Merge pull request #307 from stefanprodan/release-6.5.1

Release 6.5.1
2026-04-07 03:26:54 +00:00 · 2023-10-02 21:04:32 +03:00 · 2023-10-02 20:58:27 +03:00 · 2023-10-02 20:57:13 +03:00 · 2023-10-02 20:46:06 +03:00 · 2023-10-02 20:45:20 +03:00
206 changed files with 16683 additions and 5100 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1 @@
+timoni/podinfo/cue.mod/** linguist-vendored
--- a/.github/actions/helm/action.yml
+++ b/.github/actions/helm/action.yml
@@ -1,33 +0,0 @@
-name: Setup Helm CLI
-description: A GitHub Action for running Helm commands
-author: Stefan Prodan
-branding:
-  color: blue
-  icon: command
-inputs:
-  version:
-    description: "Helm version"
-    required: true
-runs:
-  using: composite
-  steps:
-    - name: "Download helm binary to tmp"
-      shell: bash
-      run: |
-        VERSION=${{ inputs.version }}
-        BIN_URL="https://get.helm.sh/helm-v${VERSION}-linux-amd64.tar.gz"
-        curl -sL ${BIN_URL} -o /tmp/helm.tar.gz
-        mkdir -p /tmp/helm
-        tar -C /tmp/helm/ -zxvf /tmp/helm.tar.gz
-    - name: "Add helm binary to /usr/local/bin"
-      shell: bash
-      run: |
-        sudo cp /tmp/helm/linux-amd64/helm /usr/local/bin
-    - name: "Cleanup tmp"
-      shell: bash
-      run: |
-        rm -rf /tmp/helm/ /tmp/helm.tar.gz
-    - name: "Verify correct installation of binary"
-      shell: bash
-      run: |
-        helm version
--- a/.github/actions/kubeconform/action.yml
+++ b/.github/actions/kubeconform/action.yml
@@ -0,0 +1,38 @@
+name: Setup kubeconform
+description: A GitHub Action for running kubeconform commands
+author: Stefan Prodan
+branding:
+  color: blue
+  icon: command
+inputs:
+  version:
+    description: "kubeconform version e.g. 0.5.0 (defaults to latest stable release)"
+    required: false
+  arch:
+    description: "arch can be amd64 or arm64"
+    required: true
+    default: "amd64"
+runs:
+  using: composite
+  steps:
+    - name: "Download binary to the GH runner cache"
+      shell: bash
+      run: |  
+        ARCH=${{ inputs.arch }}
+        VERSION=${{ inputs.version }}
+
+        if [ -z $VERSION ]; then
+          VERSION=$(curl https://api.github.com/repos/yannh/kubeconform/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
+        fi
+        
+        BIN_URL="https://github.com/yannh/kubeconform/releases/download/v${VERSION}/kubeconform-linux-${ARCH}.tar.gz"
+        BIN_DIR=$RUNNER_TOOL_CACHE/kubeconform/$VERSION/$ARCH
+        
+        if [[ ! -x "$BIN_DIR/kind" ]]; then
+          mkdir -p $BIN_DIR
+          cd $BIN_DIR
+          curl -sL $BIN_URL | tar xz
+          chmod +x kubeconform
+        fi
+        
+        echo "$BIN_DIR" >> "$GITHUB_PATH"
--- a/.github/policy/kubernetes.rego
+++ b/.github/policy/kubernetes.rego
@@ -1,51 +0,0 @@
-package kubernetes
-
-name = input.metadata.name
-
-kind = input.kind
-
-is_service {
-	input.kind = "Service"
-}
-
-is_deployment {
-	input.kind = "Deployment"
-}
-
-is_pod {
-	input.kind = "Pod"
-}
-
-split_image(image) = [image, "latest"] {
-	not contains(image, ":")
-}
-
-split_image(image) = [image_name, tag] {
-	[image_name, tag] = split(image, ":")
-}
-
-pod_containers(pod) = all_containers {
-	keys = {"containers", "initContainers"}
-	all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
-	pods[pod]
-	all_containers = pod_containers(pod)
-	container = all_containers[_]
-}
-
-containers[container] {
-	all_containers = pod_containers(input)
-	container = all_containers[_]
-}
-
-pods[pod] {
-	is_deployment
-	pod = input.spec.template
-}
-
-pods[pod] {
-	is_pod
-	pod = input
-}
--- a/.github/policy/rules.rego
+++ b/.github/policy/rules.rego
@@ -1,43 +0,0 @@
-package main
-
-import data.kubernetes
-
-name = input.metadata.name
-
-# Deny containers with latest image tag
-deny[msg] {
-	kubernetes.containers[container]
-	[image_name, "latest"] = kubernetes.split_image(container.image)
-	msg = sprintf("%s in the %s %s has an image %s, using the latest tag", [container.name, kubernetes.kind, kubernetes.name, image_name])
-}
-
-# Deny services without app label selector
-service_labels {
-  input.spec.selector["app"]
-}
-deny[msg] {
-  kubernetes.is_service
-  not service_labels
-  msg = sprintf("Service %s should set app label selector", [name])
-}
-
-# Deny deployments without app label selector
-match_labels {
-  input.spec.selector.matchLabels["app"]
-}
-deny[msg] {
-  kubernetes.is_deployment
-  not match_labels
-  msg = sprintf("Service %s should set app label selector", [name])
-}
-
-# Warn if deployments have no prometheus pod annotations
-annotations {
-  input.spec.template.metadata.annotations["prometheus.io/scrape"]
-  input.spec.template.metadata.annotations["prometheus.io/port"]
-}
-warn[msg] {
-  kubernetes.is_deployment
-  not annotations
-  msg = sprintf("Deployment %s should set prometheus.io/scrape and prometheus.io/port pod annotations", [name])
-}
--- a/.github/workflows/cve-scan.yml
+++ b/.github/workflows/cve-scan.yml
@@ -5,12 +5,15 @@ on:
    branches:
      - 'master'

+permissions:
+  contents: read
+
 jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Build image
        id: build
        run: |
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -6,28 +6,28 @@ on:
    branches:
      - 'master'

+permissions:
+  contents: read
+
 jobs:
  kind-helm:
-    strategy:
-      matrix:
-        helm-version:
-          - 3.8.1
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
      - name: Setup Kubernetes
-        uses: engineerd/setup-kind@v0.5.0
+        uses: helm/kind-action@v1.8.0
        with:
-          version: v0.11.1
+          version: v0.20.0
+          cluster_name: kind
      - name: Build container image
        run: |
          ./test/build.sh
          kind load docker-image test/podinfo:latest
      - name: Setup Helm
-        uses: ./.github/actions/helm
+        uses: azure/setup-helm@v3
        with:
-          version: ${{ matrix.helm-version }}
+          version: v3.12.3
      - name: Deploy
        run: ./test/deploy.sh
      - name: Run integration tests
@@ -36,3 +36,42 @@ jobs:
        if: failure()
        run: |
          kubectl logs -l app=podinfo || true
+  kind-timoni:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    env:
+      PODINFO_IMAGE_URL: "test/podinfo"
+      PODINFO_MODULE_URL: "oci://localhost:5000/podinfo"
+      PODINFO_VERSION: "0.0.0-devel"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Timoni
+        uses: stefanprodan/timoni/actions/setup@main
+      - name: Setup Kubernetes
+        uses: helm/kind-action@v1.8.0
+        with:
+          version: v0.20.0
+          cluster_name: kind
+      - name: Build container
+        run: |
+          docker build -t ${PODINFO_IMAGE_URL}:${PODINFO_VERSION} --build-arg "REVISION=${GITHUB_SHA}"  -f Dockerfile.xx .
+          kind load docker-image ${PODINFO_IMAGE_URL}:${PODINFO_VERSION}
+      - name: Build module
+        run: |
+          timoni mod push ./timoni/podinfo ${PODINFO_MODULE_URL} -v ${PODINFO_VERSION}
+      - name: Apply bundle
+        run: |
+          timoni bundle apply -f ./timoni/bundles/test.podinfo.cue --runtime-from-env
+      - name: Verify status
+        run: |
+          timoni -n podinfo status backend
+          timoni -n podinfo status frontend
+      - name: Debug failure
+        if: failure()
+        run: |
+          kubectl -n podinfo get all || true
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,36 +6,43 @@ on:
      - '*'

 permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read

 jobs:
  release:
    runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
    steps:
-      - uses: actions/checkout@v2
-      - uses: imjasonh/setup-crane@v0.1
-      - uses: sigstore/cosign-installer@main
-      - name: Setup Helm
-        uses: ./.github/actions/helm
+      - uses: actions/checkout@v4
+      - uses: sigstore/cosign-installer@v3
+      - uses: fluxcd/flux2/action@main
+      - uses: stefanprodan/timoni/actions/setup@main
+      - name: Setup Go
+        uses: actions/setup-go@v4
        with:
-          version: 3.8.1
+          go-version: 1.21.x
+      - name: Setup Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.12.3
      - name: Setup QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v3
        with:
          platforms: all
      - name: Setup Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.GHCR_TOKEN }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
@@ -46,43 +53,64 @@ jobs:
          if [[ $GITHUB_REF == refs/tags/* ]]; then
            VERSION=${GITHUB_REF/refs\/tags\//}
          fi
-          echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
-          echo ::set-output name=VERSION::${VERSION}
-      - name: Publish multi-arch image
-        uses: docker/build-push-action@v2
+          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+          echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT
+      - name: Generate images meta
+        id: meta
+        uses: docker/metadata-action@v5
        with:
+          images: |
+            docker.io/stefanprodan/podinfo
+            ghcr.io/stefanprodan/podinfo
+          tags: |
+            type=raw,value=${{ steps.prep.outputs.VERSION }}
+            type=raw,value=latest
+      - name: Publish multi-arch image
+        uses: docker/build-push-action@v5
+        with:
+          sbom: true
+          provenance: true
          push: true
          builder: ${{ steps.buildx.outputs.name }}
          context: .
          file: ./Dockerfile.xx
+          build-args: |
+            REVISION=${{ steps.prep.outputs.REVISION }}
          platforms: linux/amd64,linux/arm/v7,linux/arm64
-          tags: |
-            docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
-            docker.io/stefanprodan/podinfo:latest
-            ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
-          labels: |
-            org.opencontainers.image.title=${{ github.event.repository.name }}
-            org.opencontainers.image.description=${{ github.event.repository.description }}
-            org.opencontainers.image.source=${{ github.event.repository.html_url }}
-            org.opencontainers.image.url=${{ github.event.repository.html_url }}
-            org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
-            org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Publish Timoni module to GHCR
+        run: |
+          timoni mod push ./timoni/podinfo oci://ghcr.io/stefanprodan/modules/podinfo \
+          --sign cosign \
+          --version ${{ steps.prep.outputs.VERSION }} \
+          -a 'org.opencontainers.image.source=https://github.com/stefanprodan/podinfo' \
+          -a 'org.opencontainers.image.licenses=Apache-2.0' \
+          -a 'org.opencontainers.image.description=A timoni.sh module for deploying Podinfo.' \
+          -a 'org.opencontainers.image.documentation=https://github.com/stefanprodan/podinfo/blob/main/timoni/podinfo/README.md'
      - name: Publish Helm chart to GHCR
        run: |
          helm package charts/podinfo
          helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/stefanprodan/charts
          rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz
-      - name: Sign images
+      - name: Publish Flux OCI artifact to GHCR
+        run: |
+          flux push artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} \
+            --path="./kustomize" \
+            --source="${{ github.event.repository.html_url }}" \
+            --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
+          flux tag artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --tag latest
+      - name: Sign OCI artifacts
        env:
          COSIGN_EXPERIMENTAL: 1
        run: |
-          cosign sign docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
-          cosign sign docker.io/stefanprodan/podinfo:latest
-          cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
-          cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }}
+          cosign sign docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes
      - name: Publish base image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
        with:
          push: true
          builder: ${{ steps.buildx.outputs.name }}
@@ -96,16 +124,16 @@ jobs:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Publish config artifact
        run: |
-          cd kustomize
-          tar -cf config.tar * --numeric-owner --owner=0 --group=0
-          crane append -f config.tar -t ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
-          crane tag ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} latest
-          rm config.tar
+          flux push artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} \
+            --path="./kustomize" \
+            --source="${{ github.event.repository.html_url }}" \
+            --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
+          flux tag artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --tag latest
      - name: Sign config artifact
        run: |
          echo "$COSIGN_KEY" > /tmp/cosign.key
-          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
-          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest
+          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest --yes
        env:
          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
@@ -115,7 +143,7 @@ jobs:
          echo 'CHANGELOG' > /tmp/release.txt
          github-release-notes -org stefanprodan -repo podinfo -since-latest-release >> /tmp/release.txt
      - name: Publish release
-        uses: goreleaser/goreleaser-action@v1
+        uses: goreleaser/goreleaser-action@v5
        with:
          version: latest
          args: release --release-notes=/tmp/release.txt --skip-validate
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,30 +6,52 @@ on:
    branches:
      - 'master'

+permissions:
+  contents: read
+
+env:
+  KUBERNETES_VERSION: 1.26.0
+
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Restore Go cache
-        uses: actions/cache@v1
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-go-
+        uses: actions/checkout@v4
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
        with:
-          go-version: 1.17.x
+          go-version: 1.21.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v3
+        with:
+          version: v${{ env.KUBERNETES_VERSION }}
+      - name: Setup kubeconform
+        uses: ./.github/actions/kubeconform
+      - name: Setup Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.3
+      - name: Setup CUE
+        uses: cue-lang/setup-cue@v1.0.0
+      - name: Setup Timoni
+        uses: stefanprodan/timoni/actions/setup@main
      - name: Run unit tests
        run: make test
-      - name: Setup CUE
-        uses: cue-lang/setup-cue@main
-      - name: Verify CUE formatting
-        working-directory: ./cue
+      - name: Validate Helm chart
        run: |
-          cue fmt .
+          helm lint ./charts/podinfo/
+          helm template ./charts/podinfo/ | kubeconform -strict -summary -kubernetes-version ${{ env.KUBERNETES_VERSION }}
+      - name: Validate Kustomize overlay
+        run: |
+          kubectl kustomize ./kustomize/ | kubeconform -strict -summary -kubernetes-version ${{ env.KUBERNETES_VERSION }}
+      - name: Verify CUE formatting
+        working-directory: ./timoni/podinfo
+        run: |
+          cue fmt ./..
          status=$(git status . --porcelain)
          [[ -z "$status" ]] || {
            echo "CUE files are not correctly formatted"
@@ -37,27 +59,14 @@ jobs:
            git diff
            exit 1
          }
-      - name: Validate CUE
-        working-directory: ./cue
-        run: cue vet --all-errors --concrete .
+      - name: Validate Timoni module
+        working-directory: ./timoni/podinfo
+        run: |
+          timoni mod lint . 
+          timoni build podinfo . -f test_values.cue | kubeconform -strict -summary -skip=ServiceMonitor -kubernetes-version ${{ env.KUBERNETES_VERSION }}
      - name: Check if working tree is dirty
        run: |
          if [[ $(git diff --stat) != '' ]]; then
            echo 'run make test and commit changes'
            exit 1
          fi
-      - name: Validate Helm chart
-        uses: stefanprodan/kube-tools@v1
-        with:
-          kubectl: 1.19.11
-          helm: 2.17.0
-          helmv3: 3.6.0
-          command: |
-            helmv3 template ./charts/podinfo | kubeval --strict --kubernetes-version 1.19.11 --schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master
-      - name: Validate kustomization
-        uses: stefanprodan/kube-tools@v1
-        with:
-          kubectl: 1.19.11
-          command: |
-            kustomize build ./kustomize | kubeval --strict --kubernetes-version 1.19.11 --schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master
-            kustomize build ./kustomize | conftest test -p .github/policy -
--- a/.gitignore
+++ b/.gitignore
@@ -19,4 +19,7 @@ release/
 build/
 gcloud/
 dist/
-bin/
+bin/
+cue/cue.mod/gen/
+cue/go.mod
+cue/go.sum
--- a/4
+++ b/4
@@ -1,4 +1,4 @@
-FROM golang:1.17-alpine as builder
+FROM golang:1.21-alpine as builder

 ARG REVISION

@@ -18,7 +18,7 @@ RUN CGO_ENABLED=0 go build -ldflags "-s -w \
    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
    -a -o bin/podcli cmd/podcli/*

-FROM alpine:3.15
+FROM alpine:3.18

 ARG BUILD_DATE
 ARG VERSION
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -1,4 +1,4 @@
-FROM golang:1.17
+FROM golang:1.21

 WORKDIR /workspace

--- a/Dockerfile.xx
+++ b/Dockerfile.xx
@@ -1,5 +1,5 @@
-ARG GO_VERSION=1.17
-ARG XX_VERSION=1.1.0
+ARG GO_VERSION=1.21
+ARG XX_VERSION=1.2.0

 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx

@@ -28,7 +28,7 @@ RUN xx-go build -ldflags "-s -w \
    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
    -a -o bin/podcli cmd/podcli/*

-FROM alpine:3.15
+FROM alpine:3.18

 ARG BUILD_DATE
 ARG VERSION
--- a/22
+++ b/22
@@ -24,7 +24,10 @@ build:
 	GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podcli ./cmd/podcli/*

 tidy:
-	rm -f go.sum; go mod tidy -compat=1.17
+	rm -f go.sum; go mod tidy -compat=1.21
+
+vet:
+	go vet ./...

 fmt:
 	gofmt -l -s -w ./
@@ -79,18 +82,19 @@ version-set:
 	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/backend/deployment.yaml && \
 	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/frontend/deployment.yaml && \
 	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/backend/deployment.yaml && \
-	/usr/bin/sed -i '' "s/$$current/$$next/g" cue/main.cue && \
-	echo "Version $$next set in code, deployment, chart and kustomize"
+	/usr/bin/sed -i '' "s/$$current/$$next/g" timoni/podinfo/values.cue && \
+	echo "Version $$next set in code, deployment, module, chart and kustomize"

 release:
-	git tag $(VERSION)
+	git tag -s -m $(VERSION) $(VERSION)
 	git push origin $(VERSION)

 swagger:
-	go get github.com/swaggo/swag/cmd/swag
+	go install github.com/swaggo/swag/cmd/swag@latest
+	go get github.com/swaggo/swag/gen@latest
+	go get github.com/swaggo/swag/cmd/swag@latest
 	cd pkg/api && $$(go env GOPATH)/bin/swag init -g server.go

-.PHONY: cue
-cue:
-	@cd cue && cue fmt ./... && cue vet --all-errors --concrete ./...
-	@cd cue && cue gen
+.PHONY: timoni-build
+timoni-build:
+	@timoni build podinfo ./timoni/podinfo -f ./timoni/podinfo/test_values.cue
--- a/README.md
+++ b/README.md
@@ -20,11 +20,11 @@ Specifications:
 * 12-factor app with viper
 * Fault injection (random errors and latency)
 * Swagger docs
-* Helm and Kustomize installers
+* Timoni, Helm and Kustomize installers
 * End-to-End testing with Kubernetes Kind and Helm
-* Kustomize testing with GitHub Actions and Open Policy Agent
 * Multi-arch container image with Docker buildx and Github Actions
 * Container image signing with Sigstore cosign
+* SBOMs and SLSA Provenance embedded in the container image
 * CVE scanning with Trivy

 Web API:
@@ -66,16 +66,23 @@ To access the Swagger UI open `<podinfo-host>/swagger/index.html` in a browser.

 ### Guides

-* [GitOps Progressive Deliver with Flagger, Helm v3 and Linkerd](https://helm.workshop.flagger.dev/intro/)
-* [GitOps Progressive Deliver on EKS with Flagger and AppMesh](https://eks.handson.flagger.dev/prerequisites/)
-* [Automated canary deployments with Flagger and Istio](https://medium.com/google-cloud/automated-canary-deployments-with-flagger-and-istio-ac747827f9d1)
-* [Kubernetes autoscaling with Istio metrics](https://medium.com/google-cloud/kubernetes-autoscaling-with-istio-metrics-76442253a45a)
-* [Autoscaling EKS on Fargate with custom metrics](https://aws.amazon.com/blogs/containers/autoscaling-eks-on-fargate-with-custom-metrics/)
-* [Managing Helm releases the GitOps way](https://medium.com/google-cloud/managing-helm-releases-the-gitops-way-207a6ac6ff0e)
-* [Securing EKS Ingress With Contour And Let’s Encrypt The GitOps Way](https://aws.amazon.com/blogs/containers/securing-eks-ingress-contour-lets-encrypt-gitops/)
+* [Getting started with Timoni](https://timoni.sh/quickstart/)
+* [Getting started with Flux](https://fluxcd.io/flux/get-started/)
+* [Progressive Deliver with Flagger and Linkerd](https://docs.flagger.app/tutorials/linkerd-progressive-delivery)
+* [Automated canary deployments with Kubernetes Gateway API](https://docs.flagger.app/tutorials/gatewayapi-progressive-delivery)

 ### Install

+To install Podinfo on Kubernetes the minimum required version is **Kubernetes v1.23**.
+
+#### Timoni
+
+Install with [Timoni](https://timoni.sh):
+
+```bash
+timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo
+```
+
 #### Helm

 Install from github.io:
@@ -89,7 +96,7 @@ helm upgrade --install --wait frontend \
 --set backend=http://backend-podinfo:9898/echo \
 podinfo/podinfo

-helm test frontend
+helm test frontend --namespace test

 helm upgrade --install --wait backend \
 --namespace test \
--- a/charts/podinfo/Chart.yaml
+++ b/charts/podinfo/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
-version: 6.1.2
-appVersion: 6.1.2
+version: 6.5.1
+appVersion: 6.5.1
 name: podinfo
 engine: gotpl
 description: Podinfo Helm chart for Kubernetes
@@ -10,4 +10,4 @@ maintainers:
  name: stefanprodan
 sources:
 - https://github.com/stefanprodan/podinfo
-kubeVersion: ">=1.19.0-0"
+kubeVersion: ">=1.23.0-0"
--- a/charts/podinfo/README.md
+++ b/charts/podinfo/README.md
@@ -9,7 +9,23 @@ for end-to-end testing and workshops.

 ## Installing the Chart

-To install the chart with the release name `my-release`:
+The Podinfo charts are published to
+[GitHub Container Registry](https://github.com/stefanprodan/podinfo/pkgs/container/charts%2Fpodinfo)
+and signed with [Cosign](https://github.com/sigstore/cosign) & GitHub Actions OIDC.
+
+To install the chart with the release name `my-release` from GHCR:
+
+```console
+$ helm upgrade -i my-release oci://ghcr.io/stefanprodan/charts/podinfo
+```
+
+To verify a chart with Cosign:
+
+```console
+$ cosign verify ghcr.io/stefanprodan/charts/podinfo:<VERSION>
+```
+
+Alternatively, you can install the chart from GitHub pages:

 ```console
 $ helm repo add podinfo https://stefanprodan.github.io/podinfo
@@ -34,60 +50,62 @@ The command removes all the Kubernetes components associated with the chart and

 The following tables lists the configurable parameters of the podinfo chart and their default values.

-Parameter | Default | Description
--- | --- | ---
-`replicaCount` | `1` | Desired number of pods
-`logLevel` | `info` | Log level: `debug`, `info`, `warn`, `error`
-`backend` | `None` | Echo backend URL
-`backends` | `[]` | Array of echo backend URLs
-`cache` | `None` | Redis address in the format `<host>:<port>`
-`redis.enabled` | `false` | Create Redis deployment for caching purposes
-`ui.color` | `#34577c` |  UI color
-`ui.message` | `None` |  UI greetings message
-`ui.logo` | `None` |  UI logo
-`faults.delay` | `false` | Random HTTP response delays between 0 and 5 seconds
-`faults.error` | `false` | 1/3 chances of a random HTTP response error
-`faults.unhealthy` | `false` | When set, the healthy state is never reached
-`faults.unready` | `false` | When set, the ready state is never reached
-`faults.testFail` | `false` | When set, a helm test is included which always fails
-`faults.testTimeout` | `false` | When set, a helm test is included which always times out
-`image.repository` | `stefanprodan/podinfo` | Image repository
-`image.tag` | `<VERSION>` | Image tag
-`image.pullPolicy` | `IfNotPresent` | Image pull policy
-`service.enabled` | `true` | Create a Kubernetes Service, should be disabled when using [Flagger](https://flagger.app)
-`service.type` | `ClusterIP` | Type of the Kubernetes Service
-`service.metricsPort` | `9797` | Prometheus metrics endpoint port
-`service.httpPort` | `9898` | Container HTTP port
-`service.externalPort` | `9898` | ClusterIP HTTP port
-`service.grpcPort` | `9999` | ClusterIP gPRC port
-`service.grpcService` | `podinfo` | gPRC service name
-`service.nodePort` | `31198` | NodePort for the HTTP endpoint
-`h2c.enabled` | `false` | Allow upgrading to h2c (non-TLS version of HTTP/2)
-`hpa.enabled` | `false` | Enables the Kubernetes HPA
-`hpa.maxReplicas` | `10` | Maximum amount of pods
-`hpa.cpu` | `None` | Target CPU usage per pod
-`hpa.memory` | `None` | Target memory usage per pod
-`hpa.requests` | `None` | Target HTTP requests per second per pod
-`serviceAccount.enabled` | `false` | Whether a service account should be created
-`serviceAccount.name` | `None` | The name of the service account to use, if not set and create is true, a name is generated using the fullname template
-`securityContext` | `{}` | The security context to be set on the podinfo container
-`linkerd.profile.enabled` | `false` | Create Linkerd service profile
-`serviceMonitor.enabled` | `false` | Whether a Prometheus Operator service monitor should be created
-`serviceMonitor.interval` | `15s` | Prometheus scraping interval
-`serviceMonitor.additionalLabels` | `{}` | Add additional labels to the service monitor |
-`ingress.enabled` | `false` | Enables Ingress
-`ingress.className ` | `""` | Use ingressClassName
-`ingress.annotations` | `{}` | Ingress annotations
-`ingress.hosts` | `[]` | Ingress accepted hosts
-`ingress.tls` | `[]` | Ingress TLS configuration
-`resources.requests.cpu` | `1m` | Pod CPU request
-`resources.requests.memory` | `16Mi` | Pod memory request
-`resources.limits.cpu` | `None` | Pod CPU limit
-`resources.limits.memory` | `None` | Pod memory limit
-`nodeSelector` | `{}` | Node labels for pod assignment
-`tolerations` | `[]` | List of node taints to tolerate
-`affinity` | `None` | Node/pod affinities
-`podAnnotations` | `{}` | Pod annotations
+| Parameter                         | Default                | Description                                                                                                            |
+| --------------------------------- | ---------------------- | ---------------------------------------------------------------------------------------------------------------------- |
+| `replicaCount`                    | `1`                    | Desired number of pods                                                                                                 |
+| `logLevel`                        | `info`                 | Log level: `debug`, `info`, `warn`, `error`                                                                            |
+| `backend`                         | `None`                 | Echo backend URL                                                                                                       |
+| `backends`                        | `[]`                   | Array of echo backend URLs                                                                                             |
+| `cache`                           | `None`                 | Redis address in the format `tcp://<host>:<port>`                                                                      |
+| `redis.enabled`                   | `false`                | Create Redis deployment for caching purposes                                                                           |
+| `ui.color`                        | `#34577c`              | UI color                                                                                                               |
+| `ui.message`                      | `None`                 | UI greetings message                                                                                                   |
+| `ui.logo`                         | `None`                 | UI logo                                                                                                                |
+| `faults.delay`                    | `false`                | Random HTTP response delays between 0 and 5 seconds                                                                    |
+| `faults.error`                    | `false`                | 1/3 chances of a random HTTP response error                                                                            |
+| `faults.unhealthy`                | `false`                | When set, the healthy state is never reached                                                                           |
+| `faults.unready`                  | `false`                | When set, the ready state is never reached                                                                             |
+| `faults.testFail`                 | `false`                | When set, a helm test is included which always fails                                                                   |
+| `faults.testTimeout`              | `false`                | When set, a helm test is included which always times out                                                               |
+| `image.repository`                | `stefanprodan/podinfo` | Image repository                                                                                                       |
+| `image.tag`                       | `<VERSION>`            | Image tag                                                                                                              |
+| `image.pullPolicy`                | `IfNotPresent`         | Image pull policy                                                                                                      |
+| `service.enabled`                 | `true`                 | Create a Kubernetes Service, should be disabled when using [Flagger](https://flagger.app)                              |
+| `service.type`                    | `ClusterIP`            | Type of the Kubernetes Service                                                                                         |
+| `service.metricsPort`             | `9797`                 | Prometheus metrics endpoint port                                                                                       |
+| `service.httpPort`                | `9898`                 | Container HTTP port                                                                                                    |
+| `service.externalPort`            | `9898`                 | ClusterIP HTTP port                                                                                                    |
+| `service.grpcPort`                | `9999`                 | ClusterIP gPRC port                                                                                                    |
+| `service.grpcService`             | `podinfo`              | gPRC service name                                                                                                      |
+| `service.nodePort`                | `31198`                | NodePort for the HTTP endpoint                                                                                         |
+| `h2c.enabled`                     | `false`                | Allow upgrading to h2c (non-TLS version of HTTP/2)                                                                     |
+| `hpa.enabled`                     | `false`                | Enables the Kubernetes HPA                                                                                             |
+| `hpa.maxReplicas`                 | `10`                   | Maximum amount of pods                                                                                                 |
+| `hpa.cpu`                         | `None`                 | Target CPU usage per pod                                                                                               |
+| `hpa.memory`                      | `None`                 | Target memory usage per pod                                                                                            |
+| `hpa.requests`                    | `None`                 | Target HTTP requests per second per pod                                                                                |
+| `serviceAccount.enabled`          | `false`                | Whether a service account should be created                                                                            |
+| `serviceAccount.name`             | `None`                 | The name of the service account to use, if not set and create is true, a name is generated using the fullname template |
+| `serviceAccount.imagePullSecrets` | `[]`                   | List of image pull secrets if pulling from private registries.                                                         |
+| `securityContext`                 | `{}`                   | The security context to be set on the podinfo container                                                                |
+| `linkerd.profile.enabled`         | `false`                | Create Linkerd service profile                                                                                         |
+| `serviceMonitor.enabled`          | `false`                | Whether a Prometheus Operator service monitor should be created                                                        |
+| `serviceMonitor.interval`         | `15s`                  | Prometheus scraping interval                                                                                           |
+| `serviceMonitor.additionalLabels` | `{}`                   | Add additional labels to the service monitor                                                                           |
+| `ingress.enabled`                 | `false`                | Enables Ingress                                                                                                        |
+| `ingress.className `              | `""`                   | Use ingressClassName                                                                                                   |
+| `ingress.additionalLabels`        | `{}`                   | Add additional labels to the ingress                                                                                   |
+| `ingress.annotations`             | `{}`                   | Ingress annotations                                                                                                    |
+| `ingress.hosts`                   | `[]`                   | Ingress accepted hosts                                                                                                 |
+| `ingress.tls`                     | `[]`                   | Ingress TLS configuration                                                                                              |
+| `resources.requests.cpu`          | `1m`                   | Pod CPU request                                                                                                        |
+| `resources.requests.memory`       | `16Mi`                 | Pod memory request                                                                                                     |
+| `resources.limits.cpu`            | `None`                 | Pod CPU limit                                                                                                          |
+| `resources.limits.memory`         | `None`                 | Pod memory limit                                                                                                       |
+| `nodeSelector`                    | `{}`                   | Node labels for pod assignment                                                                                         |
+| `tolerations`                     | `[]`                   | List of node taints to tolerate                                                                                        |
+| `affinity`                        | `None`                 | Node/pod affinities                                                                                                    |
+| `podAnnotations`                  | `{}`                   | Pod annotations                                                                                                        |

 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

@@ -110,14 +128,3 @@ $ helm install my-release podinfo/podinfo -f values.yaml
 ```

