UTC.
+	// The completion time is only set when the job finishes successfully.
+	// +optional
+	completionTime?: null | metav1.#Time @go(CompletionTime,*metav1.Time) @protobuf(3,bytes,opt)
+
+	// The number of pending and running pods.
+	// +optional
+	active?: int32 @go(Active) @protobuf(4,varint,opt)
+
+	// The number of pods which reached phase Succeeded.
+	// +optional
+	succeeded?: int32 @go(Succeeded) @protobuf(5,varint,opt)
+
+	// The number of pods which reached phase Failed.
+	// +optional
+	failed?: int32 @go(Failed) @protobuf(6,varint,opt)
+
+	// The number of pods which are terminating (in phase Pending or Running
+	// and have a deletionTimestamp).
+	//
+	// This field is alpha-level. The job controller populates the field when
+	// the feature gate JobPodReplacementPolicy is enabled (disabled by default).
+	// +optional
+	terminating?: null | int32 @go(Terminating,*int32) @protobuf(11,varint,opt)
+
+	// completedIndexes holds the completed indexes when .spec.completionMode =
+	// "Indexed" in a text format. The indexes are represented as decimal integers
+	// separated by commas. The numbers are listed in increasing order. Three or
+	// more consecutive numbers are compressed and represented by the first and
+	// last element of the series, separated by a hyphen.
+	// For example, if the completed indexes are 1, 3, 4, 5 and 7, they are
+	// represented as "1,3-5,7".
+	// +optional
+	completedIndexes?: string @go(CompletedIndexes) @protobuf(7,bytes,opt)
+
+	// FailedIndexes holds the failed indexes when backoffLimitPerIndex=true.
+	// The indexes are represented in the text format analogous as for the
+	// `completedIndexes` field, ie. they are kept as decimal integers
+	// separated by commas. The numbers are listed in increasing order. Three or
+	// more consecutive numbers are compressed and represented by the first and
+	// last element of the series, separated by a hyphen.
+	// For example, if the failed indexes are 1, 3, 4, 5 and 7, they are
+	// represented as "1,3-5,7".
+	// This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex`
+	// feature gate is enabled (disabled by default).
+	// +optional
+	failedIndexes?: null | string @go(FailedIndexes,*string) @protobuf(10,bytes,opt)
+
+	// uncountedTerminatedPods holds the UIDs of Pods that have terminated but
+	// the job controller hasn't yet accounted for in the status counters.
+	//
+	// The job controller creates pods with a finalizer. When a pod terminates
+	// (succeeded or failed), the controller does three steps to account for it
+	// in the job status:
+	//
+	// 1. Add the pod UID to the arrays in this field.
+	// 2. Remove the pod finalizer.
+	// 3. Remove the pod UID from the arrays while increasing the corresponding
+	//     counter.
+	//
+	// Old jobs might not be tracked using this field, in which case the field
+	// remains null.
+	// +optional
+	uncountedTerminatedPods?: null | #UncountedTerminatedPods @go(UncountedTerminatedPods,*UncountedTerminatedPods) @protobuf(8,bytes,opt)
+
+	// The number of pods which have a Ready condition.
+	//
+	// This field is beta-level. The job controller populates the field when
+	// the feature gate JobReadyPods is enabled (enabled by default).
+	// +optional
+	ready?: null | int32 @go(Ready,*int32) @protobuf(9,varint,opt)
+}
+
+// UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't
+// been accounted in Job status counters.
+#UncountedTerminatedPods: {
+	// succeeded holds UIDs of succeeded Pods.
+	// +listType=set
+	// +optional
+	succeeded?: [...types.#UID] @go(Succeeded,[]types.UID) @protobuf(1,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID)
+
+	// failed holds UIDs of failed Pods.
+	// +listType=set
+	// +optional
+	failed?: [...types.#UID] @go(Failed,[]types.UID) @protobuf(2,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID)
+}
+
+#JobConditionType: string // #enumJobConditionType
+
+#enumJobConditionType:
+	#JobSuspended |
+	#JobComplete |
+	#JobFailed |
+	#JobFailureTarget
+
+// JobSuspended means the job has been suspended.