 > **Tip**: You can use the default [values.yaml](values.yaml)
-
-## Upgrading the chart
-
-### To =< 5.0.0
-
-Version 5.0.0 is a major update.
-
-* The chart now follows the new Kubernetes label recommendations:
-<https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/>
-
-The simplest way to update is to do a force upgrade, which recreates the resources by doing a delete and an install.
--- a/charts/podinfo/templates/deployment.yaml
+++ b/charts/podinfo/templates/deployment.yaml
@@ -73,7 +73,7 @@ spec:
            {{- if .Values.cache }}
            - --cache-server={{ .Values.cache }}
            {{- else if .Values.redis.enabled }}
-            - --cache-server={{ template "podinfo.fullname" . }}-redis:6379
+            - --cache-server=tcp://{{ template "podinfo.fullname" . }}-redis:6379
            {{- end }}
            - --level={{ .Values.logLevel }}
            - --random-delay={{ .Values.faults.delay }}
@@ -129,6 +129,22 @@ spec:
              containerPort: {{ .Values.service.grpcPort }}
              protocol: TCP
            {{- end }}
+          {{- if .Values.probes.startup.enable }}
+          startupProbe:
+            exec:
+              command:
+              - podcli
+              - check
+              - http
+              - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz
+            {{- with .Values.probes.startup }}
+            initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
+            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
+            failureThreshold: {{ .failureThreshold | default 3 }}
+            successThreshold: {{ .successThreshold | default 1 }}
+            periodSeconds: {{ .periodSeconds | default 10 }}
+            {{- end }}
+            {{- end }}
          livenessProbe:
            exec:
              command:
@@ -136,8 +152,13 @@ spec:
              - check
              - http
              - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz
-            initialDelaySeconds: 1
-            timeoutSeconds: 5
+            {{- with .Values.probes.liveness }}
+            initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
+            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
+            failureThreshold: {{ .failureThreshold | default 3 }}
+            successThreshold: {{ .successThreshold | default 1 }}
+            periodSeconds: {{ .periodSeconds | default 10 }}
+            {{- end }}
          readinessProbe:
            exec:
              command:
@@ -145,8 +166,13 @@ spec:
              - check
              - http
              - localhost:{{ .Values.service.httpPort | default 9898 }}/readyz
-            initialDelaySeconds: 1
-            timeoutSeconds: 5
+            {{- with .Values.probes.readiness }}
+            initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
+            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
+            failureThreshold: {{ .failureThreshold | default 3 }}
+            successThreshold: {{ .successThreshold | default 1 }}
+            periodSeconds: {{ .periodSeconds | default 10 }}
+            {{- end }}
          volumeMounts:
          - name: data
            mountPath: /data
--- a/charts/podinfo/templates/hpa.yaml
+++ b/charts/podinfo/templates/hpa.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.hpa.enabled -}}
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ template "podinfo.fullname" . }}
--- a/charts/podinfo/templates/ingress.yaml
+++ b/charts/podinfo/templates/ingress.yaml
@@ -7,6 +7,9 @@ metadata:
  name: {{ $fullName }}
  labels:
    {{- include "podinfo.labels" . | nindent 4 }}
+    {{- with .Values.ingress.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
  {{- with .Values.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
--- a/charts/podinfo/templates/serviceaccount.yaml
+++ b/charts/podinfo/templates/serviceaccount.yaml
@@ -5,4 +5,8 @@ metadata:
  name: {{ template "podinfo.serviceAccountName" . }}
  labels:
    {{- include "podinfo.labels" . | nindent 4 }}
+{{- with .Values.serviceAccount.imagePullSecrets }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
 {{- end -}}
+{{- end -}}
--- a/charts/podinfo/values-prod.yaml
+++ b/charts/podinfo/values-prod.yaml
@@ -8,7 +8,7 @@ backends: []

 image:
  repository: ghcr.io/stefanprodan/podinfo
-  tag: 6.1.2
+  tag: 6.5.1
  pullPolicy: IfNotPresent

 ui:
@@ -77,13 +77,13 @@ hpa:
  # average http requests per second per pod (k8s-prometheus-adapter)
  requests:

-# Redis address in the format <host>:<port>
+# Redis address in the format tcp://<host>:<port>
 cache: ""
 # Redis deployment
 redis:
  enabled: true
  repository: redis
-  tag: 6.0.8
+  tag: 7.0.7

 serviceAccount:
  # Specifies whether a service account should be created
@@ -91,6 +91,8 @@ serviceAccount:
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name:
+  # List of image pull secrets if pulling from private registries
+  imagePullSecrets: []

 # set container security context
 securityContext: {}
@@ -98,6 +100,7 @@ securityContext: {}
 ingress:
  enabled: false
  className: ""
+  additionalLabels: {}
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
--- a/charts/podinfo/values.yaml
+++ b/charts/podinfo/values.yaml
@@ -8,7 +8,7 @@ backends: []

 image:
  repository: ghcr.io/stefanprodan/podinfo
-  tag: 6.1.2
+  tag: 6.5.1
  pullPolicy: IfNotPresent

 ui:
@@ -81,13 +81,13 @@ hpa:
  # average http requests per second per pod (k8s-prometheus-adapter)
  requests:

-# Redis address in the format <host>:<port>
+# Redis address in the format tcp://<host>:<port>
 cache: ""
 # Redis deployment
 redis:
  enabled: false
  repository: redis
-  tag: 6.0.8
+  tag: 7.0.7

 serviceAccount:
  # Specifies whether a service account should be created
@@ -95,6 +95,8 @@ serviceAccount:
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name:
+  # List of image pull secrets if pulling from private registries
+  imagePullSecrets: []

 # set container security context
 securityContext: {}
@@ -102,6 +104,7 @@ securityContext: {}
 ingress:
  enabled: false
  className: ""
+  additionalLabels: {}
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
@@ -138,3 +141,25 @@ tolerations: []
 affinity: {}

 podAnnotations: {}
+
+# https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+probes:
+  readiness:
+    initialDelaySeconds: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
+    periodSeconds: 10
+  liveness:
+    initialDelaySeconds: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
+    periodSeconds: 10
+  startup:
+    enable: false
+    initialDelaySeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 20
+    successThreshold: 1
+    periodSeconds: 10
--- a/cmd/podinfo/main.go
+++ b/cmd/podinfo/main.go
@@ -2,7 +2,6 @@ package main

 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -18,6 +17,7 @@ import (
 	"github.com/stefanprodan/podinfo/pkg/grpc"
 	"github.com/stefanprodan/podinfo/pkg/signals"
 	"github.com/stefanprodan/podinfo/pkg/version"
+	go_grpc "google.golang.org/grpc"
 )

 func main() {
@@ -33,7 +33,7 @@ func main() {
 	fs.StringSlice("backend-url", []string{}, "backend service URL")
 	fs.Duration("http-client-timeout", 2*time.Minute, "client timeout duration")
 	fs.Duration("http-server-timeout", 30*time.Second, "server read and write timeout duration")
-	fs.Duration("http-server-shutdown-timeout", 5*time.Second, "server graceful shutdown timeout duration")
+	fs.Duration("server-shutdown-timeout", 5*time.Second, "server graceful shutdown timeout duration")
 	fs.String("data-path", "/data", "data local path")
 	fs.String("config-path", "", "config dir path")
 	fs.String("cert-path", "/data/cert", "certificate path for HTTPS port")
@@ -52,7 +52,7 @@ func main() {
 	fs.Bool("unready", false, "when set, ready state is never reached")
 	fs.Int("stress-cpu", 0, "number of CPU cores with 100 load")
 	fs.Int("stress-memory", 0, "MB of data to load into memory")
-	fs.String("cache-server", "", "Redis address in the format <host>:<port>")
+	fs.String("cache-server", "", "Redis address in the format 'tcp://<host>:<port>'")
 	fs.String("otel-service-name", "", "service name for reporting to open telemetry address, when not set tracing is disabled")

 	versionFlag := fs.BoolP("version", "v", false, "get version number")
@@ -135,9 +135,10 @@ func main() {
 	}

 	// start gRPC server
+	var grpcServer *go_grpc.Server
 	if grpcCfg.Port > 0 {
 		grpcSrv, _ := grpc.NewServer(&grpcCfg, logger)
-		go grpcSrv.ListenAndServe()
+		grpcServer = grpcSrv.ListenAndServe()
 	}

 	// load HTTP server config
@@ -155,8 +156,12 @@ func main() {

 	// start HTTP server
 	srv, _ := api.NewServer(&srvCfg, logger)
+	httpServer, httpsServer, healthy, ready := srv.ListenAndServe()
+
+	// graceful shutdown
 	stopCh := signals.SetupSignalHandler()
-	srv.ListenAndServe(stopCh)
+	sd, _ := signals.NewShutdown(srvCfg.ServerShutdownTimeout, logger)
+	sd.Graceful(stopCh, httpServer, httpsServer, grpcServer, healthy, ready)
 }

 func initZap(logLevel string) (*zap.Logger, error) {
@@ -238,12 +243,12 @@ func beginStressTest(cpus int, mem int, logger *zap.Logger) {
 			logger.Error("memory stress failed", zap.Error(err))
 		}

-		stressMemoryPayload, err = ioutil.ReadFile(path)
+		stressMemoryPayload, err = os.ReadFile(path)
 		f.Close()
 		os.Remove(path)
 		if err != nil {
 			logger.Error("memory stress failed", zap.Error(err))
 		}
-		logger.Info("starting CPU stress", zap.Int("memory", len(stressMemoryPayload)))
+		logger.Info("starting MEMORY stress", zap.Int("memory", len(stressMemoryPayload)))
 	}
 }
--- a/cue/README.md
+++ b/cue/README.md
@@ -1,15 +0,0 @@
-# CUE Demo
-
-This directory contains a [cuelang module](https://cuelang.org/docs/) and tooling to generate podinfo resources.
-
-It defines a `podinfo.#Application` definition which takes a `podinfo.#Config` as input. The `podinfo.#Config` definition is modelled on the `podinfo` Helm chart `values.yaml` file.
-
-## Configuration
-
-Configure the application in `main.cue`.
-
-## Generate the manifests
-
-```shell
-cue gen
-```
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/const_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/const_go_gen.cue
@@ -1,7 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
-
-package v1
-
-#ACMEFinalizer: "finalizer.acme.cert-manager.io"
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/doc_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/doc_go_gen.cue
@@ -1,8 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
-
-// Package v1 is the v1 version of the API.
-// +k8s:deepcopy-gen=package,register
-// +groupName=acme.cert-manager.io
-package v1
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_challenge_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_challenge_go_gen.cue
@@ -1,128 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
-
-package v1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
-)
-
-// Challenge is a type to represent a Challenge request with an ACME server
-// +k8s:openapi-gen=true
-// +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state"
-// +kubebuilder:printcolumn:name="Domain",type="string",JSONPath=".spec.dnsName"
-// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.reason",description="",priority=1
-// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC."
-// +kubebuilder:subresource:status
-// +kubebuilder:resource:path=challenges
-#Challenge: {
-	metav1.#TypeMeta
-	metadata: metav1.#ObjectMeta @go(ObjectMeta)
-	spec:     #ChallengeSpec     @go(Spec)
-
-	// +optional
-	status: #ChallengeStatus @go(Status)
-}
-
-// ChallengeList is a list of Challenges
-#ChallengeList: {
-	metav1.#TypeMeta
-	metadata: metav1.#ListMeta @go(ListMeta)
-	items: [...#Challenge] @go(Items,[]Challenge)
-}
-
-#ChallengeSpec: {
-	// The URL of the ACME Challenge resource for this challenge.
-	// This can be used to lookup details about the status of this challenge.
-	url: string @go(URL)
-
-	// The URL to the ACME Authorization resource that this
-	// challenge is a part of.
-	authorizationURL: string @go(AuthorizationURL)
-
-	// dnsName is the identifier that this challenge is for, e.g. example.com.
-	// If the requested DNSName is a 'wildcard', this field MUST be set to the
-	// non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
-	dnsName: string @go(DNSName)
-
-	// wildcard will be true if this challenge is for a wildcard identifier,
-	// for example '*.example.com'.
-	// +optional
-	wildcard: bool @go(Wildcard)
-
-	// The type of ACME challenge this resource represents.
-	// One of "HTTP-01" or "DNS-01".
-	type: #ACMEChallengeType @go(Type)
-
-	// The ACME challenge token for this challenge.
-	// This is the raw value returned from the ACME server.
-	token: string @go(Token)
-
-	// The ACME challenge key for this challenge
-	// For HTTP01 challenges, this is the value that must be responded with to
-	// complete the HTTP01 challenge in the format:
-	// `<private key JWK thumbprint>.<key from acme server for challenge>`.
-	// For DNS01 challenges, this is the base64 encoded SHA256 sum of the
-	// `<private key JWK thumbprint>.<key from acme server for challenge>`
-	// text that must be set as the TXT record content.
-	key: string @go(Key)
-
-	// Contains the domain solving configuration that should be used to
-	// solve this challenge resource.
-	solver: #ACMEChallengeSolver @go(Solver)
-
-	// References a properly configured ACME-type Issuer which should
-	// be used to create this Challenge.
-	// If the Issuer does not exist, processing will be retried.
-	// If the Issuer is not an 'ACME' Issuer, an error will be returned and the
-	// Challenge will be marked as failed.
-	issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
-}
-
-// The type of ACME challenge. Only HTTP-01 and DNS-01 are supported.
-// +kubebuilder:validation:Enum=HTTP-01;DNS-01
-#ACMEChallengeType: string // #enumACMEChallengeType
-
-#enumACMEChallengeType:
-	#ACMEChallengeTypeHTTP01 |
-	#ACMEChallengeTypeDNS01
-
-// ACMEChallengeTypeHTTP01 denotes a Challenge is of type http-01
-// More info: https://letsencrypt.org/docs/challenge-types/#http-01-challenge
-#ACMEChallengeTypeHTTP01: #ACMEChallengeType & "HTTP-01"
-
-// ACMEChallengeTypeDNS01 denotes a Challenge is of type dns-01
-// More info: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
-#ACMEChallengeTypeDNS01: #ACMEChallengeType & "DNS-01"
-
-#ChallengeStatus: {
-	// Used to denote whether this challenge should be processed or not.
-	// This field will only be set to true by the 'scheduling' component.
-	// It will only be set to false by the 'challenges' controller, after the
-	// challenge has reached a final state or timed out.
-	// If this field is set to false, the challenge controller will not take
-	// any more action.
-	// +optional
-	processing: bool @go(Processing)
-
-	// presented will be set to true if the challenge values for this challenge
-	// are currently 'presented'.
-	// This *does not* imply the self check is passing. Only that the values
-	// have been 'submitted' for the appropriate challenge mechanism (i.e. the
-	// DNS01 TXT record has been presented, or the HTTP01 configuration has been
-	// configured).
-	// +optional
-	presented: bool @go(Presented)
-
-	// Contains human readable information on why the Challenge is in the
-	// current state.
-	// +optional
-	reason?: string @go(Reason)
-
-	// Contains the current 'state' of the challenge.
-	// If not set, the state of the challenge is unknown.
-	// +optional
-	state?: #State @go(State)
-}
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_go_gen.cue
@@ -1,41 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
-
-package v1
-
-// ACMECertificateHTTP01IngressNameOverride is annotation to override ingress name.
-// If this annotation is specified on a Certificate or Order resource when
-// using the HTTP01 solver type, the ingress.name field of the HTTP01
-// solver's configuration will be set to the value given here.
-// This is especially useful for users of Ingress controllers that maintain
-// a 1:1 mapping between endpoint IP and Ingress resource.
-#ACMECertificateHTTP01IngressNameOverride: "acme.cert-manager.io/http01-override-ingress-name"
-
-// ACMECertificateHTTP01IngressClassOverride is annotation to override ingress class.
-// If this annotation is specified on a Certificate or Order resource when
-// using the HTTP01 solver type, the ingress.class field of the HTTP01
-// solver's configuration will be set to the value given here.
-// This is especially useful for users deploying many different ingress
-// classes into a single cluster that want to be able to re-use a single
-// solver for each ingress class.
-#ACMECertificateHTTP01IngressClassOverride: "acme.cert-manager.io/http01-override-ingress-class"
-
-// IngressEditInPlaceAnnotationKey is used to toggle the use of ingressClass instead
-// of ingress on the created Certificate resource
-#IngressEditInPlaceAnnotationKey: "acme.cert-manager.io/http01-edit-in-place"
-
-// DomainLabelKey is added to the labels of a Pod serving an ACME challenge.
-// Its value will be the hash of the domain name that is being verified.
-#DomainLabelKey: "acme.cert-manager.io/http-domain"
-
-// TokenLabelKey is added to the labels of a Pod serving an ACME challenge.
-// Its value will be the hash of the challenge token that is being served by the pod.
-#TokenLabelKey: "acme.cert-manager.io/http-token"
-
-// SolverIdentificationLabelKey is added to the labels of a Pod serving an ACME challenge.
-// Its value will be the "true" if the Pod is an HTTP-01 solver.
-#SolverIdentificationLabelKey: "acme.cert-manager.io/http01-solver"
-
-#OrderKind:     "Order"
-#ChallengeKind: "Challenge"
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_issuer_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_issuer_go_gen.cue
@@ -1,591 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
-
-package v1
-
-import (
-	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
-	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-)
-
-// ACMEIssuer contains the specification for an ACME issuer.
-// This uses the RFC8555 specification to obtain certificates by completing
-// 'challenges' to prove ownership of domain identifiers.
-// Earlier draft versions of the ACME specification are not supported.
-#ACMEIssuer: {
-	// Email is the email address to be associated with the ACME account.
-	// This field is optional, but it is strongly recommended to be set.
-	// It will be used to contact you in case of issues with your account or
-	// certificates, including expiry notification emails.
-	// This field may be updated after the account is initially registered.
-	// +optional
-	email?: string @go(Email)
-
-	// Server is the URL used to access the ACME server's 'directory' endpoint.
-	// For example, for Let's Encrypt's staging endpoint, you would use:
-	// "https://acme-staging-v02.api.letsencrypt.org/directory".
-	// Only ACME v2 endpoints (i.e. RFC 8555) are supported.
-	server: string @go(Server)
-
-	// PreferredChain is the chain to use if the ACME server outputs multiple.
-	// PreferredChain is no guarantee that this one gets delivered by the ACME
-	// endpoint.
-	// For example, for Let's Encrypt's DST crosssign you would use:
-	// "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
-	// This value picks the first certificate bundle in the ACME alternative
-	// chains that has a certificate with this value as its issuer's CN
-	// +optional
-	// +kubebuilder:validation:MaxLength=64
-	preferredChain: string @go(PreferredChain)
-
-	// Enables or disables validation of the ACME server TLS certificate.
-	// If true, requests to the ACME server will not have their TLS certificate
-	// validated (i.e. insecure connections will be allowed).
-	// Only enable this option in development environments.
-	// The cert-manager system installed roots will be used to verify connections
-	// to the ACME server if this is false.
-	// Defaults to false.
-	// +optional
-	skipTLSVerify?: bool @go(SkipTLSVerify)
-
-	// ExternalAccountBinding is a reference to a CA external account of the ACME
-	// server.
-	// If set, upon registration cert-manager will attempt to associate the given
-	// external account credentials with the registered ACME account.
-	// +optional
-	externalAccountBinding?: null | #ACMEExternalAccountBinding @go(ExternalAccountBinding,*ACMEExternalAccountBinding)
-
-	// PrivateKey is the name of a Kubernetes Secret resource that will be used to
-	// store the automatically generated ACME account private key.
-	// Optionally, a `key` may be specified to select a specific entry within
-	// the named Secret resource.
-	// If `key` is not specified, a default of `tls.key` will be used.
-	privateKeySecretRef: cmmeta.#SecretKeySelector @go(PrivateKey)
-
-	// Solvers is a list of challenge solvers that will be used to solve
-	// ACME challenges for the matching domains.
-	// Solver configurations must be provided in order to obtain certificates
-	// from an ACME server.
-	// For more information, see: https://cert-manager.io/docs/configuration/acme/
-	// +optional
-	solvers?: [...#ACMEChallengeSolver] @go(Solvers,[]ACMEChallengeSolver)
-
-	// Enables or disables generating a new ACME account key.
-	// If true, the Issuer resource will *not* request a new account but will expect
-	// the account key to be supplied via an existing secret.
-	// If false, the cert-manager system will generate a new ACME account key
-	// for the Issuer.
-	// Defaults to false.
-	// +optional
-	disableAccountKeyGeneration?: bool @go(DisableAccountKeyGeneration)
-
-	// Enables requesting a Not After date on certificates that matches the
-	// duration of the certificate. This is not supported by all ACME servers
-	// like Let's Encrypt. If set to true when the ACME server does not support
-	// it it will create an error on the Order.
-	// Defaults to false.
-	// +optional
-	enableDurationFeature?: bool @go(EnableDurationFeature)
-}
-
-// ACMEExternalAccountBinding is a reference to a CA external account of the ACME
-// server.
-#ACMEExternalAccountBinding: {
-	// keyID is the ID of the CA key that the External Account is bound to.
-	keyID: string @go(KeyID)
-
-	// keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
-	// Secret which holds the symmetric MAC key of the External Account Binding.
-	// The `key` is the index string that is paired with the key data in the
-	// Secret and should not be confused with the key data itself, or indeed with
-	// the External Account Binding keyID above.
-	// The secret key stored in the Secret **must** be un-padded, base64 URL
-	// encoded data.
-	keySecretRef: cmmeta.#SecretKeySelector @go(Key)
-
-	// Deprecated: keyAlgorithm field exists for historical compatibility
-	// reasons and should not be used. The algorithm is now hardcoded to HS256
-	// in golang/x/crypto/acme.
-	// +optional
-	keyAlgorithm?: #HMACKeyAlgorithm @go(KeyAlgorithm)
-}
-
-// HMACKeyAlgorithm is the name of a key algorithm used for HMAC encryption
-// +kubebuilder:validation:Enum=HS256;HS384;HS512
-#HMACKeyAlgorithm: string // #enumHMACKeyAlgorithm
-
-#enumHMACKeyAlgorithm:
-	#HS256 |
-	#HS384 |
-	#HS512
-
-#HS256: #HMACKeyAlgorithm & "HS256"
-#HS384: #HMACKeyAlgorithm & "HS384"
-#HS512: #HMACKeyAlgorithm & "HS512"
-
-// An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
-// A selector may be provided to use different solving strategies for different DNS names.
-// Only one of HTTP01 or DNS01 must be provided.
-#ACMEChallengeSolver: {
-	// Selector selects a set of DNSNames on the Certificate resource that
-	// should be solved using this challenge solver.
-	// If not specified, the solver will be treated as the 'default' solver
-	// with the lowest priority, i.e. if any other solver has a more specific
-	// match, it will be used instead.
-	// +optional
-	selector?: null | #CertificateDNSNameSelector @go(Selector,*CertificateDNSNameSelector)
-
-	// Configures cert-manager to attempt to complete authorizations by
-	// performing the HTTP01 challenge flow.
-	// It is not possible to obtain certificates for wildcard domain names
-	// (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-	// +optional
-	http01?: null | #ACMEChallengeSolverHTTP01 @go(HTTP01,*ACMEChallengeSolverHTTP01)
-
-	// Configures cert-manager to attempt to complete authorizations by
-	// performing the DNS01 challenge flow.
-	// +optional
-	dns01?: null | #ACMEChallengeSolverDNS01 @go(DNS01,*ACMEChallengeSolverDNS01)
-}
-
-// CertificateDNSNameSelector selects certificates using a label selector, and
-// can optionally select individual DNS names within those certificates.
-// If both MatchLabels and DNSNames are empty, this selector will match all
-// certificates and DNS names within them.
-#CertificateDNSNameSelector: {
-	// A label selector that is used to refine the set of certificate's that
-	// this challenge solver will apply to.
-	// +optional
-	matchLabels?: {[string]: string} @go(MatchLabels,map[string]string)
-
-	// List of DNSNames that this solver will be used to solve.
-	// If specified and a match is found, a dnsNames selector will take
-	// precedence over a dnsZones selector.
-	// If multiple solvers match with the same dnsNames value, the solver
-	// with the most matching labels in matchLabels will be selected.
-	// If neither has more matches, the solver defined earlier in the list
-	// will be selected.
-	// +optional
-	dnsNames?: [...string] @go(DNSNames,[]string)
-
-	// List of DNSZones that this solver will be used to solve.
-	// The most specific DNS zone match specified here will take precedence
-	// over other DNS zone matches, so a solver specifying sys.example.com
-	// will be selected over one specifying example.com for the domain
-	// www.sys.example.com.
-	// If multiple solvers match with the same dnsZones value, the solver
-	// with the most matching labels in matchLabels will be selected.
-	// If neither has more matches, the solver defined earlier in the list
-	// will be selected.
-	// +optional
-	dnsZones?: [...string] @go(DNSZones,[]string)
-}
-
-// ACMEChallengeSolverHTTP01 contains configuration detailing how to solve
-// HTTP01 challenges within a Kubernetes cluster.
-// Typically this is accomplished through creating 'routes' of some description
-// that configure ingress controllers to direct traffic to 'solver pods', which
-// are responsible for responding to the ACME server's HTTP requests.
-// Only one of Ingress / Gateway can be specified.
-#ACMEChallengeSolverHTTP01: {
-	// The ingress based HTTP01 challenge solver will solve challenges by
-	// creating or modifying Ingress resources in order to route requests for
-	// '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
-	// provisioned by cert-manager for each Challenge to be completed.
-	// +optional
-	ingress?: null | #ACMEChallengeSolverHTTP01Ingress @go(Ingress,*ACMEChallengeSolverHTTP01Ingress)
-
-	// The Gateway API is a sig-network community API that models service networking
-	// in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
-	// create HTTPRoutes with the specified labels in the same namespace as the challenge.
-	// This solver is experimental, and fields / behaviour may change in the future.
-	// +optional
-	gatewayHTTPRoute?: null | #ACMEChallengeSolverHTTP01GatewayHTTPRoute @go(GatewayHTTPRoute,*ACMEChallengeSolverHTTP01GatewayHTTPRoute)
-}
-
-#ACMEChallengeSolverHTTP01Ingress: {
-	// Optional service type for Kubernetes solver service. Supported values
-	// are NodePort or ClusterIP. If unset, defaults to NodePort.
-	// +optional
-	serviceType?: corev1.#ServiceType @go(ServiceType)
-
-	// The ingress class to use when creating Ingress resources to solve ACME
-	// challenges that use this challenge solver.
-	// Only one of 'class' or 'name' may be specified.
-	// +optional
-	class?: null | string @go(Class,*string)
-
-	// The name of the ingress resource that should have ACME challenge solving
-	// routes inserted into it in order to solve HTTP01 challenges.
-	// This is typically used in conjunction with ingress controllers like
-	// ingress-gce, which maintains a 1:1 mapping between external IPs and
-	// ingress resources.
-	// +optional
-	name?: string @go(Name)
-
-	// Optional pod template used to configure the ACME challenge solver pods
-	// used for HTTP01 challenges.
-	// +optional
-	podTemplate?: null | #ACMEChallengeSolverHTTP01IngressPodTemplate @go(PodTemplate,*ACMEChallengeSolverHTTP01IngressPodTemplate)
-
-	// Optional ingress template used to configure the ACME challenge solver
-	// ingress used for HTTP01 challenges.
-	// +optional
-	ingressTemplate?: null | #ACMEChallengeSolverHTTP01IngressTemplate @go(IngressTemplate,*ACMEChallengeSolverHTTP01IngressTemplate)
-}
-
-// The ACMEChallengeSolverHTTP01GatewayHTTPRoute solver will create HTTPRoute objects for a Gateway class
-// routing to an ACME challenge solver pod.
-#ACMEChallengeSolverHTTP01GatewayHTTPRoute: {
-	// Optional service type for Kubernetes solver service. Supported values
-	// are NodePort or ClusterIP. If unset, defaults to NodePort.
-	// +optional
-	serviceType?: corev1.#ServiceType @go(ServiceType)
-
-	// The labels that cert-manager will use when creating the temporary
-	// HTTPRoute needed for solving the HTTP-01 challenge. These labels
-	// must match the label selector of at least one Gateway.
-	labels?: {[string]: string} @go(Labels,map[string]string)
-}
-
-#ACMEChallengeSolverHTTP01IngressPodTemplate: {
-	// ObjectMeta overrides for the pod used to solve HTTP01 challenges.
-	// Only the 'labels' and 'annotations' fields may be set.
-	// If labels or annotations overlap with in-built values, the values here
-	// will override the in-built values.
-	// +optional
-	metadata: #ACMEChallengeSolverHTTP01IngressPodObjectMeta @go(ACMEChallengeSolverHTTP01IngressPodObjectMeta)
-
-	// PodSpec defines overrides for the HTTP01 challenge solver pod.
-	// Only the 'priorityClassName', 'nodeSelector', 'affinity',
-	// 'serviceAccountName' and 'tolerations' fields are supported currently.
-	// All other fields will be ignored.
-	// +optional
-	spec: #ACMEChallengeSolverHTTP01IngressPodSpec @go(Spec)
-}
-
-#ACMEChallengeSolverHTTP01IngressPodObjectMeta: {
-	// Annotations that should be added to the create ACME HTTP01 solver pods.
-	// +optional
-	annotations?: {[string]: string} @go(Annotations,map[string]string)
-
-	// Labels that should be added to the created ACME HTTP01 solver pods.
-	// +optional
-	labels?: {[string]: string} @go(Labels,map[string]string)
-}
-
-#ACMEChallengeSolverHTTP01IngressPodSpec: {
-	// NodeSelector is a selector which must be true for the pod to fit on a node.
-	// Selector which must match a node's labels for the pod to be scheduled on that node.
-	// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
-	// +optional
-	nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string)
-
-	// If specified, the pod's scheduling constraints
-	// +optional
-	affinity?: null | corev1.#Affinity @go(Affinity,*corev1.Affinity)
-
-	// If specified, the pod's tolerations.
-	// +optional
-	tolerations?: [...corev1.#Toleration] @go(Tolerations,[]corev1.Toleration)
-
-	// If specified, the pod's priorityClassName.
-	// +optional
-	priorityClassName?: string @go(PriorityClassName)
-
-	// If specified, the pod's service account
-	// +optional
-	serviceAccountName?: string @go(ServiceAccountName)
-}
-
-#ACMEChallengeSolverHTTP01IngressTemplate: {
-	// ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
-	// Only the 'labels' and 'annotations' fields may be set.
-	// If labels or annotations overlap with in-built values, the values here
-	// will override the in-built values.
-	// +optional
-	metadata: #ACMEChallengeSolverHTTP01IngressObjectMeta @go(ACMEChallengeSolverHTTP01IngressObjectMeta)
-}
-
-#ACMEChallengeSolverHTTP01IngressObjectMeta: {
-	// Annotations that should be added to the created ACME HTTP01 solver ingress.
-	// +optional
-	annotations?: {[string]: string} @go(Annotations,map[string]string)
-
-	// Labels that should be added to the created ACME HTTP01 solver ingress.
-	// +optional
-	labels?: {[string]: string} @go(Labels,map[string]string)
-}
-
-// Used to configure a DNS01 challenge provider to be used when solving DNS01
-// challenges.
-// Only one DNS provider may be configured per solver.
-#ACMEChallengeSolverDNS01: {
-	// CNAMEStrategy configures how the DNS01 provider should handle CNAME
-	// records when found in DNS zones.
-	// +optional
-	cnameStrategy?: #CNAMEStrategy @go(CNAMEStrategy)
-
-	// Use the Akamai DNS zone management API to manage DNS01 challenge records.
-	// +optional
-	akamai?: null | #ACMEIssuerDNS01ProviderAkamai @go(Akamai,*ACMEIssuerDNS01ProviderAkamai)
-
-	// Use the Google Cloud DNS API to manage DNS01 challenge records.
-	// +optional
-	cloudDNS?: null | #ACMEIssuerDNS01ProviderCloudDNS @go(CloudDNS,*ACMEIssuerDNS01ProviderCloudDNS)
-
-	// Use the Cloudflare API to manage DNS01 challenge records.
-	// +optional
-	cloudflare?: null | #ACMEIssuerDNS01ProviderCloudflare @go(Cloudflare,*ACMEIssuerDNS01ProviderCloudflare)
-
-	// Use the AWS Route53 API to manage DNS01 challenge records.
-	// +optional
-	route53?: null | #ACMEIssuerDNS01ProviderRoute53 @go(Route53,*ACMEIssuerDNS01ProviderRoute53)
-
-	// Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-	// +optional
-	azureDNS?: null | #ACMEIssuerDNS01ProviderAzureDNS @go(AzureDNS,*ACMEIssuerDNS01ProviderAzureDNS)
-
-	// Use the DigitalOcean DNS API to manage DNS01 challenge records.
-	// +optional
-	digitalocean?: null | #ACMEIssuerDNS01ProviderDigitalOcean @go(DigitalOcean,*ACMEIssuerDNS01ProviderDigitalOcean)
-
-	// Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
-	// DNS01 challenge records.
-	// +optional
-	acmeDNS?: null | #ACMEIssuerDNS01ProviderAcmeDNS @go(AcmeDNS,*ACMEIssuerDNS01ProviderAcmeDNS)
-
-	// Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
-	// to manage DNS01 challenge records.
-	// +optional
-	rfc2136?: null | #ACMEIssuerDNS01ProviderRFC2136 @go(RFC2136,*ACMEIssuerDNS01ProviderRFC2136)
-
-	// Configure an external webhook based DNS01 challenge solver to manage
-	// DNS01 challenge records.
-	// +optional
-	webhook?: null | #ACMEIssuerDNS01ProviderWebhook @go(Webhook,*ACMEIssuerDNS01ProviderWebhook)
-}
-
-// CNAMEStrategy configures how the DNS01 provider should handle CNAME records
-// when found in DNS zones.
-// By default, the None strategy will be applied (i.e. do not follow CNAMEs).
-// +kubebuilder:validation:Enum=None;Follow
-#CNAMEStrategy: string
-
-// NoneStrategy indicates that no CNAME resolution strategy should be used
-// when determining which DNS zone to update during DNS01 challenges.
-#NoneStrategy: "None"
-
-// FollowStrategy will cause cert-manager to recurse through CNAMEs in
-// order to determine which DNS zone to update during DNS01 challenges.
-// This is useful if you do not want to grant cert-manager access to your
-// root DNS zone, and instead delegate the _acme-challenge.example.com
-// subdomain to some other, less privileged domain.
-#FollowStrategy: "Follow"
-
-// ACMEIssuerDNS01ProviderAkamai is a structure containing the DNS
-// configuration for Akamai DNS—Zone Record Management API
-#ACMEIssuerDNS01ProviderAkamai: {
-	serviceConsumerDomain: string                    @go(ServiceConsumerDomain)
-	clientTokenSecretRef:  cmmeta.#SecretKeySelector @go(ClientToken)
-	clientSecretSecretRef: cmmeta.#SecretKeySelector @go(ClientSecret)
-	accessTokenSecretRef:  cmmeta.#SecretKeySelector @go(AccessToken)
-}
-
-// ACMEIssuerDNS01ProviderCloudDNS is a structure containing the DNS
-// configuration for Google Cloud DNS
-#ACMEIssuerDNS01ProviderCloudDNS: {
-	// +optional
-	serviceAccountSecretRef?: null | cmmeta.#SecretKeySelector @go(ServiceAccount,*cmmeta.SecretKeySelector)
-	project:                  string                           @go(Project)
-
-	// HostedZoneName is an optional field that tells cert-manager in which
-	// Cloud DNS zone the challenge record has to be created.
-	// If left empty cert-manager will automatically choose a zone.
-	// +optional
-	hostedZoneName?: string @go(HostedZoneName)
-}
-
-// ACMEIssuerDNS01ProviderCloudflare is a structure containing the DNS
-// configuration for Cloudflare.
-// One of `apiKeySecretRef` or `apiTokenSecretRef` must be provided.
-#ACMEIssuerDNS01ProviderCloudflare: {
-	// Email of the account, only required when using API key based authentication.
-	// +optional
-	email?: string @go(Email)
-
-	// API key to use to authenticate with Cloudflare.
-	// Note: using an API token to authenticate is now the recommended method
-	// as it allows greater control of permissions.
-	// +optional
-	apiKeySecretRef?: null | cmmeta.#SecretKeySelector @go(APIKey,*cmmeta.SecretKeySelector)
-
-	// API token used to authenticate with Cloudflare.
-	// +optional
-	apiTokenSecretRef?: null | cmmeta.#SecretKeySelector @go(APIToken,*cmmeta.SecretKeySelector)
-}
-
-// ACMEIssuerDNS01ProviderDigitalOcean is a structure containing the DNS
-// configuration for DigitalOcean Domains
-#ACMEIssuerDNS01ProviderDigitalOcean: {
-	tokenSecretRef: cmmeta.#SecretKeySelector @go(Token)
-}
-
-// ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53
-// configuration for AWS
-#ACMEIssuerDNS01ProviderRoute53: {
-	// The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
-	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-	// +optional
-	accessKeyID?: string @go(AccessKeyID)
-
-	// The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
-	// https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-	// +optional
-	secretAccessKeySecretRef: cmmeta.#SecretKeySelector @go(SecretAccessKey)
-
-	// Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
-	// or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-	// +optional
-	role?: string @go(Role)
-
-	// If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-	// +optional
-	hostedZoneID?: string @go(HostedZoneID)
-
-	// Always set the region when using AccessKeyID and SecretAccessKey
-	region: string @go(Region)
-}
-
-// ACMEIssuerDNS01ProviderAzureDNS is a structure containing the
-// configuration for Azure DNS
-#ACMEIssuerDNS01ProviderAzureDNS: {
-	// if both this and ClientSecret are left unset MSI will be used
-	// +optional
-	clientID?: string @go(ClientID)
-
-	// if both this and ClientID are left unset MSI will be used
-	// +optional
-	clientSecretSecretRef?: null | cmmeta.#SecretKeySelector @go(ClientSecret,*cmmeta.SecretKeySelector)
-
-	// ID of the Azure subscription
-	subscriptionID: string @go(SubscriptionID)
-
-	// when specifying ClientID and ClientSecret then this field is also needed
-	// +optional
-	tenantID?: string @go(TenantID)
-
-	// resource group the DNS zone is located in
-	resourceGroupName: string @go(ResourceGroupName)
-
-	// name of the DNS zone that should be used
-	// +optional
-	hostedZoneName?: string @go(HostedZoneName)
-
-	// name of the Azure environment (default AzurePublicCloud)
-	// +optional
-	environment?: #AzureDNSEnvironment @go(Environment)
-
-	// managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
-	// +optional
-	managedIdentity?: null | #AzureManagedIdentity @go(ManagedIdentity,*AzureManagedIdentity)
-}
-
-#AzureManagedIdentity: {
-	// client ID of the managed identity, can not be used at the same time as resourceID
-	// +optional
-	clientID?: string @go(ClientID)
-
-	// resource ID of the managed identity, can not be used at the same time as clientID
-	// +optional
-	resourceID?: string @go(ResourceID)
-}
-
-// +kubebuilder:validation:Enum=AzurePublicCloud;AzureChinaCloud;AzureGermanCloud;AzureUSGovernmentCloud
-#AzureDNSEnvironment: string // #enumAzureDNSEnvironment
-
-#enumAzureDNSEnvironment:
-	#AzurePublicCloud |
-	#AzureChinaCloud |
-	#AzureGermanCloud |
-	#AzureUSGovernmentCloud
-
-#AzurePublicCloud:       #AzureDNSEnvironment & "AzurePublicCloud"
-#AzureChinaCloud:        #AzureDNSEnvironment & "AzureChinaCloud"
-#AzureGermanCloud:       #AzureDNSEnvironment & "AzureGermanCloud"
-#AzureUSGovernmentCloud: #AzureDNSEnvironment & "AzureUSGovernmentCloud"
-
-// ACMEIssuerDNS01ProviderAcmeDNS is a structure containing the
-// configuration for ACME-DNS servers
-#ACMEIssuerDNS01ProviderAcmeDNS: {
-	host:             string                    @go(Host)
-	accountSecretRef: cmmeta.#SecretKeySelector @go(AccountSecret)
-}
-
-// ACMEIssuerDNS01ProviderRFC2136 is a structure containing the
-// configuration for RFC2136 DNS
-#ACMEIssuerDNS01ProviderRFC2136: {
-	// The IP address or hostname of an authoritative DNS server supporting
-	// RFC2136 in the form host:port. If the host is an IPv6 address it must be
-	// enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
-	// This field is required.
-	nameserver: string @go(Nameserver)
-
-	// The name of the secret containing the TSIG value.
-	// If ``tsigKeyName`` is defined, this field is required.
-	// +optional
-	tsigSecretSecretRef?: cmmeta.#SecretKeySelector @go(TSIGSecret)
-
-	// The TSIG Key name configured in the DNS.
-	// If ``tsigSecretSecretRef`` is defined, this field is required.
-	// +optional
-	tsigKeyName?: string @go(TSIGKeyName)
-
-	// The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
-	// when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
-	// Supported values are (case-insensitive): ``HMACMD5`` (default),
-	// ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
-	// +optional
-	tsigAlgorithm?: string @go(TSIGAlgorithm)
-}
-
-// ACMEIssuerDNS01ProviderWebhook specifies configuration for a webhook DNS01
-// provider, including where to POST ChallengePayload resources.
-#ACMEIssuerDNS01ProviderWebhook: {
-	// The API group name that should be used when POSTing ChallengePayload
-	// resources to the webhook apiserver.
-	// This should be the same as the GroupName specified in the webhook
-	// provider implementation.
-	groupName: string @go(GroupName)
-
-	// The name of the solver to use, as defined in the webhook provider
-	// implementation.
-	// This will typically be the name of the provider, e.g. 'cloudflare'.
-	solverName: string @go(SolverName)
-
-	// Additional configuration that should be passed to the webhook apiserver
-	// when challenges are processed.
-	// This can contain arbitrary JSON data.
-	// Secret values should not be specified in this stanza.
-	// If secret values are needed (e.g. credentials for a DNS service), you
-	// should use a SecretKeySelector to reference a Secret resource.
-	// For details on the schema of this field, consult the webhook provider
-	// implementation's documentation.
-	// +optional
-	config?: null | apiextensionsv1.#JSON @go(Config,*apiextensionsv1.JSON)
-}
-
-#ACMEIssuerStatus: {
-	// URI is the unique account identifier, which can also be used to retrieve
-	// account details from the CA
-	// +optional
-	uri?: string @go(URI)
-
-	// LastRegisteredEmail is the email associated with the latest registered
-	// ACME account, in order to track changes made to registered account
-	// associated with the  Issuer
-	// +optional
-	lastRegisteredEmail?: string @go(LastRegisteredEmail)
-}
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_order_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_order_go_gen.cue
@@ -1,228 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
-
-package v1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
-)
-
-// Order is a type to represent an Order with an ACME server
-// +k8s:openapi-gen=true
-#Order: {
-	metav1.#TypeMeta
-	metadata: metav1.#ObjectMeta @go(ObjectMeta)
-	spec:     #OrderSpec         @go(Spec)
-
-	// +optional
-	status: #OrderStatus @go(Status)
-}
-
-// OrderList is a list of Orders
-#OrderList: {
-	metav1.#TypeMeta
-	metadata: metav1.#ListMeta @go(ListMeta)
-	items: [...#Order] @go(Items,[]Order)
-}
-
-#OrderSpec: {
-	// Certificate signing request bytes in DER encoding.
-	// This will be used when finalizing the order.
-	// This field must be set on the order.
-	request: bytes @go(Request,[]byte)
-
-	// IssuerRef references a properly configured ACME-type Issuer which should
-	// be used to create this Order.
-	// If the Issuer does not exist, processing will be retried.
-	// If the Issuer is not an 'ACME' Issuer, an error will be returned and the
-	// Order will be marked as failed.
-	issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
-
-	// CommonName is the common name as specified on the DER encoded CSR.
-	// If specified, this value must also be present in `dnsNames` or `ipAddresses`.
-	// This field must match the corresponding field on the DER encoded CSR.
-	// +optional
-	commonName?: string @go(CommonName)
-
-	// DNSNames is a list of DNS names that should be included as part of the Order
-	// validation process.
-	// This field must match the corresponding field on the DER encoded CSR.
-	//+optional
-	dnsNames?: [...string] @go(DNSNames,[]string)
-
-	// IPAddresses is a list of IP addresses that should be included as part of the Order
-	// validation process.
-	// This field must match the corresponding field on the DER encoded CSR.
-	// +optional
-	ipAddresses?: [...string] @go(IPAddresses,[]string)
-
-	// Duration is the duration for the not after date for the requested certificate.
-	// this is set on order creation as pe the ACME spec.
-	// +optional
-	duration?: null | metav1.#Duration @go(Duration,*metav1.Duration)
-}
-
-#OrderStatus: {
-	// URL of the Order.
-	// This will initially be empty when the resource is first created.
-	// The Order controller will populate this field when the Order is first processed.
-	// This field will be immutable after it is initially set.
-	// +optional
-	url?: string @go(URL)
-
-	// FinalizeURL of the Order.
-	// This is used to obtain certificates for this order once it has been completed.
-	// +optional
-	finalizeURL?: string @go(FinalizeURL)
-
-	// Authorizations contains data returned from the ACME server on what
-	// authorizations must be completed in order to validate the DNS names
-	// specified on the Order.
-	// +optional
-	authorizations?: [...#ACMEAuthorization] @go(Authorizations,[]ACMEAuthorization)
-
-	// Certificate is a copy of the PEM encoded certificate for this Order.
-	// This field will be populated after the order has been successfully
-	// finalized with the ACME server, and the order has transitioned to the
-	// 'valid' state.
-	// +optional
-	certificate?: bytes @go(Certificate,[]byte)
-
-	// State contains the current state of this Order resource.
-	// States 'success' and 'expired' are 'final'
-	// +optional
-	state?: #State @go(State)
-
-	// Reason optionally provides more information about a why the order is in
-	// the current state.
-	// +optional
-	reason?: string @go(Reason)
-
-	// FailureTime stores the time that this order failed.
-	// This is used to influence garbage collection and back-off.
-	// +optional
-	failureTime?: null | metav1.#Time @go(FailureTime,*metav1.Time)
-}
-
-// ACMEAuthorization contains data returned from the ACME server on an
-// authorization that must be completed in order validate a DNS name on an ACME
-// Order resource.
-#ACMEAuthorization: {
-	// URL is the URL of the Authorization that must be completed
-	url: string @go(URL)
-
-	// Identifier is the DNS name to be validated as part of this authorization
-	// +optional
-	identifier?: string @go(Identifier)
-
-	// Wildcard will be true if this authorization is for a wildcard DNS name.
-	// If this is true, the identifier will be the *non-wildcard* version of
-	// the DNS name.
-	// For example, if '*.example.com' is the DNS name being validated, this
-	// field will be 'true' and the 'identifier' field will be 'example.com'.
-	// +optional
-	wildcard?: null | bool @go(Wildcard,*bool)
-
-	// InitialState is the initial state of the ACME authorization when first
-	// fetched from the ACME server.
-	// If an Authorization is already 'valid', the Order controller will not
-	// create a Challenge resource for the authorization. This will occur when
-	// working with an ACME server that enables 'authz reuse' (such as Let's
-	// Encrypt's production endpoint).
-	// If not set and 'identifier' is set, the state is assumed to be pending
-	// and a Challenge will be created.
-	// +optional
-	initialState?: #State @go(InitialState)
-
-	// Challenges specifies the challenge types offered by the ACME server.
-	// One of these challenge types will be selected when validating the DNS
-	// name and an appropriate Challenge resource will be created to perform
-	// the ACME challenge process.
-	// +optional
-	challenges?: [...#ACMEChallenge] @go(Challenges,[]ACMEChallenge)
-}
-
-// Challenge specifies a challenge offered by the ACME server for an Order.
-// An appropriate Challenge resource can be created to perform the ACME
-// challenge process.
-#ACMEChallenge: {
-	// URL is the URL of this challenge. It can be used to retrieve additional
-	// metadata about the Challenge from the ACME server.
-	url: string @go(URL)
-
-	// Token is the token that must be presented for this challenge.
-	// This is used to compute the 'key' that must also be presented.
-	token: string @go(Token)
-
-	// Type is the type of challenge being offered, e.g. 'http-01', 'dns-01',
-	// 'tls-sni-01', etc.
-	// This is the raw value retrieved from the ACME server.
-	// Only 'http-01' and 'dns-01' are supported by cert-manager, other values
-	// will be ignored.
-	type: string @go(Type)
-}
-
-// State represents the state of an ACME resource, such as an Order.
-// The possible options here map to the corresponding values in the
-// ACME specification.
-// Full details of these values can be found here: https://tools.ietf.org/html/draft-ietf-acme-acme-15#section-7.1.6
-// Clients utilising this type must also gracefully handle unknown
-// values, as the contents of this enumeration may be added to over time.
-// +kubebuilder:validation:Enum=valid;ready;pending;processing;invalid;expired;errored
-#State: string // #enumState
-
-#enumState:
-	#Unknown |
-	#Valid |
-	#Ready |
-	#Pending |
-	#Processing |
-	#Invalid |
-	#Expired |
-	#Errored
-
-// Unknown is not a real state as part of the ACME spec.
-// It is used to represent an unrecognised value.
-#Unknown: #State & ""
-
-// Valid signifies that an ACME resource is in a valid state.
-// If an order is 'valid', it has been finalized with the ACME server and
-// the certificate can be retrieved from the ACME server using the
-// certificate URL stored in the Order's status subresource.
-// This is a final state.
-#Valid: #State & "valid"
-
-// Ready signifies that an ACME resource is in a ready state.
-// If an order is 'ready', all of its challenges have been completed
-// successfully and the order is ready to be finalized.
-// Once finalized, it will transition to the Valid state.
-// This is a transient state.
-#Ready: #State & "ready"
-
-// Pending signifies that an ACME resource is still pending and is not yet ready.
-// If an Order is marked 'Pending', the validations for that Order are still in progress.
-// This is a transient state.
-#Pending: #State & "pending"
-
-// Processing signifies that an ACME resource is being processed by the server.
-// If an Order is marked 'Processing', the validations for that Order are currently being processed.
-// This is a transient state.
-#Processing: #State & "processing"