+#JobSuspended: #JobConditionType & "Suspended"
+
+// JobComplete means the job has completed its execution.
+#JobComplete: #JobConditionType & "Complete"
+
+// JobFailed means the job has failed its execution.
+#JobFailed: #JobConditionType & "Failed"
+
+// FailureTarget means the job is about to fail its execution.
+#JobFailureTarget: #JobConditionType & "FailureTarget"
+
+// JobCondition describes current state of a job.
+#JobCondition: {
+	// Type of job condition, Complete or Failed.
+	type: #JobConditionType @go(Type) @protobuf(1,bytes,opt,casttype=JobConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition was checked.
+	// +optional
+	lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt)
+
+	// Last time the condition transit from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt)
+
+	// (brief) reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(5,bytes,opt)
+
+	// Human readable message indicating details about last transition.
+	// +optional
+	message?: string @go(Message) @protobuf(6,bytes,opt)
+}
+
+// JobTemplateSpec describes the data a Job should have when created from a template
+#JobTemplateSpec: {
+	// Standard object's metadata of the jobs created from this template.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of the job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt)
+}
+
+// CronJob represents the configuration of a single cron job.
+#CronJob: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of a cron job, including the schedule.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #CronJobSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Current status of a cron job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #CronJobStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// CronJobList is a collection of cron jobs.
+#CronJobList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of CronJobs.
+	items: [...#CronJob] @go(Items,[]CronJob) @protobuf(2,bytes,rep)
+}
+
+// CronJobSpec describes how the job execution will look like and when it will actually run.
+#CronJobSpec: {
+	// The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
+	schedule: string @go(Schedule) @protobuf(1,bytes,opt)
+
+	// The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.
+	// If not specified, this will default to the time zone of the kube-controller-manager process.
+	// The set of valid time zone names and the time zone offset is loaded from the system-wide time zone
+	// database by the API server during CronJob validation and the controller manager during execution.
+	// If no system-wide time zone database can be found a bundled version of the database is used instead.
+	// If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host
+	// configuration, the controller will stop creating new new Jobs and will create a system event with the
+	// reason UnknownTimeZone.
+	// More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones
+	// +optional
+	timeZone?: null | string @go(TimeZone,*string) @protobuf(8,bytes,opt)
+
+	// Optional deadline in seconds for starting the job if it misses scheduled
+	// time for any reason.  Missed jobs executions will be counted as failed ones.
+	// +optional
+	startingDeadlineSeconds?: null | int64 @go(StartingDeadlineSeconds,*int64) @protobuf(2,varint,opt)
+
+	// Specifies how to treat concurrent executions of a Job.
+	// Valid values are:
+	//
+	// - "Allow" (default): allows CronJobs to run concurrently;
+	// - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet;
+	// - "Replace": cancels currently running job and replaces it with a new one
+	// +optional
+	concurrencyPolicy?: #ConcurrencyPolicy @go(ConcurrencyPolicy) @protobuf(3,bytes,opt,casttype=ConcurrencyPolicy)
+
+	// This flag tells the controller to suspend subsequent executions, it does
+	// not apply to already started executions.  Defaults to false.
+	// +optional
+	suspend?: null | bool @go(Suspend,*bool) @protobuf(4,varint,opt)
+
+	// Specifies the job that will be created when executing a CronJob.
+	jobTemplate: #JobTemplateSpec @go(JobTemplate) @protobuf(5,bytes,opt)
+
+	// The number of successful finished jobs to retain. Value must be non-negative integer.
+	// Defaults to 3.
+	// +optional
+	successfulJobsHistoryLimit?: null | int32 @go(SuccessfulJobsHistoryLimit,*int32) @protobuf(6,varint,opt)
+
+	// The number of failed finished jobs to retain. Value must be non-negative integer.