-
-// Invalid signifies that an ACME resource is invalid for some reason.
-// If an Order is marked 'invalid', one of its validations be have invalid for some reason.
-// This is a final state.
-#Invalid: #State & "invalid"
-
-// Expired signifies that an ACME resource has expired.
-// If an Order is marked 'Expired', one of its validations may have expired or the Order itself.
-// This is a final state.
-#Expired: #State & "expired"
-
-// Errored signifies that the ACME resource has errored for some reason.
-// This is a catch-all state, and is used for marking internal cert-manager
-// errors such as validation failures.
-// This is a final state.
-#Errored: #State & "errored"
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/const_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/const_go_gen.cue
@@ -1,27 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
-
-package v1
-
-import "time"
-
-// minimum permitted certificate duration by cert-manager
-#MinimumCertificateDuration: time.#Duration & 3600000000000
-
-// default certificate duration if Issuer.spec.duration is not set
-#DefaultCertificateDuration: time.#Duration & 7776000000000000
-
-// minimum certificate duration before certificate expiration
-#MinimumRenewBefore: time.#Duration & 300000000000
-
-// Deprecated: the default is now 2/3 of Certificate's duration
-#DefaultRenewBefore: time.#Duration & 2592000000000000
-
-// Default index key for the Secret reference for Token authentication
-#DefaultVaultTokenAuthSecretKey: "token"
-
-// Default mount path location for Kubernetes ServiceAccount authentication
-// (/v1/auth/kubernetes). The endpoint will then be called at `/login`, so
-// left as the default, `/v1/auth/kubernetes/login` will be called.
-#DefaultVaultKubernetesAuthMountPath: "/v1/auth/kubernetes"
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/doc_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/doc_go_gen.cue
@@ -1,9 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
-
-// Package v1 is the v1 version of the API.
-// +k8s:deepcopy-gen=package,register
-// +groupName=cert-manager.io
-// +groupGoName=Certmanager
-package v1
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/generic_issuer_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/generic_issuer_go_gen.cue
@@ -1,7 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
-
-package v1
-
-#GenericIssuer: _
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_certificate_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_certificate_go_gen.cue
@@ -1,496 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
-
-package v1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
-)
-
-// A Certificate resource should be created to ensure an up to date and signed
-// x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
-//
-// The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
-// +k8s:openapi-gen=true
-#Certificate: {
-	metav1.#TypeMeta
-	metadata?: metav1.#ObjectMeta @go(ObjectMeta)
-
-	// Desired state of the Certificate resource.
-	spec: #CertificateSpec @go(Spec)
-
-	// Status of the Certificate. This is set and managed automatically.
-	// +optional
-	status: #CertificateStatus @go(Status)
-}
-
-// CertificateList is a list of Certificates
-#CertificateList: {
-	metav1.#TypeMeta
-	metadata: metav1.#ListMeta @go(ListMeta)
-	items: [...#Certificate] @go(Items,[]Certificate)
-}
-
-// +kubebuilder:validation:Enum=RSA;ECDSA;Ed25519
-#PrivateKeyAlgorithm: string // #enumPrivateKeyAlgorithm
-
-#enumPrivateKeyAlgorithm:
-	#RSAKeyAlgorithm |
-	#ECDSAKeyAlgorithm |
-	#Ed25519KeyAlgorithm
-
-// Denotes the RSA private key type.
-#RSAKeyAlgorithm: #PrivateKeyAlgorithm & "RSA"
-
-// Denotes the ECDSA private key type.
-#ECDSAKeyAlgorithm: #PrivateKeyAlgorithm & "ECDSA"
-
-// Denotes the Ed25519 private key type.
-#Ed25519KeyAlgorithm: #PrivateKeyAlgorithm & "Ed25519"
-
-// +kubebuilder:validation:Enum=PKCS1;PKCS8
-#PrivateKeyEncoding: string // #enumPrivateKeyEncoding
-
-#enumPrivateKeyEncoding:
-	#PKCS1 |
-	#PKCS8
-
-// PKCS1 key encoding will produce PEM files that include the type of
-// private key as part of the PEM header, e.g. `BEGIN RSA PRIVATE KEY`.
-// If the keyAlgorithm is set to 'ECDSA', this will produce private keys
-// that use the `BEGIN EC PRIVATE KEY` header.
-#PKCS1: #PrivateKeyEncoding & "PKCS1"
-
-// PKCS8 key encoding will produce PEM files with the `BEGIN PRIVATE KEY`
-// header. It encodes the keyAlgorithm of the private key as part of the
-// DER encoded PEM block.
-#PKCS8: #PrivateKeyEncoding & "PKCS8"
-
-// CertificateSpec defines the desired state of Certificate.
-// A valid Certificate requires at least one of a CommonName, DNSName, or
-// URISAN to be valid.
-#CertificateSpec: {
-	// Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
-	// +optional
-	subject?: null | #X509Subject @go(Subject,*X509Subject)
-
-	// CommonName is a common name to be used on the Certificate.
-	// The CommonName should have a length of 64 characters or fewer to avoid
-	// generating invalid CSRs.
-	// This value is ignored by TLS clients when any subject alt name is set.
-	// This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4
-	// +optional
-	commonName?: string @go(CommonName)
-
-	// The requested 'duration' (i.e. lifetime) of the Certificate. This option
-	// may be ignored/overridden by some issuer types. If unset this defaults to
-	// 90 days. Certificate will be renewed either 2/3 through its duration or
-	// `renewBefore` period before its expiry, whichever is later. Minimum
-	// accepted duration is 1 hour. Value must be in units accepted by Go
-	// time.ParseDuration https://golang.org/pkg/time/#ParseDuration
-	// +optional
-	duration?: null | metav1.#Duration @go(Duration,*metav1.Duration)
-
-	// How long before the currently issued certificate's expiry
-	// cert-manager should renew the certificate. The default is 2/3 of the
-	// issued certificate's duration. Minimum accepted value is 5 minutes.
-	// Value must be in units accepted by Go time.ParseDuration
-	// https://golang.org/pkg/time/#ParseDuration
-	// +optional
-	renewBefore?: null | metav1.#Duration @go(RenewBefore,*metav1.Duration)
-
-	// DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
-	// +optional
-	dnsNames?: [...string] @go(DNSNames,[]string)
-
-	// IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
-	// +optional
-	ipAddresses?: [...string] @go(IPAddresses,[]string)
-
-	// URIs is a list of URI subjectAltNames to be set on the Certificate.
-	// +optional
-	uris?: [...string] @go(URIs,[]string)
-
-	// EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
-	// +optional
-	emailAddresses?: [...string] @go(EmailAddresses,[]string)
-
-	// SecretName is the name of the secret resource that will be automatically
-	// created and managed by this Certificate resource.
-	// It will be populated with a private key and certificate, signed by the
-	// denoted issuer.
-	secretName: string @go(SecretName)
-
-	// SecretTemplate defines annotations and labels to be copied to the
-	// Certificate's Secret. Labels and annotations on the Secret will be changed
-	// as they appear on the SecretTemplate when added or removed. SecretTemplate
-	// annotations are added in conjunction with, and cannot overwrite, the base
-	// set of annotations cert-manager sets on the Certificate's Secret.
-	// +optional
-	secretTemplate?: null | #CertificateSecretTemplate @go(SecretTemplate,*CertificateSecretTemplate)
-
-	// Keystores configures additional keystore output formats stored in the
-	// `secretName` Secret resource.
-	// +optional
-	keystores?: null | #CertificateKeystores @go(Keystores,*CertificateKeystores)
-
-	// IssuerRef is a reference to the issuer for this certificate.
-	// If the `kind` field is not set, or set to `Issuer`, an Issuer resource
-	// with the given name in the same namespace as the Certificate will be used.
-	// If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the
-	// provided name will be used.
-	// The `name` field in this stanza is required at all times.
-	issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
-
-	// IsCA will mark this Certificate as valid for certificate signing.
-	// This will automatically add the `cert sign` usage to the list of `usages`.
-	// +optional
-	isCA?: bool @go(IsCA)
-
-	// Usages is the set of x509 usages that are requested for the certificate.
-	// Defaults to `digital signature` and `key encipherment` if not specified.
-	// +optional
-	usages?: [...#KeyUsage] @go(Usages,[]KeyUsage)
-
-	// Options to control private keys used for the Certificate.
-	// +optional
-	privateKey?: null | #CertificatePrivateKey @go(PrivateKey,*CertificatePrivateKey)
-
-	// EncodeUsagesInRequest controls whether key usages should be present
-	// in the CertificateRequest
-	// +optional
-	encodeUsagesInRequest?: null | bool @go(EncodeUsagesInRequest,*bool)
-
-	// revisionHistoryLimit is the maximum number of CertificateRequest revisions
-	// that are maintained in the Certificate's history. Each revision represents
-	// a single `CertificateRequest` created by this Certificate, either when it
-	// was created, renewed, or Spec was changed. Revisions will be removed by
-	// oldest first if the number of revisions exceeds this number. If set,
-	// revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`),
-	// revisions will not be garbage collected. Default value is `nil`.
-	// +kubebuilder:validation:ExclusiveMaximum=false
-	// +optional
-	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32)
-
-	// AdditionalOutputFormats defines extra output formats of the private key
-	// and signed certificate chain to be written to this Certificate's target
-	// Secret. This is an Alpha Feature and is only enabled with the
-	// `--feature-gates=AdditionalCertificateOutputFormats=true` option on both
-	// the controller and webhook components.
-	// +optional
-	additionalOutputFormats?: [...#CertificateAdditionalOutputFormat] @go(AdditionalOutputFormats,[]CertificateAdditionalOutputFormat)
-}
-
-// CertificatePrivateKey contains configuration options for private keys
-// used by the Certificate controller.
-// This allows control of how private keys are rotated.
-#CertificatePrivateKey: {
-	// RotationPolicy controls how private keys should be regenerated when a
-	// re-issuance is being processed.
-	// If set to Never, a private key will only be generated if one does not
-	// already exist in the target `spec.secretName`. If one does exists but it
-	// does not have the correct algorithm or size, a warning will be raised
-	// to await user intervention.
-	// If set to Always, a private key matching the specified requirements
-	// will be generated whenever a re-issuance occurs.
-	// Default is 'Never' for backward compatibility.
-	// +optional
-	rotationPolicy?: #PrivateKeyRotationPolicy @go(RotationPolicy)
-
-	// The private key cryptography standards (PKCS) encoding for this
-	// certificate's private key to be encoded in.
-	// If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
-	// and PKCS#8, respectively.
-	// Defaults to `PKCS1` if not specified.
-	// +optional
-	encoding?: #PrivateKeyEncoding @go(Encoding)
-
-	// Algorithm is the private key algorithm of the corresponding private key
-	// for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA`
-	// If `algorithm` is specified and `size` is not provided,
-	// key size of 256 will be used for `ECDSA` key algorithm and
-	// key size of 2048 will be used for `RSA` key algorithm.
-	// key size is ignored when using the `Ed25519` key algorithm.
-	// +optional
-	algorithm?: #PrivateKeyAlgorithm @go(Algorithm)
-
-	// Size is the key bit size of the corresponding private key for this certificate.
-	// If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
-	// and will default to `2048` if not specified.
-	// If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
-	// and will default to `256` if not specified.
-	// If `algorithm` is set to `Ed25519`, Size is ignored.
-	// No other values are allowed.
-	// +optional
-	size?: int @go(Size)
-}
-
-// Denotes how private keys should be generated or sourced when a Certificate
-// is being issued.
-#PrivateKeyRotationPolicy: string
-
-// CertificateOutputFormatType specifies which additional output formats should
-// be written to the Certificate's target Secret.
-// Allowed values are `DER` or `CombinedPEM`.
-// When Type is set to `DER` an additional entry `key.der` will be written to
-// the Secret, containing the binary format of the private key.
-// When Type is set to `CombinedPEM` an additional entry `tls-combined.pem`
-// will be written to the Secret, containing the PEM formatted private key and
-// signed certificate chain (tls.key + tls.crt concatenated).
-// +kubebuilder:validation:Enum=DER;CombinedPEM
-#CertificateOutputFormatType: string // #enumCertificateOutputFormatType
-
-#enumCertificateOutputFormatType:
-	#CertificateOutputFormatDER |
-	#CertificateOutputFormatCombinedPEM
-
-// CertificateOutputFormatDERKey is the name of the data entry in the Secret
-// resource used to store the DER formatted private key.
-#CertificateOutputFormatDERKey: "key.der"
-
-// CertificateOutputFormatDER  writes the Certificate's private key in DER
-// binary format to the `key.der` target Secret Data key.
-#CertificateOutputFormatDER: #CertificateOutputFormatType & "DER"
-
-// CertificateOutputFormatCombinedPEMKey is the name of the data entry in the Secret
-// resource used to store the combined PEM (key + signed certificate).
-#CertificateOutputFormatCombinedPEMKey: "tls-combined.pem"
-
-// CertificateOutputFormatCombinedPEM  writes the Certificate's signed
-// certificate chain and private key, in PEM format, to the
-// `tls-combined.pem` target Secret Data key. The value at this key will
-// include the private key PEM document, followed by at least one new line
-// character, followed by the chain of signed certificate PEM documents
-// (`<private key> + \n + <signed certificate chain>`).
-#CertificateOutputFormatCombinedPEM: #CertificateOutputFormatType & "CombinedPEM"
-
-// CertificateAdditionalOutputFormat defines an additional output format of a
-// Certificate resource. These contain supplementary data formats of the signed
-// certificate chain and paired private key.
-#CertificateAdditionalOutputFormat: {
-	// Type is the name of the format type that should be written to the
-	// Certificate's target Secret.
-	type: #CertificateOutputFormatType @go(Type)
-}
-
-// X509Subject Full X509 name specification
-#X509Subject: {
-	// Organizations to be used on the Certificate.
-	// +optional
-	organizations?: [...string] @go(Organizations,[]string)
-
-	// Countries to be used on the Certificate.
-	// +optional
-	countries?: [...string] @go(Countries,[]string)
-
-	// Organizational Units to be used on the Certificate.
-	// +optional
-	organizationalUnits?: [...string] @go(OrganizationalUnits,[]string)
-
-	// Cities to be used on the Certificate.
-	// +optional
-	localities?: [...string] @go(Localities,[]string)
-
-	// State/Provinces to be used on the Certificate.
-	// +optional
-	provinces?: [...string] @go(Provinces,[]string)
-
-	// Street addresses to be used on the Certificate.
-	// +optional
-	streetAddresses?: [...string] @go(StreetAddresses,[]string)
-
-	// Postal codes to be used on the Certificate.
-	// +optional
-	postalCodes?: [...string] @go(PostalCodes,[]string)
-
-	// Serial number to be used on the Certificate.
-	// +optional
-	serialNumber?: string @go(SerialNumber)
-}
-
-// CertificateKeystores configures additional keystore output formats to be
-// created in the Certificate's output Secret.
-#CertificateKeystores: {
-	// JKS configures options for storing a JKS keystore in the
-	// `spec.secretName` Secret resource.
-	// +optional
-	jks?: null | #JKSKeystore @go(JKS,*JKSKeystore)
-
-	// PKCS12 configures options for storing a PKCS12 keystore in the
-	// `spec.secretName` Secret resource.
-	// +optional
-	pkcs12?: null | #PKCS12Keystore @go(PKCS12,*PKCS12Keystore)
-}
-
-// JKS configures options for storing a JKS keystore in the `spec.secretName`
-// Secret resource.
-#JKSKeystore: {
-	// Create enables JKS keystore creation for the Certificate.
-	// If true, a file named `keystore.jks` will be created in the target
-	// Secret resource, encrypted using the password stored in
-	// `passwordSecretRef`.
-	// The keystore file will only be updated upon re-issuance.
-	// A file named `truststore.jks` will also be created in the target
-	// Secret resource, encrypted using the password stored in
-	// `passwordSecretRef` containing the issuing Certificate Authority
-	create: bool @go(Create)
-
-	// PasswordSecretRef is a reference to a key in a Secret resource
-	// containing the password used to encrypt the JKS keystore.
-	passwordSecretRef: cmmeta.#SecretKeySelector @go(PasswordSecretRef)
-}
-
-// PKCS12 configures options for storing a PKCS12 keystore in the
-// `spec.secretName` Secret resource.
-#PKCS12Keystore: {
-	// Create enables PKCS12 keystore creation for the Certificate.
-	// If true, a file named `keystore.p12` will be created in the target
-	// Secret resource, encrypted using the password stored in
-	// `passwordSecretRef`.
-	// The keystore file will only be updated upon re-issuance.
-	// A file named `truststore.p12` will also be created in the target
-	// Secret resource, encrypted using the password stored in
-	// `passwordSecretRef` containing the issuing Certificate Authority
-	create: bool @go(Create)
-
-	// PasswordSecretRef is a reference to a key in a Secret resource
-	// containing the password used to encrypt the PKCS12 keystore.
-	passwordSecretRef: cmmeta.#SecretKeySelector @go(PasswordSecretRef)
-}
-
-// CertificateStatus defines the observed state of Certificate
-#CertificateStatus: {
-	// List of status conditions to indicate the status of certificates.
-	// Known condition types are `Ready` and `Issuing`.
-	// +optional
-	conditions?: [...#CertificateCondition] @go(Conditions,[]CertificateCondition)
-
-	// LastFailureTime is the time as recorded by the Certificate controller
-	// of the most recent failure to complete a CertificateRequest for this
-	// Certificate resource.
-	// If set, cert-manager will not re-request another Certificate until
-	// 1 hour has elapsed from this time.
-	// +optional
-	lastFailureTime?: null | metav1.#Time @go(LastFailureTime,*metav1.Time)
-
-	// The time after which the certificate stored in the secret named
-	// by this resource in spec.secretName is valid.
-	// +optional
-	notBefore?: null | metav1.#Time @go(NotBefore,*metav1.Time)
-
-	// The expiration time of the certificate stored in the secret named
-	// by this resource in `spec.secretName`.
-	// +optional
-	notAfter?: null | metav1.#Time @go(NotAfter,*metav1.Time)
-
-	// RenewalTime is the time at which the certificate will be next
-	// renewed.
-	// If not set, no upcoming renewal is scheduled.
-	// +optional
-	renewalTime?: null | metav1.#Time @go(RenewalTime,*metav1.Time)
-
-	// The current 'revision' of the certificate as issued.
-	//
-	// When a CertificateRequest resource is created, it will have the
-	// `cert-manager.io/certificate-revision` set to one greater than the
-	// current value of this field.
-	//
-	// Upon issuance, this field will be set to the value of the annotation
-	// on the CertificateRequest resource used to issue the certificate.
-	//
-	// Persisting the value on the CertificateRequest resource allows the
-	// certificates controller to know whether a request is part of an old
-	// issuance or if it is part of the ongoing revision's issuance by
-	// checking if the revision value in the annotation is greater than this
-	// field.
-	// +optional
-	revision?: null | int @go(Revision,*int)
-
-	// The name of the Secret resource containing the private key to be used
-	// for the next certificate iteration.
-	// The keymanager controller will automatically set this field if the
-	// `Issuing` condition is set to `True`.
-	// It will automatically unset this field when the Issuing condition is
-	// not set or False.
-	// +optional
-	nextPrivateKeySecretName?: null | string @go(NextPrivateKeySecretName,*string)
-}
-
-// CertificateCondition contains condition information for an Certificate.
-#CertificateCondition: {
-	// Type of the condition, known values are (`Ready`, `Issuing`).
-	type: #CertificateConditionType @go(Type)
-
-	// Status of the condition, one of (`True`, `False`, `Unknown`).
-	status: cmmeta.#ConditionStatus @go(Status)
-
-	// LastTransitionTime is the timestamp corresponding to the last status
-	// change of this condition.
-	// +optional
-	lastTransitionTime?: null | metav1.#Time @go(LastTransitionTime,*metav1.Time)
-
-	// Reason is a brief machine readable explanation for the condition's last
-	// transition.
-	// +optional
-	reason?: string @go(Reason)
-
-	// Message is a human readable description of the details of the last
-	// transition, complementing reason.
-	// +optional
-	message?: string @go(Message)
-
-	// If set, this represents the .metadata.generation that the condition was
-	// set based upon.
-	// For instance, if .metadata.generation is currently 12, but the
-	// .status.condition[x].observedGeneration is 9, the condition is out of date
-	// with respect to the current state of the Certificate.
-	// +optional
-	observedGeneration?: int64 @go(ObservedGeneration)
-}
-
-// CertificateConditionType represents an Certificate condition value.
-#CertificateConditionType: string // #enumCertificateConditionType
-
-#enumCertificateConditionType:
-	#CertificateConditionReady |
-	#CertificateConditionIssuing
-
-// CertificateConditionReady indicates that a certificate is ready for use.
-// This is defined as:
-// - The target secret exists
-// - The target secret contains a certificate that has not expired
-// - The target secret contains a private key valid for the certificate
-// - The commonName and dnsNames attributes match those specified on the Certificate
-#CertificateConditionReady: #CertificateConditionType & "Ready"
-
-// A condition added to Certificate resources when an issuance is required.
-// This condition will be automatically added and set to true if:
-//   * No keypair data exists in the target Secret
-//   * The data stored in the Secret cannot be decoded
-//   * The private key and certificate do not have matching public keys
-//   * If a CertificateRequest for the current revision exists and the
-//     certificate data stored in the Secret does not match the
-//    `status.certificate` on the CertificateRequest.
-//   * If no CertificateRequest resource exists for the current revision,
-//     the options on the Certificate resource are compared against the
-//     x509 data in the Secret, similar to what's done in earlier versions.
-//     If there is a mismatch, an issuance is triggered.
-// This condition may also be added by external API consumers to trigger
-// a re-issuance manually for any other reason.
-//
-// It will be removed by the 'issuing' controller upon completing issuance.
-#CertificateConditionIssuing: #CertificateConditionType & "Issuing"
-
-// CertificateSecretTemplate defines the default labels and annotations
-// to be copied to the Kubernetes Secret resource named in `CertificateSpec.secretName`.
-#CertificateSecretTemplate: {
-	// Annotations is a key value map to be copied to the target Kubernetes Secret.
-	// +optional
-	annotations?: {[string]: string} @go(Annotations,map[string]string)
-
-	// Labels is a key value map to be copied to the target Kubernetes Secret.
-	// +optional
-	labels?: {[string]: string} @go(Labels,map[string]string)
-}
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_certificaterequest_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_certificaterequest_go_gen.cue
@@ -1,195 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
-
-package v1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
-)
-
-// Pending indicates that a CertificateRequest is still in progress.
-#CertificateRequestReasonPending: "Pending"
-
-// Failed indicates that a CertificateRequest has failed, either due to
-// timing out or some other critical failure.
-#CertificateRequestReasonFailed: "Failed"
-
-// Issued indicates that a CertificateRequest has been completed, and that
-// the `status.certificate` field is set.
-#CertificateRequestReasonIssued: "Issued"
-
-// Denied is a Ready condition reason that indicates that a
-// CertificateRequest has been denied, and the CertificateRequest will never
-// be issued.
-#CertificateRequestReasonDenied: "Denied"
-
-// A CertificateRequest is used to request a signed certificate from one of the
-// configured issuers.
-//
-// All fields within the CertificateRequest's `spec` are immutable after creation.
-// A CertificateRequest will either succeed or fail, as denoted by its `status.state`
-// field.
-//
-// A CertificateRequest is a one-shot resource, meaning it represents a single
-// point in time request for a certificate and cannot be re-used.
-// +k8s:openapi-gen=true
-#CertificateRequest: {
-	metav1.#TypeMeta
-	metadata?: metav1.#ObjectMeta @go(ObjectMeta)
-
-	// Desired state of the CertificateRequest resource.
-	spec: #CertificateRequestSpec @go(Spec)
-
-	// Status of the CertificateRequest. This is set and managed automatically.
-	// +optional
-	status: #CertificateRequestStatus @go(Status)
-}
-
-// CertificateRequestList is a list of Certificates
-#CertificateRequestList: {
-	metav1.#TypeMeta
-	metadata: metav1.#ListMeta @go(ListMeta)
-	items: [...#CertificateRequest] @go(Items,[]CertificateRequest)
-}
-
-// CertificateRequestSpec defines the desired state of CertificateRequest
-#CertificateRequestSpec: {
-	// The requested 'duration' (i.e. lifetime) of the Certificate.
-	// This option may be ignored/overridden by some issuer types.
-	// +optional
-	duration?: null | metav1.#Duration @go(Duration,*metav1.Duration)
-
-	// IssuerRef is a reference to the issuer for this CertificateRequest.  If
-	// the `kind` field is not set, or set to `Issuer`, an Issuer resource with
-	// the given name in the same namespace as the CertificateRequest will be
-	// used.  If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with
-	// the provided name will be used. The `name` field in this stanza is
-	// required at all times. The group field refers to the API group of the
-	// issuer which defaults to `cert-manager.io` if empty.
-	issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
-
-	// The PEM-encoded x509 certificate signing request to be submitted to the
-	// CA for signing.
-	request: bytes @go(Request,[]byte)
-
-	// IsCA will request to mark the certificate as valid for certificate signing
-	// when submitting to the issuer.
-	// This will automatically add the `cert sign` usage to the list of `usages`.
-	// +optional
-	isCA?: bool @go(IsCA)
-
-	// Usages is the set of x509 usages that are requested for the certificate.
-	// If usages are set they SHOULD be encoded inside the CSR spec
-	// Defaults to `digital signature` and `key encipherment` if not specified.
-	// +optional
-	usages?: [...#KeyUsage] @go(Usages,[]KeyUsage)
-
-	// Username contains the name of the user that created the CertificateRequest.
-	// Populated by the cert-manager webhook on creation and immutable.
-	// +optional
-	username?: string @go(Username)
-
-	// UID contains the uid of the user that created the CertificateRequest.
-	// Populated by the cert-manager webhook on creation and immutable.
-	// +optional
-	uid?: string @go(UID)
-
-	// Groups contains group membership of the user that created the CertificateRequest.
-	// Populated by the cert-manager webhook on creation and immutable.
-	// +listType=atomic
-	// +optional
-	groups?: [...string] @go(Groups,[]string)
-
-	// Extra contains extra attributes of the user that created the CertificateRequest.
-	// Populated by the cert-manager webhook on creation and immutable.
-	// +optional
-	extra?: {[string]: [...string]} @go(Extra,map[string][]string)
-}
-
-// CertificateRequestStatus defines the observed state of CertificateRequest and
-// resulting signed certificate.
-#CertificateRequestStatus: {
-	// List of status conditions to indicate the status of a CertificateRequest.
-	// Known condition types are `Ready` and `InvalidRequest`.
-	// +optional
-	conditions?: [...#CertificateRequestCondition] @go(Conditions,[]CertificateRequestCondition)
-
-	// The PEM encoded x509 certificate resulting from the certificate
-	// signing request.
-	// If not set, the CertificateRequest has either not been completed or has
-	// failed. More information on failure can be found by checking the
-	// `conditions` field.
-	// +optional
-	certificate?: bytes @go(Certificate,[]byte)
-
-	// The PEM encoded x509 certificate of the signer, also known as the CA
-	// (Certificate Authority).
-	// This is set on a best-effort basis by different issuers.
-	// If not set, the CA is assumed to be unknown/not available.
-	// +optional
-	ca?: bytes @go(CA,[]byte)
-
-	// FailureTime stores the time that this CertificateRequest failed. This is
-	// used to influence garbage collection and back-off.
-	// +optional
-	failureTime?: null | metav1.#Time @go(FailureTime,*metav1.Time)
-}
-
-// CertificateRequestCondition contains condition information for a CertificateRequest.
-#CertificateRequestCondition: {
-	// Type of the condition, known values are (`Ready`, `InvalidRequest`,
-	// `Approved`, `Denied`).
-	type: #CertificateRequestConditionType @go(Type)
-
-	// Status of the condition, one of (`True`, `False`, `Unknown`).
-	status: cmmeta.#ConditionStatus @go(Status)
-
-	// LastTransitionTime is the timestamp corresponding to the last status
-	// change of this condition.
-	// +optional
-	lastTransitionTime?: null | metav1.#Time @go(LastTransitionTime,*metav1.Time)
-
-	// Reason is a brief machine readable explanation for the condition's last
-	// transition.
-	// +optional
-	reason?: string @go(Reason)
-
-	// Message is a human readable description of the details of the last
-	// transition, complementing reason.
-	// +optional
-	message?: string @go(Message)
-}
-
-// CertificateRequestConditionType represents an Certificate condition value.
-#CertificateRequestConditionType: string // #enumCertificateRequestConditionType
-
-#enumCertificateRequestConditionType:
-	#CertificateRequestConditionReady |
-	#CertificateRequestConditionInvalidRequest |
-	#CertificateRequestConditionApproved |
-	#CertificateRequestConditionDenied
-
-// CertificateRequestConditionReady indicates that a certificate is ready for use.
-// This is defined as:
-// - The target certificate exists in CertificateRequest.Status
-#CertificateRequestConditionReady: #CertificateRequestConditionType & "Ready"
-
-// CertificateRequestConditionInvalidRequest indicates that a certificate
-// signer has refused to sign the request due to at least one of the input
-// parameters being invalid. Additional information about why the request
-// was rejected can be found in the `reason` and `message` fields.
-#CertificateRequestConditionInvalidRequest: #CertificateRequestConditionType & "InvalidRequest"
-
-// CertificateRequestConditionApproved indicates that a certificate request
-// is approved and ready for signing. Condition must never have a status of
-// `False`, and cannot be modified once set. Cannot be set alongside
-// `Denied`.
-#CertificateRequestConditionApproved: #CertificateRequestConditionType & "Approved"
-
-// CertificateRequestConditionDenied indicates that a certificate request is
-// denied, and must never be signed. Condition must never have a status of
-// `False`, and cannot be modified once set. Cannot be set alongside
-// `Approved`.
-#CertificateRequestConditionDenied: #CertificateRequestConditionType & "Denied"
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_go_gen.cue
@@ -1,195 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
-
-package v1
-
-// Annotation key for DNS subjectAltNames.
-#AltNamesAnnotationKey: "cert-manager.io/alt-names"
-
-// Annotation key for IP subjectAltNames.
-#IPSANAnnotationKey: "cert-manager.io/ip-sans"
-
-// Annotation key for URI subjectAltNames.
-#URISANAnnotationKey: "cert-manager.io/uri-sans"
-
-// Annotation key for certificate common name.
-#CommonNameAnnotationKey: "cert-manager.io/common-name"
-
-// Duration key for certificate duration.
-#DurationAnnotationKey: "cert-manager.io/duration"
-
-// Annotation key for certificate renewBefore.
-#RenewBeforeAnnotationKey: "cert-manager.io/renew-before"
-
-// Annotation key for certificate key usages.
-#UsagesAnnotationKey: "cert-manager.io/usages"
-
-// Annotation key the 'name' of the Issuer resource.
-#IssuerNameAnnotationKey: "cert-manager.io/issuer-name"
-
-// Annotation key for the 'kind' of the Issuer resource.
-#IssuerKindAnnotationKey: "cert-manager.io/issuer-kind"
-
-// Annotation key for the 'group' of the Issuer resource.
-#IssuerGroupAnnotationKey: "cert-manager.io/issuer-group"
-
-// Annotation key for the name of the certificate that a resource is related to.
-#CertificateNameKey: "cert-manager.io/certificate-name"
-
-// Annotation key used to denote whether a Secret is named on a Certificate
-// as a 'next private key' Secret resource.
-#IsNextPrivateKeySecretLabelKey: "cert-manager.io/next-private-key"
-
-// IngressIssuerNameAnnotationKey holds the issuerNameAnnotation value which can be
-// used to override the issuer specified on the created Certificate resource.
-#IngressIssuerNameAnnotationKey: "cert-manager.io/issuer"
-
-// IngressClusterIssuerNameAnnotationKey holds the clusterIssuerNameAnnotation value which
-// can be used to override the issuer specified on the created Certificate resource. The Certificate
-// will reference the specified *ClusterIssuer* instead of normal issuer.
-#IngressClusterIssuerNameAnnotationKey: "cert-manager.io/cluster-issuer"
-
-// IngressACMEIssuerHTTP01IngressClassAnnotationKey holds the acmeIssuerHTTP01IngressClassAnnotation value
-// which can be used to override the http01 ingressClass if the challenge type is set to http01
-#IngressACMEIssuerHTTP01IngressClassAnnotationKey: "acme.cert-manager.io/http01-ingress-class"
-
-// IngressClassAnnotationKey picks a specific "class" for the Ingress. The
-// controller only processes Ingresses with this annotation either unset, or
-// set to either the configured value or the empty string.
-#IngressClassAnnotationKey: "kubernetes.io/ingress.class"
-
-// Annotation added to CertificateRequest resources to denote the name of
-// a Secret resource containing the private key used to sign the CSR stored
-// on the resource.
-// This annotation *may* not be present, and is used by the 'self signing'
-// issuer type to self-sign certificates.
-#CertificateRequestPrivateKeyAnnotationKey: "cert-manager.io/private-key-secret-name"
-
-// Annotation to declare the CertificateRequest "revision", belonging to a Certificate Resource
-#CertificateRequestRevisionAnnotationKey: "cert-manager.io/certificate-revision"
-
-// IssueTemporaryCertificateAnnotation is an annotation that can be added to
-// Certificate resources.
-// If it is present, a temporary internally signed certificate will be
-// stored in the target Secret resource whilst the real Issuer is processing
-// the certificate request.
-#IssueTemporaryCertificateAnnotation: "cert-manager.io/issue-temporary-certificate"
-
-#ClusterIssuerKind:      "ClusterIssuer"
-#IssuerKind:             "Issuer"
-#CertificateKind:        "Certificate"
-#CertificateRequestKind: "CertificateRequest"
-
-// WantInjectAnnotation is the annotation that specifies that a particular
-// object wants injection of CAs.  It takes the form of a reference to a certificate
-// as namespace/name.  The certificate is expected to have the is-serving-for annotations.
-#WantInjectAnnotation: "cert-manager.io/inject-ca-from"
-
-// WantInjectAPIServerCAAnnotation will - if set to "true" - make the cainjector
-// inject the CA certificate for the Kubernetes apiserver into the resource.
-// It discovers the apiserver's CA by inspecting the service account credentials
-// mounted into the cainjector pod.
-#WantInjectAPIServerCAAnnotation: "cert-manager.io/inject-apiserver-ca"
-
-// WantInjectFromSecretAnnotation is the annotation that specifies that a particular
-// object wants injection of CAs.  It takes the form of a reference to a Secret
-// as namespace/name.
-#WantInjectFromSecretAnnotation: "cert-manager.io/inject-ca-from-secret"
-
-// AllowsInjectionFromSecretAnnotation is an annotation that must be added
-// to Secret resource that want to denote that they can be directly
-// injected into injectables that have a `inject-ca-from-secret` annotation.
-// If an injectable references a Secret that does NOT have this annotation,
-// the cainjector will refuse to inject the secret.
-#AllowsInjectionFromSecretAnnotation: "cert-manager.io/allow-direct-injection"
-
-// VenafiCustomFieldsAnnotationKey is the annotation that passes on JSON encoded custom fields to the Venafi issuer
-// This will only work with Venafi TPP v19.3 and higher
-// The value is an array with objects containing the name and value keys
-// for example: `[{"name": "custom-field", "value": "custom-value"}]`
-#VenafiCustomFieldsAnnotationKey: "venafi.cert-manager.io/custom-fields"
-
-// VenafiPickupIDAnnotationKey is the annotation key used to record the
-// Venafi Pickup ID of a certificate signing request that has been submitted
-// to the Venafi API for collection later.
-#VenafiPickupIDAnnotationKey: "venafi.cert-manager.io/pickup-id"
-
-// KeyUsage specifies valid usage contexts for keys.
-// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
-//      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
-// Valid KeyUsage values are as follows:
-// "signing",
-// "digital signature",
-// "content commitment",
-// "key encipherment",
-// "key agreement",
-// "data encipherment",
-// "cert sign",
-// "crl sign",
-// "encipher only",
-// "decipher only",
-// "any",
-// "server auth",
-// "client auth",
-// "code signing",
-// "email protection",
-// "s/mime",
-// "ipsec end system",
-// "ipsec tunnel",
-// "ipsec user",
-// "timestamping",
-// "ocsp signing",
-// "microsoft sgc",
-// "netscape sgc"
-// +kubebuilder:validation:Enum="signing";"digital signature";"content commitment";"key encipherment";"key agreement";"data encipherment";"cert sign";"crl sign";"encipher only";"decipher only";"any";"server auth";"client auth";"code signing";"email protection";"s/mime";"ipsec end system";"ipsec tunnel";"ipsec user";"timestamping";"ocsp signing";"microsoft sgc";"netscape sgc"
-#KeyUsage: string // #enumKeyUsage
-
-#enumKeyUsage:
-	#UsageSigning |
-	#UsageDigitalSignature |
-	#UsageContentCommitment |
-	#UsageKeyEncipherment |
-	#UsageKeyAgreement |
-	#UsageDataEncipherment |
-	#UsageCertSign |
-	#UsageCRLSign |
-	#UsageEncipherOnly |
-	#UsageDecipherOnly |
-	#UsageAny |
-	#UsageServerAuth |
-	#UsageClientAuth |
-	#UsageCodeSigning |
-	#UsageEmailProtection |
-	#UsageSMIME |
-	#UsageIPsecEndSystem |
-	#UsageIPsecTunnel |
-	#UsageIPsecUser |
-	#UsageTimestamping |
-	#UsageOCSPSigning |
-	#UsageMicrosoftSGC |
-	#UsageNetscapeSGC
-
-#UsageSigning:           #KeyUsage & "signing"
-#UsageDigitalSignature:  #KeyUsage & "digital signature"
-#UsageContentCommitment: #KeyUsage & "content commitment"
-#UsageKeyEncipherment:   #KeyUsage & "key encipherment"
-#UsageKeyAgreement:      #KeyUsage & "key agreement"
-#UsageDataEncipherment:  #KeyUsage & "data encipherment"
-#UsageCertSign:          #KeyUsage & "cert sign"
-#UsageCRLSign:           #KeyUsage & "crl sign"
-#UsageEncipherOnly:      #KeyUsage & "encipher only"
-#UsageDecipherOnly:      #KeyUsage & "decipher only"
-#UsageAny:               #KeyUsage & "any"
-#UsageServerAuth:        #KeyUsage & "server auth"
-#UsageClientAuth:        #KeyUsage & "client auth"
-#UsageCodeSigning:       #KeyUsage & "code signing"
-#UsageEmailProtection:   #KeyUsage & "email protection"
-#UsageSMIME:             #KeyUsage & "s/mime"
-#UsageIPsecEndSystem:    #KeyUsage & "ipsec end system"
-#UsageIPsecTunnel:       #KeyUsage & "ipsec tunnel"
-#UsageIPsecUser:         #KeyUsage & "ipsec user"
-#UsageTimestamping:      #KeyUsage & "timestamping"
-#UsageOCSPSigning:       #KeyUsage & "ocsp signing"
-#UsageMicrosoftSGC:      #KeyUsage & "microsoft sgc"
-#UsageNetscapeSGC:       #KeyUsage & "netscape sgc"
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_issuer_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_issuer_go_gen.cue
@@ -1,316 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
-
-package v1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	cmacme "github.com/jetstack/cert-manager/pkg/apis/acme/v1"
-	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
-)
-
-// A ClusterIssuer represents a certificate issuing authority which can be
-// referenced as part of `issuerRef` fields.
-// It is similar to an Issuer, however it is cluster-scoped and therefore can
-// be referenced by resources that exist in *any* namespace, not just the same
-// namespace as the referent.
-#ClusterIssuer: {
-	metav1.#TypeMeta
-	metadata?: metav1.#ObjectMeta @go(ObjectMeta)
-
-	// Desired state of the ClusterIssuer resource.
-	spec: #IssuerSpec @go(Spec)
-
-	// Status of the ClusterIssuer. This is set and managed automatically.
-	// +optional
-	status: #IssuerStatus @go(Status)
-}
-
-// ClusterIssuerList is a list of Issuers
-#ClusterIssuerList: {
-	metav1.#TypeMeta
-	metadata: metav1.#ListMeta @go(ListMeta)
-	items: [...#ClusterIssuer] @go(Items,[]ClusterIssuer)
-}
-
-// An Issuer represents a certificate issuing authority which can be
-// referenced as part of `issuerRef` fields.
-// It is scoped to a single namespace and can therefore only be referenced by
-// resources within the same namespace.
-#Issuer: {
-	metav1.#TypeMeta
-	metadata?: metav1.#ObjectMeta @go(ObjectMeta)
-
-	// Desired state of the Issuer resource.
-	spec: #IssuerSpec @go(Spec)
-
-	// Status of the Issuer. This is set and managed automatically.
-	// +optional