+	// Defaults to 1.
+	// +optional
+	failedJobsHistoryLimit?: null | int32 @go(FailedJobsHistoryLimit,*int32) @protobuf(7,varint,opt)
+}
+
+// ConcurrencyPolicy describes how the job will be handled.
+// Only one of the following concurrent policies may be specified.
+// If none of the following policies is specified, the default one
+// is AllowConcurrent.
+// +enum
+#ConcurrencyPolicy: string // #enumConcurrencyPolicy
+
+#enumConcurrencyPolicy:
+	#AllowConcurrent |
+	#ForbidConcurrent |
+	#ReplaceConcurrent
+
+// AllowConcurrent allows CronJobs to run concurrently.
+#AllowConcurrent: #ConcurrencyPolicy & "Allow"
+
+// ForbidConcurrent forbids concurrent runs, skipping next run if previous
+// hasn't finished yet.
+#ForbidConcurrent: #ConcurrencyPolicy & "Forbid"
+
+// ReplaceConcurrent cancels currently running job and replaces it with a new one.
+#ReplaceConcurrent: #ConcurrencyPolicy & "Replace"
+
+// CronJobStatus represents the current state of a cron job.
+#CronJobStatus: {
+	// A list of pointers to currently running jobs.
+	// +optional
+	// +listType=atomic
+	active?: [...corev1.#ObjectReference] @go(Active,[]corev1.ObjectReference) @protobuf(1,bytes,rep)
+
+	// Information when was the last time the job was successfully scheduled.
+	// +optional
+	lastScheduleTime?: null | metav1.#Time @go(LastScheduleTime,*metav1.Time) @protobuf(4,bytes,opt)
+
+	// Information when was the last time the job successfully completed.
+	// +optional
+	lastSuccessfulTime?: null | metav1.#Time @go(LastSuccessfulTime,*metav1.Time) @protobuf(5,bytes,opt)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/certificates/v1
+
+package v1
+
+#GroupName: "certificates.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue

@@ -0,0 +1,318 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/certificates/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/api/core/v1"
+)
+
+// CertificateSigningRequest objects provide a mechanism to obtain x509 certificates
+// by submitting a certificate signing request, and having it asynchronously approved and issued.
+//
+// Kubelets use this API to obtain:
+//  1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName).
+//  2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
+//
+// This API can be used to request client certificates to authenticate to kube-apiserver
+// (with the "kubernetes.io/kube-apiserver-client" signerName),
+// or to obtain certificates from custom non-Kubernetes signers.
+#CertificateSigningRequest: {
+	metav1.#TypeMeta
+
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec contains the certificate request, and is immutable after creation.
+	// Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
+	// Other fields are derived by Kubernetes and cannot be modified by users.
+	spec: #CertificateSigningRequestSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status contains information about whether the request is approved or denied,
+	// and the certificate issued by the signer, or the failure condition indicating signer failure.
+	// +optional
+	status?: #CertificateSigningRequestStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// CertificateSigningRequestSpec contains the certificate request.
+#CertificateSigningRequestSpec: {
+	// request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block.
+	// When serialized as JSON or YAML, the data is additionally base64-encoded.
+	// +listType=atomic
+	request: bytes @go(Request,[]byte) @protobuf(1,bytes,opt)
+
+	// signerName indicates the requested signer, and is a qualified name.
+	//
+	// List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector.
+	//
+	// Well-known Kubernetes signers are:
+	//  1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver.
+	//   Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager.
+	//  2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver.
+	//   Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
+	//  3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.
+	//   Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
+	//
+	// More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
+	//
+	// Custom signerNames can also be specified. The signer defines:
+	//  1. Trust distribution: how trust (CA bundles) are distributed.
+	//  2. Permitted subjects: and behavior when a disallowed subject is requested.
+	//  3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.
+	//  4. Required, permitted, or forbidden key usages / extended key usages.
+	//  5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
+	//  6. Whether or not requests for CA certificates are allowed.