-	status: #IssuerStatus @go(Status)
-}
-
-// IssuerList is a list of Issuers
-#IssuerList: {
-	metav1.#TypeMeta
-	metadata: metav1.#ListMeta @go(ListMeta)
-	items: [...#Issuer] @go(Items,[]Issuer)
-}
-
-// IssuerSpec is the specification of an Issuer. This includes any
-// configuration required for the issuer.
-#IssuerSpec: {
-	#IssuerConfig
-}
-
-// The configuration for the issuer.
-// Only one of these can be set.
-#IssuerConfig: {
-	// ACME configures this issuer to communicate with a RFC8555 (ACME) server
-	// to obtain signed x509 certificates.
-	// +optional
-	acme?: null | cmacme.#ACMEIssuer @go(ACME,*cmacme.ACMEIssuer)
-
-	// CA configures this issuer to sign certificates using a signing CA keypair
-	// stored in a Secret resource.
-	// This is used to build internal PKIs that are managed by cert-manager.
-	// +optional
-	ca?: null | #CAIssuer @go(CA,*CAIssuer)
-
-	// Vault configures this issuer to sign certificates using a HashiCorp Vault
-	// PKI backend.
-	// +optional
-	vault?: null | #VaultIssuer @go(Vault,*VaultIssuer)
-
-	// SelfSigned configures this issuer to 'self sign' certificates using the
-	// private key used to create the CertificateRequest object.
-	// +optional
-	selfSigned?: null | #SelfSignedIssuer @go(SelfSigned,*SelfSignedIssuer)
-
-	// Venafi configures this issuer to sign certificates using a Venafi TPP
-	// or Venafi Cloud policy zone.
-	// +optional
-	venafi?: null | #VenafiIssuer @go(Venafi,*VenafiIssuer)
-}
-
-// Configures an issuer to sign certificates using a Venafi TPP
-// or Cloud policy zone.
-#VenafiIssuer: {
-	// Zone is the Venafi Policy Zone to use for this issuer.
-	// All requests made to the Venafi platform will be restricted by the named
-	// zone policy.
-	// This field is required.
-	zone: string @go(Zone)
-
-	// TPP specifies Trust Protection Platform configuration settings.
-	// Only one of TPP or Cloud may be specified.
-	// +optional
-	tpp?: null | #VenafiTPP @go(TPP,*VenafiTPP)
-
-	// Cloud specifies the Venafi cloud configuration settings.
-	// Only one of TPP or Cloud may be specified.
-	// +optional
-	cloud?: null | #VenafiCloud @go(Cloud,*VenafiCloud)
-}
-
-// VenafiTPP defines connection configuration details for a Venafi TPP instance
-#VenafiTPP: {
-	// URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
-	// for example: "https://tpp.example.com/vedsdk".
-	url: string @go(URL)
-
-	// CredentialsRef is a reference to a Secret containing the username and
-	// password for the TPP server.
-	// The secret must contain two keys, 'username' and 'password'.
-	credentialsRef: cmmeta.#LocalObjectReference @go(CredentialsRef)
-
-	// CABundle is a PEM encoded TLS certificate to use to verify connections to
-	// the TPP instance.
-	// If specified, system roots will not be used and the issuing CA for the
-	// TPP instance must be verifiable using the provided root.
-	// If not specified, the connection will be verified using the cert-manager
-	// system root certificates.
-	// +optional
-	caBundle?: bytes @go(CABundle,[]byte)
-}
-
-// VenafiCloud defines connection configuration details for Venafi Cloud
-#VenafiCloud: {
-	// URL is the base URL for Venafi Cloud.
-	// Defaults to "https://api.venafi.cloud/v1".
-	// +optional
-	url?: string @go(URL)
-
-	// APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
-	apiTokenSecretRef: cmmeta.#SecretKeySelector @go(APITokenSecretRef)
-}
-
-// Configures an issuer to 'self sign' certificates using the
-// private key used to create the CertificateRequest object.
-#SelfSignedIssuer: {
-	// The CRL distribution points is an X.509 v3 certificate extension which identifies
-	// the location of the CRL from which the revocation of this certificate can be checked.
-	// If not set certificate will be issued without CDP. Values are strings.
-	// +optional
-	crlDistributionPoints?: [...string] @go(CRLDistributionPoints,[]string)
-}
-
-// Configures an issuer to sign certificates using a HashiCorp Vault
-// PKI backend.
-#VaultIssuer: {
-	// Auth configures how cert-manager authenticates with the Vault server.
-	auth: #VaultAuth @go(Auth)
-
-	// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
-	server: string @go(Server)
-
-	// Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
-	// "my_pki_mount/sign/my-role-name".
-	path: string @go(Path)
-
-	// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
-	// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-	// +optional
-	namespace?: string @go(Namespace)
-
-	// PEM-encoded CA bundle (base64-encoded) used to validate Vault server
-	// certificate. Only used if the Server URL is using HTTPS protocol. This
-	// parameter is ignored for plain HTTP protocol connection. If not set the
-	// system root certificates are used to validate the TLS connection.
-	// +optional
-	caBundle?: bytes @go(CABundle,[]byte)
-}
-
-// Configuration used to authenticate with a Vault server.
-// Only one of `tokenSecretRef`, `appRole` or `kubernetes` may be specified.
-#VaultAuth: {
-	// TokenSecretRef authenticates with Vault by presenting a token.
-	// +optional
-	tokenSecretRef?: null | cmmeta.#SecretKeySelector @go(TokenSecretRef,*cmmeta.SecretKeySelector)
-
-	// AppRole authenticates with Vault using the App Role auth mechanism,
-	// with the role and secret stored in a Kubernetes Secret resource.
-	// +optional
-	appRole?: null | #VaultAppRole @go(AppRole,*VaultAppRole)
-
-	// Kubernetes authenticates with Vault by passing the ServiceAccount
-	// token stored in the named Secret resource to the Vault server.
-	// +optional
-	kubernetes?: null | #VaultKubernetesAuth @go(Kubernetes,*VaultKubernetesAuth)
-}
-
-// VaultAppRole authenticates with Vault using the App Role auth mechanism,
-// with the role and secret stored in a Kubernetes Secret resource.
-#VaultAppRole: {
-	// Path where the App Role authentication backend is mounted in Vault, e.g:
-	// "approle"
-	path: string @go(Path)
-
-	// RoleID configured in the App Role authentication backend when setting
-	// up the authentication backend in Vault.
-	roleId: string @go(RoleId)
-
-	// Reference to a key in a Secret that contains the App Role secret used
-	// to authenticate with Vault.
-	// The `key` field must be specified and denotes which entry within the Secret
-	// resource is used as the app role secret.
-	secretRef: cmmeta.#SecretKeySelector @go(SecretRef)
-}
-
-// Authenticate against Vault using a Kubernetes ServiceAccount token stored in
-// a Secret.
-#VaultKubernetesAuth: {
-	// The Vault mountPath here is the mount path to use when authenticating with
-	// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
-	// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
-	// default value "/v1/auth/kubernetes" will be used.
-	// +optional
-	mountPath?: string @go(Path)
-
-	// The required Secret field containing a Kubernetes ServiceAccount JWT used
-	// for authenticating with Vault. Use of 'ambient credentials' is not
-	// supported.
-	secretRef: cmmeta.#SecretKeySelector @go(SecretRef)
-
-	// A required field containing the Vault Role to assume. A Role binds a
-	// Kubernetes ServiceAccount with a set of Vault policies.
-	role: string @go(Role)
-}
-
-#CAIssuer: {
-	// SecretName is the name of the secret used to sign Certificates issued
-	// by this Issuer.
-	secretName: string @go(SecretName)
-
-	// The CRL distribution points is an X.509 v3 certificate extension which identifies
-	// the location of the CRL from which the revocation of this certificate can be checked.
-	// If not set, certificates will be issued without distribution points set.
-	// +optional
-	crlDistributionPoints?: [...string] @go(CRLDistributionPoints,[]string)
-
-	// The OCSP server list is an X.509 v3 extension that defines a list of
-	// URLs of OCSP responders. The OCSP responders can be queried for the
-	// revocation status of an issued certificate. If not set, the
-	// certificate will be issued with no OCSP servers set. For example, an
-	// OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
-	// +optional
-	ocspServers?: [...string] @go(OCSPServers,[]string)
-}
-
-// IssuerStatus contains status information about an Issuer
-#IssuerStatus: {
-	// List of status conditions to indicate the status of a CertificateRequest.
-	// Known condition types are `Ready`.
-	// +optional
-	conditions?: [...#IssuerCondition] @go(Conditions,[]IssuerCondition)
-
-	// ACME specific status options.
-	// This field should only be set if the Issuer is configured to use an ACME
-	// server to issue certificates.
-	// +optional
-	acme?: null | cmacme.#ACMEIssuerStatus @go(ACME,*cmacme.ACMEIssuerStatus)
-}
-
-// IssuerCondition contains condition information for an Issuer.
-#IssuerCondition: {
-	// Type of the condition, known values are (`Ready`).
-	type: #IssuerConditionType @go(Type)
-
-	// Status of the condition, one of (`True`, `False`, `Unknown`).
-	status: cmmeta.#ConditionStatus @go(Status)
-
-	// LastTransitionTime is the timestamp corresponding to the last status
-	// change of this condition.
-	// +optional
-	lastTransitionTime?: null | metav1.#Time @go(LastTransitionTime,*metav1.Time)
-
-	// Reason is a brief machine readable explanation for the condition's last
-	// transition.
-	// +optional
-	reason?: string @go(Reason)
-
-	// Message is a human readable description of the details of the last
-	// transition, complementing reason.
-	// +optional
-	message?: string @go(Message)
-
-	// If set, this represents the .metadata.generation that the condition was
-	// set based upon.
-	// For instance, if .metadata.generation is currently 12, but the
-	// .status.condition[x].observedGeneration is 9, the condition is out of date
-	// with respect to the current state of the Issuer.
-	// +optional
-	observedGeneration?: int64 @go(ObservedGeneration)
-}
-
-// IssuerConditionType represents an Issuer condition value.
-#IssuerConditionType: string // #enumIssuerConditionType
-
-#enumIssuerConditionType:
-	#IssuerConditionReady
-
-// IssuerConditionReady represents the fact that a given Issuer condition
-// is in ready state and able to issue certificates.
-// If the `status` of this condition is `False`, CertificateRequest controllers
-// should prevent attempts to sign certificates.
-#IssuerConditionReady: #IssuerConditionType & "Ready"
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/meta/v1/doc_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/meta/v1/doc_go_gen.cue
@@ -1,9 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/meta/v1
-
-// Package v1 contains meta types for cert-manager APIs
-// +k8s:deepcopy-gen=package
-// +gencrdrefdocs:force
-// +groupName=meta.cert-manager.io
-package v1
--- a/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/meta/v1/types_go_gen.cue
+++ b/cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/meta/v1/types_go_gen.cue
@@ -1,64 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/meta/v1
-
-package v1
-
-// ConditionStatus represents a condition's status.
-// +kubebuilder:validation:Enum=True;False;Unknown
-#ConditionStatus: string // #enumConditionStatus
-
-#enumConditionStatus:
-	#ConditionTrue |
-	#ConditionFalse |
-	#ConditionUnknown
-
-// ConditionTrue represents the fact that a given condition is true
-#ConditionTrue: #ConditionStatus & "True"
-
-// ConditionFalse represents the fact that a given condition is false
-#ConditionFalse: #ConditionStatus & "False"
-
-// ConditionUnknown represents the fact that a given condition is unknown
-#ConditionUnknown: #ConditionStatus & "Unknown"
-
-// A reference to an object in the same namespace as the referent.
-// If the referent is a cluster-scoped resource (e.g. a ClusterIssuer),
-// the reference instead refers to the resource with the given name in the
-// configured 'cluster resource namespace', which is set as a flag on the
-// controller component (and defaults to the namespace that cert-manager
-// runs in).
-#LocalObjectReference: {
-	// Name of the resource being referred to.
-	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-	name: string @go(Name)
-}
-
-// ObjectReference is a reference to an object with a given name, kind and group.
-#ObjectReference: {
-	// Name of the resource being referred to.
-	name: string @go(Name)
-
-	// Kind of the resource being referred to.
-	// +optional
-	kind?: string @go(Kind)
-
-	// Group of the resource being referred to.
-	// +optional
-	group?: string @go(Group)
-}
-
-// A reference to a specific 'key' within a Secret resource.
-// In some instances, `key` is a required field.
-#SecretKeySelector: {
-	#LocalObjectReference
-
-	// The key of the entry in the Secret resource's `data` field to be used.
-	// Some instances of this field may be defaulted, in others it may be
-	// required.
-	// +optional
-	key?: string @go(Key)
-}
-
-// Used as a data key in Secret resources to store a CA certificate.
-#TLSCAKey: "ca.crt"
--- a/cue/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue
+++ b/cue/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue
@@ -1,31 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go k8s.io/apimachinery/pkg/types
-
-package types
-
-// NodeName is a type that holds a api.Node's Name identifier.
-// Being a type captures intent and helps make sure that the node name
-// is not confused with similar concepts (the hostname, the cloud provider id,
-// the cloud provider name etc)
-//
-// To clarify the various types:
-//
-// * Node.Name is the Name field of the Node in the API.  This should be stored in a NodeName.
-//   Unfortunately, because Name is part of ObjectMeta, we can't store it as a NodeName at the API level.
-//
-// * Hostname is the hostname of the local machine (from uname -n).
-//   However, some components allow the user to pass in a --hostname-override flag,
-//   which will override this in most places. In the absence of anything more meaningful,
-//   kubelet will use Hostname as the Node.Name when it creates the Node.
-//
-// * The cloudproviders have the own names: GCE has InstanceName, AWS has InstanceId.
-//
-//   For GCE, InstanceName is the Name of an Instance object in the GCE API.  On GCE, Instance.Name becomes the
-//   Hostname, and thus it makes sense also to use it as the Node.Name.  But that is GCE specific, and it is up
-//   to the cloudprovider how to do this mapping.
-//
-//   For AWS, the InstanceID is not yet suitable for use as a Node.Name, so we actually use the
-//   PrivateDnsName for the Node.Name.  And this is _not_ always the same as the hostname: if
-//   we are using a custom DHCP domain it won't be.
-#NodeName: string
--- a/cue/cue.mod/gen/time/format_go_gen.cue
+++ b/cue/cue.mod/gen/time/format_go_gen.cue
@@ -1,68 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go time
-
-package time
-
-#Layout:      "01/02 03:04:05PM '06 -0700"
-#ANSIC:       "Mon Jan _2 15:04:05 2006"
-#UnixDate:    "Mon Jan _2 15:04:05 MST 2006"
-#RubyDate:    "Mon Jan 02 15:04:05 -0700 2006"
-#RFC822:      "02 Jan 06 15:04 MST"
-#RFC822Z:     "02 Jan 06 15:04 -0700"
-#RFC850:      "Monday, 02-Jan-06 15:04:05 MST"
-#RFC1123:     "Mon, 02 Jan 2006 15:04:05 MST"
-#RFC1123Z:    "Mon, 02 Jan 2006 15:04:05 -0700"
-#RFC3339:     "2006-01-02T15:04:05Z07:00"
-#RFC3339Nano: "2006-01-02T15:04:05.999999999Z07:00"
-#Kitchen:     "3:04PM"
-
-// Handy time stamps.
-#Stamp:                     "Jan _2 15:04:05"
-#StampMilli:                "Jan _2 15:04:05.000"
-#StampMicro:                "Jan _2 15:04:05.000000"
-#StampNano:                 "Jan _2 15:04:05.000000000"
-_#stdLongMonth:             257
-_#stdMonth:                 258
-_#stdNumMonth:              259
-_#stdZeroMonth:             260
-_#stdLongWeekDay:           261
-_#stdWeekDay:               262
-_#stdDay:                   263
-_#stdUnderDay:              264
-_#stdZeroDay:               265
-_#stdUnderYearDay:          266
-_#stdZeroYearDay:           267
-_#stdHour:                  524
-_#stdHour12:                525
-_#stdZeroHour12:            526
-_#stdMinute:                527
-_#stdZeroMinute:            528
-_#stdSecond:                529
-_#stdZeroSecond:            530
-_#stdLongYear:              275
-_#stdYear:                  276
-_#stdPM:                    533
-_#stdpm:                    534
-_#stdTZ:                    23
-_#stdISO8601TZ:             24
-_#stdISO8601SecondsTZ:      25
-_#stdISO8601ShortTZ:        26
-_#stdISO8601ColonTZ:        27
-_#stdISO8601ColonSecondsTZ: 28
-_#stdNumTZ:                 29
-_#stdNumSecondsTz:          30
-_#stdNumShortTZ:            31
-_#stdNumColonTZ:            32
-_#stdNumColonSecondsTZ:     33
-_#stdFracSecond0:           34
-_#stdFracSecond9:           35
-_#stdNeedDate:              256
-_#stdNeedClock:             512
-_#stdArgShift:              16
-_#stdSeparatorShift:        28
-_#stdMask:                  65535
-
-_#lowerhex:  "0123456789abcdef"
-_#runeSelf:  0x80
-_#runeError: 65533 // '\uFFFD'
--- a/cue/cue.mod/gen/time/time_go_gen.cue
+++ b/cue/cue.mod/gen/time/time_go_gen.cue
@@ -1,266 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go time
-
-// Package time provides functionality for measuring and displaying time.
-//
-// The calendrical calculations always assume a Gregorian calendar, with
-// no leap seconds.
-//
-// Monotonic Clocks
-//
-// Operating systems provide both a “wall clock,” which is subject to
-// changes for clock synchronization, and a “monotonic clock,” which is
-// not. The general rule is that the wall clock is for telling time and
-// the monotonic clock is for measuring time. Rather than split the API,
-// in this package the Time returned by time.Now contains both a wall
-// clock reading and a monotonic clock reading; later time-telling
-// operations use the wall clock reading, but later time-measuring
-// operations, specifically comparisons and subtractions, use the
-// monotonic clock reading.
-//
-// For example, this code always computes a positive elapsed time of
-// approximately 20 milliseconds, even if the wall clock is changed during
-// the operation being timed:
-//
-// start := time.Now()
-// ... operation that takes 20 milliseconds ...
-// t := time.Now()
-// elapsed := t.Sub(start)
-//
-// Other idioms, such as time.Since(start), time.Until(deadline), and
-// time.Now().Before(deadline), are similarly robust against wall clock
-// resets.
-//
-// The rest of this section gives the precise details of how operations
-// use monotonic clocks, but understanding those details is not required
-// to use this package.
-//
-// The Time returned by time.Now contains a monotonic clock reading.
-// If Time t has a monotonic clock reading, t.Add adds the same duration to
-// both the wall clock and monotonic clock readings to compute the result.
-// Because t.AddDate(y, m, d), t.Round(d), and t.Truncate(d) are wall time
-// computations, they always strip any monotonic clock reading from their results.
-// Because t.In, t.Local, and t.UTC are used for their effect on the interpretation
-// of the wall time, they also strip any monotonic clock reading from their results.
-// The canonical way to strip a monotonic clock reading is to use t = t.Round(0).
-//
-// If Times t and u both contain monotonic clock readings, the operations
-// t.After(u), t.Before(u), t.Equal(u), and t.Sub(u) are carried out
-// using the monotonic clock readings alone, ignoring the wall clock
-// readings. If either t or u contains no monotonic clock reading, these
-// operations fall back to using the wall clock readings.
-//
-// On some systems the monotonic clock will stop if the computer goes to sleep.
-// On such a system, t.Sub(u) may not accurately reflect the actual
-// time that passed between t and u.
-//
-// Because the monotonic clock reading has no meaning outside
-// the current process, the serialized forms generated by t.GobEncode,
-// t.MarshalBinary, t.MarshalJSON, and t.MarshalText omit the monotonic
-// clock reading, and t.Format provides no format for it. Similarly, the
-// constructors time.Date, time.Parse, time.ParseInLocation, and time.Unix,
-// as well as the unmarshalers t.GobDecode, t.UnmarshalBinary.
-// t.UnmarshalJSON, and t.UnmarshalText always create times with
-// no monotonic clock reading.
-//
-// Note that the Go == operator compares not just the time instant but
-// also the Location and the monotonic clock reading. See the
-// documentation for the Time type for a discussion of equality
-// testing for Time values.
-//
-// For debugging, the result of t.String does include the monotonic
-// clock reading if present. If t != u because of different monotonic clock readings,
-// that difference will be visible when printing t.String() and u.String().
-//
-package time
-
-// A Time represents an instant in time with nanosecond precision.
-//
-// Programs using times should typically store and pass them as values,
-// not pointers. That is, time variables and struct fields should be of
-// type time.Time, not *time.Time.
-//
-// A Time value can be used by multiple goroutines simultaneously except
-// that the methods GobDecode, UnmarshalBinary, UnmarshalJSON and
-// UnmarshalText are not concurrency-safe.
-//
-// Time instants can be compared using the Before, After, and Equal methods.
-// The Sub method subtracts two instants, producing a Duration.
-// The Add method adds a Time and a Duration, producing a Time.
-//
-// The zero value of type Time is January 1, year 1, 00:00:00.000000000 UTC.
-// As this time is unlikely to come up in practice, the IsZero method gives
-// a simple way of detecting a time that has not been initialized explicitly.
-//
-// Each Time has associated with it a Location, consulted when computing the
-// presentation form of the time, such as in the Format, Hour, and Year methods.
-// The methods Local, UTC, and In return a Time with a specific location.
-// Changing the location in this way changes only the presentation; it does not
-// change the instant in time being denoted and therefore does not affect the
-// computations described in earlier paragraphs.
-//
-// Representations of a Time value saved by the GobEncode, MarshalBinary,
-// MarshalJSON, and MarshalText methods store the Time.Location's offset, but not
-// the location name. They therefore lose information about Daylight Saving Time.
-//
-// In addition to the required “wall clock” reading, a Time may contain an optional
-// reading of the current process's monotonic clock, to provide additional precision
-// for comparison or subtraction.
-// See the “Monotonic Clocks” section in the package documentation for details.
-//
-// Note that the Go == operator compares not just the time instant but also the
-// Location and the monotonic clock reading. Therefore, Time values should not
-// be used as map or database keys without first guaranteeing that the
-// identical Location has been set for all values, which can be achieved
-// through use of the UTC or Local method, and that the monotonic clock reading
-// has been stripped by setting t = t.Round(0). In general, prefer t.Equal(u)
-// to t == u, since t.Equal uses the most accurate comparison available and
-// correctly handles the case when only one of its arguments has a monotonic
-// clock reading.
-//
-#Time: _
-
-_#hasMonotonic: 9223372036854775808
-_#maxWall:      int64 & 68043243391
-_#minWall:      int64 & 59453308800
-_#nsecMask:     1073741823
-_#nsecShift:    30
-
-// A Month specifies a month of the year (January = 1, ...).
-#Month: int // #enumMonth
-
-#enumMonth:
-	#January |
-	#February |
-	#March |
-	#April |
-	#May |
-	#June |
-	#July |
-	#August |
-	#September |
-	#October |
-	#November |
-	#December
-
-#values_Month: {
-	January:   #January
-	February:  #February
-	March:     #March
-	April:     #April
-	May:       #May
-	June:      #June
-	July:      #July
-	August:    #August
-	September: #September
-	October:   #October
-	November:  #November
-	December:  #December
-}
-
-#January:   #Month & 1
-#February:  #Month & 2
-#March:     #Month & 3
-#April:     #Month & 4
-#May:       #Month & 5
-#June:      #Month & 6
-#July:      #Month & 7
-#August:    #Month & 8
-#September: #Month & 9
-#October:   #Month & 10
-#November:  #Month & 11
-#December:  #Month & 12
-
-// A Weekday specifies a day of the week (Sunday = 0, ...).
-#Weekday: int // #enumWeekday
-
-#enumWeekday:
-	#Sunday |
-	#Monday |
-	#Tuesday |
-	#Wednesday |
-	#Thursday |
-	#Friday |
-	#Saturday
-
-#values_Weekday: {
-	Sunday:    #Sunday
-	Monday:    #Monday
-	Tuesday:   #Tuesday
-	Wednesday: #Wednesday
-	Thursday:  #Thursday
-	Friday:    #Friday
-	Saturday:  #Saturday
-}
-
-#Sunday:    #Weekday & 0
-#Monday:    #Weekday & 1
-#Tuesday:   #Weekday & 2
-#Wednesday: #Weekday & 3
-#Thursday:  #Weekday & 4
-#Friday:    #Weekday & 5
-#Saturday:  #Weekday & 6
-
-// The unsigned zero year for internal calculations.
-// Must be 1 mod 400, and times before it will not compute correctly,
-// but otherwise can be changed at will.
-_#absoluteZeroYear: -292277022399
-
-// The year of the zero Time.
-// Assumed by the unixToInternal computation below.
-_#internalYear: 1
-
-// Offsets to convert between internal and absolute or Unix times.
-_#absoluteToInternal: int64 & -9223371966579724800
-_#internalToAbsolute: int64 & 9223371966579724800
-_#unixToInternal:     int64 & 62135596800
-_#internalToUnix:     int64 & -62135596800
-_#wallToInternal:     int64 & 59453308800
-_#internalToWall:     int64 & -59453308800
-
-// A Duration represents the elapsed time between two instants
-// as an int64 nanosecond count. The representation limits the
-// largest representable duration to approximately 290 years.
-#Duration: int64 // #enumDuration
-
-#enumDuration:
-	_#minDuration |
-	_#maxDuration |
-	#Nanosecond |
-	#Microsecond |
-	#Millisecond |
-	#Second |
-	#Minute |
-	#Hour
-
-#values_Duration: {
-	minDuration: _#minDuration
-	maxDuration: _#maxDuration
-	Nanosecond:  #Nanosecond
-	Microsecond: #Microsecond
-	Millisecond: #Millisecond
-	Second:      #Second
-	Minute:      #Minute
-	Hour:        #Hour
-}
-
-_#minDuration: #Duration & -9223372036854775808
-_#maxDuration: #Duration & 9223372036854775807
-
-#Nanosecond:  #Duration & 1
-#Microsecond: #Duration & 1000
-#Millisecond: #Duration & 1000000
-#Second:      #Duration & 1000000000
-#Minute:      #Duration & 60000000000
-#Hour:        #Duration & 3600000000000
-
-_#secondsPerMinute: 60
-_#secondsPerHour:   3600
-_#secondsPerDay:    86400
-_#secondsPerWeek:   604800
-_#daysPer400Years:  146097
-_#daysPer100Years:  36524
-_#daysPer4Years:    1461
-
-_#timeBinaryVersion: 1
--- a/cue/cue.mod/gen/time/zoneinfo_go_gen.cue
+++ b/cue/cue.mod/gen/time/zoneinfo_go_gen.cue
@@ -1,19 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go time
-
-package time
-
-// A Location maps time instants to the zone in use at that time.
-// Typically, the Location represents the collection of time offsets
-// in use in a geographical area. For many Locations the time offset varies
-// depending on whether daylight savings time is in use at the time instant.
-#Location: {
-}
-
-_#alpha: -9223372036854775808
-_#omega: 9223372036854775807
-
-_#ruleJulian:       _#ruleKind & 0
-_#ruleDOY:          _#ruleKind & 1
-_#ruleMonthWeekDay: _#ruleKind & 2
--- a/cue/cue.mod/gen/time/zoneinfo_read_go_gen.cue
+++ b/cue/cue.mod/gen/time/zoneinfo_read_go_gen.cue
@@ -1,11 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go time
-
-package time
-
-_#maxFileSize: 10485760
-
-_#seekStart:   0
-_#seekCurrent: 1
-_#seekEnd:     2
--- a/cue/cue.mod/module.cue
+++ b/cue/cue.mod/module.cue
@@ -1 +0,0 @@
-module: "github.com/stefanprodan/podinfo/cue"
--- a/cue/go.mod
+++ b/cue/go.mod
@@ -1,23 +0,0 @@
-module github.com/stefanprodan/podinfo/cue
-
-go 1.17
-
-require (
-	github.com/go-logr/logr v1.2.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/go-cmp v0.5.5 // indirect
-	github.com/google/gofuzz v1.1.0 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
-	golang.org/x/net v0.0.0-20211209124913-491a49abca63 // indirect
-	golang.org/x/text v0.3.7 // indirect
-	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/api v0.23.5 // indirect
-	k8s.io/apimachinery v0.23.5 // indirect
-	k8s.io/klog/v2 v2.30.0 // indirect
-	k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
-	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
-)
--- a/cue/go.sum
+++ b/cue/go.sum
@@ -1,231 +0,0 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
-github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
-github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
-github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
-github.com/go-logr/logr v1.2.0 h1:QK40JKJyMdUDz+h+xvCsru/bJhvG0UxvePV0ufL/AcE=
-github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
-github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
-github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
-github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
-github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
-github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
-github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
-github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
-github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
-github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
-github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
-github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY=
-golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
-gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.23.5 h1:zno3LUiMubxD/V1Zw3ijyKO3wxrhbUF1Ck+VjBvfaoA=
-k8s.io/api v0.23.5/go.mod h1:Na4XuKng8PXJ2JsploYYrivXrINeTaycCGcYgF91Xm8=
-k8s.io/apimachinery v0.23.5 h1:Va7dwhp8wgkUPWsEXk6XglXWU4IKYLKNlv8VkX7SDM0=
-k8s.io/apimachinery v0.23.5/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM=
-k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
-k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
-k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/klog/v2 v2.30.0 h1:bUO6drIvCIsvZ/XFgfxoGFQU/a4Qkh0iAlvUR7vlHJw=
-k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk=
-k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20211116205334-6203023598ed h1:ck1fRPWPJWsMd8ZRFsWc6mh/zHp5fZ/shhbrgPUxDAE=
-k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 h1:fD1pz4yfdADVNfFmcP2aBEtudwUQ1AlLnRBALr33v3s=
-sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs=
-sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
-sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
--- a/cue/main.cue
+++ b/cue/main.cue
@@ -1,27 +0,0 @@
-package main
-
-import (
-	podinfo "github.com/stefanprodan/podinfo/cue/podinfo"
-)
-
-resources: (podinfo.#Application & {
-	input: {
-		meta: {
-			name: "podinfo"
-			annotations: {
-				"app.kubernetes.io/part-of": "podinfo"
-			}
-		}
-		image: {
-			repository: "ghcr.io/stefanprodan/podinfo"
-			tag:        "6.1.2"
-		}
-		resources: requests: cpu: "100m"
-		hpa: {
-			enabled:     true
-			minReplicas: 2
-			maxReplicas: 4
-			cpu:         99
-		}
-	}
-}).out
--- a/cue/main_tool.cue
+++ b/cue/main_tool.cue
@@ -1,12 +0,0 @@
-package main
-
-import (
-	"tool/cli"
-	"encoding/yaml"
-)
-
-command: gen: {
-	task: print: cli.Print & {
-		text: yaml.MarshalStream([ for x in resources {x}])
-	}
-}
--- a/cue/podinfo/app.cue
+++ b/cue/podinfo/app.cue
@@ -1,21 +0,0 @@
-package podinfo
-
-#Application: {
-	input: #Config
-	out: {
-		sa:     #ServiceAccount & {_config: input}
-		deploy: #Deployment & {
-			_config:         input
-			_serviceAccount: sa.metadata.name
-		}
-		service: #Service & {_config: input}}
-	if input.hpa.enabled == true {
-		out: hpa: #HorizontalPodAutoscaler & {_config: input}
-	}
-	if input.serviceMonitor.enabled == true {
-		out: serviceMonitor: #ServiceMonitor & {_config: input}
-	}
-	if input.ingress.enabled == true {
-		out: ingress: #Ingress & {_config: input}
-	}
-}
--- a/cue/podinfo/certificate.cue
+++ b/cue/podinfo/certificate.cue
@@ -1,24 +0,0 @@
-package podinfo
-
-import (
-	certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
-	"encoding/yaml"
-)
-
-#certConfig: {
-	dnsNames: [string]
-	tlsSecretName: string
-	issuerRef:     string
-}
-
-#Certificate: certmanv1.#Certificate & {
-	_config:    #Config
-	apiVersion: "v1"
-	kind:       "Certificate"
-	metadata:   _config.meta
-	spec:       certmanv1.#CertificateSpec & {
-		dnsNames:   _config.cert.dnsNames
-		secretName: _config.cert.tlsSecretName
-		issuerRef:  yaml.Marshal(_config.cert.issuerRef)
-	}
-}
--- a/cue/podinfo/config.cue
+++ b/cue/podinfo/config.cue
@@ -1,59 +0,0 @@
-package podinfo
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	corev1 "k8s.io/api/core/v1"
-)
-
-#Config: {
-	meta: metav1.#ObjectMeta
-	image: {
-		repository: *"ghcr.io/stefanprodan/podinfo" | string
-		tag:        string
-		pullPolicy: *"IfNotPresent" | string
-	}
-	selectorLabels: {
-		"app.kubernetes.io/name": meta.name
-	}
-	replicas: *1 | int
-	service:  #serviceConfig
-	host:     string
-	cache:    string
-	backends: [string]
-	logLevel: *"info" | string
-	faults: {
-		delay:     *false | bool
-		error:     *false | bool
-		unhealthy: *false | bool
-		unready:   *false | bool
-	}
-	h2c: {
-		enabled: *false | bool
-	}
-	ui: {
-		color:   *"#34577c" | string
-		message: *"" | string
-		logo:    *"" | string
-	}
-	podAnnotations: {[ string]: string}
-	securityContext: corev1.#PodSecurityContext
-	resources:       *{
-		requests: {
-			cpu:    "1m"
-			memory: "16Mi"
-		}
-	} | corev1.#ResourceRequirements
-	nodeSelector: {[ string]: string}
-	affinity: corev1.#Affinity
-	tolerations: [ ...corev1.#Toleration]
-	tls: {
-		enabled:    *false | bool
-		port:       *9899 | int
-		certPath:   *"/data/cert" | string
-		secretName: *"" | string
-	}
-	cert:           #certConfig
-	hpa:            #hpaConfig
-	ingress:        #ingressConfig
-	serviceMonitor: #serviceMonConfig
-}
--- a/cue/podinfo/deployment.cue
+++ b/cue/podinfo/deployment.cue
@@ -1,123 +0,0 @@
-package podinfo
-
-import (
-	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
-)
-
-#Deployment: appsv1.#Deployment & {
-	_config:         #Config
-	_serviceAccount: string
-	apiVersion:      "apps/v1"
-	kind:            "Deployment"
-	metadata:        _config.meta
-	spec:            appsv1.#DeploymentSpec & {
-		if _config.hpa.enabled == false {
-			replicas: _config.replicas
-		}
-		strategy: {
-			type: "RollingUpdate"
-			rollingUpdate: maxUnavailable: 1
-		}
-		selector: matchLabels: _config.selectorLabels
-		template: {
-			metadata: {
-				labels: _config.selectorLabels
-				annotations: {
-					"prometheus.io/scrape": "true"
-					"prometheus.io/port":   "\(_config.service.metricsPort)"
-					_config.podAnnotations
-				}
-			}
-			spec: corev1.#PodSpec & {
-				terminationGracePeriodSeconds: 30
-				serviceAccountName:            _serviceAccount
-				containers: [
-					{
-						name:            "podinfo"
-						image:           "\(_config.image.repository):\(_config.image.tag)"
-						imagePullPolicy: _config.image.pullPolicy
-						securityContext: _config.securityContext
-						command: [
-							"./podinfo",
-							"--port=\(_config.service.httpPort)",
-							"--port-metrics=\(_config.service.metricsPort)",
-							"--grpc-port=\(_config.service.grpcPort)",
-							"--level=\(_config.logLevel)",
-							"--random-delay=\(_config.faults.delay)",
-							"--random-error=\(_config.faults.error)",
-						]
-						ports: [
-							{
-								name:          "http"
-								containerPort: _config.service.httpPort
-								protocol:      "TCP"
-							},
-							{
-								name:          "http-metrics"
-								containerPort: _config.service.metricsPort
-								protocol:      "TCP"
-							},
-							{
-								name:          "grpc"
-								containerPort: _config.service.grpcPort
-								protocol:      "TCP"
-							},
-						]
-						livenessProbe: {
-							exec: {
-								command: [
-									"podcli",
-									"check",
-									"http",
-									"localhost:\(_config.service.httpPort)/healthz",
-								]
-							}
-							initialDelaySeconds: 1
-							timeoutSeconds:      5
-						}
-						readinessProbe: {
-							exec: {
-								command: [
-									"podcli",
-									"check",
-									"http",
-									"localhost:\(_config.service.httpPort)/readyz",
-								]
-							}
-							initialDelaySeconds: 1
-							timeoutSeconds:      5
-						}
-						volumeMounts: [
-							{
-								name:      "data"
-								mountPath: "/data"
-							},
-							if _config.tls.secretName != "" {
-								name:      "tls"
-								mountPath: _config.tls.certPath
-								readOnly:  true
-							},
-						]
-						resources: _config.resources
-					},
-				]
-				nodeSelector: _config.nodeSelector
-				affinity:     _config.affinity
-				tolerations:  _config.tolerations
-				volumes: [
-					{
-						name: "data"
-						emptyDir: {}
-					},
-					if _config.tls.secretName != "" {
-						name: "tls"
-						secret: {
-							secretName: _config.tls.secretName
-						}
-					},
-				]
-			}
-		}
-	}
-}
--- a/cue/podinfo/ingress.cue
+++ b/cue/podinfo/ingress.cue
@@ -1,48 +0,0 @@
-package podinfo
-
-import (
-	netv1 "k8s.io/api/networking/v1"
-)
-
-#ingressConfig: {
-	svcName:   string
-	svcPort:   int
-	enabled:   *false | bool
-	className: *"" | string
-	tls: [{
-		hosts: [string]
-		secretName: string
-	}]
-	hosts: [{
-		host: "podinfo.local"
-		paths: [{
-			path:     "/"
-			pathType: "ImplementationSpecific"
-		}]
-	}]
-}
-
-#Ingress: netv1.#Ingress & {
-	_config:    #Config
-	apiVersion: "networking.k8s.io/v1"
-	kind:       "Ingress"
-	metadata:   _config.meta
-	spec:       netv1.#IngressSpec & {
-		ingressClassName: _config.ingress.className
-		tls: [ for t in _config.ingress.tls {
-			hosts:      t.hosts
-			secretName: t.secretName
-		}]
-		rules: [ for h in _config.ingress.hosts {
-			host: h.host
-			http: paths: [ for p in h.paths {
-				path:     p.path
-				pathType: p.pathType
-				backend: service: {
-					name: _config.meta.name
-					port: number: _config.service.externalPort
-				}
-			}]
-		}]
-	}
-}
--- a/cue/podinfo/service.cue
+++ b/cue/podinfo/service.cue
@@ -1,43 +0,0 @@
-package podinfo
-
-import (
-	corev1 "k8s.io/api/core/v1"
-)
-
-#serviceConfig: {
-	type:         *"ClusterIP" | string
-	externalPort: *9898 | int
-	httpPort:     *9898 | int
-	metricsPort:  *9797 | int
-	grpcPort:     *9999 | int
-	grpcService:  "podinfo" | string
-	nodePort:     *31198 | int
-}
-
-#Service: corev1.#Service & {
-	_config:    #Config
-	apiVersion: "v1"
-	kind:       "Service"
-	metadata:   _config.meta
-	spec:       corev1.#ServiceSpec & {
-		type:     "ClusterIP"
-		selector: _config.selectorLabels
-		ports: [{
-			name:       "http"
-			port:       _config.service.externalPort
-			targetPort: _config.service.httpPort
-			protocol:   "TCP"
-		}, if _config.tls.enabled == true {
-			name:       "https"
-			port:       _config.tls.port
-			targetPort: "https"
-			protocol:   "TCP"
-		}, if _config.service.grpcPort != _|_ {
-			name:       "grpc"
-			port:       _config.service.grpcPort
-			targetPort: "grpc"
-			protocol:   "TCP"
-		},
-		]
-	}
-}
--- a/cue/podinfo/servicemonitor.cue
+++ b/cue/podinfo/servicemonitor.cue
@@ -1,23 +0,0 @@
-package podinfo
-
-#serviceMonConfig: {
-	enabled:  *false | bool
-	interval: *"15s" | string
-	matchLabels: {}
-}
-
-#ServiceMonitor: {
-	_config:    #Config
-	apiVersion: "monitoring.coreos.com/v1"
-	kind:       "ServiceMonitor"
-	metadata:   _config.meta
-	spec: {
-		endpoints: [{
-			path:     "/metrics"
-			port:     "http"
-			interval: _config.serviceMonitor.interval
-		}]
-		namespaceSelector: matchNames: _config.meta.namespace
-		selector: matchLabels:         _config.selectorLabels
-	}
-}
--- a/deploy/bases/backend/deployment.yaml
+++ b/deploy/bases/backend/deployment.yaml
@@ -23,7 +23,7 @@ spec:
    spec:
      containers:
      - name: backend
-        image: ghcr.io/stefanprodan/podinfo:6.1.2
+        image: ghcr.io/stefanprodan/podinfo:6.5.1
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
--- a/deploy/bases/backend/hpa.yaml
+++ b/deploy/bases/backend/hpa.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: backend
--- a/deploy/bases/cache/deployment.yaml
+++ b/deploy/bases/cache/deployment.yaml
@@ -13,7 +13,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:6.0.1
+          image: redis:7.0.7
          imagePullPolicy: IfNotPresent
          command:
            - redis-server
--- a/deploy/bases/frontend/deployment.yaml
+++ b/deploy/bases/frontend/deployment.yaml
@@ -23,7 +23,7 @@ spec:
    spec:
      containers:
      - name: frontend
-        image: ghcr.io/stefanprodan/podinfo:6.1.2
+        image: ghcr.io/stefanprodan/podinfo:6.5.1
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
--- a/deploy/bases/frontend/hpa.yaml
+++ b/deploy/bases/frontend/hpa.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: frontend
--- a/deploy/secure/backend/hpa.yaml
+++ b/deploy/secure/backend/hpa.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: backend
--- a/deploy/secure/frontend/hpa.yaml
+++ b/deploy/secure/frontend/hpa.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: frontend
--- a/deploy/webapp/backend/deployment.yaml
+++ b/deploy/webapp/backend/deployment.yaml
@@ -25,7 +25,7 @@ spec:
      serviceAccountName: webapp
      containers:
      - name: backend
-        image: ghcr.io/stefanprodan/podinfo:6.1.2
+        image: ghcr.io/stefanprodan/podinfo:6.5.1
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
--- a/deploy/webapp/backend/hpa.yaml
+++ b/deploy/webapp/backend/hpa.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: backend
--- a/deploy/webapp/frontend/deployment.yaml
+++ b/deploy/webapp/frontend/deployment.yaml
@@ -25,7 +25,7 @@ spec:
      serviceAccountName: webapp
      containers:
      - name: frontend
-        image: ghcr.io/stefanprodan/podinfo:6.1.2
+        image: ghcr.io/stefanprodan/podinfo:6.5.1
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
--- a/deploy/webapp/frontend/hpa.yaml
+++ b/deploy/webapp/frontend/hpa.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: frontend
--- a/go.mod
+++ b/go.mod
@@ -1,84 +1,86 @@
 module github.com/stefanprodan/podinfo