+	signerName: string @go(SignerName) @protobuf(7,bytes,opt)
+
+	// expirationSeconds is the requested duration of validity of the issued
+	// certificate. The certificate signer may issue a certificate with a different
+	// validity duration so a client must check the delta between the notBefore and
+	// and notAfter fields in the issued certificate to determine the actual duration.
+	//
+	// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
+	// honor this field as long as the requested duration is not greater than the
+	// maximum duration they will honor per the --cluster-signing-duration CLI
+	// flag to the Kubernetes controller manager.
+	//
+	// Certificate signers may not honor this field for various reasons:
+	//
+	//   1. Old signer that is unaware of the field (such as the in-tree
+	//      implementations prior to v1.22)
+	//   2. Signer whose configured maximum is shorter than the requested duration
+	//   3. Signer whose configured minimum is longer than the requested duration
+	//
+	// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
+	//
+	// +optional
+	expirationSeconds?: null | int32 @go(ExpirationSeconds,*int32) @protobuf(8,varint,opt)
+
+	// usages specifies a set of key usages requested in the issued certificate.
+	//
+	// Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".
+	//
+	// Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth".
+	//
+	// Valid values are:
+	//  "signing", "digital signature", "content commitment",
+	//  "key encipherment", "key agreement", "data encipherment",
+	//  "cert sign", "crl sign", "encipher only", "decipher only", "any",
+	//  "server auth", "client auth",
+	//  "code signing", "email protection", "s/mime",
+	//  "ipsec end system", "ipsec tunnel", "ipsec user",
+	//  "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
+	// +listType=atomic
+	usages?: [...#KeyUsage] @go(Usages,[]KeyUsage) @protobuf(5,bytes,opt)
+
+	// username contains the name of the user that created the CertificateSigningRequest.
+	// Populated by the API server on creation and immutable.
+	// +optional
+	username?: string @go(Username) @protobuf(2,bytes,opt)
+
+	// uid contains the uid of the user that created the CertificateSigningRequest.
+	// Populated by the API server on creation and immutable.
+	// +optional
+	uid?: string @go(UID) @protobuf(3,bytes,opt)
+
+	// groups contains group membership of the user that created the CertificateSigningRequest.
+	// Populated by the API server on creation and immutable.
+	// +listType=atomic
+	// +optional
+	groups?: [...string] @go(Groups,[]string) @protobuf(4,bytes,rep)
+
+	// extra contains extra attributes of the user that created the CertificateSigningRequest.
+	// Populated by the API server on creation and immutable.
+	// +optional
+	extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(6,bytes,rep)
+}
+
+// "kubernetes.io/kube-apiserver-client" signer issues client certificates that can be used to authenticate to kube-apiserver.
+// Never auto-approved by kube-controller-manager.
+// Can be issued by the "csrsigning" controller in kube-controller-manager.
+#KubeAPIServerClientSignerName: "kubernetes.io/kube-apiserver-client"
+
+// "kubernetes.io/kube-apiserver-client-kubelet" issues client certificates that kubelets use to authenticate to kube-apiserver.
+// Can be auto-approved by the "csrapproving" controller in kube-controller-manager.
+// Can be issued by the "csrsigning" controller in kube-controller-manager.
+#KubeAPIServerClientKubeletSignerName: "kubernetes.io/kube-apiserver-client-kubelet"
+
+// "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints,
+// which kube-apiserver can connect to securely.
+// Never auto-approved by kube-controller-manager.
+// Can be issued by the "csrsigning" controller in kube-controller-manager.
+#KubeletServingSignerName: "kubernetes.io/kubelet-serving"
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#ExtraValue: [...string]
+
+// CertificateSigningRequestStatus contains conditions used to indicate
+// approved/denied/failed status of the request, and the issued certificate.
+#CertificateSigningRequestStatus: {
+	// conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed".
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	conditions?: [...#CertificateSigningRequestCondition] @go(Conditions,[]CertificateSigningRequestCondition) @protobuf(1,bytes,rep)
+
+	// certificate is populated with an issued certificate by the signer after an Approved condition is present.
+	// This field is set via the /status subresource. Once populated, this field is immutable.
+	//
+	// If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty.
+	// If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty.
+	//
+	// Validation requirements:
+	//  1. certificate must contain one or more PEM blocks.
+	//  2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data
+	//   must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.
+	//  3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated,
+	//   to allow for explanatory text as described in section 5.2 of RFC7468.
+	//
+	// If more than one PEM block is present, and the definition of the requested spec.signerName
+	// does not indicate otherwise, the first block is the issued certificate,
+	// and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.
+	//
+	// The certificate is encoded in PEM format.
+	//
+	// When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:
+	//
+	//     base64(
+	//     -----BEGIN CERTIFICATE-----
+	//     ...
+	//     -----END CERTIFICATE-----
+	//     )
+	//
+	// +listType=atomic
+	// +optional
+	certificate?: bytes @go(Certificate,[]byte) @protobuf(2,bytes,opt)
+}
+
+// RequestConditionType is the type of a CertificateSigningRequestCondition
+#RequestConditionType: string // #enumRequestConditionType
+
+#enumRequestConditionType:
+	#CertificateApproved |
+	#CertificateDenied |
+	#CertificateFailed
+
+// Approved indicates the request was approved and should be issued by the signer.
+#CertificateApproved: #RequestConditionType & "Approved"
+
+// Denied indicates the request was denied and should not be issued by the signer.
+#CertificateDenied: #RequestConditionType & "Denied"
+
+// Failed indicates the signer failed to issue the certificate.
+#CertificateFailed: #RequestConditionType & "Failed"
+
+// CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object
+#CertificateSigningRequestCondition: {
+	// type of the condition. Known conditions are "Approved", "Denied", and "Failed".
+	//
+	// An "Approved" condition is added via the /approval subresource,
+	// indicating the request was approved and should be issued by the signer.
+	//
+	// A "Denied" condition is added via the /approval subresource,
+	// indicating the request was denied and should not be issued by the signer.
+	//
+	// A "Failed" condition is added via the /status subresource,
+	// indicating the signer failed to issue the certificate.
+	//
+	// Approved and Denied conditions are mutually exclusive.
+	// Approved, Denied, and Failed conditions cannot be removed once added.
+	//
+	// Only one condition of a given type is allowed.
+	type: #RequestConditionType @go(Type) @protobuf(1,bytes,opt,casttype=RequestConditionType)
+
+	// status of the condition, one of True, False, Unknown.
+	// Approved, Denied, and Failed conditions may not be "False" or "Unknown".
+	status: v1.#ConditionStatus @go(Status) @protobuf(6,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// reason indicates a brief reason for the request state
+	// +optional
+	reason?: string @go(Reason) @protobuf(2,bytes,opt)
+
+	// message contains a human readable message with details about the request state
+	// +optional
+	message?: string @go(Message) @protobuf(3,bytes,opt)
+
+	// lastUpdateTime is the time of the last update to this condition
+	// +optional
+	lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(4,bytes,opt)
+
+	// lastTransitionTime is the time the condition last transitioned from one status to another.
+	// If unset, when a new condition type is added or an existing condition's status is changed,
+	// the server defaults this to the current time.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(5,bytes,opt)
+}
+
+// CertificateSigningRequestList is a collection of CertificateSigningRequest objects
+#CertificateSigningRequestList: {
+	metav1.#TypeMeta
+
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is a collection of CertificateSigningRequest objects
+	items: [...#CertificateSigningRequest] @go(Items,[]CertificateSigningRequest) @protobuf(2,bytes,rep)
+}
+
+// KeyUsage specifies valid usage contexts for keys.