-go 1.17
+go 1.21

 require (
-	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
-	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e
-	github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1
-	github.com/fatih/color v1.9.0
-	github.com/fsnotify/fsnotify v1.4.9
-	github.com/gomodule/redigo v1.8.4
+	github.com/chzyer/readline v1.5.1
+	github.com/fatih/color v1.15.0
+	github.com/fsnotify/fsnotify v1.6.0
+	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/gomodule/redigo v1.8.9
 	github.com/gorilla/mux v1.8.0
-	github.com/gorilla/websocket v1.4.2
-	github.com/prometheus/client_golang v1.11.0
-	github.com/spf13/cobra v1.2.1
+	github.com/gorilla/websocket v1.5.0
+	github.com/prometheus/client_golang v1.17.0
+	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.8.1
-	github.com/swaggo/http-swagger v1.0.0
-	github.com/swaggo/swag v1.7.6
-	go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.28.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.28.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.28.0
-	go.opentelemetry.io/contrib/propagators/aws v1.3.0
-	go.opentelemetry.io/contrib/propagators/b3 v1.3.0
-	go.opentelemetry.io/contrib/propagators/jaeger v1.3.0
-	go.opentelemetry.io/contrib/propagators/ot v1.3.0
-	go.opentelemetry.io/otel v1.3.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.3.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.3.0
-	go.opentelemetry.io/otel/sdk v1.3.0
-	go.opentelemetry.io/otel/trace v1.3.0
-	go.uber.org/zap v1.19.1
-	golang.org/x/net v0.0.0-20211216030914-fe4d6282115f
-	google.golang.org/grpc v1.43.0
+	github.com/spf13/viper v1.16.0
+	github.com/swaggo/http-swagger v1.3.4
+	github.com/swaggo/swag v1.16.2
+	go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.45.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.45.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0
+	go.opentelemetry.io/contrib/propagators/aws v1.20.0
+	go.opentelemetry.io/contrib/propagators/b3 v1.20.0
+	go.opentelemetry.io/contrib/propagators/jaeger v1.20.0
+	go.opentelemetry.io/contrib/propagators/ot v1.20.0
+	go.opentelemetry.io/otel v1.19.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0
+	go.opentelemetry.io/otel/sdk v1.19.0
+	go.opentelemetry.io/otel/trace v1.19.0
+	go.uber.org/zap v1.26.0
+	golang.org/x/net v0.15.0
+	google.golang.org/grpc v1.58.2
 )

+// Fix CVE-2022-32149
+replace golang.org/x/text => golang.org/x/text v0.13.0
+
+// Fix CVE-2022-28948
+replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
+
 require (
 	github.com/KyleBanks/depth v1.2.1 // indirect
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.2 // indirect
-	github.com/cespare/xxhash/v2 v2.1.1 // indirect
-	github.com/felixge/httpsnoop v1.0.2 // indirect
-	github.com/go-logr/logr v1.2.1 // indirect
-	github.com/go-logr/stdr v1.2.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/felixge/httpsnoop v1.0.3 // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/spec v0.20.3 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/spec v0.20.6 // indirect
+	github.com/go-openapi/swag v0.19.15 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
-	github.com/mattn/go-colorable v0.1.4 // indirect
-	github.com/mattn/go-isatty v0.0.12 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
-	github.com/mitchellh/mapstructure v1.4.1 // indirect
-	github.com/pelletier/go-toml v1.9.3 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.26.0 // indirect
-	github.com/prometheus/procfs v0.6.0 // indirect
-	github.com/spf13/afero v1.6.0 // indirect
-	github.com/spf13/cast v1.3.1 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
+	github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
+	github.com/prometheus/procfs v0.11.1 // indirect
+	github.com/spf13/afero v1.9.5 // indirect
+	github.com/spf13/cast v1.5.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/subosito/gotenv v1.2.0 // indirect
-	github.com/swaggo/files v0.0.0-20190704085106-630677cd5c14 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.3.0 // indirect
-	go.opentelemetry.io/otel/internal/metric v0.26.0 // indirect
-	go.opentelemetry.io/otel/metric v0.26.0 // indirect
-	go.opentelemetry.io/proto/otlp v0.11.0 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40 // indirect
-	golang.org/x/text v0.3.6 // indirect
-	golang.org/x/tools v0.1.5 // indirect
-	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
-	google.golang.org/protobuf v1.27.1 // indirect
-	gopkg.in/ini.v1 v1.62.0 // indirect
+	github.com/subosito/gotenv v1.4.2 // indirect
+	github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe // indirect
+	go.opentelemetry.io/otel/metric v1.19.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/tools v0.7.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -3,6 +3,7 @@ cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
 cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
+cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
 cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
 cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
 cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
@@ -15,9 +16,7 @@ cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOY
 cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
 cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
 cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
-cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
-cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
-cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
+cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
@@ -26,7 +25,6 @@ cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4g
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
-cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
@@ -36,116 +34,74 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
+cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/KyleBanks/depth v1.2.1 h1:5h8fQADFrWtarTdtDudMmGsC7GPbOAu6RVB3ffsVFHc=
 github.com/KyleBanks/depth v1.2.1/go.mod h1:jzSb9d0L43HxTQfT+oSA1EEp2q+ne2uh6XgeJcm8brE=
-github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
-github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/agiledragon/gomonkey/v2 v2.3.1 h1:k+UnUY0EMNYUFUAQVETGY9uUTxjMdnUkP0ARyJS1zzs=
-github.com/agiledragon/gomonkey/v2 v2.3.1/go.mod h1:ap1AmDzcVOAz1YpeJ3TCzIgstoaWLA6jbbgxfB4w2iY=
-github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
-github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
-github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
-github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
-github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
-github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
-github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
-github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
-github.com/cenkalti/backoff/v4 v4.1.2 h1:6Yo7N8UP2K6LWZnW94DLVSSrbobcWdVzAYOisuDPIFo=
-github.com/cenkalti/backoff/v4 v4.1.2/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
+github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
+github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
-github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chzyer/logex v1.1.10 h1:Swpa1K6QvQznwJRcfTfQJmTE72DqScAa40E+fbHEXEE=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8=
+github.com/chzyer/logex v1.2.1 h1:XHDu3E6q+gdHgsdTPH6ImJMIp436vR6MPtH8gP05QzM=
+github.com/chzyer/logex v1.2.1/go.mod h1:JLbx6lG2kDbNRFnfkgvh4eRJRPX1QCoOIWomwysCBrQ=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1 h1:q763qf9huN11kDQavWsoZXJNW3xEE4JJyHa5Q25/sd8=
+github.com/chzyer/readline v1.5.1 h1:upd/6fQk4src78LMRzh5vItIt361/o4uq553V8B5sGI=
+github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
+github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
-github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 h1:CaO/zOnF8VvUfEbhRatPcwKVWamvbYd8tQGRWacE9kU=
-github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1/go.mod h1:+hnT3ywWDTAFrW5aE+u2Sa/wT555ZqwoCS+pk3p6ry4=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s=
-github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
-github.com/felixge/httpsnoop v1.0.2 h1:+nS9g82KMXccJ/wp0zyRW9ZBHFETmMGtkk+2CTTrW4o=
-github.com/felixge/httpsnoop v1.0.2/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
-github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-chi/chi v4.0.2+incompatible h1:maB6vn6FqCxrpz4FqWdh4+lwpyZIQS7YEAUcHlgXVRs=
-github.com/go-chi/chi v4.0.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
+github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
+github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
+github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
+github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY=
+github.com/frankban/quicktest v1.14.4/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
+github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
-github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
-github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
-github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.1 h1:DX7uPQ4WgAWfoh+NGGlbJQswnYIVvz0SRlLS3rPZQDA=
-github.com/go-logr/logr v1.2.1/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/stdr v1.2.0 h1:j4LrlVXgrbIWO83mmQUnK0Hi+YnbD+vzrE1z/EphbFE=
-github.com/go-logr/stdr v1.2.0/go.mod h1:YkVgnZu1ZjjL7xTxrfm/LLZBfkhTqSR1ydtm6jTKKwI=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
+github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
 github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonreference v0.19.4/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
-github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM=
-github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
-github.com/go-openapi/spec v0.19.14/go.mod h1:gwrgJS15eCUgjLpMjBJmbZezCsw88LmgeEip0M63doA=
-github.com/go-openapi/spec v0.20.0/go.mod h1:+81FIL1JwC5P3/Iuuozq3pPE9dXdIEGxFutcFKaVbmU=
-github.com/go-openapi/spec v0.20.3 h1:uH9RQ6vdyPSs2pSy9fL8QPspDF2AMIMPtmK5coSSjtQ=
-github.com/go-openapi/spec v0.20.3/go.mod h1:gG4F8wdEDN+YPBMVnzE85Rbhf+Th2DTvA9nFPQ5AYEg=
+github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA=
+github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo=
+github.com/go-openapi/spec v0.20.6 h1:ich1RQ3WDbfoeTqTAb+5EIxNmpKVJZWBNah9RAT0jIQ=
+github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
-github.com/go-openapi/swag v0.19.11/go.mod h1:Uc0gKkdR+ojzsEpjh39QChyu92vPgIr72POcgHMAgSY=
-github.com/go-openapi/swag v0.19.12/go.mod h1:eFdyEBkTdoAf/9RXBvj4cr1nH7GD8Kzo5HTt47gr72M=
-github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng=
-github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
-github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM=
+github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/glog v1.1.0 h1:/d3pCKDPWNnvIWe0vVUpNP32qc8U3PDVxySP/y360qE=
+github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -156,7 +112,6 @@ github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt
 github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
-github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -172,11 +127,10 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
-github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/gomodule/redigo v1.8.4 h1:Z5JUg94HMTR1XpwBaSH4vq3+PNSIykBLxMdglbw10gg=
-github.com/gomodule/redigo v1.8.4/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/gomodule/redigo v1.8.9 h1:Sl3u+2BI/kk+VEatbj0scLdrFhjPmbxOc1myhDP41ws=
+github.com/gomodule/redigo v1.8.9/go.mod h1:7ArFNvsTjH8GMMzB4uy1snslv2BwmginuMs06a1uzZE=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -187,12 +141,10 @@ github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
-github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -205,249 +157,161 @@ github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
-github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
-github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
-github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
-github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
-github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
-github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
-github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
-github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
-github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
-github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
-github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
-github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
-github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
-github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
+github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
+github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
-github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
-github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
-github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
-github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
-github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
-github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
-github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
-github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
-github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
-github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls=
-github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
+github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
+github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
-github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA=
-github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
-github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
-github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
-github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
-github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
-github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
-github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
-github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
-github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag=
-github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
+github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
+github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/otiai10/copy v1.7.0 h1:hVoPiN+t+7d2nzzwMiDHPSOogsWAStewq3TwU05+clE=
-github.com/otiai10/copy v1.7.0/go.mod h1:rmRl6QPdJj6EiUqXQ/4Nn2lLXoNQjFCQbbNrxgc/t3U=
-github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE=
-github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs=
-github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo=
-github.com/otiai10/mint v1.3.3/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc=
-github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
-github.com/pelletier/go-toml v1.9.3 h1:zeC5b1GviRUyKYd6OJPvBU/mcVDVoL1OhT17FCt5dSQ=
-github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pelletier/go-toml/v2 v2.0.8 h1:0ctb6s9mE31h0/lhu+J6OPmVeDxJn+kYnJc2jZR9tGQ=
+github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
+github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
-github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
-github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
-github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ=
-github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
-github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q=
+github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M=
-github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
-github.com/prometheus/common v0.26.0 h1:iMAkS2TDoNWnKM+Kopnx/8tnEStIfpYA0ur0xQzzhMQ=
-github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
-github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
-github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4=
-github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 h1:v7DLqVdK4VrYkVD5diGdl4sxJurKJEMnODWRJlxV9oM=
+github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
+github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
+github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
+github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI=
+github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
-github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
-github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
-github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
-github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
-github.com/spf13/afero v1.6.0 h1:xoax2sJ2DT8S8xA2paPFjDCScCNeWsg75VG0DLRreiY=
-github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
-github.com/spf13/cast v1.3.1 h1:nFm6S0SMdyzrzcmThSipiEubIDy8WEXKNZ0UOgiRpng=
-github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cobra v1.2.1 h1:+KmjbUw1hriSNMF55oPrkZcb27aECyrj8V2ytv7kWDw=
-github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/afero v1.9.5 h1:stMpOSZFs//0Lv29HduCmli3GUfpFoF3Y1Q/aXj/wVM=
+github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ=
+github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA=
+github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48=
+github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.8.1 h1:Kq1fyeebqsBfbjZj4EL7gj2IO0mMaiyjYUWcUsl2O44=
-github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
+github.com/spf13/viper v1.16.0 h1:rGGH0XDZhdUOryiDWjmIvUSWpbNqisK8Wk0Vyefw8hc=
+github.com/spf13/viper v1.16.0/go.mod h1:yg78JgCJcbrQOvV9YLXgkLaZqUidkY9K+Dd1FofRzQg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
-github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
-github.com/swaggo/files v0.0.0-20190704085106-630677cd5c14 h1:PyYN9JH5jY9j6av01SpfRMb+1DWg/i3MbGOKPxJ2wjM=
-github.com/swaggo/files v0.0.0-20190704085106-630677cd5c14/go.mod h1:gxQT6pBGRuIGunNf/+tSOB5OHvguWi8Tbt82WOkf35E=
-github.com/swaggo/http-swagger v1.0.0 h1:ksYgVBCYmAaxFsGVGojlPROgYfiQQSllETTWMtHJHTo=
-github.com/swaggo/http-swagger v1.0.0/go.mod h1:cKIcshBU9yEAnfWv6ZzVKSsEf8h5ozxB8/zHQWyOQ/8=
-github.com/swaggo/swag v1.7.0/go.mod h1:BdPIL73gvS9NBsdi7M1JOxLvlbfvNRaBP8m6WT6Aajo=
-github.com/swaggo/swag v1.7.6 h1:UbAqHyXkW2J+cDjs5S43MkuYR7a6stB7Am7SK8NBmRg=
-github.com/swaggo/swag v1.7.6/go.mod h1:7vLqNYEtYoIsD14wXgy9oDS65MNiDANrPtbk9rnLuj0=
-github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
+github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
+github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe h1:K8pHPVoTgxFJt1lXuIzzOX7zZhZFldJQK/CgKx9BFIc=
+github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe/go.mod h1:lKJPbtWzJ9JhsTN1k1gZgleJWY/cqq0psdoMmaThG3w=
+github.com/swaggo/http-swagger v1.3.4 h1:q7t/XLx0n15H1Q9/tk3Y9L4n210XzJF5WtnDX64a5ww=
+github.com/swaggo/http-swagger v1.3.4/go.mod h1:9dAh0unqMBAlbp1uE2Uc2mQTxNMU/ha4UbucIg1MFkQ=
+github.com/swaggo/swag v1.16.2 h1:28Pp+8DkQoV+HLzLx8RGJZXNGKbFqnuvSbAAtoxiY04=
+github.com/swaggo/swag v1.16.2/go.mod h1:6YzXnDcpr0767iOejs318CwYkCQqyGer6BizOg03f+E=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
-go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
-go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
-go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.28.0 h1:jGqTKfqtAbO+89WoLP7PuuOp2qCjaf+WkEDblYKL43k=
-go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.28.0/go.mod h1:M4oIwAKStYVkLiVuW0+yPXrwd+pjss8kr547uaJ0cJQ=
-go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.28.0 h1:3bv6d9BPHoaZLcl7OBYlmymaxAt0mngfDFkulGw2LXY=
-go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.28.0/go.mod h1:y6HdV2Mk43TiOiNvrxczQQX2enNN9sQVR9lXfnJj6JQ=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.28.0 h1:hpEoMBvKLC6CqFZogJypr9IHwwSNF3ayEkNzD502QAM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.28.0/go.mod h1:Ihno+mNBfZlT0Qot3XyRTdZ/9U/Cg2Pfgj75DTdIfq4=
-go.opentelemetry.io/contrib/propagators/aws v1.3.0 h1:BHhTUInxLQ6duq167/RIYERH6JM/33kYqePoCmSJsoM=
-go.opentelemetry.io/contrib/propagators/aws v1.3.0/go.mod h1:ugiMjPVWkdZy6FcU7YVYXF5jgLqiigf9TjDY+aRLjdw=
-go.opentelemetry.io/contrib/propagators/b3 v1.3.0 h1:f+JfMSDNm2u+fekYYjyoixk+DWDTDAGD3SC50y61koE=
-go.opentelemetry.io/contrib/propagators/b3 v1.3.0/go.mod h1:qzi0km8qO3l2jxB5aDg4Q9xyqV4HKnCWZYpVYDTUIT0=
-go.opentelemetry.io/contrib/propagators/jaeger v1.3.0 h1:yBy4QZXuMA7s3+uhLK556NdmjKpj3RjGMaW+WMLU6CM=
-go.opentelemetry.io/contrib/propagators/jaeger v1.3.0/go.mod h1:igceHZGoCcIJavRTG1dS7+9Vnoid4qa7SZPa7doupq8=
-go.opentelemetry.io/contrib/propagators/ot v1.3.0 h1:hqFpnicJXKy8l8PfwFWhRSt/TgOHCpugKiXsPP1zJUc=
-go.opentelemetry.io/contrib/propagators/ot v1.3.0/go.mod h1:Gpwe4R8j9Zbw7aaADYSQRE1U0o41j0TwnHxuhwRLklk=
-go.opentelemetry.io/otel v1.3.0 h1:APxLf0eiBwLl+SOXiJJCVYzA1OOJNyAoV8C5RNRyy7Y=
-go.opentelemetry.io/otel v1.3.0/go.mod h1:PWIKzi6JCp7sM0k9yZ43VX+T345uNbAkDKwHVjb2PTs=
-go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.3.0 h1:R/OBkMoGgfy2fLhs2QhkCI1w4HLEQX92GCcJB6SSdNk=
-go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.3.0/go.mod h1:VpP4/RMn8bv8gNo9uK7/IMY4mtWLELsS+JIP0inH0h4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.3.0 h1:giGm8w67Ja7amYNfYMdme7xSp2pIxThWopw8+QP51Yk=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.3.0/go.mod h1:hO1KLR7jcKaDDKDkvI9dP/FIhpmna5lkqPUQdEjFAM8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.3.0 h1:VQbUHoJqytHHSJ1OZodPH9tvZZSVzUHjPHpkO85sT6k=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.3.0/go.mod h1:keUU7UfnwWTWpJ+FWnyqmogPa82nuU5VUANFq49hlMY=
-go.opentelemetry.io/otel/internal/metric v0.26.0 h1:dlrvawyd/A+X8Jp0EBT4wWEe4k5avYaXsXrBr4dbfnY=
-go.opentelemetry.io/otel/internal/metric v0.26.0/go.mod h1:CbBP6AxKynRs3QCbhklyLUtpfzbqCLiafV9oY2Zj1Jk=
-go.opentelemetry.io/otel/metric v0.26.0 h1:VaPYBTvA13h/FsiWfxa3yZnZEm15BhStD8JZQSA773M=
-go.opentelemetry.io/otel/metric v0.26.0/go.mod h1:c6YL0fhRo4YVoNs6GoByzUgBp36hBL523rECoZA5UWg=
-go.opentelemetry.io/otel/sdk v1.3.0 h1:3278edCoH89MEJ0Ky8WQXVmDQv3FX4ZJ3Pp+9fJreAI=
-go.opentelemetry.io/otel/sdk v1.3.0/go.mod h1:rIo4suHNhQwBIPg9axF8V9CA72Wz2mKF1teNrup8yzs=
-go.opentelemetry.io/otel/trace v1.3.0 h1:doy8Hzb1RJ+I3yFhtDmwNc7tIyw1tNMOIsyPzp1NOGY=
-go.opentelemetry.io/otel/trace v1.3.0/go.mod h1:c/VDhno8888bvQYmbYLqe41/Ldmr/KKunbvWM4/fEjk=
-go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
-go.opentelemetry.io/proto/otlp v0.11.0 h1:cLDgIBTf4lLOlztkhzAEdQsJ4Lj+i5Wc9k6Nn0K1VyU=
-go.opentelemetry.io/proto/otlp v0.11.0/go.mod h1:QpEjXPrNQzrFDZgoTo49dgHR9RYRSrg3NAKnUGl9YpQ=
-go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
-go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
-go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA=
-go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
-go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
-go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
-go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
-go.uber.org/zap v1.19.1 h1:ue41HOKd1vGURxrmeKIgELGb3jPW9DMUDGtsinblHwI=
-go.uber.org/zap v1.19.1/go.mod h1:j3DNczoxDZroyBnOT1L/Q79cfUMGZxlv/9dzN7SM1rI=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.45.0 h1:CaagQrotQLgtDlHU6u9pE/Mf4mAwiLD8wrReIVt06lY=
+go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.45.0/go.mod h1:LOjFy00/ZMyMYfKFPta6kZe2cDUc1sNo/qtv1pSORWA=
+go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.45.0 h1:2ea0IkZBsWH+HA2GkD+7+hRw2u97jzdFyRtXuO14a1s=
+go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.45.0/go.mod h1:4m3RnBBb+7dB9d21y510oO1pdB1V4J6smNf14WXcBFQ=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 h1:x8Z78aZx8cOF0+Kkazoc7lwUNMGy0LrzEMxTm4BbTxg=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0/go.mod h1:62CPTSry9QZtOaSsE3tOzhx6LzDhHnXJ6xHeMNNiM6Q=
+go.opentelemetry.io/contrib/propagators/aws v1.20.0 h1:PByDRx6xPygwFP+L3FTlOifJoCB10T2LdRBZcDYMTJw=
+go.opentelemetry.io/contrib/propagators/aws v1.20.0/go.mod h1:MPJhNHiRW57k/q+apqUJqWxs2pfrGMCZ2nhh9/2imko=
+go.opentelemetry.io/contrib/propagators/b3 v1.20.0 h1:Yty9Vs4F3D6/liF1o6FNt0PvN85h/BJJ6DQKJ3nrcM0=
+go.opentelemetry.io/contrib/propagators/b3 v1.20.0/go.mod h1:On4VgbkqYL18kbJlWsa18+cMNe6rYpBnPi1ARI/BrsU=
+go.opentelemetry.io/contrib/propagators/jaeger v1.20.0 h1:iVhNKkMIpzyZqxk8jkDU2n4DFTD+FbpGacvooxEvyyc=
+go.opentelemetry.io/contrib/propagators/jaeger v1.20.0/go.mod h1:cpSABr0cm/AH/HhbJjn+AudBVUMgZWdfN3Gb+ZqxSZc=
+go.opentelemetry.io/contrib/propagators/ot v1.20.0 h1:duH7mgL6VGQH7e7QEAVOFkCQXWpCb4PjTtrhdrYrJRQ=
+go.opentelemetry.io/contrib/propagators/ot v1.20.0/go.mod h1:gijQzxOq0JLj9lyZhTvqjDddGV/zaNagpPIn+2r8CEI=
+go.opentelemetry.io/otel v1.19.0 h1:MuS/TNf4/j4IXsZuJegVzI1cwut7Qc00344rgH7p8bs=
+go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0 h1:3d+S281UTjM+AbF31XSOYn1qXn3BgIdWl8HNEpx08Jk=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0/go.mod h1:0+KuTDyKL4gjKCF75pHOX4wuzYDUZYfAQdSu43o+Z2I=
+go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPiOKwvpE=
+go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8=
+go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o=
+go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A=
+go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1Dzxpg=
+go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo=
+go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
+go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
+go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
+go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
+go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -471,7 +335,6 @@ golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRu
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
@@ -482,13 +345,12 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.9.0 h1:KENHtAZL2y3NLMYZeHY9DW8HW8V+kQyJsY/V9JlKvCs=
+golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -496,11 +358,9 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -517,15 +377,15 @@ golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201207224615-747e23833adb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20211216030914-fe4d6282115f h1:hEYJvxw1lSnWIl8X9ofsYMklzaDs90JI2az5YMd4fPM=
-golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -535,9 +395,6 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -548,30 +405,21 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -583,8 +431,6 @@ golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -592,37 +438,31 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40 h1:JWgyZ1qgdTaF3N3oxC+MdTV7qvEEgHo3otj+HB5CM7Q=
-golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
@@ -632,7 +472,6 @@ golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -655,26 +494,23 @@ golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
 golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201120155355-20be4ac4bd6e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201208062317-e652b2f42cc7/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.5 h1:ouewzE6p+/VEB31YYnTbEJdi8pFqKp4P4n85vwo3DHA=
-golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4=
+golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
@@ -695,9 +531,6 @@ google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz513
 google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
 google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
 google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
-google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
-google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
-google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -728,7 +561,6 @@ google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
@@ -740,13 +572,14 @@ google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
-google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c h1:wtujag7C+4D6KMoulW9YauvK2lgdvCMS260jsqqBXr0=
-google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
+google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 h1:Z0hjGZePRE0ZBWotvtrwxFNrNE9CUAGtplaDK5NNI/g=
+google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98/go.mod h1:S7mY02OqCJTD0E1OiQy1F72PWFB4bZJ87cAtLPYgDR0=
+google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 h1:FmF5cCW94Ij59cfpoLiwTgodWmm60eEV0CjlsVg2fuw=
+google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 h1:bVf09lpb+OJbByTj913DRJioFFAjf/ZGxEz7MajTp2U=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -760,16 +593,11 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.43.0 h1:Eeu7bZtDZ2DpRCsLhUlcrLnvYaMK1Gz86a+hMVvELmM=
-google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
+google.golang.org/grpc v1.58.2 h1:SXUpjxeVF3FKrTYQI4f4KvbGD5u2xccdYdurwowix5I=
+google.golang.org/grpc v1.58.2/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -782,30 +610,21 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU=
-gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
+gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/kustomize/deployment.yaml
+++ b/kustomize/deployment.yaml
@@ -23,7 +23,7 @@ spec:
    spec:
      containers:
      - name: podinfod
-        image: ghcr.io/stefanprodan/podinfo:6.1.2
+        image: ghcr.io/stefanprodan/podinfo:6.5.1
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
--- a/kustomize/hpa.yaml
+++ b/kustomize/hpa.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: podinfo
--- a/pkg/api/cache.go
+++ b/pkg/api/cache.go
@@ -2,7 +2,7 @@ package api

 import (
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"time"
@@ -20,6 +20,7 @@ import (
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param key path string true "Key to save to"
 // @Router /cache/{key} [post]
 // @Success 202
 func (s *Server) cacheWriteHandler(w http.ResponseWriter, r *http.Request) {
@@ -32,7 +33,7 @@ func (s *Server) cacheWriteHandler(w http.ResponseWriter, r *http.Request) {
 	}

 	key := mux.Vars(r)["key"]
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		s.ErrorResponse(w, r, span, "reading the request body failed", http.StatusBadRequest)
 		return
@@ -56,6 +57,7 @@ func (s *Server) cacheWriteHandler(w http.ResponseWriter, r *http.Request) {
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param key path string true "Key to delete"
 // @Router /cache/{key} [delete]
 // @Success 202
 func (s *Server) cacheDeleteHandler(w http.ResponseWriter, r *http.Request) {
@@ -87,6 +89,7 @@ func (s *Server) cacheDeleteHandler(w http.ResponseWriter, r *http.Request) {
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param key path string true "Key to load from cache"
 // @Router /cache/{key} [get]
 // @Success 200 {string} string value
 func (s *Server) cacheReadHandler(w http.ResponseWriter, r *http.Request) {
@@ -138,7 +141,7 @@ func (s *Server) getCacheConn() (redis.Conn, error) {
 	return redis.Dial("tcp", redisUrl.Host, opts...)
 }