+// See:
+//
+//	https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+//	https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+//
+// +enum
+#KeyUsage: string // #enumKeyUsage
+
+#enumKeyUsage:
+	#UsageSigning |
+	#UsageDigitalSignature |
+	#UsageContentCommitment |
+	#UsageKeyEncipherment |
+	#UsageKeyAgreement |
+	#UsageDataEncipherment |
+	#UsageCertSign |
+	#UsageCRLSign |
+	#UsageEncipherOnly |
+	#UsageDecipherOnly |
+	#UsageAny |
+	#UsageServerAuth |
+	#UsageClientAuth |
+	#UsageCodeSigning |
+	#UsageEmailProtection |
+	#UsageSMIME |
+	#UsageIPsecEndSystem |
+	#UsageIPsecTunnel |
+	#UsageIPsecUser |
+	#UsageTimestamping |
+	#UsageOCSPSigning |
+	#UsageMicrosoftSGC |
+	#UsageNetscapeSGC
+
+#UsageSigning:           #KeyUsage & "signing"
+#UsageDigitalSignature:  #KeyUsage & "digital signature"
+#UsageContentCommitment: #KeyUsage & "content commitment"
+#UsageKeyEncipherment:   #KeyUsage & "key encipherment"
+#UsageKeyAgreement:      #KeyUsage & "key agreement"
+#UsageDataEncipherment:  #KeyUsage & "data encipherment"
+#UsageCertSign:          #KeyUsage & "cert sign"
+#UsageCRLSign:           #KeyUsage & "crl sign"
+#UsageEncipherOnly:      #KeyUsage & "encipher only"
+#UsageDecipherOnly:      #KeyUsage & "decipher only"
+#UsageAny:               #KeyUsage & "any"
+#UsageServerAuth:        #KeyUsage & "server auth"
+#UsageClientAuth:        #KeyUsage & "client auth"
+#UsageCodeSigning:       #KeyUsage & "code signing"
+#UsageEmailProtection:   #KeyUsage & "email protection"
+#UsageSMIME:             #KeyUsage & "s/mime"
+#UsageIPsecEndSystem:    #KeyUsage & "ipsec end system"
+#UsageIPsecTunnel:       #KeyUsage & "ipsec tunnel"
+#UsageIPsecUser:         #KeyUsage & "ipsec user"
+#UsageTimestamping:      #KeyUsage & "timestamping"
+#UsageOCSPSigning:       #KeyUsage & "ocsp signing"
+#UsageMicrosoftSGC:      #KeyUsage & "microsoft sgc"
+#UsageNetscapeSGC:       #KeyUsage & "netscape sgc"

timoni/podinfo/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/coordination/v1
+
+package v1
+
+#GroupName: "coordination.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue

@@ -0,0 +1,61 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/coordination/v1
+
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// Lease defines a lease concept.
+#Lease: {
+	metav1.#TypeMeta
+
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec contains the specification of the Lease.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #LeaseSpec @go(Spec) @protobuf(2,bytes,opt)
+}
+
+// LeaseSpec is a specification of a Lease.
+#LeaseSpec: {
+	// holderIdentity contains the identity of the holder of a current lease.
+	// +optional
+	holderIdentity?: null | string @go(HolderIdentity,*string) @protobuf(1,bytes,opt)
+
+	// leaseDurationSeconds is a duration that candidates for a lease need
+	// to wait to force acquire it. This is measure against time of last
+	// observed renewTime.
+	// +optional
+	leaseDurationSeconds?: null | int32 @go(LeaseDurationSeconds,*int32) @protobuf(2,varint,opt)
+
+	// acquireTime is a time when the current lease was acquired.
+	// +optional
+	acquireTime?: null | metav1.#MicroTime @go(AcquireTime,*metav1.MicroTime) @protobuf(3,bytes,opt)
+
+	// renewTime is a time when the current holder of a lease has last
+	// updated the lease.
+	// +optional
+	renewTime?: null | metav1.#MicroTime @go(RenewTime,*metav1.MicroTime) @protobuf(4,bytes,opt)
+
+	// leaseTransitions is the number of transitions of a lease between
+	// holders.