-func (s *Server) startCachePool(ticker *time.Ticker, stopCh <-chan struct{}) {
+func (s *Server) startCachePool(ticker *time.Ticker) {
 	if s.config.CacheServer == "" {
 		return
 	}
@@ -166,8 +169,6 @@ func (s *Server) startCachePool(ticker *time.Ticker, stopCh <-chan struct{}) {
 		setVersion()
 		for {
 			select {
-			case <-stopCh:
-				return
 			case <-ticker.C:
 				setVersion()
 			}
--- a/pkg/api/chunked.go
+++ b/pkg/api/chunked.go
@@ -15,6 +15,7 @@ import (
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param seconds path int true "seconds to wait for"
 // @Router /chunked/{seconds} [get]
 // @Success 200 {object} api.MapResponse
 func (s *Server) chunkedHandler(w http.ResponseWriter, r *http.Request) {
--- a/pkg/api/delay.go
+++ b/pkg/api/delay.go
@@ -49,6 +49,7 @@ func (m *RandomDelayMiddleware) Handler(next http.Handler) http.Handler {
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param seconds path int true "seconds to wait for"
 // @Router /delay/{seconds} [get]
 // @Success 200 {object} api.MapResponse
 func (s *Server) delayHandler(w http.ResponseWriter, r *http.Request) {
--- a/pkg/api/docs/docs.go
+++ b/pkg/api/docs/docs.go
@@ -1,22 +1,13 @@
-// GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
-// This file was generated by swaggo/swag
-
+// Package docs Code generated by swaggo/swag. DO NOT EDIT
 package docs

-import (
-	"bytes"
-	"encoding/json"
-	"strings"
+import "github.com/swaggo/swag"

-	"github.com/alecthomas/template"
-	"github.com/swaggo/swag"
-)
-
-var doc = `{
+const docTemplate = `{
    "schemes": {{ marshal .Schemes }},
    "swagger": "2.0",
    "info": {
-        "description": "{{.Description}}",
+        "description": "{{escape .Description}}",
        "title": "{{.Title}}",
        "contact": {
            "name": "Source Code",
@@ -110,6 +101,15 @@ var doc = `{
                    "HTTP API"
                ],
                "summary": "Get payload from cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to load from cache",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -131,9 +131,18 @@ var doc = `{
                    "HTTP API"
                ],
                "summary": "Save payload in cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to save to",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "202": {
-                        "description": ""
+                        "description": "Accepted"
                    }
                }
            },
@@ -149,9 +158,18 @@ var doc = `{
                    "HTTP API"
                ],
                "summary": "Delete payload from cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to delete",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "202": {
-                        "description": ""
+                        "description": "Accepted"
                    }
                }
            }
@@ -169,6 +187,15 @@ var doc = `{
                    "HTTP API"
                ],
                "summary": "Chunked transfer encoding",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "seconds to wait for",
+                        "name": "seconds",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -192,6 +219,15 @@ var doc = `{
                    "HTTP API"
                ],
                "summary": "Delay",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "seconds to wait for",
+                        "name": "seconds",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -303,7 +339,8 @@ var doc = `{
                "tags": [
                    "HTTP API"
                ],
-                "summary": "Panic"
+                "summary": "Panic",
+                "responses": {}
            }
        },
        "/readyz": {
@@ -388,6 +425,15 @@ var doc = `{
                    "HTTP API"
                ],
                "summary": "Status code",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "status code to return",
+                        "name": "code",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -434,6 +480,15 @@ var doc = `{
                    "HTTP API"
                ],
                "summary": "Download file",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "hash value",
+                        "name": "hash",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "file",
@@ -610,49 +665,20 @@ var doc = `{
    }
 }`

-type swaggerInfo struct {
-	Version     string
-	Host        string
-	BasePath    string
-	Schemes     []string
-	Title       string
-	Description string
-}
-
 // SwaggerInfo holds exported Swagger Info so clients can modify it
-var SwaggerInfo = swaggerInfo{
-	Version:     "2.0",
-	Host:        "localhost:9898",
-	BasePath:    "/",
-	Schemes:     []string{"http", "https"},
-	Title:       "Podinfo API",
-	Description: "Go microservice template for Kubernetes.",
-}
-
-type s struct{}
-
-func (s *s) ReadDoc() string {
-	sInfo := SwaggerInfo
-	sInfo.Description = strings.Replace(sInfo.Description, "\n", "\\n", -1)
-
-	t, err := template.New("swagger_info").Funcs(template.FuncMap{
-		"marshal": func(v interface{}) string {
-			a, _ := json.Marshal(v)
-			return string(a)
-		},
-	}).Parse(doc)
-	if err != nil {
-		return doc
-	}
-
-	var tpl bytes.Buffer
-	if err := t.Execute(&tpl, sInfo); err != nil {
-		return doc
-	}
-
-	return tpl.String()
+var SwaggerInfo = &swag.Spec{
+	Version:          "2.0",
+	Host:             "localhost:9898",
+	BasePath:         "/",
+	Schemes:          []string{"http", "https"},
+	Title:            "Podinfo API",
+	Description:      "Go microservice template for Kubernetes.",
+	InfoInstanceName: "swagger",
+	SwaggerTemplate:  docTemplate,
+	LeftDelim:        "{{",
+	RightDelim:       "}}",
 }

 func init() {
-	swag.Register(swag.Name, &s{})
+	swag.Register(SwaggerInfo.InstanceName(), SwaggerInfo)
 }
--- a/pkg/api/docs/swagger.json
+++ b/pkg/api/docs/swagger.json
@@ -99,6 +99,15 @@
                    "HTTP API"
                ],
                "summary": "Get payload from cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to load from cache",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -120,9 +129,18 @@
                    "HTTP API"
                ],
                "summary": "Save payload in cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to save to",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "202": {
-                        "description": ""
+                        "description": "Accepted"
                    }
                }
            },
@@ -138,9 +156,18 @@
                    "HTTP API"
                ],
                "summary": "Delete payload from cache",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Key to delete",
+                        "name": "key",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "202": {
-                        "description": ""
+                        "description": "Accepted"
                    }
                }
            }
@@ -158,6 +185,15 @@
                    "HTTP API"
                ],
                "summary": "Chunked transfer encoding",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "seconds to wait for",
+                        "name": "seconds",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -181,6 +217,15 @@
                    "HTTP API"
                ],
                "summary": "Delay",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "seconds to wait for",
+                        "name": "seconds",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -292,7 +337,8 @@
                "tags": [
                    "HTTP API"
                ],
-                "summary": "Panic"
+                "summary": "Panic",
+                "responses": {}
            }
        },
        "/readyz": {
@@ -377,6 +423,15 @@
                    "HTTP API"
                ],
                "summary": "Status code",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "status code to return",
+                        "name": "code",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "OK",
@@ -423,6 +478,15 @@
                    "HTTP API"
                ],
                "summary": "Download file",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "hash value",
+                        "name": "hash",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
                "responses": {
                    "200": {
                        "description": "file",
--- a/pkg/api/docs/swagger.yaml
+++ b/pkg/api/docs/swagger.yaml
@@ -103,11 +103,17 @@ paths:
      consumes:
      - application/json
      description: deletes the key and its value from cache
+      parameters:
+      - description: Key to delete
+        in: path
+        name: key
+        required: true
+        type: string
      produces:
      - application/json
      responses:
        "202":
-          description: ""
+          description: Accepted
      summary: Delete payload from cache
      tags:
      - HTTP API
@@ -115,6 +121,12 @@ paths:
      consumes:
      - application/json
      description: returns the content from cache if key exists
+      parameters:
+      - description: Key to load from cache
+        in: path
+        name: key
+        required: true
+        type: string
      produces:
      - application/json
      responses:
@@ -129,11 +141,17 @@ paths:
      consumes:
      - application/json
      description: writes the posted content in cache
+      parameters:
+      - description: Key to save to
+        in: path
+        name: key
+        required: true
+        type: string
      produces:
      - application/json
      responses:
        "202":
-          description: ""
+          description: Accepted
      summary: Save payload in cache
      tags:
      - HTTP API
@@ -143,6 +161,12 @@ paths:
      - application/json
      description: uses transfer-encoding type chunked to give a partial response
        and then waits for the specified period
+      parameters:
+      - description: seconds to wait for
+        in: path
+        name: seconds
+        required: true
+        type: integer
      produces:
      - application/json
      responses:
@@ -158,6 +182,12 @@ paths:
      consumes:
      - application/json
      description: waits for the specified period
+      parameters:
+      - description: seconds to wait for
+        in: path
+        name: seconds
+        required: true
+        type: integer
      produces:
      - application/json
      responses:
@@ -233,6 +263,7 @@ paths:
  /panic:
    get:
      description: crashes the process with exit code 255
+      responses: {}
      summary: Panic
      tags:
      - HTTP API
@@ -287,6 +318,12 @@ paths:
      consumes:
      - application/json
      description: sets the response status code to the specified code
+      parameters:
+      - description: status code to return
+        in: path
+        name: code
+        required: true
+        type: integer
      produces:
      - application/json
      responses:
@@ -318,6 +355,12 @@ paths:
      consumes:
      - application/json
      description: returns the content of the file /data/hash if exists
+      parameters:
+      - description: hash value
+        in: path
+        name: hash
+        required: true
+        type: string
      produces:
      - text/plain
      responses:
--- a/pkg/api/echo.go
+++ b/pkg/api/echo.go
@@ -4,7 +4,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/http/httptrace"
 	"sync"
@@ -27,7 +27,7 @@ func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
 	ctx, span := s.tracer.Start(r.Context(), "echoHandler")
 	defer span.End()

-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		s.logger.Error("reading the request body failed", zap.Error(err))
 		s.ErrorResponse(w, r, span, "invalid request body", http.StatusBadRequest)
@@ -78,7 +78,7 @@ func (s *Server) echoHandler(w http.ResponseWriter, r *http.Request) {
 				}

 				// forward the received body
-				rbody, err := ioutil.ReadAll(resp.Body)
+				rbody, err := io.ReadAll(resp.Body)
 				if err != nil {
 					s.logger.Error(
 						"reading the backend request body failed",
--- a/pkg/api/echo_test.go
+++ b/pkg/api/echo_test.go
@@ -8,27 +8,41 @@ import (
 )

 func TestEchoHandler(t *testing.T) {
-	expected := `{"test": true}`
-	req, err := http.NewRequest("POST", "/api/echo", strings.NewReader(expected))
-	if err != nil {
-		t.Fatal(err)
+	cases := []struct {
+		url      string
+		method   string
+		expected string
+	}{
+		{url: "/api/echo", method: "POST", expected: `{"test": true}`},
+		{url: "/api/echo", method: "PUT", expected: `{"test": true}`},
+		{url: "/echo", method: "PUT", expected: `{"test": true}`},
+		{url: "/echo/", method: "POST", expected: `{"test": true}`},
+		{url: "/echo/test", method: "POST", expected: `{"test": true}`},
+		{url: "/echo/test/", method: "POST", expected: `{"test": true}`},
+		{url: "/echo/test/test123-test", method: "POST", expected: `{"test": true}`},
 	}

-	rr := httptest.NewRecorder()
 	srv := NewMockServer()
 	handler := http.HandlerFunc(srv.echoHandler)

-	handler.ServeHTTP(rr, req)
+	for _, c := range cases {
+		req, err := http.NewRequest(c.method, c.url, strings.NewReader(c.expected))
+		if err != nil {
+			t.Fatal(err)
+		}
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, req)

-	// Check the status code is what we expect.
-	if status := rr.Code; status != http.StatusAccepted {
-		t.Errorf("handler returned wrong status code: got %v want %v",
-			status, http.StatusAccepted)
-	}
+		// Check the status code is what we expect.
+		if status := rr.Code; status != http.StatusAccepted {
+			t.Errorf("handler returned wrong status code: got %v want %v",
+				status, http.StatusAccepted)
+		}

-	// Check the response body is what we expect.
-	if rr.Body.String() != expected {
-		t.Fatalf("handler returned unexpected body:\ngot \n%v \nwant \n%s",
-			rr.Body.String(), expected)
+		// Check the response body is what we expect.
+		if rr.Body.String() != c.expected {
+			t.Fatalf("handler returned unexpected body:\ngot \n%v \nwant \n%s",
+				rr.Body.String(), c.expected)
+		}
 	}
 }
--- a/pkg/api/mock.go
+++ b/pkg/api/mock.go
@@ -11,17 +11,17 @@ import (

 func NewMockServer() *Server {
 	config := &Config{
-		Port:                      "9898",
-		HttpServerShutdownTimeout: 5 * time.Second,
-		HttpServerTimeout:         30 * time.Second,
-		BackendURL:                []string{},
-		ConfigPath:                "/config",
-		DataPath:                  "/data",
-		HttpClientTimeout:         30 * time.Second,
-		UIColor:                   "blue",
-		UIPath:                    ".ui",
-		UIMessage:                 "Greetings",
-		Hostname:                  "localhost",
+		Port:                  "9898",
+		ServerShutdownTimeout: 5 * time.Second,
+		HttpServerTimeout:     30 * time.Second,
+		BackendURL:            []string{},
+		ConfigPath:            "/config",
+		DataPath:              "/data",
+		HttpClientTimeout:     30 * time.Second,
+		UIColor:               "blue",
+		UIPath:                ".ui",
+		UIMessage:             "Greetings",
+		Hostname:              "localhost",
 	}

 	logger, _ := zap.NewDevelopment()
--- a/pkg/api/panic.go
+++ b/pkg/api/panic.go
@@ -2,6 +2,7 @@ package api

 import (
 	"net/http"
+	"os"
 )

 // Panic godoc
@@ -10,5 +11,6 @@ import (
 // @Tags HTTP API
 // @Router /panic [get]
 func (s *Server) panicHandler(w http.ResponseWriter, r *http.Request) {
-	s.logger.Panic("Panic command received")
+	s.logger.Info("Panic command received")
+	os.Exit(255)
 }
--- a/pkg/api/server.go
+++ b/pkg/api/server.go
@@ -14,7 +14,6 @@ import (
 	"github.com/gomodule/redigo/redis"
 	"github.com/gorilla/mux"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"github.com/spf13/viper"
 	_ "github.com/stefanprodan/podinfo/pkg/api/docs"
 	"github.com/stefanprodan/podinfo/pkg/fscache"
 	httpSwagger "github.com/swaggo/http-swagger"
@@ -47,32 +46,32 @@ var (
 )

 type Config struct {
-	HttpClientTimeout         time.Duration `mapstructure:"http-client-timeout"`
-	HttpServerTimeout         time.Duration `mapstructure:"http-server-timeout"`
-	HttpServerShutdownTimeout time.Duration `mapstructure:"http-server-shutdown-timeout"`
-	BackendURL                []string      `mapstructure:"backend-url"`
-	UILogo                    string        `mapstructure:"ui-logo"`
-	UIMessage                 string        `mapstructure:"ui-message"`
-	UIColor                   string        `mapstructure:"ui-color"`
-	UIPath                    string        `mapstructure:"ui-path"`
-	DataPath                  string        `mapstructure:"data-path"`
-	ConfigPath                string        `mapstructure:"config-path"`
-	CertPath                  string        `mapstructure:"cert-path"`
-	Host                      string        `mapstructure:"host"`
-	Port                      string        `mapstructure:"port"`
-	SecurePort                string        `mapstructure:"secure-port"`
-	PortMetrics               int           `mapstructure:"port-metrics"`
-	Hostname                  string        `mapstructure:"hostname"`
-	H2C                       bool          `mapstructure:"h2c"`
-	RandomDelay               bool          `mapstructure:"random-delay"`
-	RandomDelayUnit           string        `mapstructure:"random-delay-unit"`
-	RandomDelayMin            int           `mapstructure:"random-delay-min"`
-	RandomDelayMax            int           `mapstructure:"random-delay-max"`
-	RandomError               bool          `mapstructure:"random-error"`
-	Unhealthy                 bool          `mapstructure:"unhealthy"`
-	Unready                   bool          `mapstructure:"unready"`
-	JWTSecret                 string        `mapstructure:"jwt-secret"`
-	CacheServer               string        `mapstructure:"cache-server"`
+	HttpClientTimeout     time.Duration `mapstructure:"http-client-timeout"`
+	HttpServerTimeout     time.Duration `mapstructure:"http-server-timeout"`
+	ServerShutdownTimeout time.Duration `mapstructure:"server-shutdown-timeout"`
+	BackendURL            []string      `mapstructure:"backend-url"`
+	UILogo                string        `mapstructure:"ui-logo"`
+	UIMessage             string        `mapstructure:"ui-message"`
+	UIColor               string        `mapstructure:"ui-color"`
+	UIPath                string        `mapstructure:"ui-path"`
+	DataPath              string        `mapstructure:"data-path"`
+	ConfigPath            string        `mapstructure:"config-path"`
+	CertPath              string        `mapstructure:"cert-path"`
+	Host                  string        `mapstructure:"host"`
+	Port                  string        `mapstructure:"port"`
+	SecurePort            string        `mapstructure:"secure-port"`
+	PortMetrics           int           `mapstructure:"port-metrics"`
+	Hostname              string        `mapstructure:"hostname"`
+	H2C                   bool          `mapstructure:"h2c"`
+	RandomDelay           bool          `mapstructure:"random-delay"`
+	RandomDelayUnit       string        `mapstructure:"random-delay-unit"`
+	RandomDelayMin        int           `mapstructure:"random-delay-min"`
+	RandomDelayMax        int           `mapstructure:"random-delay-max"`
+	RandomError           bool          `mapstructure:"random-error"`
+	Unhealthy             bool          `mapstructure:"unhealthy"`
+	Unready               bool          `mapstructure:"unready"`
+	JWTSecret             string        `mapstructure:"jwt-secret"`
+	CacheServer           string        `mapstructure:"cache-server"`
 }

 type Server struct {
@@ -101,7 +100,8 @@ func (s *Server) registerHandlers() {
 	s.router.HandleFunc("/", s.indexHandler).HeadersRegexp("User-Agent", "^Mozilla.*").Methods("GET")
 	s.router.HandleFunc("/", s.infoHandler).Methods("GET")
 	s.router.HandleFunc("/version", s.versionHandler).Methods("GET")
-	s.router.HandleFunc("/echo", s.echoHandler).Methods("POST")
+	s.router.HandleFunc("/echo", s.echoHandler)
+	s.router.PathPrefix("/echo/").HandlerFunc(s.echoHandler)
 	s.router.HandleFunc("/env", s.envHandler).Methods("GET", "POST")
 	s.router.HandleFunc("/headers", s.echoHeadersHandler).Methods("GET", "POST")
 	s.router.HandleFunc("/delay/{wait:[0-9]+}", s.delayHandler).Methods("GET").Name("delay")
@@ -120,7 +120,8 @@ func (s *Server) registerHandlers() {
 	s.router.HandleFunc("/token", s.tokenGenerateHandler).Methods("POST")
 	s.router.HandleFunc("/token/validate", s.tokenValidateHandler).Methods("GET")
 	s.router.HandleFunc("/api/info", s.infoHandler).Methods("GET")
-	s.router.HandleFunc("/api/echo", s.echoHandler).Methods("POST")
+	s.router.HandleFunc("/api/echo", s.echoHandler)
+	s.router.PathPrefix("/api/echo/").HandlerFunc(s.echoHandler)
 	s.router.HandleFunc("/ws/echo", s.echoWsHandler)
 	s.router.HandleFunc("/chunked", s.chunkedHandler)
 	s.router.HandleFunc("/chunked/{wait:[0-9]+}", s.chunkedHandler)
@@ -153,7 +154,7 @@ func (s *Server) registerMiddlewares() {
 	}
 }

-func (s *Server) ListenAndServe(stopCh <-chan struct{}) {
+func (s *Server) ListenAndServe() (*http.Server, *http.Server, *int32, *int32) {
 	ctx := context.Background()

 	go s.startMetricsServer()
@@ -183,7 +184,7 @@ func (s *Server) ListenAndServe(stopCh <-chan struct{}) {

 	// start redis connection pool
 	ticker := time.NewTicker(30 * time.Second)
-	s.startCachePool(ticker, stopCh)
+	s.startCachePool(ticker)

 	// create the http server
 	srv := s.startServer()
@@ -199,48 +200,7 @@ func (s *Server) ListenAndServe(stopCh <-chan struct{}) {
 		atomic.StoreInt32(&ready, 1)
 	}

-	// wait for SIGTERM or SIGINT
-	<-stopCh
-	ctx, cancel := context.WithTimeout(ctx, s.config.HttpServerShutdownTimeout)
-	defer cancel()
-
-	// all calls to /healthz and /readyz will fail from now on
-	atomic.StoreInt32(&healthy, 0)
-	atomic.StoreInt32(&ready, 0)
-
-	// close cache pool
-	if s.pool != nil {
-		_ = s.pool.Close()
-	}
-
-	s.logger.Info("Shutting down HTTP/HTTPS server", zap.Duration("timeout", s.config.HttpServerShutdownTimeout))
-
-	// wait for Kubernetes readiness probe to remove this instance from the load balancer
-	// the readiness check interval must be lower than the timeout
-	if viper.GetString("level") != "debug" {
-		time.Sleep(3 * time.Second)
-	}
-
-	// stop OpenTelemetry tracer provider
-	if s.tracerProvider != nil {
-		if err := s.tracerProvider.Shutdown(ctx); err != nil {
-			s.logger.Warn("stopping tracer provider", zap.Error(err))
-		}
-	}
-
-	// determine if the http server was started
-	if srv != nil {
-		if err := srv.Shutdown(ctx); err != nil {
-			s.logger.Warn("HTTP server graceful shutdown failed", zap.Error(err))
-		}
-	}
-
-	// determine if the secure server was started
-	if secureSrv != nil {
-		if err := secureSrv.Shutdown(ctx); err != nil {
-			s.logger.Warn("HTTPS server graceful shutdown failed", zap.Error(err))
-		}
-	}
+	return srv, secureSrv, &healthy, &ready
 }

 func (s *Server) startServer() *http.Server {
--- a/pkg/api/status.go
+++ b/pkg/api/status.go
@@ -14,6 +14,7 @@ import (
 // @Tags HTTP API
 // @Accept json
 // @Produce json
+// @Param code path int true "status code to return"
 // @Router /status/{code} [get]
 // @Success 200 {object} api.MapResponse
 func (s *Server) statusHandler(w http.ResponseWriter, r *http.Request) {
--- a/pkg/api/store.go
+++ b/pkg/api/store.go
@@ -3,8 +3,9 @@ package api
 import (
 	"crypto/sha1"
 	"encoding/hex"
-	"io/ioutil"
+	"io"
 	"net/http"
+	"os"
 	"path"

 	"github.com/gorilla/mux"
@@ -23,14 +24,14 @@ func (s *Server) storeWriteHandler(w http.ResponseWriter, r *http.Request) {
 	_, span := s.tracer.Start(r.Context(), "storeWriteHandler")
 	defer span.End()

-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		s.ErrorResponse(w, r, span, "reading the request body failed", http.StatusBadRequest)
 		return
 	}

 	hash := hash(string(body))
-	err = ioutil.WriteFile(path.Join(s.config.DataPath, hash), body, 0644)
+	err = os.WriteFile(path.Join(s.config.DataPath, hash), body, 0644)
 	if err != nil {
 		s.logger.Warn("writing file failed", zap.Error(err), zap.String("file", path.Join(s.config.DataPath, hash)))
 		s.ErrorResponse(w, r, span, "writing file failed", http.StatusInternalServerError)
@@ -45,6 +46,7 @@ func (s *Server) storeWriteHandler(w http.ResponseWriter, r *http.Request) {
 // @Tags HTTP API
 // @Accept json
 // @Produce plain
+// @Param hash path string true "hash value"
 // @Router /store/{hash} [get]
 // @Success 200 {string} string "file"
 func (s *Server) storeReadHandler(w http.ResponseWriter, r *http.Request) {
@@ -52,7 +54,7 @@ func (s *Server) storeReadHandler(w http.ResponseWriter, r *http.Request) {
 	defer span.End()

 	hash := mux.Vars(r)["hash"]
-	content, err := ioutil.ReadFile(path.Join(s.config.DataPath, hash))
+	content, err := os.ReadFile(path.Join(s.config.DataPath, hash))
 	if err != nil {
 		s.logger.Warn("reading file failed", zap.Error(err), zap.String("file", path.Join(s.config.DataPath, hash)))
 		s.ErrorResponse(w, r, span, "reading file failed", http.StatusInternalServerError)
--- a/pkg/api/token.go
+++ b/pkg/api/token.go
@@ -2,13 +2,12 @@ package api

 import (
 	"fmt"
+	"io"
 	"net/http"
 	"strings"
 	"time"

-	"io/ioutil"
-
-	"github.com/dgrijalva/jwt-go/v4"
+	"github.com/golang-jwt/jwt/v4"
 	"go.uber.org/zap"
 )

@@ -29,7 +28,7 @@ func (s *Server) tokenGenerateHandler(w http.ResponseWriter, r *http.Request) {
 	_, span := s.tracer.Start(r.Context(), "tokenGenerateHandler")
 	defer span.End()

-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		s.logger.Error("reading the request body failed", zap.Error(err))
 		s.ErrorResponse(w, r, span, "invalid request body", http.StatusBadRequest)
@@ -47,7 +46,7 @@ func (s *Server) tokenGenerateHandler(w http.ResponseWriter, r *http.Request) {
 		user,
 		jwt.StandardClaims{
 			Issuer:    "podinfo",
-			ExpiresAt: jwt.At(expiresAt),
+			ExpiresAt: expiresAt.Unix(),
 		},
 	}

@@ -60,7 +59,7 @@ func (s *Server) tokenGenerateHandler(w http.ResponseWriter, r *http.Request) {

 	var result = TokenResponse{
 		Token:     t,
-		ExpiresAt: time.Unix(claims.StandardClaims.ExpiresAt.Unix(), 0),
+		ExpiresAt: time.Unix(claims.StandardClaims.ExpiresAt, 0),
 	}

 	s.JSONResponse(w, r, result)
@@ -110,7 +109,7 @@ func (s *Server) tokenValidateHandler(w http.ResponseWriter, r *http.Request) {
 		} else {
 			var result = TokenValidationResponse{
 				TokenName: claims.Name,
-				ExpiresAt: time.Unix(claims.StandardClaims.ExpiresAt.Unix(), 0),
+				ExpiresAt: time.Unix(claims.StandardClaims.ExpiresAt, 0),
 			}
 			s.JSONResponse(w, r, result)
 		}
--- a/pkg/fscache/fscache.go
+++ b/pkg/fscache/fscache.go
@@ -2,8 +2,8 @@ package fscache

 import (
 	"errors"
-	"io/ioutil"
 	"log"
+	"os"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -77,7 +77,7 @@ func (w *Watcher) Watch() {
 // updateCache reads files content and loads them into the cache
 func (w *Watcher) updateCache() error {
 	fileMap := make(map[string]string)
-	files, err := ioutil.ReadDir(w.dir)
+	files, err := os.ReadDir(w.dir)
 	if err != nil {
 		return err
 	}
@@ -86,7 +86,7 @@ func (w *Watcher) updateCache() error {
 	for _, file := range files {
 		name := filepath.Base(file.Name())
 		if !file.IsDir() && !strings.Contains(name, "..") {
-			b, err := ioutil.ReadFile(filepath.Join(w.dir, file.Name()))
+			b, err := os.ReadFile(filepath.Join(w.dir, file.Name()))
 			if err != nil {
 				return err
 			}
--- a/pkg/grpc/server.go
+++ b/pkg/grpc/server.go
@@ -30,7 +30,7 @@ func NewServer(config *Config, logger *zap.Logger) (*Server, error) {
 	return srv, nil
 }

-func (s *Server) ListenAndServe() {
+func (s *Server) ListenAndServe() *grpc.Server {
 	listener, err := net.Listen("tcp", fmt.Sprintf(":%v", s.config.Port))
 	if err != nil {
 		s.logger.Fatal("failed to listen", zap.Int("port", s.config.Port))
@@ -42,7 +42,11 @@ func (s *Server) ListenAndServe() {
 	grpc_health_v1.RegisterHealthServer(srv, server)
 	server.SetServingStatus(s.config.ServiceName, grpc_health_v1.HealthCheckResponse_SERVING)

-	if err := srv.Serve(listener); err != nil {
-		s.logger.Fatal("failed to serve", zap.Error(err))
-	}
+	go func() {
+		if err := srv.Serve(listener); err != nil {
+			s.logger.Fatal("failed to serve", zap.Error(err))
+		}
+	}()
+
+	return srv
 }
--- a/pkg/signals/shutdown.go
+++ b/pkg/signals/shutdown.go
@@ -0,0 +1,83 @@
+package signals
+
+import (
+	"context"
+	"net/http"
+	"sync/atomic"
+	"time"
+
+	"github.com/gomodule/redigo/redis"
+	"github.com/spf13/viper"
+	sdktrace "go.opentelemetry.io/otel/sdk/trace"
+	"go.uber.org/zap"
+	"google.golang.org/grpc"
+)
+
+type Shutdown struct {
+	logger                *zap.Logger
+	pool                  *redis.Pool
+	tracerProvider        *sdktrace.TracerProvider
+	serverShutdownTimeout time.Duration
+}
+
+func NewShutdown(serverShutdownTimeout time.Duration, logger *zap.Logger) (*Shutdown, error) {
+	srv := &Shutdown{
+		logger:                logger,
+		serverShutdownTimeout: serverShutdownTimeout,
+	}
+
+	return srv, nil
+}
+
+func (s *Shutdown) Graceful(stopCh <-chan struct{}, httpServer *http.Server, httpsServer *http.Server, grpcServer *grpc.Server, healthy *int32, ready *int32) {
+	ctx := context.Background()
+
+	// wait for SIGTERM or SIGINT
+	<-stopCh
+	ctx, cancel := context.WithTimeout(ctx, s.serverShutdownTimeout)
+	defer cancel()
+
+	// all calls to /healthz and /readyz will fail from now on
+	atomic.StoreInt32(healthy, 0)
+	atomic.StoreInt32(ready, 0)
+
+	// close cache pool
+	if s.pool != nil {
+		_ = s.pool.Close()
+	}
+
+	s.logger.Info("Shutting down HTTP/HTTPS server", zap.Duration("timeout", s.serverShutdownTimeout))
+
+	// wait for Kubernetes readiness probe to remove this instance from the load balancer
+	// the readiness check interval must be lower than the timeout
+	if viper.GetString("level") != "debug" {
+		time.Sleep(3 * time.Second)
+	}
+
+	// stop OpenTelemetry tracer provider
+	if s.tracerProvider != nil {
+		if err := s.tracerProvider.Shutdown(ctx); err != nil {
+			s.logger.Warn("stopping tracer provider", zap.Error(err))
+		}
+	}
+
+	// determine if the GRPC was started
+	if grpcServer != nil {
+		s.logger.Info("Shutting down GRPC server", zap.Duration("timeout", s.serverShutdownTimeout))
+		grpcServer.GracefulStop()
+	}
+
+	// determine if the http server was started
+	if httpServer != nil {
+		if err := httpServer.Shutdown(ctx); err != nil {
+			s.logger.Warn("HTTP server graceful shutdown failed", zap.Error(err))
+		}
+	}
+
+	// determine if the secure server was started
+	if httpsServer != nil {
+		if err := httpsServer.Shutdown(ctx); err != nil {
+			s.logger.Warn("HTTPS server graceful shutdown failed", zap.Error(err))
+		}
+	}
+}
--- a/pkg/signals/signal_posix.go
+++ b/pkg/signals/signal_posix.go
@@ -8,4 +8,4 @@ import (
 	"syscall"
 )

-var shutdownSignals = []os.Signal{os.Interrupt, syscall.SIGTERM}
+var shutdownSignals = []os.Signal{os.Interrupt, syscall.SIGTERM, syscall.SIGINT}
--- a/pkg/version/version.go
+++ b/pkg/version/version.go
@@ -1,4 +1,4 @@
 package version

-var VERSION = "6.1.2"
+var VERSION = "6.5.1"
 var REVISION = "unknown"
--- a/test/deploy.sh
+++ b/test/deploy.sh
@@ -24,4 +24,6 @@ helm upgrade --install podinfo ./charts/podinfo \
    --set image.tag=latest \
    --set tls.enabled=true \
    --set certificate.create=true \
+    --set hpa.enabled=true \
+    --set hpa.cpu=95 \
    --namespace=default
--- a/timoni/bundles/test.podinfo.cue
+++ b/timoni/bundles/test.podinfo.cue
@@ -0,0 +1,66 @@
+bundle: {
+	apiVersion: "v1alpha1"
+	name:       "podinfo"
+
+	_modURL: "oci://ghcr.io/stefanprodan/modules/podinfo" @timoni(runtime:string:PODINFO_MODULE_URL)
+	_imgURL: "ghcr.io/stefanprodan/modules/podinfo"       @timoni(runtime:string:PODINFO_IMAGE_URL)
+	_imgTag: "latest"                                     @timoni(runtime:string:PODINFO_VERSION)
+
+	instances: {
+		backend: {
+			module: url: _modURL
+			namespace: "podinfo"
+			values: {
+				image: {
+					repository: _imgURL
+					tag:        _imgTag
+				}
+				resources: requests: {
+					cpu:    "100m"
+					memory: "128Mi"
+				}
+				autoscaling: {
+					enabled:     true
+					minReplicas: 1
+					maxReplicas: 10
+					cpu:         90
+				}
+			}
+		}
+		frontend: {
+			module: url: _modURL
+			namespace: "podinfo"
+			values: {
+				image: {
+					repository: _imgURL
+					tag:        _imgTag
+				}
+				ui: backend: "http://backend.podinfo.svc.cluster.local/echo"
+				replicas: 2
+				podSecurityContext: {
+					runAsUser:  100
+					runAsGroup: 101
+					fsGroup:    101
+				}
+				securityContext: {
+					allowPrivilegeEscalation: false
+					readOnlyRootFilesystem:   true
+					runAsNonRoot:             true
+					capabilities: drop: ["ALL"]
+					seccompProfile: type: "RuntimeDefault"
+				}
+				ingress: {
+					enabled:   true
+					className: "nginx"
+					host:      "podinfo.local"
+					tls:       true
+					annotations: {
+						"nginx.ingress.kubernetes.io/ssl-redirect":       "false"
+						"nginx.ingress.kubernetes.io/force-ssl-redirect": "false"
+						"cert-manager.io/cluster-issuer":                 "self-signed"
+					}
+				}
+			}
+		}
+	}
+}
--- a/timoni/podinfo/README.md
+++ b/timoni/podinfo/README.md
@@ -0,0 +1,139 @@
+# Podinfo
+
+[Podinfo](https://github.com/stefanprodan/podinfo) is a tiny web application
+made with Go that showcases best practices of running microservices in Kubernetes.
+
+## Module Repository
+
+This module is available on GitHub Container Registry at
+[ghcr.io/stefanprodan/modules/podinfo](https://github.com/stefanprodan/podinfo/pkgs/container/modules%2Fpodinfo).
+
+## Install
+
+To create an instance using the default values:
+
+```shell
+timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo
+```
+
+To install a specific module version:
+
+```shell
+timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo -v 6.5.0
+```
+
+To change the [default configuration](#configuration),
+create one or more `values.cue` files and apply them to the instance.
+
+For example, create a file `my-values.cue` with the following content:
+
+```cue
+values: {
+	resources: requests: {
+		cpu:    "100m"
+		memory: "128Mi"
+	}
+}
+```
+
+And apply the values with:
+
+```shell
+timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo \
+--values ./my-values.cue
+```
+
+## Uninstall
+
+To uninstall an instance and delete all its Kubernetes resources:
+
+```shell
+timoni -n default delete podinfo
+```
+
+## Configuration
+
+### General values
+
+| Key                          | Type                                    | Default                        | Description                                                                                                                                  |
+|------------------------------|-----------------------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|
+| `image: tag:`                | `string`                                | `<latest version>`             | Container image tag                                                                                                                          |
+| `image: digest:`             | `string`                                | `""`                           | Container image digest, takes precedence over `tag` when specified                                                                           |
+| `image: repository:`         | `string`                                | `ghcr.io/stefanprodan/podinfo` | Container image repository                                                                                                                   |
+| `image: pullPolicy:`         | `string`                                | `IfNotPresent`                 | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy)                                     |
+| `metadata: labels:`          | `{[ string]: string}`                   | `{}`                           | Common labels for all resources                                                                                                              |
+| `metadata: annotations:`     | `{[ string]: string}`                   | `{}`                           | Common annotations for all resources                                                                                                         |
+| `podAnnotations:`            | `{[ string]: string}`                   | `{}`                           | Annotations applied to pods                                                                                                                  |
+| `imagePullSecrets:`          | `[...corev1.LocalObjectReference]`      | `[]`                           | [Kubernetes image pull secrets](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)                 |
+| `tolerations:`               | `[ ...corev1.#Toleration]`              | `[]`                           | [Kubernetes toleration](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration)                                        |
+| `affinity:`                  | `corev1.#Affinity`                      | `{}`                           | [Kubernetes affinity and anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
+| `resources:`                 | `corev1.#ResourceRequirements`          | `{}`                           | [Kubernetes resource requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers)                     |
+| `topologySpreadConstraints:` | `[...corev1.#TopologySpreadConstraint]` | `[]`                           | [Kubernetes pod topology spread constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints)            |
+| `podSecurityContext:`        | `corev1.#PodSecurityContext`            | `{}`                           | [Kubernetes pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context)                                 |
+| `securityContext:`           | `corev1.#SecurityContext`               | `{}`                           | [Kubernetes container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context)                           |
+
+#### Recommended values
+
+Comply with the
+restricted [Kubernetes pod security standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/):
+
+```cue
+values: {
+	podSecurityContext: {
+		runAsUser:  100
+		runAsGroup: 101
+		fsGroup:    101
+	}
+	securityContext: {
+		allowPrivilegeEscalation: false
+		readOnlyRootFilesystem:   true
+		runAsNonRoot:             true
+		capabilities: drop: ["ALL"]
+		seccompProfile: type: "RuntimeDefault"
+	}
+}
+```
+
+### Autoscaling values
+
+| Key                         | Type     | Default       | Description                                                                                                  |
+|-----------------------------|----------|---------------|--------------------------------------------------------------------------------------------------------------|
+| `replicas:`                 | `int`    | `1`           | Number of pods when autoscaling is disabled                                                                  |
+| `autoscaling: enabled:`     | `bool`   | `false`       | Enable [Kubernetes HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) creation |
+| `autoscaling: minReplicas:` | `int`    | `replicas`    | Minimum number of pods                                                                                       |
+| `autoscaling: maxReplicas:` | `int`    | `minReplicas` | Maximum number of pods                                                                                       |
+| `autoscaling: cpu:`         | `int`    | `99`          | CPU average utilization (percentage)                                                                         |
+| `autoscaling: memory:`      | `string` | `""`          | memory average value (e.g. `1024Mi`)                                                                         |
+
+### Ingress values
+
+| Key                     | Type                  | Default         | Description                                                                                            |
+|-------------------------|-----------------------|-----------------|--------------------------------------------------------------------------------------------------------|
+| `service: port:`        | `int`                 | `80`            | Kubernetes Service ClusterIP port                                                                      |
+| `ingress: enabled:`     | `bool`                | `false`         | Enable [Kubernetes Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) creation |
+| `ingress: tls:`         | `bool`                | `false`         | Enable TLS (requires cert-manager)                                                                     |
+| `ingress: host:`        | `string`              | `podinfo.local` | Ingress host                                                                                           |
+| `ingress: className:`   | `string`              | `""`            | Ingress class name                                                                                     |
+| `ingress: annotations:` | `{[ string]: string}` | `{}`            | Annotations applied to ingress                                                                         |
+
+### Monitoring values
+
+| Key                     | Type   | Default | Description                                                                   |
+|-------------------------|--------|---------|-------------------------------------------------------------------------------|
+| `monitoring: enabled:`  | `bool` | `false` | Enable [Prometheus ServiceMonitor](https://prometheus-operator.dev/) creation |
+| `monitoring: interval:` | `int`  | `15`    | Prometheus scrape interval in seconds                                         |
+
+### Cashing values
+
+| Key                  | Type     | Default | Description                                             |
+|----------------------|----------|---------|---------------------------------------------------------|
+| `caching: enabled:`  | `bool`   | `false` | Enable Redis caching                                    |
+| `caching: redisURL:` | `string` | `""`    | Redis URL in the format `tcp://:[password]@host[:port]` |
+
+### UI values
+
+| Key            | Type     | Default   | Description      |
+|----------------|----------|-----------|------------------|
+| `ui: color:`   | `string` | `#34577c` | Background color |
+| `ui: message:` | `string` | `""`      | Greeting message |
+| `ui: backend:` | `string` | `""`      | Backend URL      |
--- a/timoni/podinfo/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue
+++ b/timoni/podinfo/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue
@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admission/v1
+
+package v1
+
+#GroupName: "admission.k8s.io"
--- a/timoni/podinfo/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue
+++ b/timoni/podinfo/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue
@@ -0,0 +1,172 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admission/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// AdmissionReview describes an admission review request/response.
+#AdmissionReview: {
+	metav1.#TypeMeta
+
+	// Request describes the attributes for the admission request.
+	// +optional
+	request?: null | #AdmissionRequest @go(Request,*AdmissionRequest) @protobuf(1,bytes,opt)
+
+	// Response describes the attributes for the admission response.
+	// +optional
+	response?: null | #AdmissionResponse @go(Response,*AdmissionResponse) @protobuf(2,bytes,opt)
+}
+
+// AdmissionRequest describes the admission.Attributes for the admission request.
+#AdmissionRequest: {
+	// UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+	// otherwise identical (parallel requests, requests when earlier requests did not modify etc)
+	// The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
+	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+	uid: types.#UID @go(UID) @protobuf(1,bytes,opt)
+
+	// Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+	kind: metav1.#GroupVersionKind @go(Kind) @protobuf(2,bytes,opt)
+
+	// Resource is the fully-qualified resource being requested (for example, v1.pods)
+	resource: metav1.#GroupVersionResource @go(Resource) @protobuf(3,bytes,opt)
+
+	// SubResource is the subresource being requested, if any (for example, "status" or "scale")
+	// +optional
+	subResource?: string @go(SubResource) @protobuf(4,bytes,opt)
+
+	// RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
+	// If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
+	//
+	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+	// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+	// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+	// with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
+	// and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
+	//
+	// See documentation for the "matchPolicy" field in the webhook configuration type for more details.
+	// +optional
+	requestKind?: null | metav1.#GroupVersionKind @go(RequestKind,*metav1.GroupVersionKind) @protobuf(13,bytes,opt)
+
+	// RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
+	// If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
+	//
+	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+	// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+	// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+	// with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
+	// and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
+	//
+	// See documentation for the "matchPolicy" field in the webhook configuration type.
+	// +optional
+	requestResource?: null | metav1.#GroupVersionResource @go(RequestResource,*metav1.GroupVersionResource) @protobuf(14,bytes,opt)
+
+	// RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
+	// If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
+	// See documentation for the "matchPolicy" field in the webhook configuration type.
+	// +optional
+	requestSubResource?: string @go(RequestSubResource) @protobuf(15,bytes,opt)
+
+	// Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+	// rely on the server to generate the name.  If that is the case, this field will contain an empty string.
+	// +optional
+	name?: string @go(Name) @protobuf(5,bytes,opt)
+
+	// Namespace is the namespace associated with the request (if any).
+	// +optional
+	namespace?: string @go(Namespace) @protobuf(6,bytes,opt)
+
+	// Operation is the operation being performed. This may be different than the operation
+	// requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
+	operation: #Operation @go(Operation) @protobuf(7,bytes,opt)
+
+	// UserInfo is information about the requesting user
+	userInfo: authenticationv1.#UserInfo @go(UserInfo) @protobuf(8,bytes,opt)
+
+	// Object is the object from the incoming request.
+	// +optional
+	object?: runtime.#RawExtension @go(Object) @protobuf(9,bytes,opt)
+
+	// OldObject is the existing object. Only populated for DELETE and UPDATE requests.
+	// +optional
+	oldObject?: runtime.#RawExtension @go(OldObject) @protobuf(10,bytes,opt)
+
+	// DryRun indicates that modifications will definitely not be persisted for this request.
+	// Defaults to false.
+	// +optional
+	dryRun?: null | bool @go(DryRun,*bool) @protobuf(11,varint,opt)
+
+	// Options is the operation option structure of the operation being performed.
+	// e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
+	// different than the options the caller provided. e.g. for a patch request the performed
+	// Operation might be a CREATE, in which case the Options will a
+	// `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+	// +optional
+	options?: runtime.#RawExtension @go(Options) @protobuf(12,bytes,opt)
+}
+
+// AdmissionResponse describes an admission response.
+#AdmissionResponse: {
+	// UID is an identifier for the individual request/response.
+	// This must be copied over from the corresponding AdmissionRequest.
+	uid: types.#UID @go(UID) @protobuf(1,bytes,opt)
+
+	// Allowed indicates whether or not the admission request was permitted.
+	allowed: bool @go(Allowed) @protobuf(2,varint,opt)
+
+	// Result contains extra details into why an admission request was denied.
+	// This field IS NOT consulted in any way if "Allowed" is "true".
+	// +optional
+	status?: null | metav1.#Status @go(Result,*metav1.Status) @protobuf(3,bytes,opt)
+
+	// The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
+	// +optional
+	patch?: bytes @go(Patch,[]byte) @protobuf(4,bytes,opt)
+
+	// The type of Patch. Currently we only allow "JSONPatch".
+	// +optional
+	patchType?: null | #PatchType @go(PatchType,*PatchType) @protobuf(5,bytes,opt)
+
+	// AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
+	// MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
+	// admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
+	// the admission webhook to add additional context to the audit log for this request.
+	// +optional
+	auditAnnotations?: {[string]: string} @go(AuditAnnotations,map[string]string) @protobuf(6,bytes,opt)
+
+	// warnings is a list of warning messages to return to the requesting API client.
+	// Warning messages describe a problem the client making the API request should correct or be aware of.
+	// Limit warnings to 120 characters if possible.
+	// Warnings over 256 characters and large numbers of warnings may be truncated.
+	// +optional
+	warnings?: [...string] @go(Warnings,[]string) @protobuf(7,bytes,rep)
+}
+
+// PatchType is the type of patch being used to represent the mutated object
+#PatchType: string // #enumPatchType
+
+#enumPatchType:
+	#PatchTypeJSONPatch
+
+#PatchTypeJSONPatch: #PatchType & "JSONPatch"
+
+// Operation is the type of resource operation being checked for admission control
+#Operation: string // #enumOperation
+
+#enumOperation:
+	#Create |
+	#Update |
+	#Delete |
+	#Connect
+
+#Create:  #Operation & "CREATE"
+#Update:  #Operation & "UPDATE"
+#Delete:  #Operation & "DELETE"
+#Connect: #Operation & "CONNECT"
--- a/timoni/podinfo/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue
+++ b/timoni/podinfo/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue
@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admissionregistration/v1
+
+// Package v1 is the v1 version of the API.
+// AdmissionConfiguration and AdmissionPluginConfiguration are legacy static admission plugin configuration
+// MutatingWebhookConfiguration and ValidatingWebhookConfiguration are for the
+// new dynamic admission controller configuration.
+package v1
--- a/timoni/podinfo/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue
+++ b/timoni/podinfo/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue
@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admissionregistration/v1
+
+package v1
+
+#GroupName: "admissionregistration.k8s.io"
--- a/timoni/podinfo/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue
+++ b/timoni/podinfo/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue
@@ -0,0 +1,645 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admissionregistration/v1
+
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended
+// to make sure that all the tuple expansions are valid.
+#Rule: {
+	// APIGroups is the API groups the resources belong to. '*' is all groups.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	// +listType=atomic
+	apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(1,bytes,rep)
+
+	// APIVersions is the API versions the resources belong to. '*' is all versions.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	// +listType=atomic
+	apiVersions?: [...string] @go(APIVersions,[]string) @protobuf(2,bytes,rep)
+
+	// Resources is a list of resources this rule applies to.
+	//
+	// For example:
+	// 'pods' means pods.
+	// 'pods/log' means the log subresource of pods.
+	// '*' means all resources, but not subresources.
+	// 'pods/*' means all subresources of pods.
+	// '*/scale' means all scale subresources.
+	// '*/*' means all resources and their subresources.
+	//
+	// If wildcard is present, the validation rule will ensure resources do not
+	// overlap with each other.
+	//
+	// Depending on the enclosing object, subresources might not be allowed.
+	// Required.
+	// +listType=atomic
+	resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep)
+
+	// scope specifies the scope of this rule.
+	// Valid values are "Cluster", "Namespaced", and "*"
+	// "Cluster" means that only cluster-scoped resources will match this rule.
+	// Namespace API objects are cluster-scoped.
+	// "Namespaced" means that only namespaced resources will match this rule.
+	// "*" means that there are no scope restrictions.
+	// Subresources match the scope of their parent resource.
+	// Default is "*".
+	//
+	// +optional
+	scope?: null | #ScopeType @go(Scope,*ScopeType) @protobuf(4,bytes,rep)
+}
+
+// ScopeType specifies a scope for a Rule.
+// +enum
+#ScopeType: string // #enumScopeType
+
+#enumScopeType:
+	#ClusterScope |
+	#NamespacedScope |
+	#AllScopes
+
+// ClusterScope means that scope is limited to cluster-scoped objects.
+// Namespace objects are cluster-scoped.
+#ClusterScope: #ScopeType & "Cluster"
+
+// NamespacedScope means that scope is limited to namespaced objects.
+#NamespacedScope: #ScopeType & "Namespaced"
+
+// AllScopes means that all scopes are included.
+#AllScopes: #ScopeType & "*"
+
+// FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled.
+// +enum
+#FailurePolicyType: string // #enumFailurePolicyType
+
+#enumFailurePolicyType:
+	#Ignore |
+	#Fail
+
+// Ignore means that an error calling the webhook is ignored.
+#Ignore: #FailurePolicyType & "Ignore"
+
+// Fail means that an error calling the webhook causes the admission to fail.
+#Fail: #FailurePolicyType & "Fail"
+
+// MatchPolicyType specifies the type of match policy.
+// +enum
+#MatchPolicyType: string // #enumMatchPolicyType
+
+#enumMatchPolicyType:
+	#Exact |
+	#Equivalent
+
+// Exact means requests should only be sent to the webhook if they exactly match a given rule.
+#Exact: #MatchPolicyType & "Exact"
+
+// Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.
+#Equivalent: #MatchPolicyType & "Equivalent"
+
+// SideEffectClass specifies the types of side effects a webhook may have.
+// +enum
+#SideEffectClass: string // #enumSideEffectClass
+
+#enumSideEffectClass:
+	#SideEffectClassUnknown |
+	#SideEffectClassNone |
+	#SideEffectClassSome |
+	#SideEffectClassNoneOnDryRun
+
+// SideEffectClassUnknown means that no information is known about the side effects of calling the webhook.
+// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
+#SideEffectClassUnknown: #SideEffectClass & "Unknown"
+
+// SideEffectClassNone means that calling the webhook will have no side effects.
+#SideEffectClassNone: #SideEffectClass & "None"
+
+// SideEffectClassSome means that calling the webhook will possibly have side effects.
+// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
+#SideEffectClassSome: #SideEffectClass & "Some"
+
+// SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the
+// request being reviewed has the dry-run attribute, the side effects will be suppressed.
+#SideEffectClassNoneOnDryRun: #SideEffectClass & "NoneOnDryRun"
+
+// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
+#ValidatingWebhookConfiguration: {
+	metav1.#TypeMeta
+
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	webhooks?: [...#ValidatingWebhook] @go(Webhooks,[]ValidatingWebhook) @protobuf(2,bytes,rep,name=Webhooks)
+}
+
+// ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.
+#ValidatingWebhookConfigurationList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// List of ValidatingWebhookConfiguration.
+	items: [...#ValidatingWebhookConfiguration] @go(Items,[]ValidatingWebhookConfiguration) @protobuf(2,bytes,rep)
+}
+
+// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
+#MutatingWebhookConfiguration: {
+	metav1.#TypeMeta
+
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	webhooks?: [...#MutatingWebhook] @go(Webhooks,[]MutatingWebhook) @protobuf(2,bytes,rep,name=Webhooks)
+}
+
+// MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.
+#MutatingWebhookConfigurationList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// List of MutatingWebhookConfiguration.
+	items: [...#MutatingWebhookConfiguration] @go(Items,[]MutatingWebhookConfiguration) @protobuf(2,bytes,rep)
+}
+
+// ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
+#ValidatingWebhook: {
+	// The name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt)
+
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep)
+
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Fail.
+	// +optional
+	failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType)
+
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Equivalent"
+	// +optional
+	matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType)
+
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	//   "matchExpressions": [
+	//     {
+	//       "key": "runlevel",
+	//       "operator": "NotIn",
+	//       "values": [
+	//         "0",
+	//         "1"
+	//       ]
+	//     }
+	//   ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	//   "matchExpressions": [
+	//     {
+	//       "key": "environment",
+	//       "operator": "In",
+	//       "values": [
+	//         "prod",
+	//         "staging"
+	//       ]
+	//     }
+	//   ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	// +optional
+	namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt)
+
+	// ObjectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	// +optional
+	objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(10,bytes,opt)
+
+	// SideEffects states whether this webhook has side effects.
+	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some.
+	sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass)
+
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 10 seconds.
+	// +optional
+	timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt)
+
+	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep)
+
+	// MatchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	//   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	//   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	//   3. If any matchCondition evaluates to an error (but none are FALSE):
+	//      - If failurePolicy=Fail, reject the request
+	//      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	//
+	// This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate.
+	//
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	// +featureGate=AdmissionWebhookMatchConditions
+	// +optional
+	matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(11,bytes,opt)
+}
+
+// MutatingWebhook describes an admission webhook and the resources and operations it applies to.
+#MutatingWebhook: {
+	// The name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt)
+
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep)
+
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Fail.
+	// +optional
+	failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType)
+
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Equivalent"
+	// +optional
+	matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType)
+
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	//   "matchExpressions": [
+	//     {
+	//       "key": "runlevel",
+	//       "operator": "NotIn",
+	//       "values": [
+	//         "0",
+	//         "1"
+	//       ]
+	//     }
+	//   ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	//   "matchExpressions": [
+	//     {
+	//       "key": "environment",
+	//       "operator": "In",
+	//       "values": [
+	//         "prod",
+	//         "staging"
+	//       ]
+	//     }
+	//   ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	// +optional
+	namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt)
+
+	// ObjectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	// +optional
+	objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(11,bytes,opt)
+
+	// SideEffects states whether this webhook has side effects.
+	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some.
+	sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass)
+
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 10 seconds.
+	// +optional
+	timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt)
+
+	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep)
+
+	// reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: the webhook will not be called more than once in a single admission evaluation.
+	//
+	// IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
+	// if the object being admitted is modified by other admission plugins after the initial webhook call.
+	// Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
+	// Note:
+	// * the number of additional invocations is not guaranteed to be exactly one.
+	// * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
+	// * webhooks that use this option may be reordered to minimize the number of additional invocations.
+	// * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
+	//
+	// Defaults to "Never".
+	// +optional
+	reinvocationPolicy?: null | #ReinvocationPolicyType @go(ReinvocationPolicy,*ReinvocationPolicyType) @protobuf(10,bytes,opt,casttype=ReinvocationPolicyType)
+
+	// MatchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	//   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	//   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	//   3. If any matchCondition evaluates to an error (but none are FALSE):
+	//      - If failurePolicy=Fail, reject the request
+	//      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	//
+	// This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate.
+	//
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	// +featureGate=AdmissionWebhookMatchConditions
+	// +optional
+	matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(12,bytes,opt)
+}
+
+// ReinvocationPolicyType specifies what type of policy the admission hook uses.
+// +enum
+#ReinvocationPolicyType: string // #enumReinvocationPolicyType
+
+#enumReinvocationPolicyType:
+	#NeverReinvocationPolicy |
+	#IfNeededReinvocationPolicy
+
+// NeverReinvocationPolicy indicates that the webhook must not be called more than once in a
+// single admission evaluation.
+#NeverReinvocationPolicy: #ReinvocationPolicyType & "Never"
+
+// IfNeededReinvocationPolicy indicates that the webhook may be called at least one
+// additional time as part of the admission evaluation if the object being admitted is
+// modified by other admission plugins after the initial webhook call.
+#IfNeededReinvocationPolicy: #ReinvocationPolicyType & "IfNeeded"
+
+// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
+// sure that all the tuple expansions are valid.
+#RuleWithOperations: {
+	// Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
+	// for all of those operations and any future admission operations that are added.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	// +listType=atomic
+	operations?: [...#OperationType] @go(Operations,[]OperationType) @protobuf(1,bytes,rep,casttype=OperationType)
+
+	#Rule
+}
+
+// OperationType specifies an operation for a request.
+// +enum
+#OperationType: string // #enumOperationType
+
+#enumOperationType:
+	#OperationAll |
+	#Create |
+	#Update |
+	#Delete |
+	#Connect
+
+#OperationAll: #OperationType & "*"
+#Create:       #OperationType & "CREATE"
+#Update:       #OperationType & "UPDATE"
+#Delete:       #OperationType & "DELETE"
+#Connect:      #OperationType & "CONNECT"
+
+// WebhookClientConfig contains the information to make a TLS
+// connection with the webhook
+#WebhookClientConfig: {
+	// `url` gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	//
+	// +optional
+	url?: null | string @go(URL,*string) @protobuf(3,bytes,opt)
+
+	// `service` is a reference to the service for this webhook. Either
+	// `service` or `url` must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	//
+	// +optional
+	service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt)
+
+	// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	// +optional
+	caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt)
+}
+
+// ServiceReference holds a reference to Service.legacy.k8s.io
+#ServiceReference: {
+	// `namespace` is the namespace of the service.
+	// Required
+	namespace: string @go(Namespace) @protobuf(1,bytes,opt)
+
+	// `name` is the name of the service.
+	// Required
+	name: string @go(Name) @protobuf(2,bytes,opt)
+
+	// `path` is an optional URL path which will be sent in any request to
+	// this service.
+	// +optional
+	path?: null | string @go(Path,*string) @protobuf(3,bytes,opt)
+
+	// If specified, the port on the service that hosting webhook.
+	// Default to 443 for backward compatibility.
+	// `port` should be a valid port number (1-65535, inclusive).
+	// +optional
+	port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt)
+}
+
+// MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.
+#MatchCondition: {
+	// Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+	// as well as providing an identifier for logging purposes. A good name should be descriptive of
+	// the associated expression.
+	// Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+	// must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+	// '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+	// optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+	//
+	// Required.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+	// CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+	//
+	// 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// 'oldObject' - The existing object. The value is null for CREATE requests.
+	// 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+	// 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	//   See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	//   request resource.
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	//
+	// Required.
+	expression: string @go(Expression) @protobuf(2,bytes,opt)
+}
--- a/timoni/podinfo/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue
+++ b/timoni/podinfo/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`timoni/podinfo/cue.mod/** linguist-vendored`
				`@@ -1 +0,0 @@`
				`module: "github.com/stefanprodan/podinfo/cue"`