+	// +optional
+	leaseTransitions?: null | int32 @go(LeaseTransitions,*int32) @protobuf(5,varint,opt)
+}
+
+// LeaseList is a list of Lease objects.
+#LeaseList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is a list of schema objects.
+	items: [...#Lease] @go(Items,[]Lease) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue

@@ -0,0 +1,147 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+// webhook backend fails.
+#ImagePolicyFailedOpenKey: "alpha.image-policy.k8s.io/failed-open"
+
+// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
+#MirrorPodAnnotationKey: "kubernetes.io/config.mirror"
+
+// TolerationsAnnotationKey represents the key of tolerations data (json serialized)
+// in the Annotations of a Pod.
+#TolerationsAnnotationKey: "scheduler.alpha.kubernetes.io/tolerations"
+
+// TaintsAnnotationKey represents the key of taints data (json serialized)
+// in the Annotations of a Node.
+#TaintsAnnotationKey: "scheduler.alpha.kubernetes.io/taints"
+
+// SeccompPodAnnotationKey represents the key of a seccomp profile applied
+// to all containers of a pod.
+// Deprecated: set a pod security context `seccompProfile` field.
+#SeccompPodAnnotationKey: "seccomp.security.alpha.kubernetes.io/pod"
+
+// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
+// to one container of a pod.
+// Deprecated: set a container security context `seccompProfile` field.
+#SeccompContainerAnnotationKeyPrefix: "container.seccomp.security.alpha.kubernetes.io/"
+
+// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime.
+// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
+#SeccompProfileRuntimeDefault: "runtime/default"
+
+// SeccompProfileNameUnconfined is the unconfined seccomp profile.
+#SeccompProfileNameUnconfined: "unconfined"
+
+// SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk.
+#SeccompLocalhostProfileNamePrefix: "localhost/"
+
+// AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
+#AppArmorBetaContainerAnnotationKeyPrefix: "container.apparmor.security.beta.kubernetes.io/"
+
+// AppArmorBetaDefaultProfileAnnotationKey is the annotation key specifying the default AppArmor profile.
+#AppArmorBetaDefaultProfileAnnotationKey: "apparmor.security.beta.kubernetes.io/defaultProfileName"
+
+// AppArmorBetaAllowedProfilesAnnotationKey is the annotation key specifying the allowed AppArmor profiles.
+#AppArmorBetaAllowedProfilesAnnotationKey: "apparmor.security.beta.kubernetes.io/allowedProfileNames"
+
+// AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default.
+#AppArmorBetaProfileRuntimeDefault: "runtime/default"
+
+// AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node.
+#AppArmorBetaProfileNamePrefix: "localhost/"
+
+// AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile
+#AppArmorBetaProfileNameUnconfined: "unconfined"
+
+// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
+// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
+#DeprecatedSeccompProfileDockerDefault: "docker/default"
+
+// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
+// in the Annotations of a Node.
+#PreferAvoidPodsAnnotationKey: "scheduler.alpha.kubernetes.io/preferAvoidPods"
+
+// ObjectTTLAnnotationKey represents a suggestion for kubelet for how long it can cache
+// an object (e.g. secret, config map) before fetching it again from apiserver.
+// This annotation can be attached to node.
+#ObjectTTLAnnotationKey: "node.alpha.kubernetes.io/ttl"
+
+// annotation key prefix used to identify non-convertible json paths.
+#NonConvertibleAnnotationPrefix: "non-convertible.kubernetes.io"
+_#kubectlPrefix:                 "kubectl.kubernetes.io/"
+
+// LastAppliedConfigAnnotation is the annotation used to store the previous
+// configuration of a resource for use in a three way diff by UpdateApplyAnnotation.
+#LastAppliedConfigAnnotation: "kubectl.kubernetes.io/last-applied-configuration"
+
+// AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers
+//
+// It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to
+// allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow
+// access only from the CIDRs currently allocated to MIT & the USPS.
+//
+// Not all cloud providers support this annotation, though AWS & GCE do.
+#AnnotationLoadBalancerSourceRangesKey: "service.beta.kubernetes.io/load-balancer-source-ranges"
+
+// EndpointsLastChangeTriggerTime is the annotation key, set for endpoints objects, that
+// represents the timestamp (stored as RFC 3339 date-time string, e.g. '2018-10-22T19:32:52.1Z')
+// of the last change, of some Pod or Service object, that triggered the endpoints object change.
+// In other words, if a Pod / Service changed at time T0, that change was observed by endpoints
+// controller at T1, and the Endpoints object was changed at T2, the
+// EndpointsLastChangeTriggerTime would be set to T0.
+//
+// The "endpoints change trigger" here means any Pod or Service change that resulted in the
+// Endpoints object change.
+//
+// Given the definition of the "endpoints change trigger", please note that this annotation will
+// be set ONLY for endpoints object changes triggered by either Pod or Service change. If the
+// Endpoints object changes due to other reasons, this annotation won't be set (or updated if it's
+// already set).
+//
+// This annotation will be used to compute the in-cluster network programming latency SLI, see
+// https://github.com/kubernetes/community/blob/master/sig-scalability/slos/network_programming_latency.md
+#EndpointsLastChangeTriggerTime: "endpoints.kubernetes.io/last-change-trigger-time"
+
+// EndpointsOverCapacity will be set on an Endpoints resource when it
+// exceeds the maximum capacity of 1000 addresses. Initially the Endpoints
+// controller will set this annotation with a value of "warning". In a
+// future release, the controller may set this annotation with a value of
+// "truncated" to indicate that any addresses exceeding the limit of 1000
+// have been truncated from the Endpoints resource.
+#EndpointsOverCapacity: "endpoints.kubernetes.io/over-capacity"
+
+// MigratedPluginsAnnotationKey is the annotation key, set for CSINode objects, that is a comma-separated
+// list of in-tree plugins that will be serviced by the CSI backend on the Node represented by CSINode.
+// This annotation is used by the Attach Detach Controller to determine whether to use the in-tree or
+// CSI Backend for a volume plugin on a specific node.
+#MigratedPluginsAnnotationKey: "storage.alpha.kubernetes.io/migrated-plugins"
+
+// PodDeletionCost can be used to set to an int32 that represent the cost of deleting
+// a pod compared to other pods belonging to the same ReplicaSet. Pods with lower
+// deletion cost are preferred to be deleted before pods with higher deletion cost.
+// Note that this is honored on a best-effort basis, and so it does not offer guarantees on
+// pod deletion order.
+// The implicit deletion cost for pods that don't set the annotation is 0, negative values are permitted.
+//
+// This annotation is beta-level and is only honored when PodDeletionCost feature is enabled.
+#PodDeletionCost: "controller.kubernetes.io/pod-deletion-cost"
+
+// DeprecatedAnnotationTopologyAwareHints can be used to enable or disable
+// Topology Aware Hints for a Service. This may be set to "Auto" or
+// "Disabled". Any other value is treated as "Disabled". This annotation has
+// been deprecated in favor of the "service.kubernetes.io/topology-mode"
+// annotation.
+#DeprecatedAnnotationTopologyAwareHints: "service.kubernetes.io/topology-aware-hints"
+
+// AnnotationTopologyMode can be used to enable or disable Topology Aware
+// Routing for a Service. Well known values are "Auto" and "Disabled".
+// Implementations may choose to develop new topology approaches, exposing
+// them with domain-prefixed values. For example, "example.com/lowest-rtt"
+// could be a valid implementation-specific value for this annotation. These
+// heuristics will often populate topology hints on EndpointSlices, but that
+// is not a requirement.
+#AnnotationTopologyMode: "service.kubernetes.io/topology-mode"

timoni/podinfo/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+// Package v1 is the v1 version of the core API.
+package v1