394 Commits

Author SHA1 Message Date
Stefan Prodan
b501abd1f0 Merge pull request #470 from stefanprodan/release-6.11.2
Release 6.11.2
2026-03-31 22:52:14 +03:00
Stefan Prodan
e0a79a4ddd Release 6.11.2
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-03-31 22:47:19 +03:00
Stefan Prodan
be8baac695 Merge pull request #468 from stefanprodan/dependabot/github_actions/actions-6b017b3799
build(deps): bump the actions group across 1 directory with 4 updates
2026-03-31 22:36:36 +03:00
dependabot[bot]
f539517440 build(deps): bump the actions group across 1 directory with 4 updates
Bumps the actions group with 4 updates in the / directory: [azure/setup-helm](https://github.com/azure/setup-helm), [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer), [fluxcd/flux2](https://github.com/fluxcd/flux2) and [azure/setup-kubectl](https://github.com/azure/setup-kubectl).


Updates `azure/setup-helm` from 4 to 5
- [Release notes](https://github.com/azure/setup-helm/releases)
- [Changelog](https://github.com/Azure/setup-helm/blob/main/CHANGELOG.md)
- [Commits](https://github.com/azure/setup-helm/compare/v4...v5)

Updates `sigstore/cosign-installer` from 4.0.0 to 4.1.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v4.0.0...v4.1.1)

Updates `fluxcd/flux2` from 2.8.1 to 2.8.3
- [Release notes](https://github.com/fluxcd/flux2/releases)
- [Commits](https://github.com/fluxcd/flux2/compare/v2.8.1...v2.8.3)

Updates `azure/setup-kubectl` from 4 to 5
- [Release notes](https://github.com/azure/setup-kubectl/releases)
- [Changelog](https://github.com/Azure/setup-kubectl/blob/main/CHANGELOG.md)
- [Commits](https://github.com/azure/setup-kubectl/compare/v4...v5)

---
updated-dependencies:
- dependency-name: azure/setup-helm
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: fluxcd/flux2
  dependency-version: 2.8.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: azure/setup-kubectl
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-31 19:32:43 +00:00
Stefan Prodan
01219a196e Merge pull request #469 from stefanprodan/pin-actions
ci: Pin actions and enable release attentions
2026-03-31 22:30:33 +03:00
Stefan Prodan
b9acae4064 ci: Pin actions and enable release attentions
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-03-31 22:27:07 +03:00
Stefan Prodan
64a8da1836 Merge pull request #467 from stefanprodan/dependabot/go_modules/google.golang.org/grpc-1.79.3
build(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3
2026-03-31 19:08:11 +03:00
dependabot[bot]
420d0db8bf build(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.79.1 to 1.79.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.79.1...v1.79.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.79.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-19 02:41:57 +00:00
Stefan Prodan
6b67f2bdd6 Merge pull request #454 from hansbogert/master
feat: add otlp logging support
2026-03-17 09:22:56 +02:00
Hans van den Bogert
095b1cd251 feat: add otlp logging support
- Adds a loggerprovider based on otlp logger
- In demo directory of otlp:
  - Added grafana for unified view of both traces and logs
  - tracing now uses otlp from the collector to the jaeger instance

Signed-off-by: Hans van den Bogert <hansbogert@gmail.com>
2026-03-14 22:38:14 +01:00
Stefan Prodan
0a27dbe40c Merge pull request #465 from stefanprodan/release-6.11.1
Release 6.11.1
2026-03-14 15:27:35 +02:00
Stefan Prodan
2da74a4ec2 Release 6.11.1
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-03-14 15:18:19 +02:00
Stefan Prodan
c7ffdba3bd Merge pull request #461 from stefanprodan/dependabot/github_actions/actions-1590fac0fc
build(deps): bump the actions group with 5 updates
2026-03-14 15:10:39 +02:00
Stefan Prodan
06f7cd3777 Merge pull request #464 from stefanprodan/fix-store-path-traversal
Fix path traversal in `/store` endpoint
2026-03-14 15:08:52 +02:00
Stefan Prodan
620b9b7e2c Fix path traversal in /store endpoint
Validate that the hash URL parameter matches the expected SHA1 hex
format (40 lowercase hex characters) before using it in file path
operations.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-03-14 15:02:25 +02:00
Stefan Prodan
83deb7fcb7 Merge pull request #463 from stefanprodan/fix-CVE-2025-70849
Fix XSS in `/store` endpoint (CVE-2025-70849)
2026-03-14 14:58:53 +02:00
Stefan Prodan
550ee9f7b9 Fix stored XSS in /store endpoint (CVE-2025-70849)
Set Content-Type to application/octet-stream in storeReadHandler
to prevent Go's content sniffing from serving HTML payloads as
text/html. Add X-Content-Type-Options: nosniff to prevent browsers
from overriding Content-Type via MIME sniffing, and
Content-Security-Policy: default-src 'none' to block script
execution as defense-in-depth.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-03-14 14:40:55 +02:00
dependabot[bot]
dd185df435 build(deps): bump the actions group with 5 updates
Bumps the actions group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) | `3` | `4` |
| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3` | `4` |
| [docker/login-action](https://github.com/docker/login-action) | `3` | `4` |
| [docker/metadata-action](https://github.com/docker/metadata-action) | `5` | `6` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `6` | `7` |


Updates `docker/setup-qemu-action` from 3 to 4
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v3...v4)

Updates `docker/setup-buildx-action` from 3 to 4
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4)

Updates `docker/login-action` from 3 to 4
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v3...v4)

Updates `docker/metadata-action` from 5 to 6
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](https://github.com/docker/metadata-action/compare/v5...v6)

Updates `docker/build-push-action` from 6 to 7
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6...v7)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/setup-buildx-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/login-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/metadata-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/build-push-action
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-09 06:46:46 +00:00
Stefan Prodan
07a524ba01 Merge pull request #460 from stefanprodan/release-6.11.0
Release 6.11.0
2026-03-06 19:50:57 +00:00
Stefan Prodan
5d97df9c89 Release 6.11.0
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-03-06 21:43:50 +02:00
Stefan Prodan
a8cadef09b Merge pull request #459 from stefanprodan/cosign-v3
Sign release artifacts with cosign v3
2026-03-06 19:32:20 +00:00
Stefan Prodan
32f6e3d8c9 Sign release artifacts with cosign v3
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-03-06 21:31:06 +02:00
Stefan Prodan
77dc46241d Merge pull request #458 from matheuscscp/grpcroute
Introduce GRPCRoute in the Helm chart
2026-03-06 19:23:43 +00:00
Matheus Pimenta
3a31e973c0 Introduce GRPCRoute in the Helm chart
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2026-03-06 03:44:28 +00:00
Stefan Prodan
e15511a92d Merge pull request #456 from matheuscscp/check-grpc-tls
Introduce `--tls` flag for command `check grpc`
2026-03-03 08:36:06 +02:00
Matheus Pimenta
4656ca0517 Introduce --tls flag for command check grpc
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2026-03-03 03:02:20 +00:00
Stefan Prodan
1f66430364 Merge pull request #455 from matheuscscp/ws-check
Introduce podcli check ws command
2026-03-02 20:46:52 +02:00
Matheus Pimenta
117533e329 Introduce podcli check ws command
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2026-03-02 17:38:35 +00:00
Stefan Prodan
29827dd944 Merge pull request #453 from stefanprodan/release-6.10.2
Release 6.10.2
2026-03-01 10:22:42 +02:00
Stefan Prodan
9525259938 Release 6.10.2
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-03-01 10:17:39 +02:00
Stefan Prodan
a53ddbcffc Merge pull request #452 from stefanprodan/go-1.26
Build with Go 1.26
2026-03-01 10:15:35 +02:00
Stefan Prodan
e3c8277e58 Update redis to 8.6.1
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-03-01 10:10:08 +02:00
Stefan Prodan
420b2f64b8 Build with Go 1.26
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-03-01 10:05:27 +02:00
Stefan Prodan
0a93807324 Merge pull request #450 from stefanprodan/dependabot/github_actions/actions-9753a9b660
build(deps): bump the actions group with 2 updates
2026-03-01 09:56:59 +02:00
dependabot[bot]
d73d94eec9 build(deps): bump the actions group with 2 updates
Bumps the actions group with 2 updates: [helm/kind-action](https://github.com/helm/kind-action) and [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action).


Updates `helm/kind-action` from 1.13.0 to 1.14.0
- [Release notes](https://github.com/helm/kind-action/releases)
- [Commits](https://github.com/helm/kind-action/compare/v1.13.0...v1.14.0)

Updates `goreleaser/goreleaser-action` from 6 to 7
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](https://github.com/goreleaser/goreleaser-action/compare/v6...v7)

---
updated-dependencies:
- dependency-name: helm/kind-action
  dependency-version: 1.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: goreleaser/goreleaser-action
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-23 06:56:00 +00:00
Stefan Prodan
a723c9447d Merge pull request #449 from stefanprodan/release-6.10.1
Some checks failed
e2e / kind-timoni (push) Failing after 6s
e2e / kind-helm (push) Failing after 1m57s
test / test (push) Failing after 5m47s
cve-scan / govulncheck (push) Successful in 12m37s
Release v6.10.1
2026-02-03 17:46:37 +02:00
Stefan Prodan
eca2d3a1d9 Release v6.10.1
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-02-03 17:42:33 +02:00
Stefan Prodan
2dfda568b2 Merge pull request #448 from matheuscscp/job-ttl
chart: introduce configurable Job hook
2026-02-03 17:39:43 +02:00
Matheus Pimenta
4d7604ab63 chart: introduce configurable Job hook
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2026-02-03 15:27:53 +00:00
Stefan Prodan
f3c2e57a6f Merge pull request #447 from stefanprodan/release-6.10.0
Some checks failed
e2e / kind-helm (push) Failing after 2m23s
e2e / kind-timoni (push) Failing after 11s
test / test (push) Failing after 23s
cve-scan / govulncheck (push) Successful in 12m20s
Release v6.10.0
2026-02-01 12:34:49 +02:00
Stefan Prodan
8bded1ba80 Release v6.10.0
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-02-01 12:30:00 +02:00
Stefan Prodan
da120efc04 Merge pull request #446 from stefanprodan/helm-remove-linkerd
helm: remove linkerd profile
2026-02-01 12:27:17 +02:00
Stefan Prodan
ea672716dd helm: remove linkerd profile
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-02-01 12:22:40 +02:00
Stefan Prodan
47742372b9 Merge pull request #441 from darox/add-external-traffic-policy
helm: add externalTrafficPolicy value
2026-02-01 12:13:50 +02:00
Stefan Prodan
30be5f5b6a Merge pull request #445 from stefanprodan/update-go-deps
Update dependencies
2026-02-01 12:12:22 +02:00
Stefan Prodan
4fb3be1de0 Update dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-02-01 12:08:25 +02:00
Stefan Prodan
d532cc2a24 Merge pull request #444 from stefanprodan/deploy-database-demo
Add database deployment demo
2026-02-01 11:56:08 +02:00
Stefan Prodan
f1eb631ac9 Add database deployment demo
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-02-01 11:45:23 +02:00
darox
03172452ee service: add externalTrafficPolicy value
Signed-off-by: darox <maderdario@gmail.com>
2025-12-22 14:26:32 +01:00
Stefan Prodan
b6b680fe50 Merge pull request #439 from stefanprodan/release-6.9.4
Some checks failed
cve-scan / govulncheck (push) Successful in 12m0s
e2e / kind-helm (push) Failing after 1m13s
e2e / kind-timoni (push) Failing after 7s
test / test (push) Failing after 5m32s
Release 6.9.4
2025-12-07 20:02:41 +00:00
Stefan Prodan
e51374c0ec Release 6.9.4
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-12-07 21:58:53 +02:00
Stefan Prodan
80b5bf5495 Merge pull request #438 from stefanprodan/fix-httproute
helm: Add namespace to HTTPRoute
2025-12-07 19:52:57 +00:00
Stefan Prodan
f53a3109cf helm: Add namespace to HTTPRoute
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-12-07 21:46:51 +02:00
Stefan Prodan
11b7ac4319 Merge pull request #436 from stefanprodan/dependabot/github_actions/actions-27fc00b90e
build(deps): bump fluxcd/flux2 from 2.7.4 to 2.7.5 in the actions group
2025-12-07 19:45:44 +00:00
Stefan Prodan
396a56493b Merge pull request #424 from darox/helm-add-trafficDistribution
helm: add trafficDistribution to service spec
2025-12-07 19:43:18 +00:00
darox
4991d2e6d0 helm: add trafficDistribution and additionalLabels to service config
This commit adds the trafficDistribution
and additionalLabels parameters to the Helm
chart's service configuration.

Signed-off-by: darox <maderdario@gmail.com>
2025-12-04 08:57:50 +01:00
dependabot[bot]
c0669703ab build(deps): bump fluxcd/flux2 from 2.7.4 to 2.7.5 in the actions group
Bumps the actions group with 1 update: [fluxcd/flux2](https://github.com/fluxcd/flux2).


Updates `fluxcd/flux2` from 2.7.4 to 2.7.5
- [Release notes](https://github.com/fluxcd/flux2/releases)
- [Commits](https://github.com/fluxcd/flux2/compare/v2.7.4...v2.7.5)

---
updated-dependencies:
- dependency-name: fluxcd/flux2
  dependency-version: 2.7.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-01 06:51:24 +00:00
Stefan Prodan
0f360bb788 Merge pull request #434 from stefanprodan/gha-disk-cleanup
Some checks failed
cve-scan / govulncheck (push) Successful in 11m52s
e2e / kind-helm (push) Failing after 1m21s
e2e / kind-timoni (push) Failing after 11s
test / test (push) Failing after 5m30s
ci: Free disk space on Ubuntu runners
2025-11-28 16:18:18 +02:00
Stefan Prodan
d7fee06b63 ci: Free disk space on Ubuntu runners
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-11-28 16:12:49 +02:00
Stefan Prodan
4f64661bff Merge pull request #433 from stefanprodan/dependabot/github_actions/actions-42767b8147
Some checks failed
cve-scan / govulncheck (push) Successful in 11m41s
e2e / kind-helm (push) Failing after 57s
e2e / kind-timoni (push) Failing after 7s
test / test (push) Failing after 5m14s
build(deps): bump the actions group across 1 directory with 2 updates
2025-11-26 11:32:14 +02:00
dependabot[bot]
1318ba1bd1 build(deps): bump the actions group across 1 directory with 2 updates
Bumps the actions group with 2 updates in the / directory: [actions/checkout](https://github.com/actions/checkout) and [fluxcd/flux2](https://github.com/fluxcd/flux2).


Updates `actions/checkout` from 5 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

Updates `fluxcd/flux2` from 2.7.3 to 2.7.4
- [Release notes](https://github.com/fluxcd/flux2/releases)
- [Changelog](https://github.com/fluxcd/flux2/blob/main/.goreleaser.yml)
- [Commits](https://github.com/fluxcd/flux2/compare/v2.7.3...v2.7.4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: fluxcd/flux2
  dependency-version: 2.7.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-26 09:14:41 +00:00
Stefan Prodan
1267688401 Merge pull request #432 from stefanprodan/cosign-v2.6.1
ci: Pin cosign to v2.6.1 (Flux compat)
2025-11-26 11:12:51 +02:00
Stefan Prodan
3ed50e4d85 ci: Pin cosign to v2.6.1 (Flux compat)
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-11-26 10:27:12 +02:00
Stefan Prodan
d9fec9778d Merge pull request #430 from stefanprodan/release-6.9.3
Some checks failed
cve-scan / govulncheck (push) Successful in 11m40s
e2e / kind-helm (push) Failing after 1m13s
e2e / kind-timoni (push) Failing after 8s
test / test (push) Failing after 5m20s
Release 6.9.3
2025-11-22 14:24:39 +02:00
Stefan Prodan
7ac390bb27 Release 6.9.3
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-11-22 13:59:49 +02:00
Stefan Prodan
576ad0ff2f Merge pull request #429 from stefanprodan/dependabot/github_actions/actions-fa1ae25fd8
Some checks failed
cve-scan / govulncheck (push) Successful in 12m5s
e2e / kind-helm (push) Failing after 2m42s
e2e / kind-timoni (push) Failing after 9s
test / test (push) Failing after 5m19s
build(deps): bump the actions group across 1 directory with 2 updates
2025-11-22 13:55:47 +02:00
dependabot[bot]
74ac24bc86 build(deps): bump the actions group across 1 directory with 2 updates
Bumps the actions group with 2 updates in the / directory: [helm/kind-action](https://github.com/helm/kind-action) and [fluxcd/flux2](https://github.com/fluxcd/flux2).


Updates `helm/kind-action` from 1.12.0 to 1.13.0
- [Release notes](https://github.com/helm/kind-action/releases)
- [Commits](https://github.com/helm/kind-action/compare/v1.12.0...v1.13.0)

Updates `fluxcd/flux2` from 2.7.2 to 2.7.3
- [Release notes](https://github.com/fluxcd/flux2/releases)
- [Changelog](https://github.com/fluxcd/flux2/blob/main/.goreleaser.yml)
- [Commits](https://github.com/fluxcd/flux2/compare/v2.7.2...v2.7.3)

---
updated-dependencies:
- dependency-name: helm/kind-action
  dependency-version: 1.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: fluxcd/flux2
  dependency-version: 2.7.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-10 06:38:39 +00:00
Stefan Prodan
902e62b5f3 Merge pull request #427 from stefanprodan/chart-gateway-api
Some checks failed
test / test (push) Failing after 17s
cve-scan / govulncheck (push) Failing after 26s
e2e / kind-helm (push) Failing after 19s
e2e / kind-timoni (push) Failing after 8s
chart: Add support for Gateway API HTTPRoute
2025-10-24 12:50:27 +01:00
Stefan Prodan
6a069aed1a chart: Add support for Gateway API HTTPRoute
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-10-24 14:43:05 +03:00
Stefan Prodan
bca20328fb Merge pull request #420 from stefanprodan/dependabot/github_actions/actions-6d9da201ab
Some checks failed
cve-scan / govulncheck (push) Failing after 20s
e2e / kind-helm (push) Failing after 21s
e2e / kind-timoni (push) Failing after 11s
test / test (push) Failing after 22s
build(deps): bump fluxcd/flux2 from 2.6.4 to 2.7.0 in the actions group
2025-10-16 00:30:49 +03:00
dependabot[bot]
d81ac93a8a build(deps): bump fluxcd/flux2 from 2.6.4 to 2.7.0 in the actions group
Bumps the actions group with 1 update: [fluxcd/flux2](https://github.com/fluxcd/flux2).


Updates `fluxcd/flux2` from 2.6.4 to 2.7.0
- [Release notes](https://github.com/fluxcd/flux2/releases)
- [Changelog](https://github.com/fluxcd/flux2/blob/main/.goreleaser.yml)
- [Commits](https://github.com/fluxcd/flux2/compare/v2.6.4...v2.7.0)

---
updated-dependencies:
- dependency-name: fluxcd/flux2
  dependency-version: 2.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-15 21:23:11 +00:00
Stefan Prodan
71fc0d8096 Merge pull request #423 from stefanprodan/chart-updates
chart: Update redis image and allow pull secrets
2025-10-16 00:21:25 +03:00
Stefan Prodan
81654006ee chart: Update redis image and allow pull secrets
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-10-16 00:17:07 +03:00
Stefan Prodan
c74b0d4ccb Merge pull request #422 from stefanprodan/update-deps-chart
Update Go dependencies
2025-10-16 00:16:57 +03:00
Stefan Prodan
e335313b04 Update Go dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-10-16 00:06:37 +03:00
Stefan Prodan
ca375ee533 Merge pull request #421 from sicko583/enable-imagepullsecrets-for-deployments
enable imagepullsecrets for better image pull
2025-10-15 23:55:46 +03:00
lincheng.zhong
d8e8054876 enable imagepullsecrets for better image pull
2025-10-15 20:09:50 +08:00
Stefan Prodan
e86405a867 Merge pull request #417 from stefanprodan/release-6.9.2
Some checks failed
test / test (push) Failing after 26s
cve-scan / govulncheck (push) Failing after 38s
e2e / kind-helm (push) Failing after 25s
e2e / kind-timoni (push) Failing after 17s
Release 6.9.2
2025-09-10 23:09:01 +03:00
Stefan Prodan
a51de59edb Release 6.9.2
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-09-10 23:06:10 +03:00
Stefan Prodan
1ff6fff334 Merge pull request #416 from stefanprodan/go-1.25
Build with Go 1.25
2025-09-10 23:04:21 +03:00
Stefan Prodan
98e8cd39d4 Build with Go 1.25
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-09-10 22:51:09 +03:00
Stefan Prodan
65b9e92db3 Merge pull request #414 from stefanprodan/dependabot/github_actions/actions-b5ac1ad0b0
build(deps): bump the actions group across 1 directory with 3 updates
2025-09-10 22:45:04 +03:00
dependabot[bot]
c6536c75ce build(deps): bump the actions group across 1 directory with 3 updates
Bumps the actions group with 3 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [stefanprodan/timoni](https://github.com/stefanprodan/timoni) and [actions/setup-go](https://github.com/actions/setup-go).


Updates `actions/checkout` from 4 to 5
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

Updates `stefanprodan/timoni` from 0.25.1 to 0.25.2
- [Release notes](https://github.com/stefanprodan/timoni/releases)
- [Changelog](https://github.com/stefanprodan/timoni/blob/main/.goreleaser.yml)
- [Commits](https://github.com/stefanprodan/timoni/compare/v0.25.1...v0.25.2)

Updates `actions/setup-go` from 5 to 6
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: stefanprodan/timoni
  dependency-version: 0.25.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/setup-go
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-10 19:29:40 +00:00
Stefan Prodan
3c4910d1c7 Merge pull request #415 from stefanprodan/fix-chart-values-prod
chart: Fix values-prod standalone use-case
2025-09-10 22:27:03 +03:00
Stefan Prodan
c831679d1e chart: Fix values-prod standalone use-case
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-09-10 21:18:04 +03:00
Stefan Prodan
94a9f99f79 Merge pull request #412 from stefanprodan/dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0
Some checks failed
cve-scan / govulncheck (push) Successful in 12m34s
e2e / kind-helm (push) Failing after 1m38s
e2e / kind-timoni (push) Failing after 10s
test / test (push) Failing after 5m32s
build(deps): bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0
2025-08-22 12:27:47 +03:00
dependabot[bot]
86ac641693 build(deps): bump github.com/go-viper/mapstructure/v2
Bumps [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) from 2.3.0 to 2.4.0.
- [Release notes](https://github.com/go-viper/mapstructure/releases)
- [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-viper/mapstructure/compare/v2.3.0...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/go-viper/mapstructure/v2
  dependency-version: 2.4.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-21 15:28:33 +00:00
Stefan Prodan
cdd09cdd3d Merge pull request #408 from stefanprodan/release-6.9.1
Some checks failed
cve-scan / govulncheck (push) Successful in 13m6s
e2e / kind-helm (push) Failing after 1m46s
e2e / kind-timoni (push) Failing after 18s
test / test (push) Failing after 6m5s
Release 6.9.1
2025-07-12 14:07:13 +03:00
Stefan Prodan
0b8a7dace7 Release 6.9.1
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-07-12 14:03:55 +03:00
Stefan Prodan
e50f88a43d Merge pull request #404 from stefanprodan/dependabot/github_actions/actions-1b82273ac1
build(deps): bump fluxcd/flux2 from 2.6.1 to 2.6.4 in the actions group
2025-07-12 14:02:14 +03:00
dependabot[bot]
67e4628d95 build(deps): bump fluxcd/flux2 from 2.6.1 to 2.6.2 in the actions group
Bumps the actions group with 1 update: [fluxcd/flux2](https://github.com/fluxcd/flux2).


Updates `fluxcd/flux2` from 2.6.1 to 2.6.2
- [Release notes](https://github.com/fluxcd/flux2/releases)
- [Changelog](https://github.com/fluxcd/flux2/blob/main/.goreleaser.yml)
- [Commits](https://github.com/fluxcd/flux2/compare/v2.6.1...v2.6.2)

---
updated-dependencies:
- dependency-name: fluxcd/flux2
  dependency-version: 2.6.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-12 10:59:20 +00:00
Stefan Prodan
73f5e936c8 Merge pull request #407 from stefanprodan/deps-update
Update dependencies
2025-07-12 13:57:04 +03:00
Stefan Prodan
0e26c3b934 Update dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-07-12 13:39:00 +03:00
Stefan Prodan
dc39bd9a08 Update Alpine to 3.22
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-07-12 13:06:56 +03:00
Stefan Prodan
c23d57a4e9 Merge pull request #403 from stefanprodan/dependabot/github_actions/actions-45b07363df
Some checks failed
cve-scan / govulncheck (push) Successful in 12m38s
e2e / kind-helm (push) Failing after 1m36s
e2e / kind-timoni (push) Failing after 19s
test / test (push) Failing after 5m41s
build(deps): bump stefanprodan/timoni from 0.25.0 to 0.25.1 in the actions group
2025-06-16 09:41:56 +03:00
dependabot[bot]
85d22b2172 build(deps): bump stefanprodan/timoni in the actions group
Bumps the actions group with 1 update: [stefanprodan/timoni](https://github.com/stefanprodan/timoni).


Updates `stefanprodan/timoni` from 0.25.0 to 0.25.1
- [Release notes](https://github.com/stefanprodan/timoni/releases)
- [Changelog](https://github.com/stefanprodan/timoni/blob/main/.goreleaser.yml)
- [Commits](https://github.com/stefanprodan/timoni/compare/v0.25.0...v0.25.1)

---
updated-dependencies:
- dependency-name: stefanprodan/timoni
  dependency-version: 0.25.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-16 06:36:33 +00:00
Stefan Prodan
ff906f2242 Merge pull request #402 from benoittgt/prevent-warning
Some checks failed
cve-scan / govulncheck (push) Successful in 14m42s
e2e / kind-helm (push) Failing after 1m32s
e2e / kind-timoni (push) Failing after 11s
test / test (push) Failing after 5m52s
Prevent warning with `docker buildx build` command
2025-06-12 22:46:33 +03:00
Benoit Tigeot
2dbf735c46 Prevent warning with docker buildx build command
Without this patch
```
 1 warning found (use docker --debug to expand):
 - FromAsCasing: 'as' and 'FROM' keywords' casing do not match (line 1)
```
2025-06-12 21:22:51 +02:00
Stefan Prodan
1318243ec9 Merge pull request #400 from stefanprodan/dependabot/github_actions/actions-d190f23e0c
Some checks failed
cve-scan / govulncheck (push) Successful in 12m56s
e2e / kind-helm (push) Failing after 1m52s
e2e / kind-timoni (push) Failing after 19s
test / test (push) Failing after 5m44s
build(deps): bump the actions group with 2 updates
2025-06-02 10:55:18 +03:00
dependabot[bot]
12e7f14ff0 build(deps): bump the actions group with 2 updates
Bumps the actions group with 2 updates: [fluxcd/flux2](https://github.com/fluxcd/flux2) and [stefanprodan/timoni](https://github.com/stefanprodan/timoni).


Updates `fluxcd/flux2` from 2.5.1 to 2.6.1
- [Release notes](https://github.com/fluxcd/flux2/releases)
- [Changelog](https://github.com/fluxcd/flux2/blob/main/.goreleaser.yml)
- [Commits](https://github.com/fluxcd/flux2/compare/v2.5.1...v2.6.1)

Updates `stefanprodan/timoni` from 0.24.0 to 0.25.0
- [Release notes](https://github.com/stefanprodan/timoni/releases)
- [Changelog](https://github.com/stefanprodan/timoni/blob/main/.goreleaser.yml)
- [Commits](https://github.com/stefanprodan/timoni/compare/v0.24.0...v0.25.0)

---
updated-dependencies:
- dependency-name: fluxcd/flux2
  dependency-version: 2.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: stefanprodan/timoni
  dependency-version: 0.25.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-02 07:47:48 +00:00
Stefan Prodan
fb3b01be30 Merge pull request #399 from stefanprodan/release-6.9.0
Some checks failed
cve-scan / govulncheck (push) Successful in 3m56s
e2e / kind-helm (push) Failing after 3m5s
e2e / kind-timoni (push) Failing after 10s
test / test (push) Failing after 1m17s
Release 6.9.0
2025-05-15 12:33:58 +03:00
Stefan Prodan
be955e76b0 Release 6.9.0
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-05-15 12:13:20 +03:00
Stefan Prodan
3e79d79447 Merge pull request #398 from stefanprodan/govulncheck
Run CVE scan with govulncheck
2025-05-15 11:25:02 +03:00
Stefan Prodan
cd555cf439 Run CVE scan with govulncheck
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-05-15 09:35:42 +03:00
Stefan Prodan
2927336ecd Merge pull request #397 from stefanprodan/dependabot/github_actions/actions-7f661cc7ed
build(deps): bump the actions group with 6 updates
2025-05-15 09:25:47 +03:00
dependabot[bot]
8f5425b6d5 build(deps): bump the actions group with 6 updates
Bumps the actions group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `3` | `4` |
| [helm/kind-action](https://github.com/helm/kind-action) | `1.10.0` | `1.12.0` |
| [azure/setup-helm](https://github.com/azure/setup-helm) | `3` | `4` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `5` | `6` |
| [azure/setup-kubectl](https://github.com/azure/setup-kubectl) | `3` | `4` |
| [cue-lang/setup-cue](https://github.com/cue-lang/setup-cue) | `1.0.0` | `1.0.1` |


Updates `actions/checkout` from 3 to 4
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

Updates `helm/kind-action` from 1.10.0 to 1.12.0
- [Release notes](https://github.com/helm/kind-action/releases)
- [Commits](https://github.com/helm/kind-action/compare/v1.10.0...v1.12.0)

Updates `azure/setup-helm` from 3 to 4
- [Release notes](https://github.com/azure/setup-helm/releases)
- [Changelog](https://github.com/Azure/setup-helm/blob/main/CHANGELOG.md)
- [Commits](https://github.com/azure/setup-helm/compare/v3...v4)

Updates `docker/build-push-action` from 5 to 6
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v5...v6)

Updates `azure/setup-kubectl` from 3 to 4
- [Release notes](https://github.com/azure/setup-kubectl/releases)
- [Changelog](https://github.com/Azure/setup-kubectl/blob/main/CHANGELOG.md)
- [Commits](https://github.com/azure/setup-kubectl/compare/v3...v4)

Updates `cue-lang/setup-cue` from 1.0.0 to 1.0.1
- [Release notes](https://github.com/cue-lang/setup-cue/releases)
- [Commits](https://github.com/cue-lang/setup-cue/compare/v1.0.0...v1.0.1)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: helm/kind-action
  dependency-version: 1.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: azure/setup-helm
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/build-push-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: azure/setup-kubectl
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: cue-lang/setup-cue
  dependency-version: 1.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-14 22:36:04 +00:00
Stefan Prodan
1cd88028c7 Merge pull request #396 from stefanprodan/enable-dependabot
Some checks failed
cve-scan / trivy (push) Failing after 33s
e2e / kind-helm (push) Failing after 2m55s
e2e / kind-timoni (push) Failing after 15s
test / test (push) Failing after 1m21s
Enable dependabot
2025-05-15 01:34:30 +03:00
Stefan Prodan
ca101e6728 Enable dependabot
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-05-15 01:28:59 +03:00
Stefan Prodan
c8419e386a Merge pull request #395 from stefanprodan/update-deps
Update dependencies
2025-05-15 01:01:54 +03:00
Stefan Prodan
9356c1c0c4 Update dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-05-15 00:52:02 +03:00
Stefan Prodan
60b5e4c4fe Merge pull request #394 from mkilchhofer/feature/add_namespace_and_namespaceoverride
feat(helm): Add namespace field to all resources
2025-05-15 00:31:33 +03:00
Marco Maurer
322b71c1e5 feat(helm): Add namespace field to all resources
Signed-off-by: Marco Maurer <mkilchhofer@users.noreply.github.com>
2025-05-14 19:41:49 +02:00
Stefan Prodan
b3396adb98 Merge pull request #390 from stefanprodan/release-6.8.0
Some checks failed
cve-scan / trivy (push) Has been cancelled
e2e / kind-helm (push) Has been cancelled
e2e / kind-timoni (push) Has been cancelled
test / test (push) Has been cancelled
Release v6.8.0
2025-03-11 11:27:59 +02:00
Stefan Prodan
c6e70a7aa0 Release v6.8.0
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-03-11 11:23:55 +02:00
Stefan Prodan
6810566623 Merge pull request #389 from stefanprodan/go-1.24
Build with Go 1.24
2025-03-11 11:17:38 +02:00
Stefan Prodan
8efcd73510 Build with Go 1.24
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-03-11 11:13:59 +02:00
Stefan Prodan
eb81ed6ed2 Merge pull request #384 from stefanprodan/update-go-deps
Update dependencies
2025-03-11 11:08:46 +02:00
Stefan Prodan
916f1a298a Merge pull request #388 from hansbogert/master
feat(logging): add trace_id to http request debug logs
2025-03-11 11:03:16 +02:00
Hans van den Bogert
7cc399463c feat(logging): add trace_id to debug log line
... if exists in context
2025-03-10 21:48:25 +01:00
Stefan Prodan
78755636d0 Update dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-01-14 00:09:32 +02:00
Stefan Prodan
b99bf8c252 Merge pull request #382 from cthtrifork/feature/podSecurityContext
Some checks failed
cve-scan / trivy (push) Failing after 9m22s
e2e / kind-helm (push) Failing after 1m14s
e2e / kind-timoni (push) Failing after 13s
test / test (push) Failing after 5m29s
Added support for podSecurityContext in helm chart
2024-11-14 12:19:48 +02:00
Casper Thygesen
e7928cfbc7 update chart readme 2024-11-14 10:45:13 +01:00
Stefan Prodan
dc5d3d559e Merge pull request #381 from stefanprodan/dependabot/go_modules/github.com/golang-jwt/jwt/v4-4.5.1
build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1
2024-11-14 11:40:24 +02:00
Casper Thygesen
71f618320e Added support for podSecurityContext in helm chart 2024-11-13 20:36:29 +01:00
dependabot[bot]
c4e601b4cb build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1
Bumps [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt) from 4.5.0 to 4.5.1.
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md)
- [Commits](https://github.com/golang-jwt/jwt/compare/v4.5.0...v4.5.1)

---
updated-dependencies:
- dependency-name: github.com/golang-jwt/jwt/v4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-04 23:45:18 +00:00
Stefan Prodan
6b7aab8a10 Merge pull request #378 from stefanprodan/release-6.7.1
Some checks failed
cve-scan / trivy (push) Successful in 6m54s
e2e / kind-helm (push) Failing after 58s
e2e / kind-timoni (push) Failing after 6s
test / test (push) Failing after 5m15s
Release 6.7.1
2024-10-08 11:58:16 +03:00
Stefan Prodan
b7d3d71d8f Release 6.7.1
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-10-07 16:02:31 +03:00
Stefan Prodan
abcd272293 Merge pull request #377 from stefanprodan/go-1.23
Some checks failed
cve-scan / trivy (push) Successful in 9m22s
e2e / kind-helm (push) Failing after 2m38s
e2e / kind-timoni (push) Failing after 11s
test / test (push) Failing after 6m17s
Build with Go 1.23
2024-10-07 15:59:08 +03:00
Stefan Prodan
4af7854aa2 Bump Go to 1.23
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-10-07 15:56:05 +03:00
Stefan Prodan
fc1e4a48ed Build with Go 1.23
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-10-07 15:50:27 +03:00
Stefan Prodan
08238eada7 Merge pull request #375 from stefanprodan/dependabot/go_modules/google.golang.org/grpc-1.64.1
Some checks failed
e2e / kind-timoni (push) Failing after 4s
cve-scan / trivy (push) Successful in 1m27s
e2e / kind-helm (push) Failing after 3m8s
test / test (push) Failing after 5m38s
build(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1
2024-07-12 14:59:26 +03:00
dependabot[bot]
892a66ea93 build(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.64.0 to 1.64.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.64.0...v1.64.1)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-07-09 21:44:38 +00:00
Stefan Prodan
0b1481aa8e Merge pull request #374 from stefanprodan/release-6.7.0
Release v6.7.0
2024-06-23 21:28:13 +03:00
Stefan Prodan
ff32a1fc4b Release v6.7.0
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-06-23 21:25:38 +03:00
Stefan Prodan
3de84d2360 Merge pull request #373 from stefanprodan/up-go-deps
Update dependencies
2024-06-23 21:24:35 +03:00
Stefan Prodan
ba6f4ffd7c Update dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-06-23 21:21:39 +03:00
Stefan Prodan
6d4405a1ef Run tidy before testing
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-06-23 21:21:25 +03:00
Stefan Prodan
752950cb4f Merge pull request #369 from Prashant-Dwivedi-08-01/grpc_APIs
GRPC Apis for Corresponding HTTP APIs
2024-06-23 21:13:19 +03:00
Prashant Dwivedi
b10c3067c8 Removed the whitespaces
Signed-off-by: Prashant Dwivedi <prashantdwivedi194@gmail.com>
2024-06-23 22:47:58 +05:30
Prashant Dwivedi
85cd1c46d4 Removed unnecessary comments and whitespaces
Signed-off-by: Prashant Dwivedi <prashantdwivedi194@gmail.com>
2024-06-23 21:59:50 +05:30
Prashant Dwivedi
2687a13c75 Merge branch 'stefanprodan:master' into grpc_APIs 2024-06-23 20:46:38 +05:30
Stefan Prodan
5fb6597929 Merge pull request #372 from stefanprodan/set-cue-version
Set CUE version in Timoni module
2024-06-23 15:09:43 +03:00
Stefan Prodan
1fbdd9420f Set CUE version in Timoni module
Adapt module to cope with breaking changes in CUE v0.9

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-06-23 15:07:18 +03:00
Prashant Dwivedi
30cd3b27d7 Added description for all the gRPC APIs in README file
Signed-off-by: Prashant Dwivedi <prashantdwivedi194@gmail.com>
2024-06-23 11:13:01 +05:30
Stefan Prodan
1d7de0bb82 Merge pull request #370 from maxbrunet/fix/deploy/cache-server-url
fix(deploy): add protocol to Redis URL
2024-06-15 00:28:42 +03:00
Maxime Brunet
c52654c59e fix(deploy): add protocol to Redis URL 2024-06-14 12:10:17 -07:00
Prashant Dwivedi
1a6838a4a2 Merge branch 'master' of github.com:Prashant-Dwivedi-08-01/podinfo into grpc_APIs 2024-06-07 20:27:13 +05:30
Stefan Prodan
b0c487c6b2 Merge pull request #367 from stefanprodan/release-6.6.3
Release v6.6.3
2024-05-23 11:34:11 +03:00
Stefan Prodan
b28069ac51 Release v6.6.3
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-05-23 11:30:18 +03:00
Stefan Prodan
d8a136cf74 Merge pull request #366 from stefanprodan/up-deps-otel
Update opentelemetry dependencies
2024-05-23 11:28:58 +03:00
Stefan Prodan
614f74f6df Update opentelemetry dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-05-23 11:25:26 +03:00
Stefan Prodan
0c4f327390 Merge pull request #365 from stefanprodan/alpine-3.20
Update Alpine to 3.20
2024-05-23 11:22:24 +03:00
Stefan Prodan
d791dedb24 Update Alpine to 3.20
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-05-23 11:19:15 +03:00
Stefan Prodan
220d4e909c Merge pull request #364 from rodrigorfk/fix-ws-panic
fix: panic when the WebSocket endpoint is under load
2024-05-23 11:17:11 +03:00
Rodrigo Fior Kuntzer
eba7fe186e fix: panic when the WebSocket endpoint is under load 2024-05-23 10:01:01 +02:00
Prashant Dwivedi
9108833214 Added the token Validate api and updated the test for it 2024-05-09 12:56:54 +05:30
Prashant Dwivedi
386ceb09be Added the grpc APIs for the remaining HTTP apis 2024-05-08 00:25:37 +05:30
Stefan Prodan
f350624047 Merge pull request #356 from needsure/master
chore: fix some typos in comments
2024-04-28 14:07:49 +03:00
Stefan Prodan
37ba3e854f Merge pull request #361 from stefanprodan/dependabot/go_modules/golang.org/x/net-0.23.0
build(deps): bump golang.org/x/net from 0.22.0 to 0.23.0
2024-04-19 17:17:36 +03:00
dependabot[bot]
70335812c6 build(deps): bump golang.org/x/net from 0.22.0 to 0.23.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.22.0 to 0.23.0.
- [Commits](https://github.com/golang/net/compare/v0.22.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-19 13:23:50 +00:00
Stefan Prodan
8d010c498e Merge pull request #357 from stefanprodan/release-6.6.2
Release v6.6.2
2024-04-10 14:04:54 +03:00
Stefan Prodan
8b3079a417 Release v6.6.2
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-04-10 14:01:43 +03:00
needsure
37fa020bcd chore: fix some typos in comments
Signed-off-by: needsure <qinzhipeng@outlook.com>
2024-04-09 16:45:31 +08:00
Stefan Prodan
d879d0f4fb Merge pull request #336 from michaelkebe/remove-localhost
Removed reference to localhost from swagger
2024-04-09 10:14:32 +03:00
Michael Kebe
16191504d1 Removed reference to localhost from swagger
Now it is possible to use the swagger webinterface
running on a host other than localhost e.g. in docker
or kubernetes.

Removed the @host line from pkg/api/server.go and
ran make swagger.

Fixes probably #179
2024-04-09 08:54:38 +02:00
Stefan Prodan
d042732a44 Merge pull request #353 from stefanprodan/release-6.6.1
Release v6.6.1
2024-03-27 15:56:20 +02:00
Stefan Prodan
649864583b Release v6.6.1
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-03-27 15:36:51 +02:00
Stefan Prodan
c07eb64558 Merge pull request #352 from stefanprodan/go-1.22
Update dependencies to Go 1.22
2024-03-26 14:23:19 +02:00
Stefan Prodan
44942884c3 Update dependencies to Go 1.22
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-03-26 14:19:26 +02:00
Stefan Prodan
d562a2a82a Merge pull request #344 from toyamagu-2021/feat-allow-input-config-and-extraArgs
feat(chart): allow input config and extraArgs
2024-03-26 09:00:43 +02:00
toyamagu2021
d7c1bf015c feat(chart): allow input config and extraArgs
Signed-off-by: toyamagu2021 <toyamagu2021@gmail.com>
2024-03-26 09:28:44 +09:00
Stefan Prodan
cdec0786ef Merge pull request #347 from eltociear/patch-1
Update README.md
2024-03-25 10:14:24 +02:00
Stefan Prodan
e6d611e1e2 Merge pull request #349 from mustafakarci/feature/extraEnv
feature(chart): allow extraEnvs to be parst
2024-03-25 10:14:01 +02:00
Mustafa Karci
36bea810ef feature(chart): allow extraEnvs to be parst 2024-03-20 12:28:40 +01:00
Stefan Prodan
50047dab3a Merge pull request #348 from stefanprodan/dependabot/go_modules/google.golang.org/protobuf-1.33.0
build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0
2024-03-14 10:36:40 +02:00
dependabot[bot]
2b936e6700 build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0
Bumps google.golang.org/protobuf from 1.31.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-13 23:03:41 +00:00
Ikko Eltociear Ashimine
55e4e51eba Update README.md
Github -> GitHub
2024-03-06 00:27:17 +09:00
Stefan Prodan
47090ad9e1 Merge pull request #331 from the-technat/master
feat(helm): add topologySpreadConstraints and PDB
2024-02-28 08:58:04 +00:00
Nathanael Liechti
6a0bbda8a5 feat(helm): add topologySpreadConstraints and PDB 2024-02-26 20:54:29 +00:00
Stefan Prodan
357009a863 Sign only GHCR artifacts with Notation
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-02-26 14:00:22 +02:00
Stefan Prodan
0f98770296 Split signature actions
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-02-26 13:27:46 +02:00
Stefan Prodan
f9032836a6 Merge pull request #343 from stefanprodan/release-6.6.0
Release v6.6.0
2024-02-26 12:17:54 +02:00
Stefan Prodan
5368c3fe10 Release v6.6.0
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-02-26 12:15:05 +02:00
Stefan Prodan
b1207aa9b1 Merge pull request #341 from JasonTheDeveloper/feat/notation
feat(notation): sign artifacts using notation
2024-02-26 11:58:49 +02:00
Jason
c7f9b521fa ci(notation): install 1.1.0
Signed-off-by: Jason <jagoodse@microsoft.com>
2024-02-26 20:40:03 +11:00
Stefan Prodan
24405a5a5d Setup notation signing keys
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2024-02-25 12:12:22 +02:00
Stefan Prodan
5195b158fc Merge pull request #334 from michaelkebe/patch-1
Fixes /store endpoint with the kustomize deployment
2024-02-25 11:31:44 +02:00
Stefan Prodan
532db405f8 Merge pull request #322 from JayKaku/feature/grpc-version-echo-apis
Implement gRPC for `echo` and `version` APIs
2024-02-25 11:30:59 +02:00
JayKaku
2251bee699 Fixed parsing logger in echo_test.go service registration 2024-02-24 23:44:12 +05:30
JayKaku
8535efccb7 Implemented zap logger in place of log | grpc echo 2024-02-24 23:44:12 +05:30
JayKaku
e008d1f261 Added config, logger for grpc echo api 2024-02-24 23:44:12 +05:30
Jay Kaku
22097353d2 Feature grpc version echo api (#3)
added grpc version and echo apis

---------

Co-authored-by: Prashant Dwivedi <prashantdwivedi194@gmail.com>
2024-02-24 23:44:12 +05:30
JayKaku
c305843105 restructured api to api/http, api/grpc, pkg http 2024-02-24 23:44:12 +05:30
Jason
0d2c428859 refactor(trustpolicy): jasonthedeveloper -> stefanprodan 2024-02-09 10:59:44 +11:00
Jason
ecaa7cf4d3 ci(release): trigger on tag push 2024-02-09 10:47:11 +11:00
Jason
8447b6985b ci(notation): remove release workflow 2024-02-09 10:42:51 +11:00
Jason
9371d6d153 ci(release): sign artefacts using notation 2024-02-09 10:41:19 +11:00
Jason
20b8c1043c Merge branch 'master' into feat/notation 2024-02-09 10:14:38 +11:00
Michael Kebe
2d80c7a22d added /data to kustomize deployment
Added an emptyDir to the kustomize deployment, otherwise the /store endpoint does not work for storing files.
2024-01-10 09:44:12 +01:00
Stefan Prodan
dc830d02a6 Enable GitHub Sponsors 2023-12-30 22:18:54 +02:00
Stefan Prodan
badf3271a1 Merge pull request #332 from arunsathiya/master
ci: Use `GITHUB_OUTPUT` instead of set-output
2023-12-29 00:11:06 +02:00
Arun
9f9c2f3245 Use GITHUB_OUTPUT envvar instead of set-output command as the latter is deprecated 2023-12-28 13:21:55 -08:00
Stefan Prodan
33dac1ba40 Merge pull request #329 from stefanprodan/release-6.5.4
Release 6.5.4
2023-12-17 16:44:12 +02:00
Stefan Prodan
1cf8b8aeef Release 6.5.4
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-12-17 16:36:33 +02:00
Stefan Prodan
22fb1c3d34 Merge pull request #328 from stefanprodan/timoni-schemas-update
Update Timoni CUE schemas
2023-12-17 16:34:38 +02:00
Stefan Prodan
adf8157da6 Update Timoni CUE schemas
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-12-17 15:53:22 +02:00
Stefan Prodan
03f8ad0251 Merge pull request #327 from stefanprodan/up-deps
Update Go dependencies
2023-12-17 15:18:23 +02:00
Stefan Prodan
101e371e96 Update Go dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-12-17 15:14:43 +02:00
Stefan Prodan
53c9f3ad9b Merge pull request #326 from stefanprodan/alpine-3.19
Update Alpine to 3.19
2023-12-17 15:10:30 +02:00
Stefan Prodan
a69f0282fd Update Alpine to 3.19
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-12-17 15:07:34 +02:00
Jason
174d183056 refactor(rename): policy.json -> trustpolicy.json 2023-12-14 16:16:12 +11:00
Jason
7bb64e7567 fix(trustpolicy): small typo in registryScopes 2023-12-08 17:30:47 +11:00
Jason
49a4b31d53 feat(notation): update registry scopes 2023-12-07 18:06:52 +11:00
Jason
c29e013a33 feat(notation): add trust store policy 2023-12-07 16:57:04 +11:00
Jason
45ecda63bb ci(release): don't trigger on tag push 2023-12-07 16:26:01 +11:00
Jason
4868f430c7 ci(release): trigger on tag 2023-12-07 16:15:17 +11:00
Jason
ca9c6bb4f8 ci(release): sign artefacts using notation 2023-12-07 16:06:40 +11:00
Jason
86f3b1a57c ci(release): create notation config folder 2023-12-07 15:52:29 +11:00
Jason
b22dd96a54 feat(notation): add signingkey.json config 2023-12-07 15:51:22 +11:00
Jason
5aaf95849e ci(release): setup signing keys for notation 2023-12-07 15:50:30 +11:00
Jason
e197eca420 ci(release): add notation release workflow 2023-12-07 15:46:22 +11:00
Stefan Prodan
73fcdbe4a6 Merge pull request #320 from duxinxiao/patch-1
Add comment on sleep during graceful shutdown
2023-11-15 13:32:44 +02:00
du
074d0f9ff2 add comment on sleep during graceful shutdown 2023-11-15 18:47:52 +08:00
Stefan Prodan
d9bc6301e9 Merge pull request #316 from stefanprodan/release-6.5.3
Release 6.5.3
2023-10-30 14:38:28 +02:00
Stefan Prodan
a0e323e331 Release 6.5.3
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-10-30 14:27:41 +02:00
Stefan Prodan
1ee349fa17 Merge pull request #315 from stefanprodan/timoni-tests
timoni: Add connectivity test to module
2023-10-30 14:25:12 +02:00
Stefan Prodan
0f526c3cd4 timoni: Run module tests in CI
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-10-30 14:11:41 +02:00
Stefan Prodan
021c55fed9 timoni: Add connectivity test to module
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-10-30 14:10:25 +02:00
Stefan Prodan
bb2408d17d Merge pull request #314 from stefanprodan/timoni-vet-module
timoni: Add debug values and vet module in CI
2023-10-30 12:56:48 +02:00
Stefan Prodan
5eb3cafd6a timoni: Vet module in CI
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-10-30 12:51:28 +02:00
Stefan Prodan
df0f8ba885 timoni: Add debug values
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-10-30 12:51:03 +02:00
Stefan Prodan
19a59d96f1 timoni: Update module schemas
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-10-30 12:41:21 +02:00
Stefan Prodan
401461595a Merge pull request #313 from stefanprodan/docs-cosign-verify
docs: Verify podinfo release assets with cosign
2023-10-30 12:32:21 +02:00
Stefan Prodan
bd77584ade docs: Verify podinfo release assets with cosign
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-10-30 12:28:21 +02:00
Stefan Prodan
87e0dbaa7e Merge pull request #312 from stefanprodan/dependabot/go_modules/google.golang.org/grpc-1.58.3
Bump google.golang.org/grpc from 1.58.2 to 1.58.3
2023-10-26 00:38:00 +03:00
dependabot[bot]
c5494104a1 Bump google.golang.org/grpc from 1.58.2 to 1.58.3
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.58.2 to 1.58.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.58.2...v1.58.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-25 21:27:33 +00:00
Stefan Prodan
74c60a927c Merge pull request #310 from stefanprodan/release-6.5.2
Release 6.5.2
2023-10-12 12:18:47 +03:00
Stefan Prodan
ecdf07c4d5 Release 6.5.2
Fix for CVE-2023-39325 and CVE-2023-38545

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-10-12 12:11:37 +03:00
Stefan Prodan
ff29c549ff Merge pull request #309 from stefanprodan/dependabot/go_modules/golang.org/x/net-0.17.0
Bump golang.org/x/net from 0.15.0 to 0.17.0
2023-10-12 09:24:03 +03:00
dependabot[bot]
fa75fc0520 Bump golang.org/x/net from 0.15.0 to 0.17.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.15.0 to 0.17.0.
- [Commits](https://github.com/golang/net/compare/v0.15.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-11 23:14:03 +00:00
Stefan Prodan
0bc496456d Merge pull request #307 from stefanprodan/release-6.5.1
Release 6.5.1
2023-10-02 21:04:32 +03:00
Stefan Prodan
398c543171 Release 6.5.1
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-10-02 20:58:27 +03:00
Stefan Prodan
a54dc2a9c7 Merge pull request #306 from stefanprodan/update-otel-deps
Update Go dependencies
2023-10-02 20:57:13 +03:00
Stefan Prodan
bfa42afa1f Bump Go to 1.21
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-10-02 20:46:06 +03:00
Stefan Prodan
590987704e Update open telemetry packages
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-10-02 20:45:20 +03:00
Stefan Prodan
d561182076 Merge pull request #305 from stefanprodan/timoni-v0.14
Update module to Timoni v0.14 APIs
2023-10-02 20:41:06 +03:00
Stefan Prodan
72bd6faf35 Update module to Timoni v0.14 APIs
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-10-02 20:36:58 +03:00
Stefan Prodan
2cbe0fcdff Merge pull request #304 from stefanprodan/release-6.5.0
Release v6.5.0
2023-09-23 12:35:00 +03:00
Stefan Prodan
87e594b109 Release 6.5.0
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-09-23 12:29:59 +03:00
Stefan Prodan
7ec9e6c84a Merge pull request #303 from stefanprodan/publish-timoni-module
Publish signed Timoni module to GHCR
2023-09-23 12:22:06 +03:00
Stefan Prodan
8183d0d5fc Publish signed Timoni module to GHCR
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-09-23 12:16:48 +03:00
Stefan Prodan
aa27416651 Merge pull request #302 from stefanprodan/module-imps
Timoni module improvements
2023-09-23 11:35:47 +03:00
Stefan Prodan
b0594a85b9 Add e2e tests for Timoni module
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-09-23 11:29:47 +03:00
Stefan Prodan
e816d1b5bc Add UI configuration
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-09-23 10:04:56 +03:00
Stefan Prodan
6316e213d1 Improve monitoring config
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-09-23 09:25:25 +03:00
Stefan Prodan
a1b112f4e1 Mark vendored code
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-09-23 00:43:20 +03:00
Stefan Prodan
1495fd888e Merge pull request #301 from stefanprodan/timoni-module
Add Timoni module
2023-09-23 00:37:48 +03:00
Stefan Prodan
dfc4a6d37e Add Timoni module
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-09-23 00:33:36 +03:00
Stefan Prodan
aaa47e535f Merge pull request #300 from stefanprodan/up-deps
Update dependencies
2023-09-22 23:29:36 +03:00
Stefan Prodan
0278e11a05 Update dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-09-22 23:24:32 +03:00
Stefan Prodan
12ceae475f Merge pull request #284 from johankok/add-additional-labels-to-ingress
Added additionalLabels option for ingress in helm chart
2023-09-22 23:13:11 +03:00
Stefan Prodan
4892983fd1 Merge pull request #290 from stefanprodan/release-6.4.1
Release v6.4.1
2023-08-10 15:25:19 +03:00
Stefan Prodan
bcf492e92b Release v6.4.1
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-08-10 15:10:01 +03:00
Stefan Prodan
a54550e439 Merge pull request #289 from stefanprodan/go-1.21
Build with Go 1.21
2023-08-10 15:08:37 +03:00
Stefan Prodan
29dd482f49 Build with Go 1.21
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-08-10 15:04:03 +03:00
Stefan Prodan
3a7d4d1544 Merge pull request #285 from stefanprodan/up-deps
Update dependencies
2023-08-10 14:59:18 +03:00
Stefan Prodan
c14b116dea Update dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-08-07 16:20:42 +03:00
Johan Kok
12c078938d Added additionalLabels option for ingress 2023-07-17 17:50:42 +02:00
Stefan Prodan
dd3869b1a1 Merge pull request #274 from stefanprodan/alpine-3.18
Update base image to Alpine 3.18
2023-06-26 13:02:18 +03:00
Stefan Prodan
45cfe3abc2 Update base image to Alpine 3.18
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-06-26 12:57:54 +03:00
Stefan Prodan
fcf573111b Merge pull request #273 from stefanprodan/release-6.4.0
Release 6.4.0
2023-06-26 12:55:42 +03:00
Stefan Prodan
cadabcc6a5 Release 6.4.0
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-06-26 12:50:40 +03:00
Stefan Prodan
9dfb676083 Sign release tags with OpenPGP
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-06-26 12:49:33 +03:00
Stefan Prodan
e06a5517da Merge pull request #272 from stefanprodan/deps-up
Update dependencies
2023-06-22 18:51:41 +03:00
Stefan Prodan
fedab0de38 Update dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-06-22 18:36:47 +03:00
Stefan Prodan
7d13025a35 Merge pull request #271 from jjchambl/feature/add_dynamic_paths
feat(echo): add dynamic path support for echo endpoint
2023-06-22 18:30:00 +03:00
Jacob Chambliss
7280e43cbf chore: add pathprefix to enable dynamic paths for echo 2023-06-08 10:14:21 -05:00
Jacob Chambliss
3ef0b4cd09 feat: add dynamic path support for echo endpoint 2023-06-07 16:55:25 -05:00
Stefan Prodan
073f1ec5af Merge pull request #265 from stefanprodan/release-6.3.6
Release 6.3.6
2023-05-03 17:26:29 +03:00
Stefan Prodan
1e0307c759 Release 6.3.6
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-05-03 17:22:28 +03:00
Stefan Prodan
d4d75c2fbf Merge pull request #264 from stefanprodan/update-otel
Update dependencies
2023-05-03 17:10:32 +03:00
Stefan Prodan
2a6533c68a Update dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-05-03 17:00:48 +03:00
Stefan Prodan
0647aea75b Merge pull request #263 from mstiri/feature/add-startup-probe
chart: Add optional startupProbe values
2023-04-22 14:37:35 +02:00
Mossaab Stiri
8c258bb1d8 Add startupProbe for deployment and use a flag to enable/disable it 2023-04-18 13:20:47 +02:00
Stefan Prodan
58726f0bd2 Merge pull request #262 from stefanprodan/update-deps
Update dependencies
2023-04-06 11:21:52 +03:00
Stefan Prodan
bc08542ed3 Generate CUE go.mod in CI
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-04-06 11:18:03 +03:00
Stefan Prodan
bbce3f3f67 Update dependencies
- github.com/spf13/cobra v1.7.0
- github.com/swaggo/http-swagger v1.3.4
- github.com/swaggo/swag v1.8.12
- google.golang.org/grpc v1.54.0

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-04-06 10:35:43 +03:00
Stefan Prodan
67e2c98a60 Merge pull request #260 from stefanprodan/cosign-update
Update sigstore/cosign-installer to v3
2023-03-09 11:07:16 +02:00
Stefan Prodan
938b00be6d Update sigstore/cosign-installer to v3
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-03-09 11:01:32 +02:00
Stefan Prodan
e6c7657155 Merge pull request #259 from stefanprodan/release-6.3.5
Release 6.3.5
2023-03-09 10:47:40 +02:00
Stefan Prodan
d75e8d7838 Release 6.3.5
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-03-09 10:42:52 +02:00
Stefan Prodan
74d6532429 Merge pull request #258 from stefanprodan/otel-updates
Update open telemetry dependencies
2023-03-09 10:41:49 +02:00
Stefan Prodan
8187f79475 Update open telemetry dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-03-09 10:37:39 +02:00
Stefan Prodan
2b6f4f0a7d Merge pull request #257 from hiddeco/update-autoscaling-apis
Update `autoscaling/v2beta2` to `autoscaling/v2`
2023-03-09 10:30:04 +02:00
Hidde Beydals
3a4a99697b Update autoscaling/v2beta2 to autoscaling/v2
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-03-09 09:23:00 +01:00
Stefan Prodan
1abc44f0d8 Merge pull request #254 from stefanprodan/release-6.3.4
Release v6.3.4
2023-02-21 10:49:33 +02:00
Stefan Prodan
3d798af827 Release v6.3.4
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-02-21 10:44:37 +02:00
Stefan Prodan
f8f8073946 Merge pull request #253 from stefanprodan/update-deps-xnet
Update dependencies
2023-02-21 10:41:42 +02:00
Stefan Prodan
c8c7a6d1bb Update dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-02-21 10:37:19 +02:00
Stefan Prodan
eac008b339 Merge pull request #249 from exfly/be-fix-stress-typo
Fix beginStressTest memory log typo
2023-02-05 13:45:00 +02:00
exfly
d2227a4204 Fix beginStressTest memory log typo 2023-02-05 13:03:04 +08:00
Stefan Prodan
ae3fe3da98 Merge pull request #247 from stefanprodan/release-6.3.3
Release v6.3.3
2023-02-03 13:08:33 +02:00
Stefan Prodan
42fdaf8e7a Release v6.3.3
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-02-03 13:01:30 +02:00
Stefan Prodan
3e2d907993 Merge pull request #246 from stefanprodan/go-1.20
build: Update Go to 1.20
2023-02-03 12:57:39 +02:00
Stefan Prodan
21136b6405 build: Update Go to 1.20
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-02-03 12:45:46 +02:00
Stefan Prodan
e8c388a3fd Merge pull request #245 from stefanprodan/release-6.3.2
Release v6.3.3
2023-02-03 12:28:34 +02:00
Stefan Prodan
abc38e1bff Release v6.3.3
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-02-03 12:25:11 +02:00
Stefan Prodan
bf4a3140fe Merge pull request #244 from stefanprodan/slsa-sbom
build: Enable SBOM and SLSA Provenance
2023-02-03 12:23:00 +02:00
Stefan Prodan
de2dd687cb build: Enable SBOM and SLSA Provenance
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-02-03 12:19:26 +02:00
Stefan Prodan
f7a9563986 Merge pull request #243 from stefanprodan/release-6.3.1
Release v6.3.1
2023-02-03 11:52:05 +02:00
Stefan Prodan
a699fffe7b Release v6.3.1
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-02-03 11:47:55 +02:00
Stefan Prodan
24e5de8934 Merge pull request #242 from stefanprodan/golang-jwt
Update dependencies
2023-02-03 11:46:53 +02:00
Stefan Prodan
298c1ae941 Update dependencies
- Replace `dgrijalva/jwt-go` with `golang-jwt/jwt`
- Replace `ioutil` with `io` and `os`

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-02-03 11:42:17 +02:00
Stefan Prodan
fdd0a0b7da Merge pull request #240 from stefanprodan/kubeconform
Validate manifests with kubeconform
2022-12-23 13:28:18 +02:00
Stefan Prodan
8bab17843c Validate manifests with kubeconform
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-12-23 13:23:24 +02:00
Stefan Prodan
34c5ab57b6 Merge pull request #239 from stefanprodan/cue-hpa-v2
Update HPA to v2 in CUE definitions
2022-12-23 12:30:23 +02:00
Stefan Prodan
0f9c989b68 Update HPA to v2 in CUE definitions
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-12-23 12:18:50 +02:00
Stefan Prodan
e2e85a9604 Merge pull request #238 from stefanprodan/release-v6.3.0
Release v6.3.0
2022-12-21 12:58:20 +02:00
Stefan Prodan
b687d3c76f Update Alpine to v3.17
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-12-21 12:53:43 +02:00
Stefan Prodan
dbbb415194 Release v6.3.0
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-12-21 12:50:25 +02:00
Stefan Prodan
1a89d81ebb Merge pull request #237 from stefanprodan/hpa-v2
Update HPA to autoscaling/v2
2022-12-21 12:43:55 +02:00
Stefan Prodan
b39526ebe8 Set Kubernetes 1.23.0 as the minimum required version
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-12-21 12:33:47 +02:00
Stefan Prodan
607303dca9 Update HPA to autoscaling/v2
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-12-21 12:07:31 +02:00
Stefan Prodan
3053e634f9 Merge pull request #236 from stefanprodan/update-workflows
Update GitHub workflows
2022-12-21 12:00:59 +02:00
Stefan Prodan
4f1e56ae83 Update GitHub workflows
- replace `engineerd/setup-kind` with `helm/kind-action`
- use  `azure/setup-helm` to install the Helm CLI

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-12-21 11:55:36 +02:00
Stefan Prodan
f0590a03e0 Merge pull request #235 from stefanprodan/update-x/net
Update dependencies
2022-12-21 11:23:32 +02:00
Stefan Prodan
aa815625d9 Update dependencies
Fix for golang.org/x/net CVEs

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-12-21 11:18:30 +02:00
Stefan Prodan
8615cb75d9 Merge pull request #233 from stefanprodan/release-6.2.3
Release v6.2.3
2022-11-09 13:17:16 +02:00
Stefan Prodan
b23ebb15cb Release v6.2.3
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-11-09 13:12:30 +02:00
Stefan Prodan
dcb5b13023 Merge pull request #232 from stefanprodan/deps-update
Update dependencies
2022-11-09 13:10:23 +02:00
Stefan Prodan
71869089fa Update dependencies
- github.com/prometheus/client_golang v1.14.0
- github.com/spf13/cobra v1.6.1
- github.com/spf13/viper v1.14.0
- go.opentelemetry.io/contrib/propagators/ot v1.11.1
- golang.org/x/net v0.2.0

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-11-09 12:59:22 +02:00
Stefan Prodan
1cf228c67b Merge pull request #228 from stefanprodan/release-6.2.2
Release 6.2.2
2022-10-20 12:25:15 +03:00
Stefan Prodan
b6e81a931b Release 6.2.2
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-10-20 12:12:44 +03:00
Stefan Prodan
744597a481 Merge pull request #227 from stefanprodan/deps-up
Update dependencies
2022-10-20 12:05:40 +03:00
Stefan Prodan
389c86ee93 Update dependencies
Fix CVE-2022-32149 of `golang.org/x/text`

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-10-20 12:00:33 +03:00
Stefan Prodan
34db5fa463 Merge pull request #226 from cv65kr/feat/graceful-shutdown
Enable graceful shutdown for gRPC server
2022-10-20 11:48:43 +03:00
Kajetan
0d62402ae9 Graceful shutdown 2022-10-18 17:31:51 +02:00
Stefan Prodan
e40d32ba87 Merge pull request #224 from jkremser/helm-probes
Add a way to customize liveness and readiness probes in helm chart
2022-10-06 15:17:54 +02:00
Jirka Kremser
3879b59f43 Add a way to customize liveness and readiness probes in helm chart
Signed-off-by: Jirka Kremser <jiri.kremser@gmail.com>
2022-10-03 17:36:14 +02:00
Stefan Prodan
44157ecd84 Merge pull request #222 from stefanprodan/release-6.2.1
Release 6.2.1
2022-09-29 12:54:45 +03:00
Stefan Prodan
bfa8d8032f Release 6.2.1
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-09-29 12:49:43 +03:00
Stefan Prodan
b1251214f6 Merge pull request #221 from stefanprodan/update-golang.org/x/net
Update dependencies
2022-09-29 12:41:38 +03:00
Stefan Prodan
f1168c4946 Update dependencies
Fix for golang.org/x/net CVE-2022-27664

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-09-29 12:36:35 +03:00
Stefan Prodan
013343a232 Merge pull request #220 from stefanprodan/go1.19
Build with Go 1.19
2022-09-29 12:31:39 +03:00
Stefan Prodan
d460863f3b Merge pull request #217 from Boojapho/imagepullsecret
feat(helm): added imagepullsecrets
2022-09-29 12:31:26 +03:00
Stefan Prodan
25a1e26159 Build with Go 1.19
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-09-29 12:24:20 +03:00
Stefan Prodan
b39afea117 Merge pull request #219 from stefanprodan/build-revision
ci: Add revision to Docker build args
2022-09-29 12:23:27 +03:00
Stefan Prodan
6d11ef9baf ci: Add revision to Docker build args
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-09-29 12:18:53 +03:00
Michael McLeroy
baf128d856 feat(helm): added imagepullsecrets 2022-09-13 15:55:16 -04:00
Stefan Prodan
79f8138328 Merge pull request #215 from stefanprodan/fix-flux-oci
Fix Flux tagging action
2022-08-15 15:48:06 +03:00
Stefan Prodan
ceed4e7870 Fix Flux tagging action
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-08-15 15:43:33 +03:00
Stefan Prodan
bfce2199e8 Merge pull request #214 from stefanprodan/release-6.2.0
Release 6.2.0
2022-08-15 15:36:39 +03:00
Stefan Prodan
d55bb8eabd Release 6.2.0
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-08-15 15:29:44 +03:00
Stefan Prodan
5fb056ebcb Merge pull request #213 from stefanprodan/update-actions
Update GitHub Actions workflows
2022-08-15 15:28:53 +03:00
Stefan Prodan
35b9c9f946 Update GitHub Actions workflows
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-08-15 15:22:02 +03:00
Stefan Prodan
74e0aeeff7 Merge pull request #212 from stefanprodan/update-deps
Update dependencies
2022-08-15 15:10:54 +03:00
Stefan Prodan
bbb081b0e1 Update dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-08-15 15:06:41 +03:00
Stefan Prodan
c16318bb85 Merge pull request #211 from stefanprodan/flux-oci
Publish OCI artifacts on release with Flux
2022-08-15 15:01:51 +03:00
Stefan Prodan
86d5fe86e4 Publish OCI artifacts on release with Flux
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-08-15 14:56:50 +03:00
Stefan Prodan
b3b00fe354 Merge pull request #209 from stefanprodan/release-6.1.8
Release 6.1.8
2022-07-28 13:13:30 +03:00
Stefan Prodan
a7bcfaf9b3 Release 6.1.8
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-07-28 13:06:55 +03:00
Stefan Prodan
1d4c534728 Merge pull request #208 from stefanprodan/update-go-yaml
Update gopkg.in/yaml.v3 to v3.0.1
2022-07-28 13:05:52 +03:00
Stefan Prodan
f2e0aa154d Update gopkg.in/yaml.v3 to v3.0.1
Fix CVE-2022-28948

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-07-28 12:59:12 +03:00
Stefan Prodan
6d5b3d254a Merge pull request #207 from stefanprodan/release-6.1.7
Release 6.1.7
2022-07-27 19:19:21 +03:00
Stefan Prodan
9b9f11da95 Release 6.1.7
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-07-27 19:11:48 +03:00
Stefan Prodan
1a55e30bcf Merge pull request #206 from stefanprodan/update-swagger
Update Swagger packages and definition
2022-07-27 19:10:11 +03:00
Stefan Prodan
394c40e3ff Update Swagger packages and definition
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-07-27 18:59:22 +03:00
Stefan Prodan
b76b1a38c9 Merge pull request #204 from FlomoN/master
Add path based params to OpenAPI spec
2022-06-22 11:11:40 +03:00
FlomoN
2eb17d80c8 add some more params to other api routes with path based params 2022-06-20 18:37:13 +02:00
FlomoN
678a42ce34 recreate docs 2022-06-20 18:26:34 +02:00
FlomoN
2da59980fe switch to for installing swag 2022-06-20 18:05:53 +02:00
FlomoN
8697f091f3 Add params to godoc for cache 2022-06-20 14:20:34 +02:00
Stefan Prodan
4d2cf65260 Merge pull request #202 from TaylorMonacelli/patch-1
Fix test error "Error: release: not found"
2022-06-14 11:58:54 +03:00
Taylor Monacelli
116a378991 Fix test error "Error: release: not found" 2022-06-12 12:05:41 -07:00
Stefan Prodan
450796ddb2 Merge pull request #200 from stefanprodan/release-6.1.6
Release v6.1.6
2022-05-31 13:11:27 +03:00
Stefan Prodan
cb8c1fcec1 Release v6.1.6
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-05-31 13:04:28 +03:00
Stefan Prodan
37da8d1c74 Merge pull request #199 from stefanprodan/update-deps
Update dependencies
2022-05-31 13:01:10 +03:00
Stefan Prodan
e55ebd258d Update dependencies
Fix CVE-2022-28948

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-05-31 12:42:25 +03:00
Stefan Prodan
6b869d1a18 Merge pull request #198 from stefanprodan/go-1.18
Update Go to 1.18 and Alpine to 3.16
2022-05-24 13:06:50 +03:00
Stefan Prodan
dea973d614 Release podinfo 6.1.5
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-05-24 12:09:58 +03:00
Stefan Prodan
f4199ab8bc Update Go to 1.18 and Alpine to 3.16
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-05-24 12:09:08 +03:00
Paul Carlton
19603ddfc1 Fix panic triggering via HTTP API (#197)
Fix GET /panic

The GET /panic api call is not working due to the logger.Panic method
failing to call panic. This change replaces the logger.Panic method
call with logger.Info and adds a call to os.Exit(255).
2022-05-24 12:03:54 +03:00
Stefan Prodan
bf09377bfd Merge pull request #194 from stefanprodan/release-v6.1.4
Release v6.1.4
2022-04-18 10:00:06 +03:00
Stefan Prodan
075712dd73 Release v6.1.4
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-04-18 09:56:02 +03:00
Stefan Prodan
07dd9a3c3e Merge pull request #193 from stefanprodan/deps-up
Update dependencies
2022-04-18 09:54:32 +03:00
Stefan Prodan
63ac69ea69 Update dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-04-18 09:49:42 +03:00
Stefan Prodan
3db382d2c9 Merge pull request #192 from stefanprodan/cue-refac
Refactor CUE module
2022-04-18 09:44:21 +03:00
Stefan Prodan
9f88a0e940 Refactor CUE module
- set default labels and annotations
- fix the service monitor selector
- allow setting ingress annotations
- remove embedded cert
- add cert-manager example for ingress
- set CPU scaling as default in HPA
- rename app input to config
- rename app out to objects

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-04-17 15:43:09 +03:00
Stefan Prodan
c6a2c90497 Merge pull request #191 from stefanprodan/exclude-cue-vendor
Exclude the CUE vendor packages from Git
2022-04-14 19:31:59 +03:00
Stefan Prodan
54908f7d51 Exclude the CUE vendor packages from Git
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-04-14 19:03:58 +03:00
Stefan Prodan
36bf90b008 Merge pull request #190 from stefanprodan/release-6.1.3
Release v6.1.3
2022-04-13 11:52:28 +03:00
Stefan Prodan
dd9020c8b2 Release v6.1.3
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-04-13 11:43:55 +03:00
Stefan Prodan
51009591a5 Merge pull request #189 from stefanprodan/redis-url-fix
Add protocol to Redis URL
2022-04-13 11:42:55 +03:00
Stefan Prodan
2b8c71ba78 Add protocol to Redis URL
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-04-13 11:37:49 +03:00
343 changed files with 22845 additions and 5990 deletions

View File

@@ -1,9 +1,10 @@
# Podinfo signed releases # Podinfo signed releases
Podinfo deployment manifests are published to GitHub Container Registry as OCI artifacts Podinfo release assets (container image, Helm chart, Flux artifact, Timoni module)
and are signed using [cosign](https://github.com/sigstore/cosign). are published to GitHub Container Registry and are signed with
[Cosign v2](https://github.com/sigstore/cosign) keyless & GitHub Actions OIDC.
## Verify the artifacts with cosign ## Verify podinfo with cosign
Install the [cosign](https://github.com/sigstore/cosign) CLI: Install the [cosign](https://github.com/sigstore/cosign) CLI:
@@ -11,29 +12,50 @@ Install the [cosign](https://github.com/sigstore/cosign) CLI:
brew install sigstore/tap/cosign brew install sigstore/tap/cosign
``` ```
Verify a podinfo release with cosign CLI: ### Container image
Verify the podinfo container image hosted on GHCR:
```sh ```sh
cosign verify -key https://raw.githubusercontent.com/stefanprodan/podinfo/master/cosign/cosign.pub \ cosign verify ghcr.io/stefanprodan/podinfo:6.5.0 \
ghcr.io/stefanprodan/podinfo-deploy:latest --certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
``` ```
## Download the artifacts with crane Verify the podinfo container image hosted on Docker Hub:
Install the [crane](https://github.com/google/go-containerregistry/tree/main/cmd/crane) CLI:
```sh ```sh
brew install crane cosign verify docker.io/stefanprodan/podinfo:6.5.0 \
--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
``` ```
Download the podinfo deployment manifests with crane CLI: ### Helm chart
```console Verify the podinfo [Helm](https://helm.sh) chart hosted on GHCR:
$ crane export ghcr.io/stefanprodan/podinfo-deploy:latest -| tar -xf -
$ ls -1 ```sh
deployment.yaml cosign verify ghcr.io/stefanprodan/charts/podinfo:6.5.0 \
hpa.yaml --certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
kustomization.yaml --certificate-oidc-issuer=https://token.actions.githubusercontent.com
service.yaml ```
### Flux artifact
Verify the podinfo [Flux](https://fluxcd.io) artifact hosted on GHCR:
```sh
cosign verify ghcr.io/stefanprodan/manifests/podinfo:6.5.0 \
--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
```
### Timoni module
Verify the podinfo [Timoni](https://timoni.sh) module hosted on GHCR:
```sh
cosign verify ghcr.io/stefanprodan/modules/podinfo:6.5.0 \
--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
``` ```

1
.gitattributes vendored Normal file
View File

@@ -0,0 +1 @@
timoni/podinfo/cue.mod/** linguist-vendored

1
.github/FUNDING.yml vendored Normal file
View File

@@ -0,0 +1 @@
github: stefanprodan

View File

@@ -1,33 +0,0 @@
name: Setup Helm CLI
description: A GitHub Action for running Helm commands
author: Stefan Prodan
branding:
color: blue
icon: command
inputs:
version:
description: "Helm version"
required: true
runs:
using: composite
steps:
- name: "Download helm binary to tmp"
shell: bash
run: |
VERSION=${{ inputs.version }}
BIN_URL="https://get.helm.sh/helm-v${VERSION}-linux-amd64.tar.gz"
curl -sL ${BIN_URL} -o /tmp/helm.tar.gz
mkdir -p /tmp/helm
tar -C /tmp/helm/ -zxvf /tmp/helm.tar.gz
- name: "Add helm binary to /usr/local/bin"
shell: bash
run: |
sudo cp /tmp/helm/linux-amd64/helm /usr/local/bin
- name: "Cleanup tmp"
shell: bash
run: |
rm -rf /tmp/helm/ /tmp/helm.tar.gz
- name: "Verify correct installation of binary"
shell: bash
run: |
helm version

38
.github/actions/kubeconform/action.yml vendored Normal file
View File

@@ -0,0 +1,38 @@
name: Setup kubeconform
description: A GitHub Action for running kubeconform commands
author: Stefan Prodan
branding:
color: blue
icon: command
inputs:
version:
description: "kubeconform version e.g. 0.5.0 (defaults to latest stable release)"
required: false
arch:
description: "arch can be amd64 or arm64"
required: true
default: "amd64"
runs:
using: composite
steps:
- name: "Download binary to the GH runner cache"
shell: bash
run: |
ARCH=${{ inputs.arch }}
VERSION=${{ inputs.version }}
if [ -z $VERSION ]; then
VERSION=$(curl https://api.github.com/repos/yannh/kubeconform/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
fi
BIN_URL="https://github.com/yannh/kubeconform/releases/download/v${VERSION}/kubeconform-linux-${ARCH}.tar.gz"
BIN_DIR=$RUNNER_TOOL_CACHE/kubeconform/$VERSION/$ARCH
if [[ ! -x "$BIN_DIR/kind" ]]; then
mkdir -p $BIN_DIR
cd $BIN_DIR
curl -sL $BIN_URL | tar xz
chmod +x kubeconform
fi
echo "$BIN_DIR" >> "$GITHUB_PATH"
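Review bot: The cache check `if [[ ! -x "$BIN_DIR/kind" ]]` tests for a `kind` binary, but this action installs `kubeconform`, so it never finds a cached binary and the download runs on every invocation; it should test `$BIN_DIR/kubeconform`. The archive is also piped straight from `curl -sL $BIN_URL` into `tar xz` with no checksum comparison, and without `curl -f` an HTTP error page is handed to tar; downloading to a file and comparing it with a pinned SHA-256 before extracting would address both. `[ -z $VERSION ]` should quote the variable, and `${{ inputs.version }}` and `${{ inputs.arch }}` are safer passed through `env:` than interpolated into the script text. Last, `arch` is marked `required: true` while also having a default.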

View File

@@ -1,6 +0,0 @@
FROM stefanprodan/alpine-base:latest
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

View File

@@ -1,9 +0,0 @@
name: 'github-release-notes'
description: 'A GitHub Action to run github-release-notes commands'
author: 'Stefan Prodan'
branding:
icon: 'command'
color: 'blue'
runs:
using: 'docker'
image: 'Dockerfile'

View File

@@ -1,25 +0,0 @@
#!/usr/bin/env bash
set -o errexit
set -o pipefail
VERSION=0.2.0
BIN_DIR="$GITHUB_WORKSPACE/bin"
main() {
mkdir -p ${BIN_DIR}
tmpDir=$(mktemp -d)
pushd $tmpDir >& /dev/null
curl -sSL https://github.com/buchanae/github-release-notes/releases/download/${VERSION}/github-release-notes-linux-amd64-${VERSION}.tar.gz | tar xz
cp github-release-notes ${BIN_DIR}/github-release-notes
popd >& /dev/null
rm -rf $tmpDir
}
main
echo "$BIN_DIR" >> $GITHUB_PATH
echo "$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin" >> $GITHUB_PATH

View File

@@ -0,0 +1,24 @@
name: Runner Cleanup
description: A GitHub Action for removing bloat from Ubuntu GitHub Actions runner.
author: Stefan Prodan
branding:
color: blue
icon: command
runs:
using: composite
steps:
- name: "Disk Usage Before Cleanup"
shell: bash
run: |
df -h
- name: "Remove .NET, Android and Haskell"
shell: bash
run: |
sudo rm -rf /usr/share/dotnet || true
sudo rm -rf /usr/local/lib/android || true
sudo rm -rf /opt/ghc || true
sudo rm -rf /usr/local/.ghcup || true
- name: "Disk Usage After Cleanup"
shell: bash
run: |
df -h

11
.github/dependabot.yaml vendored Normal file
View File

@@ -0,0 +1,11 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
groups:
actions:
patterns:
- "*"
schedule:
interval: "weekly"
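Review bot: `package-ecosystem` lists only `github-actions`, so the Go modules and the Dockerfile base images get no automated update PRs, while the commit history on this page shows Go dependency bumps for CVE fixes being done by hand. Consider adding `gomod` and `docker` entries under `updates:` with the same weekly schedule.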

View File

@@ -1,51 +0,0 @@
package kubernetes
name = input.metadata.name
kind = input.kind
is_service {
input.kind = "Service"
}
is_deployment {
input.kind = "Deployment"
}
is_pod {
input.kind = "Pod"
}
split_image(image) = [image, "latest"] {
not contains(image, ":")
}
split_image(image) = [image_name, tag] {
[image_name, tag] = split(image, ":")
}
pod_containers(pod) = all_containers {
keys = {"containers", "initContainers"}
all_containers = [c | keys[k]; c = pod.spec[k][_]]
}
containers[container] {
pods[pod]
all_containers = pod_containers(pod)
container = all_containers[_]
}
containers[container] {
all_containers = pod_containers(input)
container = all_containers[_]
}
pods[pod] {
is_deployment
pod = input.spec.template
}
pods[pod] {
is_pod
pod = input
}

View File

@@ -1,43 +0,0 @@
package main
import data.kubernetes
name = input.metadata.name
# Deny containers with latest image tag
deny[msg] {
kubernetes.containers[container]
[image_name, "latest"] = kubernetes.split_image(container.image)
msg = sprintf("%s in the %s %s has an image %s, using the latest tag", [container.name, kubernetes.kind, kubernetes.name, image_name])
}
# Deny services without app label selector
service_labels {
input.spec.selector["app"]
}
deny[msg] {
kubernetes.is_service
not service_labels
msg = sprintf("Service %s should set app label selector", [name])
}
# Deny deployments without app label selector
match_labels {
input.spec.selector.matchLabels["app"]
}
deny[msg] {
kubernetes.is_deployment
not match_labels
msg = sprintf("Service %s should set app label selector", [name])
}
# Warn if deployments have no prometheus pod annotations
annotations {
input.spec.template.metadata.annotations["prometheus.io/scrape"]
input.spec.template.metadata.annotations["prometheus.io/port"]
}
warn[msg] {
kubernetes.is_deployment
not annotations
msg = sprintf("Deployment %s should set prometheus.io/scrape and prometheus.io/port pod annotations", [name])
}

View File

@@ -1,28 +1,25 @@
name: cve-scan name: cve-scan
on: on:
workflow_dispatch:
push: push:
branches: branches:
- 'master' - "master"
pull_request:
branches:
- "master"
permissions:
contents: read
jobs: jobs:
trivy: govulncheck:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@v2 - uses: ./.github/actions/runner-cleanup
- name: Build image - name: Vulnerability scan
id: build id: govulncheck
run: | uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
IMAGE=test/podinfo:${GITHUB_SHA}
docker build -t ${IMAGE} .
echo "::set-output name=image::$IMAGE"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with: with:
image-ref: ${{ steps.build.outputs.image }} repo-checkout: false
format: table
exit-code: "1"
ignore-unfixed: true
vuln-type: os,library
severity: CRITICAL,HIGH
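Review bot: Replacing the `trivy` job with `govulncheck` drops the container image scan: the removed steps built the image and scanned it with `vuln-type: os,library`, whereas govulncheck reports only on Go code and its module dependencies. OS packages from the base image are no longer checked in this workflow; if that is intended, say so in the commit message, otherwise keep an image scan alongside govulncheck, with the action pinned to a commit SHA like the others here instead of `@master`.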

View File

@@ -6,28 +6,29 @@ on:
branches: branches:
- 'master' - 'master'
permissions:
contents: read
jobs: jobs:
kind-helm: kind-helm:
strategy:
matrix:
helm-version:
- 3.8.1
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v2 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Disk Cleanup
uses: ./.github/actions/runner-cleanup
- name: Setup Kubernetes - name: Setup Kubernetes
uses: engineerd/setup-kind@v0.5.0 uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
with: with:
version: v0.11.1 cluster_name: kind
- name: Build container image - name: Build container image
run: | run: |
./test/build.sh ./test/build.sh
kind load docker-image test/podinfo:latest kind load docker-image test/podinfo:latest
- name: Setup Helm - name: Setup Helm
uses: ./.github/actions/helm uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
with: with:
version: ${{ matrix.helm-version }} version: v4.1.0
- name: Deploy - name: Deploy
run: ./test/deploy.sh run: ./test/deploy.sh
- name: Run integration tests - name: Run integration tests
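Review bot: `version: v4.1.0` for `azure/setup-helm` here differs from the `v4.1.1` set in the release workflow, so the chart is tested with a different Helm than the one that packages and pushes it. Use the same version in both, ideally from one shared variable. Dropping the `helm-version` matrix also removes the easy way to test more than one Helm release.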
@@ -36,3 +37,44 @@ jobs:
if: failure() if: failure()
run: | run: |
kubectl logs -l app=podinfo || true kubectl logs -l app=podinfo || true
kind-timoni:
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
env:
PODINFO_IMAGE_URL: "test/podinfo"
PODINFO_MODULE_URL: "oci://localhost:5000/podinfo"
PODINFO_VERSION: "0.0.0-devel"
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: ./.github/actions/runner-cleanup
- name: Setup Timoni
uses: stefanprodan/timoni/actions/setup@c68e33a34f17c7ca93c7fc6717d61a14819276dc # v0.26.0
- name: Setup Kubernetes
uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
with:
cluster_name: kind
- name: Build container
run: |
docker build -t ${PODINFO_IMAGE_URL}:${PODINFO_VERSION} --build-arg "REVISION=${GITHUB_SHA}" -f Dockerfile.xx .
kind load docker-image ${PODINFO_IMAGE_URL}:${PODINFO_VERSION}
- name: Vet module
run: |
timoni mod vet ./timoni/podinfo --debug
- name: Build module
run: |
timoni mod push ./timoni/podinfo ${PODINFO_MODULE_URL} -v ${PODINFO_VERSION}
- name: Apply bundle
run: |
timoni bundle apply -f ./timoni/bundles/test.podinfo.cue --runtime-from-env
- name: Verify status
run: |
timoni -n podinfo status backend
timoni -n podinfo status frontend
- name: Debug failure
if: failure()
run: |
kubectl -n podinfo get all || true
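Review bot: In `kind-timoni`, the service container `image: registry:2` is referenced by a mutable tag while every `uses:` in this job is pinned to a commit SHA; pin it by digest (`registry:2@sha256:...`) for the same reason. The `Debug failure` step only lists resources; adding pod logs, as the `kind-helm` job does with `kubectl logs`, would make failures easier to diagnose.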

View File

@@ -6,36 +6,57 @@ on:
- '*' - '*'
permissions: permissions:
contents: write # needed to write releases contents: read
id-token: write # needed for keyless signing
packages: write # needed for ghcr access
jobs: jobs:
release: release:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: write # needed to write releases
id-token: write # needed for keyless signing
packages: write # needed for ghcr access
attestations: write # needed for provenance
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: imjasonh/setup-crane@v0.1 - uses: ./.github/actions/runner-cleanup
- uses: sigstore/cosign-installer@main - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
- name: Setup Helm - uses: fluxcd/flux2/action@871be9b40d53627786d3a3835a3ddba1e3234bd2 # v2.8.3
uses: ./.github/actions/helm - uses: stefanprodan/timoni/actions/setup@c68e33a34f17c7ca93c7fc6717d61a14819276dc # v0.26.0
- name: Setup Notation CLI
uses: notaryproject/notation-action/setup@b6fee73110795d6793253c673bd723f12bcf9bbb # v1.2.2
with: with:
version: 3.8.1 version: "1.1.0"
- name: Setup Notation signing keys
run: |
mkdir -p ~/.config/notation/localkeys/
cp ./.notation/signingkeys.json ~/.config/notation/
cp ./.notation/notation.crt ~/.config/notation/localkeys/
echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key
env:
NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }}
- name: Setup Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: 1.26.x
- name: Setup Helm
uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
with:
version: v4.1.1
- name: Setup QEMU - name: Setup QEMU
uses: docker/setup-qemu-action@v1 uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
with: with:
platforms: all platforms: all
- name: Setup Docker Buildx - name: Setup Docker Buildx
id: buildx id: buildx
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@v1 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ secrets.DOCKER_USERNAME }} username: ${{ github.actor }}
password: ${{ secrets.GHCR_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Docker Hub - name: Login to Docker Hub
uses: docker/login-action@v1 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKER_USERNAME }} username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }} password: ${{ secrets.DOCKER_PASSWORD }}
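Review bot: In `Setup Notation signing keys`, `echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key` creates the private key file with the default umask, and nothing in this hunk removes it afterwards. Set `umask 077` (or `chmod 600` the file) before writing and delete the key in a final `if: always()` step. Moving the write permissions from workflow level to the `release` job and replacing `GHCR_TOKEN` with `GITHUB_TOKEN` both narrow the credentials and look good.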
@@ -46,43 +67,64 @@ jobs:
if [[ $GITHUB_REF == refs/tags/* ]]; then if [[ $GITHUB_REF == refs/tags/* ]]; then
VERSION=${GITHUB_REF/refs\/tags\//} VERSION=${GITHUB_REF/refs\/tags\//}
fi fi
echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ') echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
echo ::set-output name=VERSION::${VERSION} echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
- name: Publish multi-arch image echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT
uses: docker/build-push-action@v2 - name: Generate images meta
id: meta
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
with: with:
images: |
docker.io/stefanprodan/podinfo
ghcr.io/stefanprodan/podinfo
tags: |
type=raw,value=${{ steps.prep.outputs.VERSION }}
type=raw,value=latest
- name: Publish multi-arch image
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
sbom: true
provenance: true
push: true push: true
builder: ${{ steps.buildx.outputs.name }} builder: ${{ steps.buildx.outputs.name }}
context: . context: .
file: ./Dockerfile.xx file: ./Dockerfile.xx
build-args: |
REVISION=${{ steps.prep.outputs.REVISION }}
platforms: linux/amd64,linux/arm/v7,linux/arm64 platforms: linux/amd64,linux/arm/v7,linux/arm64
tags: | tags: ${{ steps.meta.outputs.tags }}
docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} labels: ${{ steps.meta.outputs.labels }}
docker.io/stefanprodan/podinfo:latest - name: Publish Timoni module to GHCR
ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} run: |
labels: | timoni mod push ./timoni/podinfo oci://ghcr.io/stefanprodan/modules/podinfo \
org.opencontainers.image.title=${{ github.event.repository.name }} --sign cosign \
org.opencontainers.image.description=${{ github.event.repository.description }} --version ${{ steps.prep.outputs.VERSION }} \
org.opencontainers.image.source=${{ github.event.repository.html_url }} -a 'org.opencontainers.image.source=https://github.com/stefanprodan/podinfo' \
org.opencontainers.image.url=${{ github.event.repository.html_url }} -a 'org.opencontainers.image.licenses=Apache-2.0' \
org.opencontainers.image.revision=${{ github.sha }} -a 'org.opencontainers.image.description=A timoni.sh module for deploying Podinfo.' \
org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }} -a 'org.opencontainers.image.documentation=https://github.com/stefanprodan/podinfo/blob/main/timoni/podinfo/README.md'
org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
- name: Publish Helm chart to GHCR - name: Publish Helm chart to GHCR
run: | run: |
helm package charts/podinfo helm package charts/podinfo
helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/stefanprodan/charts helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/stefanprodan/charts
rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz
- name: Sign images - name: Publish Flux OCI artifact to GHCR
run: |
flux push artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} \
--path="./kustomize" \
--source="${{ github.event.repository.html_url }}" \
--revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
flux tag artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --tag latest
- name: Sign artifacts with Cosign
env: env:
COSIGN_EXPERIMENTAL: 1 COSIGN_EXPERIMENTAL: 1
run: | run: |
cosign sign docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} cosign sign docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes
cosign sign docker.io/stefanprodan/podinfo:latest cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes
cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes
cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} cosign sign ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes
- name: Publish base image - name: Publish base image
uses: docker/build-push-action@v2 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with: with:
push: true push: true
builder: ${{ steps.buildx.outputs.name }} builder: ${{ steps.buildx.outputs.name }}
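
Review bot: In the "Sign artifacts with Cosign" step every `cosign sign` call addresses its target by tag (`:${{ steps.prep.outputs.VERSION }}`), so the signature is attached to whatever digest the tag resolves to at signing time rather than to the digest this job pushed. Capture the digest from each push step and sign `<repository>@sha256:<digest>` instead. The step also keeps `COSIGN_EXPERIMENTAL: 1` while adding `--yes`; if the installed cosign is 2.x, keyless signing is the default and the variable can be dropped.
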
@@ -91,33 +133,39 @@ jobs:
file: ./Dockerfile.base file: ./Dockerfile.base
tags: docker.io/stefanprodan/podinfo-base:latest tags: docker.io/stefanprodan/podinfo-base:latest
- name: Publish helm chart - name: Publish helm chart
uses: stefanprodan/helm-gh-pages@master uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
- name: Publish config artifact - name: Publish config artifact
run: | run: |
cd kustomize flux push artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} \
tar -cf config.tar * --numeric-owner --owner=0 --group=0 --path="./kustomize" \
crane append -f config.tar -t ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --source="${{ github.event.repository.html_url }}" \
crane tag ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} latest --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
rm config.tar flux tag artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --tag latest
- name: Sign config artifact - name: Sign config artifact with cso
run: | run: |
echo "$COSIGN_KEY" > /tmp/cosign.key echo "$COSIGN_KEY" > /tmp/cosign.key
cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes
cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest --yes
env: env:
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
COSIGN_KEY: ${{secrets.COSIGN_KEY}} COSIGN_KEY: ${{secrets.COSIGN_KEY}}
- uses: ./.github/actions/release-notes - name: Sign artifacts with Notation
- name: Generate release notes
run: | run: |
echo 'CHANGELOG' > /tmp/release.txt notation sign --signature-format cose ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
github-release-notes -org stefanprodan -repo podinfo -since-latest-release >> /tmp/release.txt notation sign --signature-format cose ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }}
notation sign --signature-format cose ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }}
notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:latest
- name: Publish release - name: Publish release
uses: goreleaser/goreleaser-action@v1 uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
with: with:
version: latest version: latest
args: release --release-notes=/tmp/release.txt --skip-validate args: release --skip=validate
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Attest release
uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
with:
subject-checksums: ./dist/podinfo_${{ steps.prep.outputs.VERSION }}_checksums.txt
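
Review bot: The "Sign config artifact" step writes the private key to `/tmp/cosign.key` and never deletes it, so the key stays on the runner's disk while the later Notation, goreleaser and attest steps run. Remove the file at the end of the step and create it under a restrictive umask. The same two signing lines pass `-key` with a single dash next to `--yes`; cosign documents the flag as `--key`, so spell it that way. The renamed step title reads "with cso", which looks like a truncated "Cosign". The Notation step also signs `podinfo-deploy:latest`, a mutable tag; signing by digest avoids tying the signature to whatever `latest` points at when the step runs.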


@@ -6,30 +6,53 @@ on:
branches: branches:
- 'master' - 'master'
permissions:
contents: read
env:
KUBERNETES_VERSION: 1.35.0
HELM_VERSION: 4.1.1
jobs: jobs:
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@v2 - uses: ./.github/actions/runner-cleanup
- name: Restore Go cache
uses: actions/cache@v1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-go-
- name: Setup Go - name: Setup Go
uses: actions/setup-go@v2 uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with: with:
go-version: 1.17.x go-version: 1.26.x
cache-dependency-path: |
**/go.sum
**/go.mod
- name: Setup kubectl
uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
with:
version: v${{ env.KUBERNETES_VERSION }}
- name: Setup kubeconform
uses: ./.github/actions/kubeconform
- name: Setup Helm
uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
with:
version: v${{ env.HELM_VERSION }}
- name: Setup CUE
uses: cue-lang/setup-cue@a93fa358375740cd8b0078f76355512b9208acb1 # v1.0.1
- name: Setup Timoni
uses: stefanprodan/timoni/actions/setup@c68e33a34f17c7ca93c7fc6717d61a14819276dc # v0.26.0
- name: Run unit tests - name: Run unit tests
run: make test run: make test
- name: Setup CUE - name: Validate Helm chart
uses: cue-lang/setup-cue@main
- name: Verify CUE formatting
working-directory: ./cue
run: | run: |
cue fmt . helm lint ./charts/podinfo/
helm template ./charts/podinfo/ | kubeconform -strict -summary -kubernetes-version ${{ env.KUBERNETES_VERSION }}
- name: Validate Kustomize overlay
run: |
kubectl kustomize ./kustomize/ | kubeconform -strict -summary -kubernetes-version ${{ env.KUBERNETES_VERSION }}
- name: Verify CUE formatting
working-directory: ./timoni/podinfo
run: |
cue fmt ./...
status=$(git status . --porcelain) status=$(git status . --porcelain)
[[ -z "$status" ]] || { [[ -z "$status" ]] || {
echo "CUE files are not correctly formatted" echo "CUE files are not correctly formatted"
@@ -37,27 +60,14 @@ jobs:
git diff git diff
exit 1 exit 1
} }
- name: Validate CUE - name: Validate Timoni module
working-directory: ./cue working-directory: ./timoni/podinfo
run: cue vet --all-errors --concrete . run: |
timoni mod lint .
timoni build podinfo . -f test_values.cue | kubeconform -strict -summary -skip=ServiceMonitor -kubernetes-version ${{ env.KUBERNETES_VERSION }}
- name: Check if working tree is dirty - name: Check if working tree is dirty
run: | run: |
if [[ $(git diff --stat) != '' ]]; then if [[ $(git diff --stat) != '' ]]; then
echo 'run make test and commit changes' echo 'run make test and commit changes'
exit 1 exit 1
fi fi
- name: Validate Helm chart
uses: stefanprodan/kube-tools@v1
with:
kubectl: 1.19.11
helm: 2.17.0
helmv3: 3.6.0
command: |
helmv3 template ./charts/podinfo | kubeval --strict --kubernetes-version 1.19.11 --schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master
- name: Validate kustomization
uses: stefanprodan/kube-tools@v1
with:
kubectl: 1.19.11
command: |
kustomize build ./kustomize | kubeval --strict --kubernetes-version 1.19.11 --schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master
kustomize build ./kustomize | conftest test -p .github/policy -
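
Review bot: The removed "Validate kustomization" step ended with `kustomize build ./kustomize | conftest test -p .github/policy -`, and nothing visible on the new side of this workflow runs the policies in `.github/policy`. kubeconform checks manifests against the Kubernetes schemas only, so the policy gate is dropped rather than migrated. Either keep a conftest step against the `kubectl kustomize ./kustomize/` output or say in the commit message that the policy check is retired on purpose. The Timoni validation also passes `-skip=ServiceMonitor`, so that resource is never schema-checked; a short comment explaining why would help.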

.gitignore vendored

@@ -19,4 +19,10 @@ release/
build/ build/
gcloud/ gcloud/
dist/ dist/
bin/ bin/
cue/cue.mod/gen/
cue/go.mod
cue/go.sum
.notation/podinfo.csr
.notation/podinfo.key
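
Review bot: The two new `.notation/` entries ignore the key and CSR by exact file name (`podinfo.key`, `podinfo.csr`), which only protects someone who follows the README's file names to the letter. Patterns such as `.notation/*.key` and `.notation/*.csr` would also cover a key saved under another name, for example the `notation.key` that the signing-keys config in this change refers to.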


@@ -1,3 +1,18 @@
version: 2
# xref: https://goreleaser.com/customization/project/
project_name: podinfo
# xref: https://goreleaser.com/customization/hooks/
before:
hooks:
- go mod download
# xref: https://goreleaser.com/customization/env/
env:
- CGO_ENABLED=0
# xref: https://goreleaser.com/customization/build/
builds: builds:
- main: ./cmd/podcli - main: ./cmd/podcli
binary: podcli binary: podcli
@@ -8,9 +23,13 @@ builds:
- linux - linux
goarch: goarch:
- amd64 - amd64
env:
- CGO_ENABLED=0 # xref: https://goreleaser.com/customization/archive/
archives: archives:
- name_template: "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}" - name_template: "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
files: files:
- none* - LICENSE
# xref: https://goreleaser.com/customization/changelog/
changelog:
use: github-native

.notation/README.md Normal file

@@ -0,0 +1,15 @@
# Podinfo signed releases
Podinfo release assets such as the Helm chart and the Flux artifact
are published to GitHub Container Registry and are signed with
[Notation](https://github.com/notaryproject/notation).
## Generate signing keys
Generate a new signing key pair:
```sh
openssl genrsa -out podinfo.key 2048
openssl req -new -key podinfo.key -out podinfo.csr -config codesign.cnf
openssl x509 -req -days 1826 -in podinfo.csr -signkey podinfo.key -out notation.crt -extensions v3_req -extfile codesign.cnf
```
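
Review bot: This README documents key generation only. It should also say how consumers verify a signature with `notation.crt` and the trust policy added in this change, and where the private key is kept after generation, since `openssl genrsa -out podinfo.key 2048` writes it unencrypted into the working directory. The certificate is self-signed with `-days 1826`; a line on how rotation is handled before it expires would complete the document.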

.notation/codesign.cnf Normal file

@@ -0,0 +1,18 @@
[ req ]
default_bits = 2048
default_keyfile = privatekey.pem
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = RO
ST = BU
L = Bucharest
O = Notary
CN = stefanprodan.com
[ v3_req ]
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,codeSigning
#subjectKeyIdentifier = hash

.notation/notation.crt Normal file

@@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDbDCCAlSgAwIBAgIUP7zhmTw5XTWLcgBGkBEsErMOkz4wDQYJKoZIhvcNAQEL
BQAwWjELMAkGA1UEBhMCUk8xCzAJBgNVBAgMAkJVMRIwEAYDVQQHDAlCdWNoYXJl
c3QxDzANBgNVBAoMBk5vdGFyeTEZMBcGA1UEAwwQc3RlZmFucHJvZGFuLmNvbTAe
Fw0yNDAyMjUxMDAyMzZaFw0yOTAyMjQxMDAyMzZaMFoxCzAJBgNVBAYTAlJPMQsw
CQYDVQQIDAJCVTESMBAGA1UEBwwJQnVjaGFyZXN0MQ8wDQYDVQQKDAZOb3Rhcnkx
GTAXBgNVBAMMEHN0ZWZhbnByb2Rhbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDtH4oPi3SyX/DGv6NdjIvmApvD9eeSgsmHdwpAly8T9D2me+fx
Z+wRNJmq4aq/A1anX+Sg28iwHzV+1WKpsHnjYzDAJSEYP2S8A5H1nGRKUoibdijw
C3QBh5C75rjF/tmZVSX/Vgbf3HJJEsF4WUxWabLxoV2QLo7UlEsQd9+bSeKNMncx
1+E6FdbRCrYo90iobvZJ8K/S2zCWq/JTeHfTnmSEDhx6nMJcaSjvMPn3zyauWcQw
dDpkcaGiJ64fEJRT2OFxXv9u+vDmIMKzo/Wjbd+IzFj6YY4VisK88aU7tmDelnk5
gQB9eu62PFoaVsYJp4VOhblFKvGJpQwbWB9BAgMBAAGjKjAoMA4GA1UdDwEB/wQE
AwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEA
6x+C6hAIbLwMvkNx4K5p7Qe/pLQR0VwQFAw10yr/5KSN+YKFpon6pQ0TebL7qll+
uBGZvtQhN6v+DlnVqB7lvJKd+89isgirkkews5KwuXg7Gv5UPIugH0dXISZU8DMJ
7J4oKREv5HzdFmfsUfNlQcfyVTjKL6UINXfKGdqNNxXxR9b4a1TY2JcmEhzBTHaq
ZqX6HK784a0dB7aHgeFrFwPCCP4M684Hs7CFbk3jo2Ef4ljnB5AyWpe8pwCLMdRt
UjSjL5xJWVQvRU+STQsPr6SvpokPCG4rLQyjgeYYk4CCj5piSxbSUZFavq8v1y7Y
m91USVqfeUX7ZzjDxPHE2A==
-----END CERTIFICATE-----


@@ -0,0 +1,10 @@
{
"default": "stefanprodan.com",
"keys": [
{
"name": "stefanprodan.com",
"keyPath": "/home/runner/.config/notation/localkeys/notation.key",
"certPath": "/home/runner/.config/notation/localkeys/notation.crt"
}
]
}


@@ -0,0 +1,19 @@
{
"version": "1.0",
"trustPolicies": [
{
"name": "stefanprodan.com",
"registryScopes": [
"ghcr.io/stefanprodan/podinfo-deploy",
"ghcr.io/stefanprodan/charts/podinfo"
],
"signatureVerification": {
"level" : "strict"
},
"trustStores": [ "ca:stefanprodan.com" ],
"trustedIdentities": [
"x509.subject: C=RO, ST=BU, L=Bucharest, O=Notary, CN=stefanprodan.com"
]
}
]
}
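
Review bot: `registryScopes` lists only `ghcr.io/stefanprodan/podinfo-deploy` and `ghcr.io/stefanprodan/charts/podinfo`, while the release workflow in this change also runs `notation sign` on `ghcr.io/stefanprodan/podinfo` and `ghcr.io/stefanprodan/manifests/podinfo`. Anyone verifying with this policy file gets no policy match for those two repositories. Add both scopes, or drop the extra `notation sign` calls if those artifacts are meant to be verified with Cosign only.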


@@ -1,4 +1,4 @@
FROM golang:1.17-alpine as builder FROM golang:1.26-alpine AS builder
ARG REVISION ARG REVISION
@@ -18,7 +18,7 @@ RUN CGO_ENABLED=0 go build -ldflags "-s -w \
-X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \ -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
-a -o bin/podcli cmd/podcli/* -a -o bin/podcli cmd/podcli/*
FROM alpine:3.15 FROM alpine:3.23
ARG BUILD_DATE ARG BUILD_DATE
ARG VERSION ARG VERSION
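
Review bot: Both `FROM` lines on the new side (`golang:1.26-alpine`, `alpine:3.23`) still reference mutable tags, while the workflows in the same change pin every action to a commit SHA. Pin the base images by digest as well, in the form `alpine:3.23@sha256:<digest>`, so a rebuilt release uses the same layers that were reviewed. The same applies to the `FROM` lines in the two other Dockerfiles changed in this comparison.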


@@ -1,4 +1,4 @@
FROM golang:1.17 FROM golang:1.26
WORKDIR /workspace WORKDIR /workspace


@@ -1,5 +1,5 @@
ARG GO_VERSION=1.17 ARG GO_VERSION=1.26
ARG XX_VERSION=1.1.0 ARG XX_VERSION=1.9.0
FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
@@ -28,7 +28,7 @@ RUN xx-go build -ldflags "-s -w \
-X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \ -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
-a -o bin/podcli cmd/podcli/* -a -o bin/podcli cmd/podcli/*
FROM alpine:3.15 FROM alpine:3.23
ARG BUILD_DATE ARG BUILD_DATE
ARG VERSION ARG VERSION


@@ -16,7 +16,7 @@ run:
--ui-logo=https://raw.githubusercontent.com/stefanprodan/podinfo/gh-pages/cuddle_clap.gif $(EXTRA_RUN_ARGS) --ui-logo=https://raw.githubusercontent.com/stefanprodan/podinfo/gh-pages/cuddle_clap.gif $(EXTRA_RUN_ARGS)
.PHONY: test .PHONY: test
test: test: tidy fmt vet
go test ./... -coverprofile cover.out go test ./... -coverprofile cover.out
build: build:
@@ -24,11 +24,13 @@ build:
GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podcli ./cmd/podcli/* GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podcli ./cmd/podcli/*
tidy: tidy:
rm -f go.sum; go mod tidy -compat=1.17 rm -f go.sum; go mod tidy -compat=1.26
vet:
go vet ./...
fmt: fmt:
gofmt -l -s -w ./ go fmt ./...
goimports -l -w ./
build-charts: build-charts:
helm lint charts/* helm lint charts/*
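
Review bot: With `test: tidy fmt vet` in the previous hunk, every `make test` now runs the `tidy` recipe shown here, `rm -f go.sum; go mod tidy -compat=1.26`, which discards the committed module checksums and regenerates them from whatever the module proxy and checksum database return at that moment. That turns go.sum from a verification input into a build output of the CI test job. Drop the `rm -f go.sum` from `tidy`, or keep `tidy` out of the `test` prerequisites and let the workflow's "working tree is dirty" check catch drift.
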
@@ -79,18 +81,24 @@ version-set:
/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/backend/deployment.yaml && \ /usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/backend/deployment.yaml && \
/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/frontend/deployment.yaml && \ /usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/frontend/deployment.yaml && \
/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/backend/deployment.yaml && \ /usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/backend/deployment.yaml && \
/usr/bin/sed -i '' "s/$$current/$$next/g" cue/main.cue && \ /usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/database/statefulset-primary.yaml && \
echo "Version $$next set in code, deployment, chart and kustomize" /usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/database/deployment-replica.yaml && \
/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/database/cronjob-rollup-daily.yaml && \
/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/database/cronjob-rollup-weekly.yaml && \
/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/database/cronjob-backup-daily.yaml && \
/usr/bin/sed -i '' "s/$$current/$$next/g" timoni/podinfo/values.cue && \
echo "Version $$next set in code, deployment, module, chart and kustomize"
release: release:
git tag $(VERSION) git tag -s -m $(VERSION) $(VERSION)
git push origin $(VERSION) git push origin $(VERSION)
swagger: swagger:
go get github.com/swaggo/swag/cmd/swag go install github.com/swaggo/swag/cmd/swag@latest
cd pkg/api && $$(go env GOPATH)/bin/swag init -g server.go go get github.com/swaggo/swag/gen@latest
go get github.com/swaggo/swag/cmd/swag@latest
cd pkg/api/http && $$(go env GOPATH)/bin/swag init -g server.go
.PHONY: cue .PHONY: timoni-build
cue: timoni-build:
@cd cue && cue fmt ./... && cue vet --all-errors --concrete ./... @timoni build podinfo ./timoni/podinfo -f ./timoni/podinfo/debug_values.cue
@cd cue && cue gen
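
Review bot: The `swagger` target resolves `github.com/swaggo/swag` at `@latest` three times, so the generator version is whatever is newest on the day the target runs, and the two `go get` lines rewrite go.mod as a side effect. Pin a single version (`swag@<version>`) and drop the `go get github.com/swaggo/swag/cmd/swag@latest` line, which repeats the `go install` two lines above it.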


@@ -20,12 +20,12 @@ Specifications:
* 12-factor app with viper * 12-factor app with viper
* Fault injection (random errors and latency) * Fault injection (random errors and latency)
* Swagger docs * Swagger docs
* Helm and Kustomize installers * Timoni, Helm and Kustomize installers
* End-to-End testing with Kubernetes Kind and Helm * End-to-End testing with Kubernetes Kind and Helm
* Kustomize testing with GitHub Actions and Open Policy Agent * Multi-arch container image with Docker buildx and GitHub Actions
* Multi-arch container image with Docker buildx and Github Actions
* Container image signing with Sigstore cosign * Container image signing with Sigstore cosign
* CVE scanning with Trivy * SBOMs and SLSA Provenance embedded in the container image
* CVE scanning with govulncheck
Web API: Web API:
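
Review bot: The feature list swaps "CVE scanning with Trivy" for "CVE scanning with govulncheck". govulncheck reports known vulnerabilities in Go modules and the standard library, so the packages in the `alpine` runtime image are outside what this line now claims. Reword it to "Go vulnerability scanning with govulncheck", or keep an image scanner alongside it.
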
@@ -57,6 +57,16 @@ Web API:
gRPC API: gRPC API:
* `/grpc.health.v1.Health/Check` health checking * `/grpc.health.v1.Health/Check` health checking
* `/grpc.EchoService/Echo` echos the received content
* `/grpc.VersionService/Version` returns podinfo version and Git commit hash
* `/grpc.DelayService/Delay` returns a successful response after the given seconds in the body of gRPC request
* `/grpc.EnvService/Env` returns environment variables as a JSON array
* `/grpc.HeaderService/Header` returns the headers present in the gRPC request. Any custom header can also be given as a part of request and that can be returned using this API
* `/grpc.InfoService/Info` returns the runtime information
* `/grpc.PanicService/Panic` crashes the process with gRPC status code as '1 CANCELLED'
* `/grpc.StatusService/Status` returns the gRPC Status code given in the request body
* `/grpc.TokenService/TokenGenerate` issues a JWT token valid for one minute
* `/grpc.TokenService/TokenValidate` validates the JWT token
Web UI: Web UI:
@@ -66,16 +76,23 @@ To access the Swagger UI open `<podinfo-host>/swagger/index.html` in a browser.
### Guides ### Guides
* [GitOps Progressive Deliver with Flagger, Helm v3 and Linkerd](https://helm.workshop.flagger.dev/intro/) * [Getting started with Timoni](https://timoni.sh/quickstart/)
* [GitOps Progressive Deliver on EKS with Flagger and AppMesh](https://eks.handson.flagger.dev/prerequisites/) * [Getting started with Flux](https://fluxcd.io/flux/get-started/)
* [Automated canary deployments with Flagger and Istio](https://medium.com/google-cloud/automated-canary-deployments-with-flagger-and-istio-ac747827f9d1) * [Progressive Deliver with Flagger and Linkerd](https://docs.flagger.app/tutorials/linkerd-progressive-delivery)
* [Kubernetes autoscaling with Istio metrics](https://medium.com/google-cloud/kubernetes-autoscaling-with-istio-metrics-76442253a45a) * [Automated canary deployments with Kubernetes Gateway API](https://docs.flagger.app/tutorials/gatewayapi-progressive-delivery)
* [Autoscaling EKS on Fargate with custom metrics](https://aws.amazon.com/blogs/containers/autoscaling-eks-on-fargate-with-custom-metrics/)
* [Managing Helm releases the GitOps way](https://medium.com/google-cloud/managing-helm-releases-the-gitops-way-207a6ac6ff0e)
* [Securing EKS Ingress With Contour And Lets Encrypt The GitOps Way](https://aws.amazon.com/blogs/containers/securing-eks-ingress-contour-lets-encrypt-gitops/)
### Install ### Install
To install Podinfo on Kubernetes the minimum required version is **Kubernetes v1.23**.
#### Timoni
Install with [Timoni](https://timoni.sh):
```bash
timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo
```
#### Helm #### Helm
Install from github.io: Install from github.io:
@@ -89,7 +106,7 @@ helm upgrade --install --wait frontend \
--set backend=http://backend-podinfo:9898/echo \ --set backend=http://backend-podinfo:9898/echo \
podinfo/podinfo podinfo/podinfo
helm test frontend helm test frontend --namespace test
helm upgrade --install --wait backend \ helm upgrade --install --wait backend \
--namespace test \ --namespace test \


@@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
version: 6.1.2 version: 6.11.2
appVersion: 6.1.2 appVersion: 6.11.2
name: podinfo name: podinfo
engine: gotpl engine: gotpl
description: Podinfo Helm chart for Kubernetes description: Podinfo Helm chart for Kubernetes
@@ -10,4 +10,4 @@ maintainers:
name: stefanprodan name: stefanprodan
sources: sources:
- https://github.com/stefanprodan/podinfo - https://github.com/stefanprodan/podinfo
kubeVersion: ">=1.19.0-0" kubeVersion: ">=1.23.0-0"


@@ -9,12 +9,30 @@ for end-to-end testing and workshops.
## Installing the Chart ## Installing the Chart
To install the chart with the release name `my-release`: The Podinfo charts are published to
[GitHub Container Registry](https://github.com/stefanprodan/podinfo/pkgs/container/charts%2Fpodinfo)
and signed with [Cosign](https://github.com/sigstore/cosign) & GitHub Actions OIDC.
To install the chart with the release name `podinfo` from GHCR:
```console ```console
$ helm repo add podinfo https://stefanprodan.github.io/podinfo $ helm upgrade -i podinfo oci://ghcr.io/stefanprodan/charts/podinfo
```
$ helm upgrade -i my-release podinfo/podinfo To verify a chart version with Cosign:
```console
$ cosign verify ghcr.io/stefanprodan/charts/podinfo:<VERSION> \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity-regexp=^https://github\\.com/stefanprodan/podinfo/.*$
```
Alternatively, you can install the chart from GitHub pages:
```console
$ helm repo add stefanprodan https://stefanprodan.github.io/podinfo
$ helm upgrade -i podinfo stefanprodan/podinfo
``` ```
The command deploys podinfo on the Kubernetes cluster in the default namespace. The command deploys podinfo on the Kubernetes cluster in the default namespace.
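
Review bot: The `cosign verify` example accepts any signing identity under the repository: `--certificate-identity-regexp=^https://github\\.com/stefanprodan/podinfo/.*$` matches every workflow file and every ref. Narrow it to the release workflow and tag refs, for example a pattern ending in `/\.github/workflows/<release-workflow>@refs/tags/.*$`, and put the value in single quotes so the shell leaves the backslashes and the `*` alone.
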
@@ -22,10 +40,10 @@ The [configuration](#configuration) section lists the parameters that can be con
## Uninstalling the Chart ## Uninstalling the Chart
To uninstall/delete the `my-release` deployment: To uninstall the `podinfo` release:
```console ```console
$ helm delete my-release $ helm uninstall podinfo
``` ```
The command removes all the Kubernetes components associated with the chart and deletes the release. The command removes all the Kubernetes components associated with the chart and deletes the release.
@@ -34,90 +52,101 @@ The command removes all the Kubernetes components associated with the chart and
The following tables lists the configurable parameters of the podinfo chart and their default values. The following tables lists the configurable parameters of the podinfo chart and their default values.
Parameter | Default | Description | Parameter | Default | Description |
--- | --- | --- |--------------------------------------------------|--------------------------------|---------------------------------------------------------------------------------------------------|
`replicaCount` | `1` | Desired number of pods | `replicaCount` | `1` | Desired number of pods |
`logLevel` | `info` | Log level: `debug`, `info`, `warn`, `error` | `logLevel` | `info` | Log level: `debug`, `info`, `warn`, `error` |
`backend` | `None` | Echo backend URL | `backend` | `None` | Echo backend URL |
`backends` | `[]` | Array of echo backend URLs | `backends` | `[]` | Array of echo backend URLs |
`cache` | `None` | Redis address in the format `<host>:<port>` | `cache` | `None` | Redis address in the format `tcp://<host>:<port>` |
`redis.enabled` | `false` | Create Redis deployment for caching purposes | `redis.enabled` | `false` | Create Redis deployment for caching purposes |
`ui.color` | `#34577c` | UI color | `redis.repository` | `docker.io/redis` | Redis image repository |
`ui.message` | `None` | UI greetings message | `redis.tag` | `<VERSION>` | Redis image tag |
`ui.logo` | `None` | UI logo | `redis.imagePullSecrets` | `[]` | Redis image pull secrets |
`faults.delay` | `false` | Random HTTP response delays between 0 and 5 seconds | `ui.color` | `#34577c` | UI color |
`faults.error` | `false` | 1/3 chances of a random HTTP response error | `ui.message` | `None` | UI greetings message |
`faults.unhealthy` | `false` | When set, the healthy state is never reached | `ui.logo` | `None` | UI logo |
`faults.unready` | `false` | When set, the ready state is never reached | `faults.delay` | `false` | Random HTTP response delays between 0 and 5 seconds |
`faults.testFail` | `false` | When set, a helm test is included which always fails | `faults.error` | `false` | 1/3 chances of a random HTTP response error |
`faults.testTimeout` | `false` | When set, a helm test is included which always times out | `faults.unhealthy` | `false` | When set, the healthy state is never reached |
`image.repository` | `stefanprodan/podinfo` | Image repository | `faults.unready` | `false` | When set, the ready state is never reached |
`image.tag` | `<VERSION>` | Image tag | `faults.testFail` | `false` | When set, a helm test is included which always fails |
`image.pullPolicy` | `IfNotPresent` | Image pull policy | `faults.testTimeout` | `false` | When set, a helm test is included which always times out |
`service.enabled` | `true` | Create a Kubernetes Service, should be disabled when using [Flagger](https://flagger.app) | `image.repository` | `ghcr.io/stefanprodan/podinfo` | Image repository |
`service.type` | `ClusterIP` | Type of the Kubernetes Service | `image.tag` | `<VERSION>` | Image tag |
`service.metricsPort` | `9797` | Prometheus metrics endpoint port | `image.pullPolicy` | `IfNotPresent` | Image pull policy |
`service.httpPort` | `9898` | Container HTTP port | `image.pullSecrets` | `[]` | Image pull secrets |
`service.externalPort` | `9898` | ClusterIP HTTP port | `service.enabled` | `true` | Create a Kubernetes Service, should be disabled when using [Flagger](https://flagger.app) |
`service.grpcPort` | `9999` | ClusterIP gPRC port | `service.type` | `ClusterIP` | Type of the Kubernetes Service |
`service.grpcService` | `podinfo` | gPRC service name | `service.metricsPort` | `9797` | Prometheus metrics endpoint port |
`service.nodePort` | `31198` | NodePort for the HTTP endpoint | `service.httpPort` | `9898` | Container HTTP port |
`h2c.enabled` | `false` | Allow upgrading to h2c (non-TLS version of HTTP/2) | `service.externalPort` | `9898` | ClusterIP HTTP port |
`hpa.enabled` | `false` | Enables the Kubernetes HPA | `service.grpcPort` | `9999` | ClusterIP gPRC port |
`hpa.maxReplicas` | `10` | Maximum amount of pods | `service.grpcService` | `podinfo` | gPRC service name |
`hpa.cpu` | `None` | Target CPU usage per pod | `service.nodePort` | `31198` | NodePort for the HTTP endpoint |
`hpa.memory` | `None` | Target memory usage per pod | `service.trafficDistribution` | `""` | Traffic distribution strategy |
`hpa.requests` | `None` | Target HTTP requests per second per pod | `service.additionalLabels` | `{}` | Additional labels to add to the service |
`serviceAccount.enabled` | `false` | Whether a service account should be created | `service.externalTrafficPolicy` | `None` | External traffic policy for LoadBalance service |
`serviceAccount.name` | `None` | The name of the service account to use, if not set and create is true, a name is generated using the fullname template | `h2c.enabled` | `false` | Allow upgrading to h2c (non-TLS version of HTTP/2) |
`securityContext` | `{}` | The security context to be set on the podinfo container | `extraArgs` | `[]` | Additional command line arguments to pass to podinfo container |
`linkerd.profile.enabled` | `false` | Create Linkerd service profile | `extraEnvs` | `[]` | Extra environment variables for the podinfo container |
`serviceMonitor.enabled` | `false` | Whether a Prometheus Operator service monitor should be created | `config.path` | `""` | config file path |
`serviceMonitor.interval` | `15s` | Prometheus scraping interval | `config.name` | `""` | config file name |
`serviceMonitor.additionalLabels` | `{}` | Add additional labels to the service monitor | | `hpa.enabled` | `false` | Enables the Kubernetes HPA |
`ingress.enabled` | `false` | Enables Ingress | `hpa.maxReplicas` | `10` | Maximum amount of pods |
`ingress.className ` | `""` | Use ingressClassName | `hpa.cpu` | `None` | Target CPU usage per pod |
`ingress.annotations` | `{}` | Ingress annotations | `hpa.memory` | `None` | Target memory usage per pod |
`ingress.hosts` | `[]` | Ingress accepted hosts | `hpa.requests` | `None` | Target HTTP requests per second per pod |
`ingress.tls` | `[]` | Ingress TLS configuration | `serviceAccount.enabled` | `false` | Whether a service account should be created |
`resources.requests.cpu` | `1m` | Pod CPU request | `serviceAccount.name` | `None` | The name of the service account to use, if not set a name is generated using the fullname template|
`resources.requests.memory` | `16Mi` | Pod memory request | `serviceAccount.imagePullSecrets` | `[]` | List of image pull secrets if pulling from private registries |
`resources.limits.cpu` | `None` | Pod CPU limit | `securityContext` | `{}` | The security context to be set on the podinfo container |
`resources.limits.memory` | `None` | Pod memory limit | `podSecurityContext` | `{}` | The security context to be set on the pod |
`nodeSelector` | `{}` | Node labels for pod assignment | `podAnnotations` | `{}` | Pod annotations |
`tolerations` | `[]` | List of node taints to tolerate | `serviceMonitor.enabled` | `false` | Whether a Prometheus Operator service monitor should be created |
`affinity` | `None` | Node/pod affinities | `serviceMonitor.interval` | `15s` | Prometheus scraping interval |
`podAnnotations` | `{}` | Pod annotations | `serviceMonitor.additionalLabels` | `{}` | Add additional labels to the service monitor |
| `ingress.enabled` | `false` | Enables Ingress |
| `ingress.className` | `""` | Use ingressClassName |
| `ingress.additionalLabels` | `{}` | Add additional labels to the ingress |
| `ingress.annotations` | `{}` | Ingress annotations |
| `ingress.hosts` | `[]` | Ingress accepted hosts |
| `ingress.tls` | `[]` | Ingress TLS configuration |
| `httpRoute.enabled` | `false` | Enables Gateway API HTTPRoute |
| `httpRoute.additionalLabels` | `{}` | Add additional labels to the HTTPRoute |
| `httpRoute.annotations` | `{}` | HTTPRoute annotations |
| `httpRoute.parentRefs` | `[]` | Gateways that this route is attached to |
| `httpRoute.hostnames` | `["podinfo.local"]` | Hostnames matching HTTP header |
| `httpRoute.rules` | `[]` | List of rules and filters applied |
| `hooks.<hookType>.job.enabled` | `false` | Create a Helm hook job for testing (hookType: see values.yaml for available hooks) |
| `hooks.<hookType>.job.hookDeletePolicy` | `hook-succeeded,hook-failed` | Helm hook delete policy |
| `hooks.<hookType>.job.ttlSecondsAfterFinished` | `None` | Job TTL after finished |
| `hooks.<hookType>.job.sleepSeconds` | `None` | Sleep duration before job exits |
| `hooks.<hookType>.job.exitCode` | `0` | Job exit code |
| `resources.requests.cpu` | `1m` | Pod CPU request |
| `resources.requests.memory` | `16Mi` | Pod memory request |
| `resources.limits.cpu` | `None` | Pod CPU limit |
| `resources.limits.memory` | `None` | Pod memory limit |
| `nodeSelector` | `{}` | Node labels for pod assignment |
| `tolerations` | `[]` | List of node taints to tolerate |
| `affinity` | `None` | Node/pod affinities |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, Specify each parameter using the `--set key=value[,key=value]` argument:
```console ```console
$ helm install my-release podinfo/podinfo \ $ helm upgrade -i podinfo oci://ghcr.io/stefanprodan/charts/podinfo \
--set=serviceMonitor.enabled=true,serviceMonitor.interval=5s --set=serviceMonitor.enabled=true,serviceMonitor.interval=5s
``` ```
To add custom annotations you need to escape the annotation key string: To add custom annotations you need to escape the annotation key string:
```console ```console
$ helm upgrade -i my-release podinfo/podinfo \ $ helm upgrade -i podinfo oci://ghcr.io/stefanprodan/charts/podinfo \
--set podAnnotations."appmesh\.k8s\.aws\/preview"=enabled --set podAnnotations."toolkit\.fluxcd\.io\/tenant"=dev-team
``` ```
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart:
```console ```console
$ helm install my-release podinfo/podinfo -f values.yaml $ helm upgrade -i my-release oci://ghcr.io/stefanprodan/charts/podinfo -f values.yaml
``` ```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Upgrading the chart
### To =< 5.0.0
Version 5.0.0 is a major update.
* The chart now follows the new Kubernetes label recommendations:
<https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/>
The simplest way to update is to do a force upgrade, which recreates the resources by doing a delete and an install.
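Review bot: The third example on the new side still uses the release name `my-release` (`helm upgrade -i my-release oci://ghcr.io/stefanprodan/charts/podinfo -f values.yaml`), while the two `--set` examples above it were switched to `podinfo`. Use one release name in all three so a reader who runs them in sequence upgrades a single release instead of creating a second one.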

View File

@@ -6,15 +6,15 @@
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- else if contains "NodePort" .Values.service.type }} {{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "podinfo.fullname" . }}) export NODE_PORT=$(kubectl get --namespace {{ include "podinfo.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "podinfo.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") export NODE_IP=$(kubectl get nodes --namespace {{ include "podinfo.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }} {{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available. NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ template "podinfo.fullname" . }}' You can watch the status of by running 'kubectl get svc -w {{ template "podinfo.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "podinfo.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') export SERVICE_IP=$(kubectl get svc --namespace {{ include "podinfo.namespace" . }} {{ template "podinfo.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.externalPort }} echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
{{- else if contains "ClusterIP" .Values.service.type }} {{- else if contains "ClusterIP" .Values.service.type }}
echo "Visit http://127.0.0.1:8080 to use your application" echo "Visit http://127.0.0.1:8080 to use your application"
kubectl -n {{ .Release.Namespace }} port-forward deploy/{{ template "podinfo.fullname" . }} 8080:{{ .Values.service.externalPort }} kubectl -n {{ include "podinfo.namespace" . }} port-forward deploy/{{ template "podinfo.fullname" . }} 8080:{{ .Values.service.externalPort }}
{{- end }} {{- end }}
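Review bot: The `kubectl get svc -w {{ template "podinfo.fullname" . }}` hint in the LoadBalancer branch is left without a `--namespace` flag, while every other command in this file now uses `include "podinfo.namespace" .`. Add `--namespace {{ include "podinfo.namespace" . }}` there as well, otherwise the watch runs against the caller's current namespace. The same line reads "watch the status of by running", which is missing a word.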

View File

@@ -23,6 +23,13 @@ If release name contains chart name it will be used as a full name.
{{- end }} {{- end }}
{{- end }} {{- end }}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
*/}}
{{- define "podinfo.namespace" -}}
{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* {{/*
Create chart name and version as used by the chart label. Create chart name and version as used by the chart label.
*/}} */}}
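Review bot: In `podinfo.namespace`, `trunc 63 | trimSuffix "-"` silently rewrites an over-long or dash-terminated `namespaceOverride` into a different namespace name instead of rejecting it, so resources can be rendered into a namespace the operator did not name. Pass the value through unchanged and let the API server reject it, or call `fail` in the template. `namespaceOverride` also does not appear in the values hunks shown in this change, so it needs a documented default there.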

View File

@@ -3,6 +3,7 @@ apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: {{ template "podinfo.fullname" . }} name: {{ template "podinfo.fullname" . }}
namespace: {{ include "podinfo.namespace" . }}
labels: labels:
{{- include "podinfo.labels" . | nindent 4 }} {{- include "podinfo.labels" . | nindent 4 }}
spec: spec:

View File

@@ -2,6 +2,7 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ template "podinfo.fullname" . }} name: {{ template "podinfo.fullname" . }}
namespace: {{ include "podinfo.namespace" . }}
labels: labels:
{{- include "podinfo.labels" . | nindent 4 }} {{- include "podinfo.labels" . | nindent 4 }}
spec: spec:
@@ -30,6 +31,9 @@ spec:
{{- if .Values.serviceAccount.enabled }} {{- if .Values.serviceAccount.enabled }}
serviceAccountName: {{ template "podinfo.serviceAccountName" . }} serviceAccountName: {{ template "podinfo.serviceAccountName" . }}
{{- end }} {{- end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets: {{ toYaml .Values.image.pullSecrets | nindent 8 }}
{{- end }}
containers: containers:
- name: {{ .Chart.Name }} - name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -73,7 +77,7 @@ spec:
{{- if .Values.cache }} {{- if .Values.cache }}
- --cache-server={{ .Values.cache }} - --cache-server={{ .Values.cache }}
{{- else if .Values.redis.enabled }} {{- else if .Values.redis.enabled }}
- --cache-server={{ template "podinfo.fullname" . }}-redis:6379 - --cache-server=tcp://{{ template "podinfo.fullname" . }}-redis:6379
{{- end }} {{- end }}
- --level={{ .Values.logLevel }} - --level={{ .Values.logLevel }}
- --random-delay={{ .Values.faults.delay }} - --random-delay={{ .Values.faults.delay }}
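Review bot: Only the `redis.enabled` branch gets the `tcp://` prefix; the `.Values.cache` branch above it still passes the user's string through unchanged. If the scheme is now required, existing releases that set `cache` as `<host>:<port>` need either an upgrade note or a template that adds the prefix when it is missing.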
@@ -87,6 +91,15 @@ spec:
{{- if .Values.h2c.enabled }} {{- if .Values.h2c.enabled }}
- --h2c - --h2c
{{- end }} {{- end }}
{{- with .Values.config.path }}
- --config-path={{ . }}
{{- end }}
{{- with .Values.config.name }}
- --config={{ . }}
{{- end }}
{{- with .Values.extraArgs }}
{{- toYaml . | nindent 12 }}
{{- end }}
env: env:
{{- if .Values.ui.message }} {{- if .Values.ui.message }}
- name: PODINFO_UI_MESSAGE - name: PODINFO_UI_MESSAGE
@@ -104,6 +117,9 @@ spec:
- name: PODINFO_BACKEND_URL - name: PODINFO_BACKEND_URL
value: {{ .Values.backend }} value: {{ .Values.backend }}
{{- end }} {{- end }}
{{- if .Values.extraEnvs }}
{{ toYaml .Values.extraEnvs | indent 10 }}
{{- end }}
ports: ports:
- name: http - name: http
containerPort: {{ .Values.service.httpPort | default 9898 }} containerPort: {{ .Values.service.httpPort | default 9898 }}
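Review bot: `{{ toYaml .Values.extraEnvs | indent 10 }}` is written with `if` and an untrimmed `indent`, while the `extraArgs` block added to the same template uses `with` and `nindent`. Use the same `{{- with .Values.extraEnvs }}` and `{{- toYaml . | nindent 10 }}` form here so both user-supplied lists are rendered the same way and no stray blank line is emitted.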
@@ -129,6 +145,22 @@ spec:
containerPort: {{ .Values.service.grpcPort }} containerPort: {{ .Values.service.grpcPort }}
protocol: TCP protocol: TCP
{{- end }} {{- end }}
{{- if .Values.probes.startup.enable }}
startupProbe:
exec:
command:
- podcli
- check
- http
- localhost:{{ .Values.service.httpPort | default 9898 }}/healthz
{{- with .Values.probes.startup }}
initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
timeoutSeconds: {{ .timeoutSeconds | default 5 }}
failureThreshold: {{ .failureThreshold | default 3 }}
successThreshold: {{ .successThreshold | default 1 }}
periodSeconds: {{ .periodSeconds | default 10 }}
{{- end }}
{{- end }}
livenessProbe: livenessProbe:
exec: exec:
command: command:
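Review bot: The toggle is named `probes.startup.enable`, while the other switches in this chart's values use `enabled` (`hpa.enabled`, `httpRoute.enabled`, `tls.enabled`). A user who writes `probes.startup.enabled: true` by habit gets no startup probe and no error. Rename the key to `enabled` in the template and in both values files.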
@@ -136,8 +168,13 @@ spec:
- check - check
- http - http
- localhost:{{ .Values.service.httpPort | default 9898 }}/healthz - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz
initialDelaySeconds: 1 {{- with .Values.probes.liveness }}
timeoutSeconds: 5 initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
timeoutSeconds: {{ .timeoutSeconds | default 5 }}
failureThreshold: {{ .failureThreshold | default 3 }}
successThreshold: {{ .successThreshold | default 1 }}
periodSeconds: {{ .periodSeconds | default 10 }}
{{- end }}
readinessProbe: readinessProbe:
exec: exec:
command: command:
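Review bot: `{{ .initialDelaySeconds | default 1 }}` treats an explicit `0` as unset, because `default` replaces any empty value, so `probes.liveness.initialDelaySeconds: 0` renders as `1`. Check for the key with `hasKey` or compare against `nil` if zero should be accepted. Kubernetes also requires `successThreshold` to be 1 for liveness and startup probes, so making it configurable for those two only lets a user render a manifest the API server rejects.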
@@ -145,8 +182,13 @@ spec:
- check - check
- http - http
- localhost:{{ .Values.service.httpPort | default 9898 }}/readyz - localhost:{{ .Values.service.httpPort | default 9898 }}/readyz
initialDelaySeconds: 1 {{- with .Values.probes.readiness }}
timeoutSeconds: 5 initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
timeoutSeconds: {{ .timeoutSeconds | default 5 }}
failureThreshold: {{ .failureThreshold | default 3 }}
successThreshold: {{ .successThreshold | default 1 }}
periodSeconds: {{ .periodSeconds | default 10 }}
{{- end }}
volumeMounts: volumeMounts:
- name: data - name: data
mountPath: /data mountPath: /data
@@ -157,6 +199,10 @@ spec:
{{- end }} {{- end }}
resources: resources:
{{ toYaml .Values.resources | indent 12 }} {{ toYaml .Values.resources | indent 12 }}
{{- with .Values.podSecurityContext }}
securityContext:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.nodeSelector }} {{- with .Values.nodeSelector }}
nodeSelector: nodeSelector:
{{ toYaml . | indent 8 }} {{ toYaml . | indent 8 }}
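Review bot: `podSecurityContext` defaults to `{}` in both values files, as `securityContext` already does, so the chart still renders pods with no security context unless the user supplies one. Add a commented example under the value, as was done for `extraEnvs`, showing fields such as `runAsNonRoot` and `seccompProfile`, so the hardened configuration is discoverable from the values file.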
@@ -177,3 +223,7 @@ spec:
secret: secret:
secretName: {{ template "podinfo.tlsSecretName" . }} secretName: {{ template "podinfo.tlsSecretName" . }}
{{- end }} {{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}

View File

@@ -0,0 +1,42 @@
{{- if .Values.grpcRoute.enabled -}}
{{- $fullName := include "podinfo.fullname" . -}}
{{- $grpcPort := .Values.service.grpcPort -}}
apiVersion: gateway.networking.k8s.io/v1
kind: GRPCRoute
metadata:
name: {{ $fullName }}
namespace: {{ include "podinfo.namespace" . }}
labels:
{{- include "podinfo.labels" . | nindent 4 }}
{{- with .Values.grpcRoute.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.grpcRoute.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
parentRefs:
{{- with .Values.grpcRoute.parentRefs }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.grpcRoute.hostnames }}
hostnames:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
{{- range .Values.grpcRoute.rules }}
- backendRefs:
- name: {{ $fullName }}
port: {{ $grpcPort }}
weight: 1
{{- with .matches }}
matches:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .filters }}
filters:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

View File

@@ -0,0 +1,37 @@
{{- $hooks := dict "preInstall" "pre-install" "postInstall" "post-install" "preDelete" "pre-delete" "postDelete" "post-delete" "preUpgrade" "pre-upgrade" "postUpgrade" "post-upgrade" "preRollback" "pre-rollback" "postRollback" "post-rollback" }}
{{- range $hookName, $hookType := $hooks }}
{{- $hookConfig := index $.Values.hooks $hookName }}
{{- if and $hookConfig $hookConfig.job $hookConfig.job.enabled }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "podinfo.fullname" $ }}-{{ $hookType }}
namespace: {{ include "podinfo.namespace" $ }}
labels:
{{- include "podinfo.labels" $ | nindent 4 }}
annotations:
"helm.sh/hook": {{ $hookType }}
"helm.sh/hook-delete-policy": {{ $hookConfig.job.hookDeletePolicy }}
spec:
{{- if kindIs "float64" $hookConfig.job.ttlSecondsAfterFinished }}
ttlSecondsAfterFinished: {{ $hookConfig.job.ttlSecondsAfterFinished | int }}
{{- end }}
template:
spec:
containers:
- name: job
image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}"
imagePullPolicy: {{ $.Values.image.pullPolicy }}
command:
- sh
- -c
- |
{{- if kindIs "float64" $hookConfig.job.sleepSeconds }}
sleep {{ $hookConfig.job.sleepSeconds | int }}
{{- end }}
exit {{ $hookConfig.job.exitCode | default 0 }}
restartPolicy: Never
backoffLimit: 1
{{- end }}
{{- end }}
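Review bot: `exit {{ $hookConfig.job.exitCode | default 0 }}` is rendered into the `sh -c` script without a type check, unlike `sleepSeconds` just above it, which is guarded with `kindIs "float64"` and cast with `| int`. Cast `exitCode` with `| int` as well so a string value cannot end up as shell text. The Job pod spec also has no `imagePullSecrets` although it pulls `$.Values.image.repository`, so hooks will fail to pull from a private registry where the Deployment now succeeds through `image.pullSecrets`.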

View File

@@ -1,8 +1,9 @@
{{- if .Values.hpa.enabled -}} {{- if .Values.hpa.enabled -}}
apiVersion: autoscaling/v2beta2 apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler kind: HorizontalPodAutoscaler
metadata: metadata:
name: {{ template "podinfo.fullname" . }} name: {{ template "podinfo.fullname" . }}
namespace: {{ include "podinfo.namespace" . }}
labels: labels:
{{- include "podinfo.labels" . | nindent 4 }} {{- include "podinfo.labels" . | nindent 4 }}
spec: spec:
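Review bot: `autoscaling/v2` is served only from Kubernetes 1.23 onward, so this apiVersion change drops the older clusters that the previous `autoscaling/v2beta2` template still rendered for. State the minimum supported Kubernetes version for the chart, for example through `kubeVersion` in `Chart.yaml`, so an install on an older cluster fails with a clear message.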

View File

@@ -0,0 +1,42 @@
{{- if .Values.httpRoute.enabled -}}
{{- $fullName := include "podinfo.fullname" . -}}
{{- $svcPort := .Values.service.externalPort -}}
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: {{ $fullName }}
namespace: {{ include "podinfo.namespace" . }}
labels:
{{- include "podinfo.labels" . | nindent 4 }}
{{- with .Values.httpRoute.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.httpRoute.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
parentRefs:
{{- with .Values.httpRoute.parentRefs }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.httpRoute.hostnames }}
hostnames:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
{{- range .Values.httpRoute.rules }}
{{- with .matches }}
- matches:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .filters }}
filters:
{{- toYaml . | nindent 8 }}
{{- end }}
backendRefs:
- name: {{ $fullName }}
port: {{ $svcPort }}
weight: 1
{{- end }}
{{- end }}
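Review bot: In the `rules` loop the list item marker sits inside `{{- with .matches }}` (`- matches:`), so a rule without `matches` renders `filters:` and `backendRefs:` with no leading `- ` and the output is no longer a list of rules. The GRPCRoute template in this change avoids this by opening each item with `- backendRefs:` unconditionally; use the same ordering here.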

View File

@@ -5,8 +5,12 @@ apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: {{ $fullName }} name: {{ $fullName }}
namespace: {{ include "podinfo.namespace" . }}
labels: labels:
{{- include "podinfo.labels" . | nindent 4 }} {{- include "podinfo.labels" . | nindent 4 }}
{{- with .Values.ingress.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.ingress.annotations }} {{- with .Values.ingress.annotations }}
annotations: annotations:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}

View File

@@ -1,98 +0,0 @@
{{- if .Values.linkerd.profile.enabled -}}
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
name: {{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
labels:
{{- include "podinfo.labels" . | nindent 4 }}
spec:
routes:
- condition:
method: GET
pathRegex: /
name: GET /
- condition:
method: POST
pathRegex: /api/echo
name: POST /api/echo
- condition:
method: GET
pathRegex: /api/info
name: GET /api/info
- condition:
method: GET
pathRegex: /chunked/[^/]*
name: GET /chunked/{seconds}
- condition:
method: GET
pathRegex: /delay/[^/]*
name: GET /delay/{seconds}
- condition:
method: GET
pathRegex: /env
name: GET /env
- condition:
method: GET
pathRegex: /headers
name: GET /headers
- condition:
method: GET
pathRegex: /healthz
name: GET /healthz
- condition:
method: GET
pathRegex: /metrics
name: GET /metrics
- condition:
method: GET
pathRegex: /panic
name: GET /panic
- condition:
method: GET
pathRegex: /readyz
name: GET /readyz
- condition:
method: POST
pathRegex: /readyz/disable
name: POST /readyz/disable
- condition:
method: POST
pathRegex: /readyz/enable
name: POST /readyz/enable
- condition:
method: GET
pathRegex: /status/[^/]*
name: GET /status/{code}
- condition:
method: POST
pathRegex: /cache
name: POST /cache
- condition:
method: GET
pathRegex: /cache/[^/]*
name: GET /cache/{hash}
- condition:
method: POST
pathRegex: /store
name: POST /store
- condition:
method: GET
pathRegex: /store/[^/]*
name: GET /store/{hash}
- condition:
method: POST
pathRegex: /token
name: POST /token
- condition:
method: POST
pathRegex: /token/validate
name: POST /token/validate
- condition:
method: GET
pathRegex: /version
name: GET /version
- condition:
method: POST
pathRegex: /ws/echo
name: POST /ws/echo
{{- end }}
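Review bot: Deleting this template together with the `linkerd.profile.enabled` value means releases that had it set to `true` lose their ServiceProfile on upgrade, and Helm does not warn about the now-unknown key. The "Upgrading the chart" section of the README shown in this change only covers 5.0.0; add an entry that documents this removal.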

View File

@@ -0,0 +1,14 @@
{{- if and .Values.podDisruptionBudget (gt (int .Values.replicaCount) 1) }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "podinfo.fullname" . }}
namespace: {{ include "podinfo.namespace" . }}
labels:
{{- include "podinfo.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "podinfo.selectorLabels" . | nindent 6 }}
{{- toYaml .Values.podDisruptionBudget | nindent 2 }}
{{- end }}
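Review bot: The `gt (int .Values.replicaCount) 1` guard looks only at the static replica count, so a release that relies on `hpa.enabled` with `replicaCount: 1` never gets a PodDisruptionBudget even when the autoscaler runs several pods. Consider rendering the budget when `hpa.enabled` is true as well. Because `.Values.podDisruptionBudget` is dumped with `toYaml` directly under `spec`, a user-supplied `selector` key would also duplicate the one written above it.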

View File

@@ -21,6 +21,9 @@ spec:
{{- if .Values.serviceAccount.enabled }} {{- if .Values.serviceAccount.enabled }}
serviceAccountName: {{ template "podinfo.serviceAccountName" . }} serviceAccountName: {{ template "podinfo.serviceAccountName" . }}
{{- end }} {{- end }}
{{- if .Values.redis.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.redis.imagePullSecrets | nindent 8 }}
{{- end }}
containers: containers:
- name: redis - name: redis
image: "{{ .Values.redis.repository }}:{{ .Values.redis.tag }}" image: "{{ .Values.redis.repository }}:{{ .Values.redis.tag }}"

View File

@@ -14,4 +14,5 @@ spec:
port: 6379 port: 6379
protocol: TCP protocol: TCP
targetPort: redis targetPort: redis
appProtocol: redis
{{- end }} {{- end }}

View File

@@ -3,8 +3,12 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ template "podinfo.fullname" . }} name: {{ template "podinfo.fullname" . }}
namespace: {{ include "podinfo.namespace" . }}
labels: labels:
{{- include "podinfo.labels" . | nindent 4 }} {{- include "podinfo.labels" . | nindent 4 }}
{{- with .Values.service.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.service.annotations }} {{- with .Values.service.annotations }}
annotations: annotations:
{{ toYaml . | indent 4 }} {{ toYaml . | indent 4 }}
@@ -33,4 +37,10 @@ spec:
{{- end }} {{- end }}
selector: selector:
{{- include "podinfo.selectorLabels" . | nindent 4 }} {{- include "podinfo.selectorLabels" . | nindent 4 }}
{{- if .Values.service.trafficDistribution }}
trafficDistribution: {{ .Values.service.trafficDistribution }}
{{- end }}
{{- if ( and (.Values.service.externalTrafficPolicy) (eq .Values.service.type "LoadBalancer") ) }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
{{- end }}
{{- end }} {{- end }}
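Review bot: `externalTrafficPolicy` is rendered only when `service.type` equals `LoadBalancer`, but the field is also valid for `NodePort` services, which this chart supports through `service.nodePort`. A user who sets `externalTrafficPolicy: Local` with `type: NodePort` has it dropped without any message. Extend the condition to both types.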

View File

@@ -5,4 +5,8 @@ metadata:
name: {{ template "podinfo.serviceAccountName" . }} name: {{ template "podinfo.serviceAccountName" . }}
labels: labels:
{{- include "podinfo.labels" . | nindent 4 }} {{- include "podinfo.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end -}} {{- end -}}
{{- end -}}
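Review bot: This template gains `imagePullSecrets`, but its `metadata` still has no `namespace: {{ include "podinfo.namespace" . }}` line, unlike the Deployment, Service and the other templates in this change. With `namespaceOverride` set, the Deployment is rendered into the override namespace while the ServiceAccount stays in the release namespace, so `serviceAccountName` would refer to an account that does not exist there.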

View File

@@ -3,6 +3,7 @@ apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:
name: {{ template "podinfo.fullname" . }} name: {{ template "podinfo.fullname" . }}
namespace: {{ include "podinfo.namespace" . }}
labels: labels:
{{- include "podinfo.labels" . | nindent 4 }} {{- include "podinfo.labels" . | nindent 4 }}
{{- with .Values.serviceMonitor.additionalLabels }} {{- with .Values.serviceMonitor.additionalLabels }}
@@ -15,7 +16,7 @@ spec:
interval: {{ .Values.serviceMonitor.interval }} interval: {{ .Values.serviceMonitor.interval }}
namespaceSelector: namespaceSelector:
matchNames: matchNames:
- {{ .Release.Namespace }} - {{ include "podinfo.namespace" . }}
selector: selector:
matchLabels: matchLabels:
{{- include "podinfo.selectorLabels" . | nindent 6 }} {{- include "podinfo.selectorLabels" . | nindent 6 }}

View File

@@ -3,6 +3,7 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: {{ template "podinfo.fullname" . }}-cache-test-{{ randAlphaNum 5 | lower }} name: {{ template "podinfo.fullname" . }}-cache-test-{{ randAlphaNum 5 | lower }}
namespace: {{ include "podinfo.namespace" . }}
labels: labels:
{{- include "podinfo.labels" . | nindent 4 }} {{- include "podinfo.labels" . | nindent 4 }}
annotations: annotations:
@@ -24,6 +25,6 @@ spec:
curl -s -XDELETE ${PODINFO_SVC}/cache/test curl -s -XDELETE ${PODINFO_SVC}/cache/test
env: env:
- name: PODINFO_SVC - name: PODINFO_SVC
value: "{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.externalPort }}" value: "{{ template "podinfo.fullname" . }}.{{ include "podinfo.namespace" . }}:{{ .Values.service.externalPort }}"
restartPolicy: Never restartPolicy: Never
{{- end }} {{- end }}

View File

@@ -3,6 +3,7 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: {{ template "podinfo.fullname" . }}-fault-test-{{ randAlphaNum 5 | lower }} name: {{ template "podinfo.fullname" . }}-fault-test-{{ randAlphaNum 5 | lower }}
namespace: {{ include "podinfo.namespace" . }}
labels: labels:
{{- include "podinfo.labels" . | nindent 4 }} {{- include "podinfo.labels" . | nindent 4 }}
annotations: annotations:

View File

@@ -2,6 +2,7 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: {{ template "podinfo.fullname" . }}-grpc-test-{{ randAlphaNum 5 | lower }} name: {{ template "podinfo.fullname" . }}-grpc-test-{{ randAlphaNum 5 | lower }}
namespace: {{ include "podinfo.namespace" . }}
labels: labels:
{{- include "podinfo.labels" . | nindent 4 }} {{- include "podinfo.labels" . | nindent 4 }}
annotations: annotations:
@@ -15,5 +16,5 @@ spec:
- name: grpc-health-probe - name: grpc-health-probe
image: stefanprodan/grpc_health_probe:v0.3.0 image: stefanprodan/grpc_health_probe:v0.3.0
command: ['grpc_health_probe'] command: ['grpc_health_probe']
args: ['-addr={{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.grpcPort }}'] args: ['-addr={{ template "podinfo.fullname" . }}.{{ include "podinfo.namespace" . }}:{{ .Values.service.grpcPort }}']
restartPolicy: Never restartPolicy: Never

View File

@@ -2,6 +2,7 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: {{ template "podinfo.fullname" . }}-jwt-test-{{ randAlphaNum 5 | lower }} name: {{ template "podinfo.fullname" . }}-jwt-test-{{ randAlphaNum 5 | lower }}
namespace: {{ include "podinfo.namespace" . }}
labels: labels:
{{- include "podinfo.labels" . | nindent 4 }} {{- include "podinfo.labels" . | nindent 4 }}
annotations: annotations:
@@ -22,5 +23,5 @@ spec:
curl -sH "Authorization: Bearer ${TOKEN}" ${PODINFO_SVC}/token/validate | grep test curl -sH "Authorization: Bearer ${TOKEN}" ${PODINFO_SVC}/token/validate | grep test
env: env:
- name: PODINFO_SVC - name: PODINFO_SVC
value: "{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.externalPort }}" value: "{{ template "podinfo.fullname" . }}.{{ include "podinfo.namespace" . }}:{{ .Values.service.externalPort }}"
restartPolicy: Never restartPolicy: Never

View File

@@ -2,6 +2,7 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: {{ template "podinfo.fullname" . }}-service-test-{{ randAlphaNum 5 | lower }} name: {{ template "podinfo.fullname" . }}-service-test-{{ randAlphaNum 5 | lower }}
namespace: {{ include "podinfo.namespace" . }}
labels: labels:
{{- include "podinfo.labels" . | nindent 4 }} {{- include "podinfo.labels" . | nindent 4 }}
annotations: annotations:
@@ -21,5 +22,5 @@ spec:
curl -s ${PODINFO_SVC}/api/info | grep version curl -s ${PODINFO_SVC}/api/info | grep version
env: env:
- name: PODINFO_SVC - name: PODINFO_SVC
value: "{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.externalPort }}" value: "{{ template "podinfo.fullname" . }}.{{ include "podinfo.namespace" . }}:{{ .Values.service.externalPort }}"
restartPolicy: Never restartPolicy: Never

View File

@@ -3,6 +3,7 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: {{ template "podinfo.fullname" . }}-fault-test-{{ randAlphaNum 5 | lower }} name: {{ template "podinfo.fullname" . }}-fault-test-{{ randAlphaNum 5 | lower }}
namespace: {{ include "podinfo.namespace" . }}
labels: labels:
{{- include "podinfo.labels" . | nindent 4 }} {{- include "podinfo.labels" . | nindent 4 }}
annotations: annotations:

View File

@@ -3,6 +3,7 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: {{ template "podinfo.fullname" . }}-tls-test-{{ randAlphaNum 5 | lower }} name: {{ template "podinfo.fullname" . }}-tls-test-{{ randAlphaNum 5 | lower }}
namespace: {{ include "podinfo.namespace" . }}
labels: labels:
{{- include "podinfo.labels" . | nindent 4 }} {{- include "podinfo.labels" . | nindent 4 }}
annotations: annotations:
@@ -22,6 +23,6 @@ spec:
curl -sk ${PODINFO_SVC}/api/info | grep version curl -sk ${PODINFO_SVC}/api/info | grep version
env: env:
- name: PODINFO_SVC - name: PODINFO_SVC
value: "https://{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.tls.port }}" value: "https://{{ template "podinfo.fullname" . }}.{{ include "podinfo.namespace" . }}:{{ .Values.tls.port }}"
restartPolicy: Never restartPolicy: Never
{{- end }} {{- end }}

View File

@@ -8,7 +8,7 @@ backends: []
image: image:
repository: ghcr.io/stefanprodan/podinfo repository: ghcr.io/stefanprodan/podinfo
tag: 6.1.2 tag: 6.11.2
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
ui: ui:
@@ -29,6 +29,7 @@ faults:
service: service:
enabled: true enabled: true
annotations: {} annotations: {}
additionalLabels: { }
type: ClusterIP type: ClusterIP
metricsPort: 9797 metricsPort: 9797
httpPort: 9898 httpPort: 9898
@@ -36,11 +37,23 @@ service:
grpcPort: 9999 grpcPort: 9999
grpcService: podinfo grpcService: podinfo
nodePort: 31198 nodePort: 31198
trafficDistribution: ""
externalTrafficPolicy: ""
# enable h2c protocol (non-TLS version of HTTP/2) # enable h2c protocol (non-TLS version of HTTP/2)
h2c: h2c:
enabled: false enabled: false
# config file settings
config:
# config file path
path: ""
# config file name
name: ""
# Additional command line arguments to pass to podinfo container
extraArgs: []
# enable tls on the podinfo service # enable tls on the podinfo service
tls: tls:
enabled: false enabled: false
@@ -77,13 +90,13 @@ hpa:
# average http requests per second per pod (k8s-prometheus-adapter) # average http requests per second per pod (k8s-prometheus-adapter)
requests: requests:
# Redis address in the format <host>:<port> # Redis address in the format tcp://<host>:<port>
cache: "" cache: ""
# Redis deployment # Redis deployment
redis: redis:
enabled: true enabled: true
repository: redis repository: redis
tag: 6.0.8 tag: 8.6.1
serviceAccount: serviceAccount:
# Specifies whether a service account should be created # Specifies whether a service account should be created
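Review bot: The `redis` block in this values file keeps the unqualified `repository: redis` and does not add `imagePullSecrets: []`, while the other values file in this change moves to `docker.io/redis` and adds the key. An unqualified image name is resolved by the container runtime's registry configuration, so name the registry here as well and keep the two files in step.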
@@ -91,16 +104,25 @@ serviceAccount:
# The name of the service account to use. # The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template # If not set and create is true, a name is generated using the fullname template
name: name:
# List of image pull secrets if pulling from private registries
imagePullSecrets: []
# set container security context # set container security context
securityContext: {} securityContext: {}
# set pod security context
podSecurityContext: {}
# -- Expose the service via Kubernetes Ingress
# Requires an Ingress controller
# Docs https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress: ingress:
enabled: false enabled: false
className: "" className: ""
additionalLabels: {}
annotations: {} annotations: {}
# kubernetes.io/ingress.class: nginx # kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true" # kubernetes.io/tls-acme: "true"
hosts: hosts:
- host: podinfo.local - host: podinfo.local
paths: paths:
@@ -111,9 +133,30 @@ ingress:
# hosts: # hosts:
# - chart-example.local # - chart-example.local
linkerd: # -- Expose the service via Gateway HTTPRoute
profile: # Requires a Gateway controller
enabled: false # Docs https://gateway-api.sigs.k8s.io/guides/
httpRoute:
# HTTPRoute enabled.
enabled: false
# Add additional labels to the HTTPRoute.
additionalLabels: {}
# HTTPRoute annotations.
annotations: {}
# Which Gateways this Route is attached to.
parentRefs:
- name: gateway
sectionName: http
# namespace: default
# Hostnames matching HTTP header.
hostnames:
- podinfo.local
# List of rules and filters applied.
rules:
- matches:
- path:
type: PathPrefix
value: /
# create Prometheus Operator monitor # create Prometheus Operator monitor
serviceMonitor: serviceMonitor:
@@ -128,6 +171,14 @@ resources:
cpu: 100m cpu: 100m
memory: 64Mi memory: 64Mi
# Extra environment variables for the podinfo container
extraEnvs: []
# Example on how to configure extraEnvs
# - name: OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
# value: "http://otel:4317"
# - name: MULTIPLE_VALUES
# value: TEST
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
@@ -135,3 +186,25 @@ tolerations: []
affinity: {} affinity: {}
podAnnotations: {} podAnnotations: {}
# https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
probes:
readiness:
initialDelaySeconds: 1
timeoutSeconds: 5
failureThreshold: 3
successThreshold: 1
periodSeconds: 10
liveness:
initialDelaySeconds: 1
timeoutSeconds: 5
failureThreshold: 3
successThreshold: 1
periodSeconds: 10
startup:
enable: false
initialDelaySeconds: 10
timeoutSeconds: 5
failureThreshold: 20
successThreshold: 1
periodSeconds: 10

View File

@@ -8,8 +8,9 @@ backends: []
image: image:
repository: ghcr.io/stefanprodan/podinfo repository: ghcr.io/stefanprodan/podinfo
tag: 6.1.2 tag: 6.11.2
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
pullSecrets: []
ui: ui:
color: "#34577c" color: "#34577c"
@@ -29,6 +30,7 @@ faults:
service: service:
enabled: true enabled: true
annotations: {} annotations: {}
additionalLabels: { }
type: ClusterIP type: ClusterIP
metricsPort: 9797 metricsPort: 9797
httpPort: 9898 httpPort: 9898
@@ -40,11 +42,32 @@ service:
# NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing
# in local clusters such as kind without port forwarding # in local clusters such as kind without port forwarding
hostPort: hostPort:
# Stable from Kubernetes v1.33+ with a value of PreferClose. Additional values are PreferSameZone and PreferSameNode from v1.34+. Empty string means it's disabled.
trafficDistribution: ""
externalTrafficPolicy: ""
# enable h2c protocol (non-TLS version of HTTP/2) # enable h2c protocol (non-TLS version of HTTP/2)
h2c: h2c:
enabled: false enabled: false
# config file settings
config:
# config file path
path: ""
# config file name
name: ""
# Additional command line arguments to pass to podinfo container
extraArgs: []
# Extra environment variables for the podinfo container
extraEnvs: []
# Example on how to configure extraEnvs
# - name: OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
# value: "http://otel:4317"
# - name: MULTIPLE_VALUES
# value: TEST
# enable tls on the podinfo service # enable tls on the podinfo service
tls: tls:
enabled: false enabled: false
@@ -70,6 +93,65 @@ certificate:
dnsNames: dnsNames:
- podinfo - podinfo
# Helm hooks (for testing purposes)
hooks:
preInstall:
job:
enabled: false
hookDeletePolicy: hook-succeeded,hook-failed
ttlSecondsAfterFinished:
sleepSeconds:
exitCode: 0
postInstall:
job:
enabled: false
hookDeletePolicy: hook-succeeded,hook-failed
ttlSecondsAfterFinished:
sleepSeconds:
exitCode: 0
preDelete:
job:
enabled: false
hookDeletePolicy: hook-succeeded,hook-failed
ttlSecondsAfterFinished:
sleepSeconds:
exitCode: 0
postDelete:
job:
enabled: false
hookDeletePolicy: hook-succeeded,hook-failed
ttlSecondsAfterFinished:
sleepSeconds:
exitCode: 0
preUpgrade:
job:
enabled: false
hookDeletePolicy: hook-succeeded,hook-failed
ttlSecondsAfterFinished:
sleepSeconds:
exitCode: 0
postUpgrade:
job:
enabled: false
hookDeletePolicy: hook-succeeded,hook-failed
ttlSecondsAfterFinished:
sleepSeconds:
exitCode: 0
preRollback:
job:
enabled: false
hookDeletePolicy: hook-succeeded,hook-failed
ttlSecondsAfterFinished:
sleepSeconds:
exitCode: 0
postRollback:
job:
enabled: false
hookDeletePolicy: hook-succeeded,hook-failed
ttlSecondsAfterFinished:
sleepSeconds:
exitCode: 0
# metrics-server add-on required # metrics-server add-on required
hpa: hpa:
enabled: false enabled: false
@@ -81,13 +163,14 @@ hpa:
# average http requests per second per pod (k8s-prometheus-adapter) # average http requests per second per pod (k8s-prometheus-adapter)
requests: requests:
# Redis address in the format <host>:<port> # Redis address in the format tcp://<host>:<port>
cache: "" cache: ""
# Redis deployment # Redis deployment
redis: redis:
enabled: false enabled: false
repository: redis repository: docker.io/redis
tag: 6.0.8 tag: 8.6.1
imagePullSecrets: []
serviceAccount: serviceAccount:
# Specifies whether a service account should be created # Specifies whether a service account should be created
@@ -95,13 +178,22 @@ serviceAccount:
# The name of the service account to use. # The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template # If not set and create is true, a name is generated using the fullname template
name: name:
# List of image pull secrets if pulling from private registries
imagePullSecrets: []
# set container security context # set container security context
securityContext: {} securityContext: {}
# set pod security context
podSecurityContext: {}
# -- Expose the service via Kubernetes Ingress
# Requires an Ingress controller
# Docs https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress: ingress:
enabled: false enabled: false
className: "" className: ""
additionalLabels: {}
annotations: {} annotations: {}
# kubernetes.io/ingress.class: nginx # kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true" # kubernetes.io/tls-acme: "true"
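Review bot: `securityContext: {}` and the new `podSecurityContext: {}` both default to empty, and the values file gives no hint of a hardened baseline. A commented example under each key (for instance `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`) would document the intended settings, in the same way `annotations` under `ingress` carries commented samples.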
@@ -115,9 +207,52 @@ ingress:
# hosts: # hosts:
# - chart-example.local # - chart-example.local
linkerd: # -- Expose the service via Gateway HTTPRoute
profile: # Requires a Gateway controller
enabled: false # Docs https://gateway-api.sigs.k8s.io/guides/
httpRoute:
# HTTPRoute enabled.
enabled: false
# Add additional labels to the HTTPRoute.
additionalLabels: {}
# HTTPRoute annotations.
annotations: {}
# Which Gateways this Route is attached to.
parentRefs:
- name: gateway
sectionName: http
# namespace: default
# Hostnames matching HTTP header.
hostnames:
- podinfo.local
# List of rules and filters applied.
rules:
- matches:
- path:
type: PathPrefix
value: /
# -- Expose the gRPC service via Gateway GRPCRoute
# Requires a Gateway controller with GRPCRoute support
# Docs https://gateway-api.sigs.k8s.io/guides/grpc-routing/
grpcRoute:
# GRPCRoute enabled.
enabled: false
# Add additional labels to the GRPCRoute.
additionalLabels: {}
# GRPCRoute annotations.
annotations: {}
# Which Gateways this Route is attached to.
parentRefs:
- name: gateway
sectionName: http
# namespace: default
# Hostnames matching HTTP header.
hostnames:
- podinfo.local
# List of rules applied.
rules:
- {}
# create Prometheus Operator monitor # create Prometheus Operator monitor
serviceMonitor: serviceMonitor:
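Review bot: the `httpRoute` and `grpcRoute` defaults both use `parentRefs` with `name: gateway` and `sectionName: http` plus the hostname `podinfo.local`, and `grpcRoute.rules` is `- {}`, a rule with no matches. Enabling both as shipped puts two catch-all routes on one listener and hostname, and how that is resolved depends on the Gateway controller; give `grpcRoute` its own default `sectionName` or hostname, or say in the comment that one of them must be changed. The comment `Hostnames matching HTTP header` should name the Host header, and the removal of `linkerd.profile.enabled` deserves a line in the upgrade notes.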
@@ -138,3 +273,32 @@ tolerations: []
affinity: {} affinity: {}
podAnnotations: {} podAnnotations: {}
# https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
topologySpreadConstraints: []
# Disruption budget will be configured only when the replicaCount is greater than 1
podDisruptionBudget: {}
# maxUnavailable: 1
# https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
probes:
readiness:
initialDelaySeconds: 1
timeoutSeconds: 5
failureThreshold: 3
successThreshold: 1
periodSeconds: 10
liveness:
initialDelaySeconds: 1
timeoutSeconds: 5
failureThreshold: 3
successThreshold: 1
periodSeconds: 10
startup:
enable: false
initialDelaySeconds: 10
timeoutSeconds: 5
failureThreshold: 20
successThreshold: 1
periodSeconds: 10
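Review bot: `probes.startup` uses `enable: false`, while every other toggle visible in this file is spelled `enabled` (`hpa`, `redis`, `ingress`, `httpRoute`, `grpcRoute`). A user who sets `probes.startup.enabled: true` by analogy would presumably be ignored without any error. Rename the key to `enabled`, or have the template accept both spellings.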

@@ -1,4 +0,0 @@
steps:
- name: 'gcr.io/cloud-builders/docker'
args: ['build','-f' , 'Dockerfile', '-t', 'gcr.io/$PROJECT_ID/podinfo:$BRANCH_NAME-$SHORT_SHA', '.']
images: ['gcr.io/$PROJECT_ID/podinfo:$BRANCH_NAME-$SHORT_SHA']

@@ -12,10 +12,13 @@ import (
"strings" "strings"
"time" "time"
"github.com/gorilla/websocket"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"go.uber.org/zap" "go.uber.org/zap"
"google.golang.org/grpc" "google.golang.org/grpc"
"google.golang.org/grpc/codes" "google.golang.org/grpc/codes"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
"google.golang.org/grpc/health/grpc_health_v1" "google.golang.org/grpc/health/grpc_health_v1"
"google.golang.org/grpc/status" "google.golang.org/grpc/status"
) )
@@ -27,6 +30,7 @@ var (
body string body string
timeout time.Duration timeout time.Duration
grpcServiceName string grpcServiceName string
grpcTLS bool
) )
var checkCmd = &cobra.Command{ var checkCmd = &cobra.Command{
@@ -63,6 +67,13 @@ var checkgRPCCmd = &cobra.Command{
RunE: runCheckgPRC, RunE: runCheckgPRC,
} }
var checkWsCmd = &cobra.Command{
Use: `ws [address]`,
Short: "WebSocket round-trip health check",
Example: ` check ws ws://localhost:9898/ws/echo --retry=1 --delay=2s --timeout=5s`,
RunE: runCheckWs,
}
func init() { func init() {
checkUrlCmd.Flags().StringVar(&method, "method", "GET", "HTTP method") checkUrlCmd.Flags().StringVar(&method, "method", "GET", "HTTP method")
checkUrlCmd.Flags().StringVar(&body, "body", "", "HTTP POST/PUT content") checkUrlCmd.Flags().StringVar(&body, "body", "", "HTTP POST/PUT content")
@@ -80,10 +91,16 @@ func init() {
checkgRPCCmd.Flags().DurationVar(&retryDelay, "delay", 1*time.Second, "wait duration between retries") checkgRPCCmd.Flags().DurationVar(&retryDelay, "delay", 1*time.Second, "wait duration between retries")
checkgRPCCmd.Flags().DurationVar(&timeout, "timeout", 5*time.Second, "timeout") checkgRPCCmd.Flags().DurationVar(&timeout, "timeout", 5*time.Second, "timeout")
checkgRPCCmd.Flags().StringVar(&grpcServiceName, "service", "", "gRPC service name") checkgRPCCmd.Flags().StringVar(&grpcServiceName, "service", "", "gRPC service name")
checkgRPCCmd.Flags().BoolVar(&grpcTLS, "tls", false, "use TLS for gRPC connection")
checkCmd.AddCommand(checkgRPCCmd) checkCmd.AddCommand(checkgRPCCmd)
checkCmd.AddCommand(checkCertCmd) checkCmd.AddCommand(checkCertCmd)
checkWsCmd.Flags().IntVar(&retryCount, "retry", 0, "times to retry the WebSocket check")
checkWsCmd.Flags().DurationVar(&retryDelay, "delay", 1*time.Second, "wait duration between retries")
checkWsCmd.Flags().DurationVar(&timeout, "timeout", 5*time.Second, "timeout")
checkCmd.AddCommand(checkWsCmd)
rootCmd.AddCommand(checkCmd) rootCmd.AddCommand(checkCmd)
} }
@@ -262,6 +279,72 @@ func fmtContentLength(b int64) string {
return fmt.Sprintf("%.1f %cB", float64(b)/float64(div), "kMGTPE"[exp]) return fmt.Sprintf("%.1f %cB", float64(b)/float64(div), "kMGTPE"[exp])
} }
func runCheckWs(cmd *cobra.Command, args []string) error {
if retryCount < 0 {
return fmt.Errorf("--retry is required")
}
if len(args) < 1 {
return fmt.Errorf("address is required! example: check ws wss://localhost:9898/ws/echo")
}
address := args[0]
if !strings.HasPrefix(address, "ws://") && !strings.HasPrefix(address, "wss://") {
return fmt.Errorf("address must start with ws:// or wss://")
}
for n := 0; n <= retryCount; n++ {
if n != 0 {
time.Sleep(retryDelay)
}
dialer := websocket.Dialer{
HandshakeTimeout: timeout,
}
conn, _, err := dialer.Dial(address, nil)
if err != nil {
logger.Info("check failed",
zap.String("address", address),
zap.Error(err))
continue
}
msg := "podinfo-check"
start := time.Now()
conn.SetWriteDeadline(start.Add(timeout))
if err := conn.WriteMessage(websocket.TextMessage, []byte(msg)); err != nil {
conn.Close()
logger.Info("check failed",
zap.String("address", address),
zap.Error(err))
continue
}
conn.SetReadDeadline(time.Now().Add(timeout))
_, resp, err := conn.ReadMessage()
if err != nil {
conn.Close()
logger.Info("check failed",
zap.String("address", address),
zap.Error(err))
continue
}
rtt := time.Since(start)
conn.Close()
logger.Info("check succeed",
zap.String("address", address),
zap.Duration("round-trip", rtt),
zap.Int("response size", len(resp)))
os.Exit(0)
}
os.Exit(1)
return nil
}
func runCheckgPRC(cmd *cobra.Command, args []string) error { func runCheckgPRC(cmd *cobra.Command, args []string) error {
if retryCount < 0 { if retryCount < 0 {
return fmt.Errorf("--retry is required") return fmt.Errorf("--retry is required")
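Review bot: in `runCheckWs` the value returned by `conn.ReadMessage()` is only measured with `len(resp)` and never compared with the `msg` that was sent, so any frame from the server (a greeting, an error payload) is logged as `check succeed`. For a round-trip check against an echo endpoint, compare `resp` with `msg` and check the returned message type. Two smaller points: the errors from `SetWriteDeadline` and `SetReadDeadline` are dropped, and the `retryCount < 0` branch reports `--retry is required`, which does not describe a negative value.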
@@ -271,12 +354,19 @@ func runCheckgPRC(cmd *cobra.Command, args []string) error {
} }
address := args[0] address := args[0]
var creds grpc.DialOption
if grpcTLS {
creds = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
} else {
creds = grpc.WithTransportCredentials(insecure.NewCredentials())
}
for n := 0; n <= retryCount; n++ { for n := 0; n <= retryCount; n++ {
if n != 1 { if n != 0 {
time.Sleep(retryDelay) time.Sleep(retryDelay)
} }
conn, err := grpc.Dial(address, grpc.WithInsecure()) conn, err := grpc.NewClient(address, creds)
if err != nil { if err != nil {
logger.Info("check failed", logger.Info("check failed",
zap.String("address", address), zap.String("address", address),
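Review bot: with `--tls` the client is built from `credentials.NewTLS(&tls.Config{})`, which verifies the server against the system roots only, and the command has no flag for a CA bundle or an expected server name. A check against a server that uses a private or self-signed certificate will therefore always fail, which tends to push users back to the plaintext default. Consider a flag for a CA file that populates `RootCAs`, and say in the `--tls` help text that the default without it is unauthenticated plaintext.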
@@ -291,13 +381,14 @@ func runCheckgPRC(cmd *cobra.Command, args []string) error {
if err != nil { if err != nil {
if stat, ok := status.FromError(err); ok && stat.Code() == codes.Unimplemented { if stat, ok := status.FromError(err); ok && stat.Code() == codes.Unimplemented {
logger.Info("gPRC health protocol not implemented") logger.Info("gRPC health protocol not implemented")
os.Exit(1) os.Exit(1)
} else { } else {
logger.Info("check failed", logger.Info("check failed",
zap.String("address", address), zap.String("address", address),
zap.Error(err)) zap.Error(err))
} }
conn.Close()
continue continue
} }
@@ -305,7 +396,6 @@ func runCheckgPRC(cmd *cobra.Command, args []string) error {
logger.Info("check succeed", logger.Info("check succeed",
zap.String("status", resp.GetStatus().String())) zap.String("status", resp.GetStatus().String()))
os.Exit(0) os.Exit(0)
} }
os.Exit(1) os.Exit(1)

@@ -1,8 +1,8 @@
package main package main
import ( import (
"context"
"fmt" "fmt"
"io/ioutil"
"os" "os"
"path/filepath" "path/filepath"
"strconv" "strconv"
@@ -11,13 +11,19 @@ import (
"github.com/spf13/pflag" "github.com/spf13/pflag"
"github.com/spf13/viper" "github.com/spf13/viper"
"go.opentelemetry.io/contrib/bridges/otelzap"
"go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc"
sdklog "go.opentelemetry.io/otel/sdk/log"
"go.opentelemetry.io/otel/sdk/resource"
semconv "go.opentelemetry.io/otel/semconv/v1.7.0"
"go.uber.org/zap" "go.uber.org/zap"
"go.uber.org/zap/zapcore" "go.uber.org/zap/zapcore"
"github.com/stefanprodan/podinfo/pkg/api" "github.com/stefanprodan/podinfo/pkg/api/grpc"
"github.com/stefanprodan/podinfo/pkg/grpc" "github.com/stefanprodan/podinfo/pkg/api/http"
"github.com/stefanprodan/podinfo/pkg/signals" "github.com/stefanprodan/podinfo/pkg/signals"
"github.com/stefanprodan/podinfo/pkg/version" "github.com/stefanprodan/podinfo/pkg/version"
go_grpc "google.golang.org/grpc"
) )
func main() { func main() {
@@ -33,7 +39,7 @@ func main() {
fs.StringSlice("backend-url", []string{}, "backend service URL") fs.StringSlice("backend-url", []string{}, "backend service URL")
fs.Duration("http-client-timeout", 2*time.Minute, "client timeout duration") fs.Duration("http-client-timeout", 2*time.Minute, "client timeout duration")
fs.Duration("http-server-timeout", 30*time.Second, "server read and write timeout duration") fs.Duration("http-server-timeout", 30*time.Second, "server read and write timeout duration")
fs.Duration("http-server-shutdown-timeout", 5*time.Second, "server graceful shutdown timeout duration") fs.Duration("server-shutdown-timeout", 5*time.Second, "server graceful shutdown timeout duration")
fs.String("data-path", "/data", "data local path") fs.String("data-path", "/data", "data local path")
fs.String("config-path", "", "config dir path") fs.String("config-path", "", "config dir path")
fs.String("cert-path", "/data/cert", "certificate path for HTTPS port") fs.String("cert-path", "/data/cert", "certificate path for HTTPS port")
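Review bot: `http-server-shutdown-timeout` is renamed to `server-shutdown-timeout` with no alias, so a deployment that still passes the old flag will likely be rejected at startup as using an unknown flag. Keep the old name registered and mark it with `fs.MarkDeprecated`, or list the rename as a breaking change in the release notes.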
@@ -52,8 +58,8 @@ func main() {
fs.Bool("unready", false, "when set, ready state is never reached") fs.Bool("unready", false, "when set, ready state is never reached")
fs.Int("stress-cpu", 0, "number of CPU cores with 100 load") fs.Int("stress-cpu", 0, "number of CPU cores with 100 load")
fs.Int("stress-memory", 0, "MB of data to load into memory") fs.Int("stress-memory", 0, "MB of data to load into memory")
fs.String("cache-server", "", "Redis address in the format <host>:<port>") fs.String("cache-server", "", "Redis address in the format 'tcp://<host>:<port>'")
fs.String("otel-service-name", "", "service name for reporting to open telemetry address, when not set tracing is disabled") fs.String("otel-service-name", "", "service name for OpenTelemetry, when not set tracing and log export are disabled")
versionFlag := fs.BoolP("version", "v", false, "get version number") versionFlag := fs.BoolP("version", "v", false, "get version number")
@@ -93,8 +99,18 @@ func main() {
} }
} }
// initialize OTel log provider if service name is set
var loggerProvider *sdklog.LoggerProvider
if otelServiceName := viper.GetString("otel-service-name"); otelServiceName != "" {
var err error
loggerProvider, err = initLoggerProvider(context.Background(), otelServiceName)
if err != nil {
fmt.Fprintf(os.Stderr, "Error initializing OTel log provider: %s\n", err.Error())
}
}
// configure logging // configure logging
logger, _ := initZap(viper.GetString("level")) logger, _ := initZap(viper.GetString("level"), loggerProvider)
defer logger.Sync() defer logger.Sync()
stdLog := zap.RedirectStdLog(logger) stdLog := zap.RedirectStdLog(logger)
defer stdLog() defer stdLog()
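Review bot: `logger, _ := initZap(...)` still discards the error, and `initZap` now has an explicit `return nil, err` path after `zapConfig.Build()`, so a build failure leaves `logger` nil for `defer logger.Sync()` and `zap.RedirectStdLog(logger)`. Check the error, print it to stderr as is done for `initLoggerProvider` a few lines up, and exit.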
@@ -135,13 +151,16 @@ func main() {
} }
// start gRPC server // start gRPC server
var grpcServer *go_grpc.Server
if grpcCfg.Port > 0 { if grpcCfg.Port > 0 {
grpcSrv, _ := grpc.NewServer(&grpcCfg, logger) grpcSrv, _ := grpc.NewServer(&grpcCfg, logger)
go grpcSrv.ListenAndServe() //grpcinfoSrv, _ := grpc.NewInfoServer(&grpcCfg)
grpcServer = grpcSrv.ListenAndServe()
} }
// load HTTP server config // load HTTP server config
var srvCfg api.Config var srvCfg http.Config
if err := viper.Unmarshal(&srvCfg); err != nil { if err := viper.Unmarshal(&srvCfg); err != nil {
logger.Panic("config unmarshal failed", zap.Error(err)) logger.Panic("config unmarshal failed", zap.Error(err))
} }
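Review bot: the commented-out `//grpcinfoSrv, _ := grpc.NewInfoServer(&grpcCfg)` is dead code and should be dropped or replaced by a TODO that says what is pending. `grpcSrv.ListenAndServe()` also lost its `go` prefix and its return value is now stored, so it has to return right after starting the listener; a doc comment on that method stating that it does not block would help. The error from `grpc.NewServer` is still ignored.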
@@ -154,12 +173,35 @@ func main() {
) )
// start HTTP server // start HTTP server
srv, _ := api.NewServer(&srvCfg, logger) srv, _ := http.NewServer(&srvCfg, logger)
httpServer, httpsServer, healthy, ready := srv.ListenAndServe()
// graceful shutdown
stopCh := signals.SetupSignalHandler() stopCh := signals.SetupSignalHandler()
srv.ListenAndServe(stopCh) sd, _ := signals.NewShutdown(srvCfg.ServerShutdownTimeout, logger)
sd.SetLoggerProvider(loggerProvider)
sd.Graceful(stopCh, httpServer, httpsServer, grpcServer, healthy, ready)
} }
func initZap(logLevel string) (*zap.Logger, error) { func initLoggerProvider(ctx context.Context, serviceName string) (*sdklog.LoggerProvider, error) {
exporter, err := otlploggrpc.New(ctx)
if err != nil {
return nil, fmt.Errorf("creating OTLP log exporter: %w", err)
}
provider := sdklog.NewLoggerProvider(
sdklog.WithProcessor(sdklog.NewBatchProcessor(exporter)),
sdklog.WithResource(resource.NewWithAttributes(
semconv.SchemaURL,
semconv.ServiceNameKey.String(serviceName),
semconv.ServiceVersionKey.String(version.VERSION),
)),
)
return provider, nil
}
func initZap(logLevel string, loggerProvider *sdklog.LoggerProvider) (*zap.Logger, error) {
level := zap.NewAtomicLevelAt(zapcore.InfoLevel) level := zap.NewAtomicLevelAt(zapcore.InfoLevel)
switch logLevel { switch logLevel {
case "debug": case "debug":
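Review bot: `initLoggerProvider` calls `otlploggrpc.New(ctx)` with no options, so the collector endpoint and the transport security of the connection come entirely from the exporter's environment configuration, and nothing in the flags or help text says so. Because setting `otel-service-name` now sends log lines off the pod, document the relevant `OTEL_EXPORTER_OTLP_*` variables next to that flag. In `main`, the errors from `http.NewServer` and `signals.NewShutdown` are discarded, and `Graceful` and `SetLoggerProvider` receive `grpcServer` and `loggerProvider` values that can both be nil, so they need nil checks.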
@@ -203,7 +245,21 @@ func initZap(logLevel string) (*zap.Logger, error) {
ErrorOutputPaths: []string{"stderr"}, ErrorOutputPaths: []string{"stderr"},
} }
return zapConfig.Build() logger, err := zapConfig.Build()
if err != nil {
return nil, err
}
if loggerProvider != nil {
otelCore := otelzap.NewCore("github.com/stefanprodan/podinfo",
otelzap.WithLoggerProvider(loggerProvider),
)
logger = logger.WithOptions(zap.WrapCore(func(core zapcore.Core) zapcore.Core {
return zapcore.NewTee(core, otelCore)
}))
}
return logger, nil
} }
var stressMemoryPayload []byte var stressMemoryPayload []byte
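Review bot: `zapcore.NewTee(core, otelCore)` places the OTel core beside the configured core rather than behind it, so `otelCore` does not inherit the `level` selected by the `level` flag. Verify whether debug entries reach the OTLP exporter when the local level is `info`; if they do, wrap it with `zapcore.NewIncreaseLevel(otelCore, level)` before teeing. The scope name `github.com/stefanprodan/podinfo` could also live in a package constant.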
@@ -238,12 +294,12 @@ func beginStressTest(cpus int, mem int, logger *zap.Logger) {
logger.Error("memory stress failed", zap.Error(err)) logger.Error("memory stress failed", zap.Error(err))
} }
stressMemoryPayload, err = ioutil.ReadFile(path) stressMemoryPayload, err = os.ReadFile(path)
f.Close() f.Close()
os.Remove(path) os.Remove(path)
if err != nil { if err != nil {
logger.Error("memory stress failed", zap.Error(err)) logger.Error("memory stress failed", zap.Error(err))
} }
logger.Info("starting CPU stress", zap.Int("memory", len(stressMemoryPayload))) logger.Info("starting MEMORY stress", zap.Int("memory", len(stressMemoryPayload)))
} }
} }

@@ -1,15 +0,0 @@
# CUE Demo
This directory contains a [cuelang module](https://cuelang.org/docs/) and tooling to generate podinfo resources.
It defines a `podinfo.#Application` definition which takes a `podinfo.#Config` as input. The `podinfo.#Config` definition is modelled on the `podinfo` Helm chart `values.yaml` file.
## Configuration
Configure the application in `main.cue`.
## Generate the manifests
```shell
cue gen
```

@@ -1,7 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
package v1
#ACMEFinalizer: "finalizer.acme.cert-manager.io"

@@ -1,8 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
// Package v1 is the v1 version of the API.
// +k8s:deepcopy-gen=package,register
// +groupName=acme.cert-manager.io
package v1

@@ -1,128 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
)
// Challenge is a type to represent a Challenge request with an ACME server
// +k8s:openapi-gen=true
// +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state"
// +kubebuilder:printcolumn:name="Domain",type="string",JSONPath=".spec.dnsName"
// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.reason",description="",priority=1
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC."
// +kubebuilder:subresource:status
// +kubebuilder:resource:path=challenges
#Challenge: {
metav1.#TypeMeta
metadata: metav1.#ObjectMeta @go(ObjectMeta)
spec: #ChallengeSpec @go(Spec)
// +optional
status: #ChallengeStatus @go(Status)
}
// ChallengeList is a list of Challenges
#ChallengeList: {
metav1.#TypeMeta
metadata: metav1.#ListMeta @go(ListMeta)
items: [...#Challenge] @go(Items,[]Challenge)
}
#ChallengeSpec: {
// The URL of the ACME Challenge resource for this challenge.
// This can be used to lookup details about the status of this challenge.
url: string @go(URL)
// The URL to the ACME Authorization resource that this
// challenge is a part of.
authorizationURL: string @go(AuthorizationURL)
// dnsName is the identifier that this challenge is for, e.g. example.com.
// If the requested DNSName is a 'wildcard', this field MUST be set to the
// non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
dnsName: string @go(DNSName)
// wildcard will be true if this challenge is for a wildcard identifier,
// for example '*.example.com'.
// +optional
wildcard: bool @go(Wildcard)
// The type of ACME challenge this resource represents.
// One of "HTTP-01" or "DNS-01".
type: #ACMEChallengeType @go(Type)
// The ACME challenge token for this challenge.
// This is the raw value returned from the ACME server.
token: string @go(Token)
// The ACME challenge key for this challenge
// For HTTP01 challenges, this is the value that must be responded with to
// complete the HTTP01 challenge in the format:
// `<private key JWK thumbprint>.<key from acme server for challenge>`.
// For DNS01 challenges, this is the base64 encoded SHA256 sum of the
// `<private key JWK thumbprint>.<key from acme server for challenge>`
// text that must be set as the TXT record content.
key: string @go(Key)
// Contains the domain solving configuration that should be used to
// solve this challenge resource.
solver: #ACMEChallengeSolver @go(Solver)
// References a properly configured ACME-type Issuer which should
// be used to create this Challenge.
// If the Issuer does not exist, processing will be retried.
// If the Issuer is not an 'ACME' Issuer, an error will be returned and the
// Challenge will be marked as failed.
issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
}
// The type of ACME challenge. Only HTTP-01 and DNS-01 are supported.
// +kubebuilder:validation:Enum=HTTP-01;DNS-01
#ACMEChallengeType: string // #enumACMEChallengeType
#enumACMEChallengeType:
#ACMEChallengeTypeHTTP01 |
#ACMEChallengeTypeDNS01
// ACMEChallengeTypeHTTP01 denotes a Challenge is of type http-01
// More info: https://letsencrypt.org/docs/challenge-types/#http-01-challenge
#ACMEChallengeTypeHTTP01: #ACMEChallengeType & "HTTP-01"
// ACMEChallengeTypeDNS01 denotes a Challenge is of type dns-01
// More info: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
#ACMEChallengeTypeDNS01: #ACMEChallengeType & "DNS-01"
#ChallengeStatus: {
// Used to denote whether this challenge should be processed or not.
// This field will only be set to true by the 'scheduling' component.
// It will only be set to false by the 'challenges' controller, after the
// challenge has reached a final state or timed out.
// If this field is set to false, the challenge controller will not take
// any more action.
// +optional
processing: bool @go(Processing)
// presented will be set to true if the challenge values for this challenge
// are currently 'presented'.
// This *does not* imply the self check is passing. Only that the values
// have been 'submitted' for the appropriate challenge mechanism (i.e. the
// DNS01 TXT record has been presented, or the HTTP01 configuration has been
// configured).
// +optional
presented: bool @go(Presented)
// Contains human readable information on why the Challenge is in the
// current state.
// +optional
reason?: string @go(Reason)
// Contains the current 'state' of the challenge.
// If not set, the state of the challenge is unknown.
// +optional
state?: #State @go(State)
}

@@ -1,41 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
package v1
// ACMECertificateHTTP01IngressNameOverride is annotation to override ingress name.
// If this annotation is specified on a Certificate or Order resource when
// using the HTTP01 solver type, the ingress.name field of the HTTP01
// solver's configuration will be set to the value given here.
// This is especially useful for users of Ingress controllers that maintain
// a 1:1 mapping between endpoint IP and Ingress resource.
#ACMECertificateHTTP01IngressNameOverride: "acme.cert-manager.io/http01-override-ingress-name"
// ACMECertificateHTTP01IngressClassOverride is annotation to override ingress class.
// If this annotation is specified on a Certificate or Order resource when
// using the HTTP01 solver type, the ingress.class field of the HTTP01
// solver's configuration will be set to the value given here.
// This is especially useful for users deploying many different ingress
// classes into a single cluster that want to be able to re-use a single
// solver for each ingress class.
#ACMECertificateHTTP01IngressClassOverride: "acme.cert-manager.io/http01-override-ingress-class"
// IngressEditInPlaceAnnotationKey is used to toggle the use of ingressClass instead
// of ingress on the created Certificate resource
#IngressEditInPlaceAnnotationKey: "acme.cert-manager.io/http01-edit-in-place"
// DomainLabelKey is added to the labels of a Pod serving an ACME challenge.
// Its value will be the hash of the domain name that is being verified.
#DomainLabelKey: "acme.cert-manager.io/http-domain"
// TokenLabelKey is added to the labels of a Pod serving an ACME challenge.
// Its value will be the hash of the challenge token that is being served by the pod.
#TokenLabelKey: "acme.cert-manager.io/http-token"
// SolverIdentificationLabelKey is added to the labels of a Pod serving an ACME challenge.
// Its value will be the "true" if the Pod is an HTTP-01 solver.
#SolverIdentificationLabelKey: "acme.cert-manager.io/http01-solver"
#OrderKind: "Order"
#ChallengeKind: "Challenge"

@@ -1,591 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
package v1
import (
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
corev1 "k8s.io/api/core/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
)
// ACMEIssuer contains the specification for an ACME issuer.
// This uses the RFC8555 specification to obtain certificates by completing
// 'challenges' to prove ownership of domain identifiers.
// Earlier draft versions of the ACME specification are not supported.
#ACMEIssuer: {
// Email is the email address to be associated with the ACME account.
// This field is optional, but it is strongly recommended to be set.
// It will be used to contact you in case of issues with your account or
// certificates, including expiry notification emails.
// This field may be updated after the account is initially registered.
// +optional
email?: string @go(Email)
// Server is the URL used to access the ACME server's 'directory' endpoint.
// For example, for Let's Encrypt's staging endpoint, you would use:
// "https://acme-staging-v02.api.letsencrypt.org/directory".
// Only ACME v2 endpoints (i.e. RFC 8555) are supported.
server: string @go(Server)
// PreferredChain is the chain to use if the ACME server outputs multiple.
// PreferredChain is no guarantee that this one gets delivered by the ACME
// endpoint.
// For example, for Let's Encrypt's DST crosssign you would use:
// "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
// This value picks the first certificate bundle in the ACME alternative
// chains that has a certificate with this value as its issuer's CN
// +optional
// +kubebuilder:validation:MaxLength=64
preferredChain: string @go(PreferredChain)
// Enables or disables validation of the ACME server TLS certificate.
// If true, requests to the ACME server will not have their TLS certificate
// validated (i.e. insecure connections will be allowed).
// Only enable this option in development environments.
// The cert-manager system installed roots will be used to verify connections
// to the ACME server if this is false.
// Defaults to false.
// +optional
skipTLSVerify?: bool @go(SkipTLSVerify)
// ExternalAccountBinding is a reference to a CA external account of the ACME
// server.
// If set, upon registration cert-manager will attempt to associate the given
// external account credentials with the registered ACME account.
// +optional
externalAccountBinding?: null | #ACMEExternalAccountBinding @go(ExternalAccountBinding,*ACMEExternalAccountBinding)
// PrivateKey is the name of a Kubernetes Secret resource that will be used to
// store the automatically generated ACME account private key.
// Optionally, a `key` may be specified to select a specific entry within
// the named Secret resource.
// If `key` is not specified, a default of `tls.key` will be used.
privateKeySecretRef: cmmeta.#SecretKeySelector @go(PrivateKey)
// Solvers is a list of challenge solvers that will be used to solve
// ACME challenges for the matching domains.
// Solver configurations must be provided in order to obtain certificates
// from an ACME server.
// For more information, see: https://cert-manager.io/docs/configuration/acme/
// +optional
solvers?: [...#ACMEChallengeSolver] @go(Solvers,[]ACMEChallengeSolver)
// Enables or disables generating a new ACME account key.
// If true, the Issuer resource will *not* request a new account but will expect
// the account key to be supplied via an existing secret.
// If false, the cert-manager system will generate a new ACME account key
// for the Issuer.
// Defaults to false.
// +optional
disableAccountKeyGeneration?: bool @go(DisableAccountKeyGeneration)
// Enables requesting a Not After date on certificates that matches the
// duration of the certificate. This is not supported by all ACME servers
// like Let's Encrypt. If set to true when the ACME server does not support
// it it will create an error on the Order.
// Defaults to false.
// +optional
enableDurationFeature?: bool @go(EnableDurationFeature)
}
// ACMEExternalAccountBinding is a reference to a CA external account of the ACME
// server.
#ACMEExternalAccountBinding: {
// keyID is the ID of the CA key that the External Account is bound to.
keyID: string @go(KeyID)
// keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
// Secret which holds the symmetric MAC key of the External Account Binding.
// The `key` is the index string that is paired with the key data in the
// Secret and should not be confused with the key data itself, or indeed with
// the External Account Binding keyID above.
// The secret key stored in the Secret **must** be un-padded, base64 URL
// encoded data.
keySecretRef: cmmeta.#SecretKeySelector @go(Key)
// Deprecated: keyAlgorithm field exists for historical compatibility
// reasons and should not be used. The algorithm is now hardcoded to HS256
// in golang/x/crypto/acme.
// +optional
keyAlgorithm?: #HMACKeyAlgorithm @go(KeyAlgorithm)
}
// HMACKeyAlgorithm is the name of a key algorithm used for HMAC encryption
// +kubebuilder:validation:Enum=HS256;HS384;HS512
#HMACKeyAlgorithm: string // #enumHMACKeyAlgorithm
#enumHMACKeyAlgorithm:
#HS256 |
#HS384 |
#HS512
#HS256: #HMACKeyAlgorithm & "HS256"
#HS384: #HMACKeyAlgorithm & "HS384"
#HS512: #HMACKeyAlgorithm & "HS512"
// An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
// A selector may be provided to use different solving strategies for different DNS names.
// Only one of HTTP01 or DNS01 must be provided.
#ACMEChallengeSolver: {
// Selector selects a set of DNSNames on the Certificate resource that
// should be solved using this challenge solver.
// If not specified, the solver will be treated as the 'default' solver
// with the lowest priority, i.e. if any other solver has a more specific
// match, it will be used instead.
// +optional
selector?: null | #CertificateDNSNameSelector @go(Selector,*CertificateDNSNameSelector)
// Configures cert-manager to attempt to complete authorizations by
// performing the HTTP01 challenge flow.
// It is not possible to obtain certificates for wildcard domain names
// (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
// +optional
http01?: null | #ACMEChallengeSolverHTTP01 @go(HTTP01,*ACMEChallengeSolverHTTP01)
// Configures cert-manager to attempt to complete authorizations by
// performing the DNS01 challenge flow.
// +optional
dns01?: null | #ACMEChallengeSolverDNS01 @go(DNS01,*ACMEChallengeSolverDNS01)
}
// CertificateDNSNameSelector selects certificates using a label selector, and
// can optionally select individual DNS names within those certificates.
// If both MatchLabels and DNSNames are empty, this selector will match all
// certificates and DNS names within them.
#CertificateDNSNameSelector: {
// A label selector that is used to refine the set of certificate's that
// this challenge solver will apply to.
// +optional
matchLabels?: {[string]: string} @go(MatchLabels,map[string]string)
// List of DNSNames that this solver will be used to solve.
// If specified and a match is found, a dnsNames selector will take
// precedence over a dnsZones selector.
// If multiple solvers match with the same dnsNames value, the solver
// with the most matching labels in matchLabels will be selected.
// If neither has more matches, the solver defined earlier in the list
// will be selected.
// +optional
dnsNames?: [...string] @go(DNSNames,[]string)
// List of DNSZones that this solver will be used to solve.
// The most specific DNS zone match specified here will take precedence
// over other DNS zone matches, so a solver specifying sys.example.com
// will be selected over one specifying example.com for the domain
// www.sys.example.com.
// If multiple solvers match with the same dnsZones value, the solver
// with the most matching labels in matchLabels will be selected.
// If neither has more matches, the solver defined earlier in the list
// will be selected.
// +optional
dnsZones?: [...string] @go(DNSZones,[]string)
}
// ACMEChallengeSolverHTTP01 contains configuration detailing how to solve
// HTTP01 challenges within a Kubernetes cluster.
// Typically this is accomplished through creating 'routes' of some description
// that configure ingress controllers to direct traffic to 'solver pods', which
// are responsible for responding to the ACME server's HTTP requests.
// Only one of Ingress / Gateway can be specified.
#ACMEChallengeSolverHTTP01: {
// The ingress based HTTP01 challenge solver will solve challenges by
// creating or modifying Ingress resources in order to route requests for
// '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
// provisioned by cert-manager for each Challenge to be completed.
// +optional
ingress?: null | #ACMEChallengeSolverHTTP01Ingress @go(Ingress,*ACMEChallengeSolverHTTP01Ingress)
// The Gateway API is a sig-network community API that models service networking
// in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
// create HTTPRoutes with the specified labels in the same namespace as the challenge.
// This solver is experimental, and fields / behaviour may change in the future.
// +optional
gatewayHTTPRoute?: null | #ACMEChallengeSolverHTTP01GatewayHTTPRoute @go(GatewayHTTPRoute,*ACMEChallengeSolverHTTP01GatewayHTTPRoute)
}
#ACMEChallengeSolverHTTP01Ingress: {
// Optional service type for Kubernetes solver service. Supported values
// are NodePort or ClusterIP. If unset, defaults to NodePort.
// +optional
serviceType?: corev1.#ServiceType @go(ServiceType)
// The ingress class to use when creating Ingress resources to solve ACME
// challenges that use this challenge solver.
// Only one of 'class' or 'name' may be specified.
// +optional
class?: null | string @go(Class,*string)
// The name of the ingress resource that should have ACME challenge solving
// routes inserted into it in order to solve HTTP01 challenges.
// This is typically used in conjunction with ingress controllers like
// ingress-gce, which maintains a 1:1 mapping between external IPs and
// ingress resources.
// +optional
name?: string @go(Name)
// Optional pod template used to configure the ACME challenge solver pods
// used for HTTP01 challenges.
// +optional
podTemplate?: null | #ACMEChallengeSolverHTTP01IngressPodTemplate @go(PodTemplate,*ACMEChallengeSolverHTTP01IngressPodTemplate)
// Optional ingress template used to configure the ACME challenge solver
// ingress used for HTTP01 challenges.
// +optional
ingressTemplate?: null | #ACMEChallengeSolverHTTP01IngressTemplate @go(IngressTemplate,*ACMEChallengeSolverHTTP01IngressTemplate)
}
// The ACMEChallengeSolverHTTP01GatewayHTTPRoute solver will create HTTPRoute objects for a Gateway class
// routing to an ACME challenge solver pod.
#ACMEChallengeSolverHTTP01GatewayHTTPRoute: {
// Optional service type for Kubernetes solver service. Supported values
// are NodePort or ClusterIP. If unset, defaults to NodePort.
// +optional
serviceType?: corev1.#ServiceType @go(ServiceType)
// The labels that cert-manager will use when creating the temporary
// HTTPRoute needed for solving the HTTP-01 challenge. These labels
// must match the label selector of at least one Gateway.
labels?: {[string]: string} @go(Labels,map[string]string)
}
#ACMEChallengeSolverHTTP01IngressPodTemplate: {
// ObjectMeta overrides for the pod used to solve HTTP01 challenges.
// Only the 'labels' and 'annotations' fields may be set.
// If labels or annotations overlap with in-built values, the values here
// will override the in-built values.
// +optional
metadata: #ACMEChallengeSolverHTTP01IngressPodObjectMeta @go(ACMEChallengeSolverHTTP01IngressPodObjectMeta)
// PodSpec defines overrides for the HTTP01 challenge solver pod.
// Only the 'priorityClassName', 'nodeSelector', 'affinity',
// 'serviceAccountName' and 'tolerations' fields are supported currently.
// All other fields will be ignored.
// +optional
spec: #ACMEChallengeSolverHTTP01IngressPodSpec @go(Spec)
}
#ACMEChallengeSolverHTTP01IngressPodObjectMeta: {
// Annotations that should be added to the create ACME HTTP01 solver pods.
// +optional
annotations?: {[string]: string} @go(Annotations,map[string]string)
// Labels that should be added to the created ACME HTTP01 solver pods.
// +optional
labels?: {[string]: string} @go(Labels,map[string]string)
}
#ACMEChallengeSolverHTTP01IngressPodSpec: {
// NodeSelector is a selector which must be true for the pod to fit on a node.
// Selector which must match a node's labels for the pod to be scheduled on that node.
// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
// +optional
nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string)
// If specified, the pod's scheduling constraints
// +optional
affinity?: null | corev1.#Affinity @go(Affinity,*corev1.Affinity)
// If specified, the pod's tolerations.
// +optional
tolerations?: [...corev1.#Toleration] @go(Tolerations,[]corev1.Toleration)
// If specified, the pod's priorityClassName.
// +optional
priorityClassName?: string @go(PriorityClassName)
// If specified, the pod's service account
// +optional
serviceAccountName?: string @go(ServiceAccountName)
}
#ACMEChallengeSolverHTTP01IngressTemplate: {
// ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
// Only the 'labels' and 'annotations' fields may be set.
// If labels or annotations overlap with in-built values, the values here
// will override the in-built values.
// +optional
metadata: #ACMEChallengeSolverHTTP01IngressObjectMeta @go(ACMEChallengeSolverHTTP01IngressObjectMeta)
}
#ACMEChallengeSolverHTTP01IngressObjectMeta: {
// Annotations that should be added to the created ACME HTTP01 solver ingress.
// +optional
annotations?: {[string]: string} @go(Annotations,map[string]string)
// Labels that should be added to the created ACME HTTP01 solver ingress.
// +optional
labels?: {[string]: string} @go(Labels,map[string]string)
}
// Used to configure a DNS01 challenge provider to be used when solving DNS01
// challenges.
// Only one DNS provider may be configured per solver.
#ACMEChallengeSolverDNS01: {
// CNAMEStrategy configures how the DNS01 provider should handle CNAME
// records when found in DNS zones.
// +optional
cnameStrategy?: #CNAMEStrategy @go(CNAMEStrategy)
// Use the Akamai DNS zone management API to manage DNS01 challenge records.
// +optional
akamai?: null | #ACMEIssuerDNS01ProviderAkamai @go(Akamai,*ACMEIssuerDNS01ProviderAkamai)
// Use the Google Cloud DNS API to manage DNS01 challenge records.
// +optional
cloudDNS?: null | #ACMEIssuerDNS01ProviderCloudDNS @go(CloudDNS,*ACMEIssuerDNS01ProviderCloudDNS)
// Use the Cloudflare API to manage DNS01 challenge records.
// +optional
cloudflare?: null | #ACMEIssuerDNS01ProviderCloudflare @go(Cloudflare,*ACMEIssuerDNS01ProviderCloudflare)
// Use the AWS Route53 API to manage DNS01 challenge records.
// +optional
route53?: null | #ACMEIssuerDNS01ProviderRoute53 @go(Route53,*ACMEIssuerDNS01ProviderRoute53)
// Use the Microsoft Azure DNS API to manage DNS01 challenge records.
// +optional
azureDNS?: null | #ACMEIssuerDNS01ProviderAzureDNS @go(AzureDNS,*ACMEIssuerDNS01ProviderAzureDNS)
// Use the DigitalOcean DNS API to manage DNS01 challenge records.
// +optional
digitalocean?: null | #ACMEIssuerDNS01ProviderDigitalOcean @go(DigitalOcean,*ACMEIssuerDNS01ProviderDigitalOcean)
// Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
// DNS01 challenge records.
// +optional
acmeDNS?: null | #ACMEIssuerDNS01ProviderAcmeDNS @go(AcmeDNS,*ACMEIssuerDNS01ProviderAcmeDNS)
// Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
// to manage DNS01 challenge records.
// +optional
rfc2136?: null | #ACMEIssuerDNS01ProviderRFC2136 @go(RFC2136,*ACMEIssuerDNS01ProviderRFC2136)
// Configure an external webhook based DNS01 challenge solver to manage
// DNS01 challenge records.
// +optional
webhook?: null | #ACMEIssuerDNS01ProviderWebhook @go(Webhook,*ACMEIssuerDNS01ProviderWebhook)
}
// CNAMEStrategy configures how the DNS01 provider should handle CNAME records
// when found in DNS zones.
// By default, the None strategy will be applied (i.e. do not follow CNAMEs).
// +kubebuilder:validation:Enum=None;Follow
#CNAMEStrategy: string
// NoneStrategy indicates that no CNAME resolution strategy should be used
// when determining which DNS zone to update during DNS01 challenges.
#NoneStrategy: "None"
// FollowStrategy will cause cert-manager to recurse through CNAMEs in
// order to determine which DNS zone to update during DNS01 challenges.
// This is useful if you do not want to grant cert-manager access to your
// root DNS zone, and instead delegate the _acme-challenge.example.com
// subdomain to some other, less privileged domain.
#FollowStrategy: "Follow"
// ACMEIssuerDNS01ProviderAkamai is a structure containing the DNS
// configuration for Akamai DNS—Zone Record Management API
#ACMEIssuerDNS01ProviderAkamai: {
serviceConsumerDomain: string @go(ServiceConsumerDomain)
clientTokenSecretRef: cmmeta.#SecretKeySelector @go(ClientToken)
clientSecretSecretRef: cmmeta.#SecretKeySelector @go(ClientSecret)
accessTokenSecretRef: cmmeta.#SecretKeySelector @go(AccessToken)
}
// ACMEIssuerDNS01ProviderCloudDNS is a structure containing the DNS
// configuration for Google Cloud DNS
#ACMEIssuerDNS01ProviderCloudDNS: {
// +optional
serviceAccountSecretRef?: null | cmmeta.#SecretKeySelector @go(ServiceAccount,*cmmeta.SecretKeySelector)
project: string @go(Project)
// HostedZoneName is an optional field that tells cert-manager in which
// Cloud DNS zone the challenge record has to be created.
// If left empty cert-manager will automatically choose a zone.
// +optional
hostedZoneName?: string @go(HostedZoneName)
}
// ACMEIssuerDNS01ProviderCloudflare is a structure containing the DNS
// configuration for Cloudflare.
// One of `apiKeySecretRef` or `apiTokenSecretRef` must be provided.
#ACMEIssuerDNS01ProviderCloudflare: {
// Email of the account, only required when using API key based authentication.
// +optional
email?: string @go(Email)
// API key to use to authenticate with Cloudflare.
// Note: using an API token to authenticate is now the recommended method
// as it allows greater control of permissions.
// +optional
apiKeySecretRef?: null | cmmeta.#SecretKeySelector @go(APIKey,*cmmeta.SecretKeySelector)
// API token used to authenticate with Cloudflare.
// +optional
apiTokenSecretRef?: null | cmmeta.#SecretKeySelector @go(APIToken,*cmmeta.SecretKeySelector)
}
// ACMEIssuerDNS01ProviderDigitalOcean is a structure containing the DNS
// configuration for DigitalOcean Domains
#ACMEIssuerDNS01ProviderDigitalOcean: {
tokenSecretRef: cmmeta.#SecretKeySelector @go(Token)
}
// ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53
// configuration for AWS
#ACMEIssuerDNS01ProviderRoute53: {
// The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
// +optional
accessKeyID?: string @go(AccessKeyID)
// The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
// https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
// +optional
secretAccessKeySecretRef: cmmeta.#SecretKeySelector @go(SecretAccessKey)
// Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
// or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
// +optional
role?: string @go(Role)
// If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
// +optional
hostedZoneID?: string @go(HostedZoneID)
// Always set the region when using AccessKeyID and SecretAccessKey
region: string @go(Region)
}
// ACMEIssuerDNS01ProviderAzureDNS is a structure containing the
// configuration for Azure DNS
#ACMEIssuerDNS01ProviderAzureDNS: {
// if both this and ClientSecret are left unset MSI will be used
// +optional
clientID?: string @go(ClientID)
// if both this and ClientID are left unset MSI will be used
// +optional
clientSecretSecretRef?: null | cmmeta.#SecretKeySelector @go(ClientSecret,*cmmeta.SecretKeySelector)
// ID of the Azure subscription
subscriptionID: string @go(SubscriptionID)
// when specifying ClientID and ClientSecret then this field is also needed
// +optional
tenantID?: string @go(TenantID)
// resource group the DNS zone is located in
resourceGroupName: string @go(ResourceGroupName)
// name of the DNS zone that should be used
// +optional
hostedZoneName?: string @go(HostedZoneName)
// name of the Azure environment (default AzurePublicCloud)
// +optional
environment?: #AzureDNSEnvironment @go(Environment)
// managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
// +optional
managedIdentity?: null | #AzureManagedIdentity @go(ManagedIdentity,*AzureManagedIdentity)
}
#AzureManagedIdentity: {
// client ID of the managed identity, can not be used at the same time as resourceID
// +optional
clientID?: string @go(ClientID)
// resource ID of the managed identity, can not be used at the same time as clientID
// +optional
resourceID?: string @go(ResourceID)
}
// +kubebuilder:validation:Enum=AzurePublicCloud;AzureChinaCloud;AzureGermanCloud;AzureUSGovernmentCloud
#AzureDNSEnvironment: string // #enumAzureDNSEnvironment
#enumAzureDNSEnvironment:
#AzurePublicCloud |
#AzureChinaCloud |
#AzureGermanCloud |
#AzureUSGovernmentCloud
#AzurePublicCloud: #AzureDNSEnvironment & "AzurePublicCloud"
#AzureChinaCloud: #AzureDNSEnvironment & "AzureChinaCloud"
#AzureGermanCloud: #AzureDNSEnvironment & "AzureGermanCloud"
#AzureUSGovernmentCloud: #AzureDNSEnvironment & "AzureUSGovernmentCloud"
// ACMEIssuerDNS01ProviderAcmeDNS is a structure containing the
// configuration for ACME-DNS servers
#ACMEIssuerDNS01ProviderAcmeDNS: {
host: string @go(Host)
accountSecretRef: cmmeta.#SecretKeySelector @go(AccountSecret)
}
// ACMEIssuerDNS01ProviderRFC2136 is a structure containing the
// configuration for RFC2136 DNS
#ACMEIssuerDNS01ProviderRFC2136: {
// The IP address or hostname of an authoritative DNS server supporting
// RFC2136 in the form host:port. If the host is an IPv6 address it must be
// enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
// This field is required.
nameserver: string @go(Nameserver)
// The name of the secret containing the TSIG value.
// If ``tsigKeyName`` is defined, this field is required.
// +optional
tsigSecretSecretRef?: cmmeta.#SecretKeySelector @go(TSIGSecret)
// The TSIG Key name configured in the DNS.
// If ``tsigSecretSecretRef`` is defined, this field is required.
// +optional
tsigKeyName?: string @go(TSIGKeyName)
// The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
// when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
// Supported values are (case-insensitive): ``HMACMD5`` (default),
// ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
// +optional
tsigAlgorithm?: string @go(TSIGAlgorithm)
}
// ACMEIssuerDNS01ProviderWebhook specifies configuration for a webhook DNS01
// provider, including where to POST ChallengePayload resources.
#ACMEIssuerDNS01ProviderWebhook: {
// The API group name that should be used when POSTing ChallengePayload
// resources to the webhook apiserver.
// This should be the same as the GroupName specified in the webhook
// provider implementation.
groupName: string @go(GroupName)
// The name of the solver to use, as defined in the webhook provider
// implementation.
// This will typically be the name of the provider, e.g. 'cloudflare'.
solverName: string @go(SolverName)
// Additional configuration that should be passed to the webhook apiserver
// when challenges are processed.
// This can contain arbitrary JSON data.
// Secret values should not be specified in this stanza.
// If secret values are needed (e.g. credentials for a DNS service), you
// should use a SecretKeySelector to reference a Secret resource.
// For details on the schema of this field, consult the webhook provider
// implementation's documentation.
// +optional
config?: null | apiextensionsv1.#JSON @go(Config,*apiextensionsv1.JSON)
}
#ACMEIssuerStatus: {
// URI is the unique account identifier, which can also be used to retrieve
// account details from the CA
// +optional
uri?: string @go(URI)
// LastRegisteredEmail is the email associated with the latest registered
// ACME account, in order to track changes made to registered account
// associated with the Issuer
// +optional
lastRegisteredEmail?: string @go(LastRegisteredEmail)
}
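
Review bot: `secretAccessKeySecretRef` in `#ACMEIssuerDNS01ProviderRoute53` is declared as a required field (no `?`) even though its comment carries `+optional` and says authentication falls back to env vars, the shared credentials file or AWS instance metadata when it is not set. A Route53 solver validated against this definition therefore has to reference a static secret key, which defeats the ambient-credential path the comment documents; anywhere this schema is still consumed the field should read `secretAccessKeySecretRef?:`. The same `+optional`-but-required mismatch is on `metadata` and `spec` in `#ACMEChallengeSolverHTTP01IngressPodTemplate` and on `metadata` in `#ACMEChallengeSolverHTTP01IngressTemplate`.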

@@ -1,228 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
)
// Order is a type to represent an Order with an ACME server
// +k8s:openapi-gen=true
#Order: {
metav1.#TypeMeta
metadata: metav1.#ObjectMeta @go(ObjectMeta)
spec: #OrderSpec @go(Spec)
// +optional
status: #OrderStatus @go(Status)
}
// OrderList is a list of Orders
#OrderList: {
metav1.#TypeMeta
metadata: metav1.#ListMeta @go(ListMeta)
items: [...#Order] @go(Items,[]Order)
}
#OrderSpec: {
// Certificate signing request bytes in DER encoding.
// This will be used when finalizing the order.
// This field must be set on the order.
request: bytes @go(Request,[]byte)
// IssuerRef references a properly configured ACME-type Issuer which should
// be used to create this Order.
// If the Issuer does not exist, processing will be retried.
// If the Issuer is not an 'ACME' Issuer, an error will be returned and the
// Order will be marked as failed.
issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
// CommonName is the common name as specified on the DER encoded CSR.
// If specified, this value must also be present in `dnsNames` or `ipAddresses`.
// This field must match the corresponding field on the DER encoded CSR.
// +optional
commonName?: string @go(CommonName)
// DNSNames is a list of DNS names that should be included as part of the Order
// validation process.
// This field must match the corresponding field on the DER encoded CSR.
//+optional
dnsNames?: [...string] @go(DNSNames,[]string)
// IPAddresses is a list of IP addresses that should be included as part of the Order
// validation process.
// This field must match the corresponding field on the DER encoded CSR.
// +optional
ipAddresses?: [...string] @go(IPAddresses,[]string)
// Duration is the duration for the not after date for the requested certificate.
// this is set on order creation as pe the ACME spec.
// +optional
duration?: null | metav1.#Duration @go(Duration,*metav1.Duration)
}
#OrderStatus: {
// URL of the Order.
// This will initially be empty when the resource is first created.
// The Order controller will populate this field when the Order is first processed.
// This field will be immutable after it is initially set.
// +optional
url?: string @go(URL)
// FinalizeURL of the Order.
// This is used to obtain certificates for this order once it has been completed.
// +optional
finalizeURL?: string @go(FinalizeURL)
// Authorizations contains data returned from the ACME server on what
// authorizations must be completed in order to validate the DNS names
// specified on the Order.
// +optional
authorizations?: [...#ACMEAuthorization] @go(Authorizations,[]ACMEAuthorization)
// Certificate is a copy of the PEM encoded certificate for this Order.
// This field will be populated after the order has been successfully
// finalized with the ACME server, and the order has transitioned to the
// 'valid' state.
// +optional
certificate?: bytes @go(Certificate,[]byte)
// State contains the current state of this Order resource.
// States 'success' and 'expired' are 'final'
// +optional
state?: #State @go(State)
// Reason optionally provides more information about a why the order is in
// the current state.
// +optional
reason?: string @go(Reason)
// FailureTime stores the time that this order failed.
// This is used to influence garbage collection and back-off.
// +optional
failureTime?: null | metav1.#Time @go(FailureTime,*metav1.Time)
}
// ACMEAuthorization contains data returned from the ACME server on an
// authorization that must be completed in order validate a DNS name on an ACME
// Order resource.
#ACMEAuthorization: {
// URL is the URL of the Authorization that must be completed
url: string @go(URL)
// Identifier is the DNS name to be validated as part of this authorization
// +optional
identifier?: string @go(Identifier)
// Wildcard will be true if this authorization is for a wildcard DNS name.
// If this is true, the identifier will be the *non-wildcard* version of
// the DNS name.
// For example, if '*.example.com' is the DNS name being validated, this
// field will be 'true' and the 'identifier' field will be 'example.com'.
// +optional
wildcard?: null | bool @go(Wildcard,*bool)
// InitialState is the initial state of the ACME authorization when first
// fetched from the ACME server.
// If an Authorization is already 'valid', the Order controller will not
// create a Challenge resource for the authorization. This will occur when
// working with an ACME server that enables 'authz reuse' (such as Let's
// Encrypt's production endpoint).
// If not set and 'identifier' is set, the state is assumed to be pending
// and a Challenge will be created.
// +optional
initialState?: #State @go(InitialState)
// Challenges specifies the challenge types offered by the ACME server.
// One of these challenge types will be selected when validating the DNS
// name and an appropriate Challenge resource will be created to perform
// the ACME challenge process.
// +optional
challenges?: [...#ACMEChallenge] @go(Challenges,[]ACMEChallenge)
}
// Challenge specifies a challenge offered by the ACME server for an Order.
// An appropriate Challenge resource can be created to perform the ACME
// challenge process.
#ACMEChallenge: {
// URL is the URL of this challenge. It can be used to retrieve additional
// metadata about the Challenge from the ACME server.
url: string @go(URL)
// Token is the token that must be presented for this challenge.
// This is used to compute the 'key' that must also be presented.
token: string @go(Token)
// Type is the type of challenge being offered, e.g. 'http-01', 'dns-01',
// 'tls-sni-01', etc.
// This is the raw value retrieved from the ACME server.
// Only 'http-01' and 'dns-01' are supported by cert-manager, other values
// will be ignored.
type: string @go(Type)
}
// State represents the state of an ACME resource, such as an Order.
// The possible options here map to the corresponding values in the
// ACME specification.
// Full details of these values can be found here: https://tools.ietf.org/html/draft-ietf-acme-acme-15#section-7.1.6
// Clients utilising this type must also gracefully handle unknown
// values, as the contents of this enumeration may be added to over time.
// +kubebuilder:validation:Enum=valid;ready;pending;processing;invalid;expired;errored
#State: string // #enumState
#enumState:
#Unknown |
#Valid |
#Ready |
#Pending |
#Processing |
#Invalid |
#Expired |
#Errored
// Unknown is not a real state as part of the ACME spec.
// It is used to represent an unrecognised value.
#Unknown: #State & ""
// Valid signifies that an ACME resource is in a valid state.
// If an order is 'valid', it has been finalized with the ACME server and
// the certificate can be retrieved from the ACME server using the
// certificate URL stored in the Order's status subresource.
// This is a final state.
#Valid: #State & "valid"
// Ready signifies that an ACME resource is in a ready state.
// If an order is 'ready', all of its challenges have been completed
// successfully and the order is ready to be finalized.
// Once finalized, it will transition to the Valid state.
// This is a transient state.
#Ready: #State & "ready"
// Pending signifies that an ACME resource is still pending and is not yet ready.
// If an Order is marked 'Pending', the validations for that Order are still in progress.
// This is a transient state.
#Pending: #State & "pending"
// Processing signifies that an ACME resource is being processed by the server.
// If an Order is marked 'Processing', the validations for that Order are currently being processed.
// This is a transient state.
#Processing: #State & "processing"
// Invalid signifies that an ACME resource is invalid for some reason.
// If an Order is marked 'invalid', one of its validations be have invalid for some reason.
// This is a final state.
#Invalid: #State & "invalid"
// Expired signifies that an ACME resource has expired.
// If an Order is marked 'Expired', one of its validations may have expired or the Order itself.
// This is a final state.
#Expired: #State & "expired"
// Errored signifies that the ACME resource has errored for some reason.
// This is a catch-all state, and is used for marking internal cert-manager
// errors such as validation failures.
// This is a final state.
#Errored: #State & "errored"
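
Review bot: The header `@@ -1,228 +0,0 @@` drops this generated file in full, so `#Order`, `#ACMEAuthorization`, `#ACMEChallenge` and `#State` no longer exist in the `github.com/jetstack/cert-manager/pkg/apis/acme/v1` CUE package, and nothing in the hunk shows whether a remaining `.cue` file still imports that path. Please confirm with a search for the import path before merging, and state in the commit message why the generated definitions are removed, since the file is marked `Code generated by cue get go. DO NOT EDIT.` and a later `cue get go` run would recreate it.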

@@ -1,27 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
package v1
import "time"
// minimum permitted certificate duration by cert-manager
#MinimumCertificateDuration: time.#Duration & 3600000000000
// default certificate duration if Issuer.spec.duration is not set
#DefaultCertificateDuration: time.#Duration & 7776000000000000
// minimum certificate duration before certificate expiration
#MinimumRenewBefore: time.#Duration & 300000000000
// Deprecated: the default is now 2/3 of Certificate's duration
#DefaultRenewBefore: time.#Duration & 2592000000000000
// Default index key for the Secret reference for Token authentication
#DefaultVaultTokenAuthSecretKey: "token"
// Default mount path location for Kubernetes ServiceAccount authentication
// (/v1/auth/kubernetes). The endpoint will then be called at `/login`, so
// left as the default, `/v1/auth/kubernetes/login` will be called.
#DefaultVaultKubernetesAuthMountPath: "/v1/auth/kubernetes"

@@ -1,9 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
// Package v1 is the v1 version of the API.
// +k8s:deepcopy-gen=package,register
// +groupName=cert-manager.io
// +groupGoName=Certmanager
package v1

@@ -1,7 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
package v1
#GenericIssuer: _

@@ -1,496 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
)
// A Certificate resource should be created to ensure an up to date and signed
// x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
//
// The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
// +k8s:openapi-gen=true
#Certificate: {
metav1.#TypeMeta
metadata?: metav1.#ObjectMeta @go(ObjectMeta)
// Desired state of the Certificate resource.
spec: #CertificateSpec @go(Spec)
// Status of the Certificate. This is set and managed automatically.
// +optional
status: #CertificateStatus @go(Status)
}
// CertificateList is a list of Certificates
#CertificateList: {
metav1.#TypeMeta
metadata: metav1.#ListMeta @go(ListMeta)
items: [...#Certificate] @go(Items,[]Certificate)
}
// +kubebuilder:validation:Enum=RSA;ECDSA;Ed25519
#PrivateKeyAlgorithm: string // #enumPrivateKeyAlgorithm
#enumPrivateKeyAlgorithm:
#RSAKeyAlgorithm |
#ECDSAKeyAlgorithm |
#Ed25519KeyAlgorithm
// Denotes the RSA private key type.
#RSAKeyAlgorithm: #PrivateKeyAlgorithm & "RSA"
// Denotes the ECDSA private key type.
#ECDSAKeyAlgorithm: #PrivateKeyAlgorithm & "ECDSA"
// Denotes the Ed25519 private key type.
#Ed25519KeyAlgorithm: #PrivateKeyAlgorithm & "Ed25519"
// +kubebuilder:validation:Enum=PKCS1;PKCS8
#PrivateKeyEncoding: string // #enumPrivateKeyEncoding
#enumPrivateKeyEncoding:
#PKCS1 |
#PKCS8
// PKCS1 key encoding will produce PEM files that include the type of
// private key as part of the PEM header, e.g. `BEGIN RSA PRIVATE KEY`.
// If the keyAlgorithm is set to 'ECDSA', this will produce private keys
// that use the `BEGIN EC PRIVATE KEY` header.
#PKCS1: #PrivateKeyEncoding & "PKCS1"
// PKCS8 key encoding will produce PEM files with the `BEGIN PRIVATE KEY`
// header. It encodes the keyAlgorithm of the private key as part of the
// DER encoded PEM block.
#PKCS8: #PrivateKeyEncoding & "PKCS8"
// CertificateSpec defines the desired state of Certificate.
// A valid Certificate requires at least one of a CommonName, DNSName, or
// URISAN to be valid.
#CertificateSpec: {
// Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
// +optional
subject?: null | #X509Subject @go(Subject,*X509Subject)
// CommonName is a common name to be used on the Certificate.
// The CommonName should have a length of 64 characters or fewer to avoid
// generating invalid CSRs.
// This value is ignored by TLS clients when any subject alt name is set.
// This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4
// +optional
commonName?: string @go(CommonName)
// The requested 'duration' (i.e. lifetime) of the Certificate. This option
// may be ignored/overridden by some issuer types. If unset this defaults to
// 90 days. Certificate will be renewed either 2/3 through its duration or
// `renewBefore` period before its expiry, whichever is later. Minimum
// accepted duration is 1 hour. Value must be in units accepted by Go
// time.ParseDuration https://golang.org/pkg/time/#ParseDuration
// +optional
duration?: null | metav1.#Duration @go(Duration,*metav1.Duration)
// How long before the currently issued certificate's expiry
// cert-manager should renew the certificate. The default is 2/3 of the
// issued certificate's duration. Minimum accepted value is 5 minutes.
// Value must be in units accepted by Go time.ParseDuration
// https://golang.org/pkg/time/#ParseDuration
// +optional
renewBefore?: null | metav1.#Duration @go(RenewBefore,*metav1.Duration)
// DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
// +optional
dnsNames?: [...string] @go(DNSNames,[]string)
// IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
// +optional
ipAddresses?: [...string] @go(IPAddresses,[]string)
// URIs is a list of URI subjectAltNames to be set on the Certificate.
// +optional
uris?: [...string] @go(URIs,[]string)
// EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
// +optional
emailAddresses?: [...string] @go(EmailAddresses,[]string)
// SecretName is the name of the secret resource that will be automatically
// created and managed by this Certificate resource.
// It will be populated with a private key and certificate, signed by the
// denoted issuer.
secretName: string @go(SecretName)
// SecretTemplate defines annotations and labels to be copied to the
// Certificate's Secret. Labels and annotations on the Secret will be changed
// as they appear on the SecretTemplate when added or removed. SecretTemplate
// annotations are added in conjunction with, and cannot overwrite, the base
// set of annotations cert-manager sets on the Certificate's Secret.
// +optional
secretTemplate?: null | #CertificateSecretTemplate @go(SecretTemplate,*CertificateSecretTemplate)
// Keystores configures additional keystore output formats stored in the
// `secretName` Secret resource.
// +optional
keystores?: null | #CertificateKeystores @go(Keystores,*CertificateKeystores)
// IssuerRef is a reference to the issuer for this certificate.
// If the `kind` field is not set, or set to `Issuer`, an Issuer resource
// with the given name in the same namespace as the Certificate will be used.
// If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the
// provided name will be used.
// The `name` field in this stanza is required at all times.
issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
// IsCA will mark this Certificate as valid for certificate signing.
// This will automatically add the `cert sign` usage to the list of `usages`.
// +optional
isCA?: bool @go(IsCA)
// Usages is the set of x509 usages that are requested for the certificate.
// Defaults to `digital signature` and `key encipherment` if not specified.
// +optional
usages?: [...#KeyUsage] @go(Usages,[]KeyUsage)
// Options to control private keys used for the Certificate.
// +optional
privateKey?: null | #CertificatePrivateKey @go(PrivateKey,*CertificatePrivateKey)
// EncodeUsagesInRequest controls whether key usages should be present
// in the CertificateRequest
// +optional
encodeUsagesInRequest?: null | bool @go(EncodeUsagesInRequest,*bool)
// revisionHistoryLimit is the maximum number of CertificateRequest revisions
// that are maintained in the Certificate's history. Each revision represents
// a single `CertificateRequest` created by this Certificate, either when it
// was created, renewed, or Spec was changed. Revisions will be removed by
// oldest first if the number of revisions exceeds this number. If set,
// revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`),
// revisions will not be garbage collected. Default value is `nil`.
// +kubebuilder:validation:ExclusiveMaximum=false
// +optional
revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32)
// AdditionalOutputFormats defines extra output formats of the private key
// and signed certificate chain to be written to this Certificate's target
// Secret. This is an Alpha Feature and is only enabled with the
// `--feature-gates=AdditionalCertificateOutputFormats=true` option on both
// the controller and webhook components.
// +optional
additionalOutputFormats?: [...#CertificateAdditionalOutputFormat] @go(AdditionalOutputFormats,[]CertificateAdditionalOutputFormat)
}
// CertificatePrivateKey contains configuration options for private keys
// used by the Certificate controller.
// This allows control of how private keys are rotated.
#CertificatePrivateKey: {
// RotationPolicy controls how private keys should be regenerated when a
// re-issuance is being processed.
// If set to Never, a private key will only be generated if one does not
// already exist in the target `spec.secretName`. If one does exists but it
// does not have the correct algorithm or size, a warning will be raised
// to await user intervention.
// If set to Always, a private key matching the specified requirements
// will be generated whenever a re-issuance occurs.
// Default is 'Never' for backward compatibility.
// +optional
rotationPolicy?: #PrivateKeyRotationPolicy @go(RotationPolicy)
// The private key cryptography standards (PKCS) encoding for this
// certificate's private key to be encoded in.
// If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
// and PKCS#8, respectively.
// Defaults to `PKCS1` if not specified.
// +optional
encoding?: #PrivateKeyEncoding @go(Encoding)
// Algorithm is the private key algorithm of the corresponding private key
// for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA`
// If `algorithm` is specified and `size` is not provided,
// key size of 256 will be used for `ECDSA` key algorithm and
// key size of 2048 will be used for `RSA` key algorithm.
// key size is ignored when using the `Ed25519` key algorithm.
// +optional
algorithm?: #PrivateKeyAlgorithm @go(Algorithm)
// Size is the key bit size of the corresponding private key for this certificate.
// If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
// and will default to `2048` if not specified.
// If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
// and will default to `256` if not specified.
// If `algorithm` is set to `Ed25519`, Size is ignored.
// No other values are allowed.
// +optional
size?: int @go(Size)
}
// Denotes how private keys should be generated or sourced when a Certificate
// is being issued.
#PrivateKeyRotationPolicy: string
// CertificateOutputFormatType specifies which additional output formats should
// be written to the Certificate's target Secret.
// Allowed values are `DER` or `CombinedPEM`.
// When Type is set to `DER` an additional entry `key.der` will be written to
// the Secret, containing the binary format of the private key.
// When Type is set to `CombinedPEM` an additional entry `tls-combined.pem`
// will be written to the Secret, containing the PEM formatted private key and
// signed certificate chain (tls.key + tls.crt concatenated).
// +kubebuilder:validation:Enum=DER;CombinedPEM
#CertificateOutputFormatType: string // #enumCertificateOutputFormatType
#enumCertificateOutputFormatType:
#CertificateOutputFormatDER |
#CertificateOutputFormatCombinedPEM
// CertificateOutputFormatDERKey is the name of the data entry in the Secret
// resource used to store the DER formatted private key.
#CertificateOutputFormatDERKey: "key.der"
// CertificateOutputFormatDER writes the Certificate's private key in DER
// binary format to the `key.der` target Secret Data key.
#CertificateOutputFormatDER: #CertificateOutputFormatType & "DER"
// CertificateOutputFormatCombinedPEMKey is the name of the data entry in the Secret
// resource used to store the combined PEM (key + signed certificate).
#CertificateOutputFormatCombinedPEMKey: "tls-combined.pem"
// CertificateOutputFormatCombinedPEM writes the Certificate's signed
// certificate chain and private key, in PEM format, to the
// `tls-combined.pem` target Secret Data key. The value at this key will
// include the private key PEM document, followed by at least one new line
// character, followed by the chain of signed certificate PEM documents
// (`<private key> + \n + <signed certificate chain>`).
#CertificateOutputFormatCombinedPEM: #CertificateOutputFormatType & "CombinedPEM"
// CertificateAdditionalOutputFormat defines an additional output format of a
// Certificate resource. These contain supplementary data formats of the signed
// certificate chain and paired private key.
#CertificateAdditionalOutputFormat: {
// Type is the name of the format type that should be written to the
// Certificate's target Secret.
type: #CertificateOutputFormatType @go(Type)
}
// X509Subject Full X509 name specification
#X509Subject: {
// Organizations to be used on the Certificate.
// +optional
organizations?: [...string] @go(Organizations,[]string)
// Countries to be used on the Certificate.
// +optional
countries?: [...string] @go(Countries,[]string)
// Organizational Units to be used on the Certificate.
// +optional
organizationalUnits?: [...string] @go(OrganizationalUnits,[]string)
// Cities to be used on the Certificate.
// +optional
localities?: [...string] @go(Localities,[]string)
// State/Provinces to be used on the Certificate.
// +optional
provinces?: [...string] @go(Provinces,[]string)
// Street addresses to be used on the Certificate.
// +optional
streetAddresses?: [...string] @go(StreetAddresses,[]string)
// Postal codes to be used on the Certificate.
// +optional
postalCodes?: [...string] @go(PostalCodes,[]string)
// Serial number to be used on the Certificate.
// +optional
serialNumber?: string @go(SerialNumber)
}
// CertificateKeystores configures additional keystore output formats to be
// created in the Certificate's output Secret.
#CertificateKeystores: {
// JKS configures options for storing a JKS keystore in the
// `spec.secretName` Secret resource.
// +optional
jks?: null | #JKSKeystore @go(JKS,*JKSKeystore)
// PKCS12 configures options for storing a PKCS12 keystore in the
// `spec.secretName` Secret resource.
// +optional
pkcs12?: null | #PKCS12Keystore @go(PKCS12,*PKCS12Keystore)
}
// JKS configures options for storing a JKS keystore in the `spec.secretName`
// Secret resource.
#JKSKeystore: {
// Create enables JKS keystore creation for the Certificate.
// If true, a file named `keystore.jks` will be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef`.
// The keystore file will only be updated upon re-issuance.
// A file named `truststore.jks` will also be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef` containing the issuing Certificate Authority
create: bool @go(Create)
// PasswordSecretRef is a reference to a key in a Secret resource
// containing the password used to encrypt the JKS keystore.
passwordSecretRef: cmmeta.#SecretKeySelector @go(PasswordSecretRef)
}
// PKCS12 configures options for storing a PKCS12 keystore in the
// `spec.secretName` Secret resource.
#PKCS12Keystore: {
// Create enables PKCS12 keystore creation for the Certificate.
// If true, a file named `keystore.p12` will be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef`.
// The keystore file will only be updated upon re-issuance.
// A file named `truststore.p12` will also be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef` containing the issuing Certificate Authority
create: bool @go(Create)
// PasswordSecretRef is a reference to a key in a Secret resource
// containing the password used to encrypt the PKCS12 keystore.
passwordSecretRef: cmmeta.#SecretKeySelector @go(PasswordSecretRef)
}
// CertificateStatus defines the observed state of Certificate
#CertificateStatus: {
// List of status conditions to indicate the status of certificates.
// Known condition types are `Ready` and `Issuing`.
// +optional
conditions?: [...#CertificateCondition] @go(Conditions,[]CertificateCondition)
// LastFailureTime is the time as recorded by the Certificate controller
// of the most recent failure to complete a CertificateRequest for this
// Certificate resource.
// If set, cert-manager will not re-request another Certificate until
// 1 hour has elapsed from this time.
// +optional
lastFailureTime?: null | metav1.#Time @go(LastFailureTime,*metav1.Time)
// The time after which the certificate stored in the secret named
// by this resource in spec.secretName is valid.
// +optional
notBefore?: null | metav1.#Time @go(NotBefore,*metav1.Time)
// The expiration time of the certificate stored in the secret named
// by this resource in `spec.secretName`.
// +optional
notAfter?: null | metav1.#Time @go(NotAfter,*metav1.Time)
// RenewalTime is the time at which the certificate will be next
// renewed.
// If not set, no upcoming renewal is scheduled.
// +optional
renewalTime?: null | metav1.#Time @go(RenewalTime,*metav1.Time)
// The current 'revision' of the certificate as issued.
//
// When a CertificateRequest resource is created, it will have the
// `cert-manager.io/certificate-revision` set to one greater than the
// current value of this field.
//
// Upon issuance, this field will be set to the value of the annotation
// on the CertificateRequest resource used to issue the certificate.
//
// Persisting the value on the CertificateRequest resource allows the
// certificates controller to know whether a request is part of an old
// issuance or if it is part of the ongoing revision's issuance by
// checking if the revision value in the annotation is greater than this
// field.
// +optional
revision?: null | int @go(Revision,*int)
// The name of the Secret resource containing the private key to be used
// for the next certificate iteration.
// The keymanager controller will automatically set this field if the
// `Issuing` condition is set to `True`.
// It will automatically unset this field when the Issuing condition is
// not set or False.
// +optional
nextPrivateKeySecretName?: null | string @go(NextPrivateKeySecretName,*string)
}
// CertificateCondition contains condition information for an Certificate.
#CertificateCondition: {
// Type of the condition, known values are (`Ready`, `Issuing`).
type: #CertificateConditionType @go(Type)
// Status of the condition, one of (`True`, `False`, `Unknown`).
status: cmmeta.#ConditionStatus @go(Status)
// LastTransitionTime is the timestamp corresponding to the last status
// change of this condition.
// +optional
lastTransitionTime?: null | metav1.#Time @go(LastTransitionTime,*metav1.Time)
// Reason is a brief machine readable explanation for the condition's last
// transition.
// +optional
reason?: string @go(Reason)
// Message is a human readable description of the details of the last
// transition, complementing reason.
// +optional
message?: string @go(Message)
// If set, this represents the .metadata.generation that the condition was
// set based upon.
// For instance, if .metadata.generation is currently 12, but the
// .status.condition[x].observedGeneration is 9, the condition is out of date
// with respect to the current state of the Certificate.
// +optional
observedGeneration?: int64 @go(ObservedGeneration)
}
// CertificateConditionType represents an Certificate condition value.
#CertificateConditionType: string // #enumCertificateConditionType
#enumCertificateConditionType:
#CertificateConditionReady |
#CertificateConditionIssuing
// CertificateConditionReady indicates that a certificate is ready for use.
// This is defined as:
// - The target secret exists
// - The target secret contains a certificate that has not expired
// - The target secret contains a private key valid for the certificate
// - The commonName and dnsNames attributes match those specified on the Certificate
#CertificateConditionReady: #CertificateConditionType & "Ready"
// A condition added to Certificate resources when an issuance is required.
// This condition will be automatically added and set to true if:
// * No keypair data exists in the target Secret
// * The data stored in the Secret cannot be decoded
// * The private key and certificate do not have matching public keys
// * If a CertificateRequest for the current revision exists and the
// certificate data stored in the Secret does not match the
// `status.certificate` on the CertificateRequest.
// * If no CertificateRequest resource exists for the current revision,
// the options on the Certificate resource are compared against the
// x509 data in the Secret, similar to what's done in earlier versions.
// If there is a mismatch, an issuance is triggered.
// This condition may also be added by external API consumers to trigger
// a re-issuance manually for any other reason.
//
// It will be removed by the 'issuing' controller upon completing issuance.
#CertificateConditionIssuing: #CertificateConditionType & "Issuing"
// CertificateSecretTemplate defines the default labels and annotations
// to be copied to the Kubernetes Secret resource named in `CertificateSpec.secretName`.
#CertificateSecretTemplate: {
// Annotations is a key value map to be copied to the target Kubernetes Secret.
// +optional
annotations?: {[string]: string} @go(Annotations,map[string]string)
// Labels is a key value map to be copied to the target Kubernetes Secret.
// +optional
labels?: {[string]: string} @go(Labels,map[string]string)
}
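
Review bot: `#PrivateKeyRotationPolicy: string` has no companion `#enum...` disjunction, unlike `#CertificateOutputFormatType` just below it, and `size?: int` is unbounded even though its comment says "No other values are allowed", so a mistyped `rotationPolicy` or an unsupported key size passes CUE evaluation wherever these definitions are used to vet Certificate manifests. If this schema stays in use, constrain both in a hand-written overlay (the policy to `"Never" | "Always"`, the size to the values the comment lists per algorithm). The comment also gives `Never` as the default, which keeps the existing private key across re-issuance, so manifests that expect a fresh key on renewal should set `rotationPolicy` explicitly.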


@@ -1,195 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
)
// Pending indicates that a CertificateRequest is still in progress.
#CertificateRequestReasonPending: "Pending"
// Failed indicates that a CertificateRequest has failed, either due to
// timing out or some other critical failure.
#CertificateRequestReasonFailed: "Failed"
// Issued indicates that a CertificateRequest has been completed, and that
// the `status.certificate` field is set.
#CertificateRequestReasonIssued: "Issued"
// Denied is a Ready condition reason that indicates that a
// CertificateRequest has been denied, and the CertificateRequest will never
// be issued.
#CertificateRequestReasonDenied: "Denied"
// A CertificateRequest is used to request a signed certificate from one of the
// configured issuers.
//
// All fields within the CertificateRequest's `spec` are immutable after creation.
// A CertificateRequest will either succeed or fail, as denoted by its `status.state`
// field.
//
// A CertificateRequest is a one-shot resource, meaning it represents a single
// point in time request for a certificate and cannot be re-used.
// +k8s:openapi-gen=true
#CertificateRequest: {
metav1.#TypeMeta
metadata?: metav1.#ObjectMeta @go(ObjectMeta)
// Desired state of the CertificateRequest resource.
spec: #CertificateRequestSpec @go(Spec)
// Status of the CertificateRequest. This is set and managed automatically.
// +optional
status: #CertificateRequestStatus @go(Status)
}
// CertificateRequestList is a list of Certificates
#CertificateRequestList: {
metav1.#TypeMeta
metadata: metav1.#ListMeta @go(ListMeta)
items: [...#CertificateRequest] @go(Items,[]CertificateRequest)
}
// CertificateRequestSpec defines the desired state of CertificateRequest
#CertificateRequestSpec: {
// The requested 'duration' (i.e. lifetime) of the Certificate.
// This option may be ignored/overridden by some issuer types.
// +optional
duration?: null | metav1.#Duration @go(Duration,*metav1.Duration)
// IssuerRef is a reference to the issuer for this CertificateRequest. If
// the `kind` field is not set, or set to `Issuer`, an Issuer resource with
// the given name in the same namespace as the CertificateRequest will be
// used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with
// the provided name will be used. The `name` field in this stanza is
// required at all times. The group field refers to the API group of the
// issuer which defaults to `cert-manager.io` if empty.
issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
// The PEM-encoded x509 certificate signing request to be submitted to the
// CA for signing.
request: bytes @go(Request,[]byte)
// IsCA will request to mark the certificate as valid for certificate signing
// when submitting to the issuer.
// This will automatically add the `cert sign` usage to the list of `usages`.
// +optional
isCA?: bool @go(IsCA)
// Usages is the set of x509 usages that are requested for the certificate.
// If usages are set they SHOULD be encoded inside the CSR spec
// Defaults to `digital signature` and `key encipherment` if not specified.
// +optional
usages?: [...#KeyUsage] @go(Usages,[]KeyUsage)
// Username contains the name of the user that created the CertificateRequest.
// Populated by the cert-manager webhook on creation and immutable.
// +optional
username?: string @go(Username)
// UID contains the uid of the user that created the CertificateRequest.
// Populated by the cert-manager webhook on creation and immutable.
// +optional
uid?: string @go(UID)
// Groups contains group membership of the user that created the CertificateRequest.
// Populated by the cert-manager webhook on creation and immutable.
// +listType=atomic
// +optional
groups?: [...string] @go(Groups,[]string)
// Extra contains extra attributes of the user that created the CertificateRequest.
// Populated by the cert-manager webhook on creation and immutable.
// +optional
extra?: {[string]: [...string]} @go(Extra,map[string][]string)
}
// CertificateRequestStatus defines the observed state of CertificateRequest and
// resulting signed certificate.
#CertificateRequestStatus: {
// List of status conditions to indicate the status of a CertificateRequest.
// Known condition types are `Ready` and `InvalidRequest`.
// +optional
conditions?: [...#CertificateRequestCondition] @go(Conditions,[]CertificateRequestCondition)
// The PEM encoded x509 certificate resulting from the certificate
// signing request.
// If not set, the CertificateRequest has either not been completed or has
// failed. More information on failure can be found by checking the
// `conditions` field.
// +optional
certificate?: bytes @go(Certificate,[]byte)
// The PEM encoded x509 certificate of the signer, also known as the CA
// (Certificate Authority).
// This is set on a best-effort basis by different issuers.
// If not set, the CA is assumed to be unknown/not available.
// +optional
ca?: bytes @go(CA,[]byte)
// FailureTime stores the time that this CertificateRequest failed. This is
// used to influence garbage collection and back-off.
// +optional
failureTime?: null | metav1.#Time @go(FailureTime,*metav1.Time)
}
// CertificateRequestCondition contains condition information for a CertificateRequest.
#CertificateRequestCondition: {
// Type of the condition, known values are (`Ready`, `InvalidRequest`,
// `Approved`, `Denied`).
type: #CertificateRequestConditionType @go(Type)
// Status of the condition, one of (`True`, `False`, `Unknown`).
status: cmmeta.#ConditionStatus @go(Status)
// LastTransitionTime is the timestamp corresponding to the last status
// change of this condition.
// +optional
lastTransitionTime?: null | metav1.#Time @go(LastTransitionTime,*metav1.Time)
// Reason is a brief machine readable explanation for the condition's last
// transition.
// +optional
reason?: string @go(Reason)
// Message is a human readable description of the details of the last
// transition, complementing reason.
// +optional
message?: string @go(Message)
}
// CertificateRequestConditionType represents an Certificate condition value.
#CertificateRequestConditionType: string // #enumCertificateRequestConditionType
#enumCertificateRequestConditionType:
#CertificateRequestConditionReady |
#CertificateRequestConditionInvalidRequest |
#CertificateRequestConditionApproved |
#CertificateRequestConditionDenied
// CertificateRequestConditionReady indicates that a certificate is ready for use.
// This is defined as:
// - The target certificate exists in CertificateRequest.Status
#CertificateRequestConditionReady: #CertificateRequestConditionType & "Ready"
// CertificateRequestConditionInvalidRequest indicates that a certificate
// signer has refused to sign the request due to at least one of the input
// parameters being invalid. Additional information about why the request
// was rejected can be found in the `reason` and `message` fields.
#CertificateRequestConditionInvalidRequest: #CertificateRequestConditionType & "InvalidRequest"
// CertificateRequestConditionApproved indicates that a certificate request
// is approved and ready for signing. Condition must never have a status of
// `False`, and cannot be modified once set. Cannot be set alongside
// `Denied`.
#CertificateRequestConditionApproved: #CertificateRequestConditionType & "Approved"
// CertificateRequestConditionDenied indicates that a certificate request is
// denied, and must never be signed. Condition must never have a status of
// `False`, and cannot be modified once set. Cannot be set alongside
// `Approved`.
#CertificateRequestConditionDenied: #CertificateRequestConditionType & "Denied"
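
Review bot: the `+0,0` side of the header means the whole CertificateRequest schema goes away, so anything that still imports `github.com/jetstack/cert-manager/pkg/apis/certmanager/v1` or unifies with `#CertificateRequest`, `#CertificateRequestSpec` or the `Approved`/`Denied` condition types will stop resolving; please confirm with a search of the repository and state in the commit message whether these definitions are dropped or regenerated elsewhere. If they are regenerated, note that `status: #CertificateRequestStatus` carries `// +optional` but is declared without `?`, which makes it a required field in CUE, and that the `#CertificateRequest` comment points at a `status.state` field that `#CertificateRequestStatus` does not define.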


@@ -1,195 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
package v1
// Annotation key for DNS subjectAltNames.
#AltNamesAnnotationKey: "cert-manager.io/alt-names"
// Annotation key for IP subjectAltNames.
#IPSANAnnotationKey: "cert-manager.io/ip-sans"
// Annotation key for URI subjectAltNames.
#URISANAnnotationKey: "cert-manager.io/uri-sans"
// Annotation key for certificate common name.
#CommonNameAnnotationKey: "cert-manager.io/common-name"
// Duration key for certificate duration.
#DurationAnnotationKey: "cert-manager.io/duration"
// Annotation key for certificate renewBefore.
#RenewBeforeAnnotationKey: "cert-manager.io/renew-before"
// Annotation key for certificate key usages.
#UsagesAnnotationKey: "cert-manager.io/usages"
// Annotation key the 'name' of the Issuer resource.
#IssuerNameAnnotationKey: "cert-manager.io/issuer-name"
// Annotation key for the 'kind' of the Issuer resource.
#IssuerKindAnnotationKey: "cert-manager.io/issuer-kind"
// Annotation key for the 'group' of the Issuer resource.
#IssuerGroupAnnotationKey: "cert-manager.io/issuer-group"
// Annotation key for the name of the certificate that a resource is related to.
#CertificateNameKey: "cert-manager.io/certificate-name"
// Annotation key used to denote whether a Secret is named on a Certificate
// as a 'next private key' Secret resource.
#IsNextPrivateKeySecretLabelKey: "cert-manager.io/next-private-key"
// IngressIssuerNameAnnotationKey holds the issuerNameAnnotation value which can be
// used to override the issuer specified on the created Certificate resource.
#IngressIssuerNameAnnotationKey: "cert-manager.io/issuer"
// IngressClusterIssuerNameAnnotationKey holds the clusterIssuerNameAnnotation value which
// can be used to override the issuer specified on the created Certificate resource. The Certificate
// will reference the specified *ClusterIssuer* instead of normal issuer.
#IngressClusterIssuerNameAnnotationKey: "cert-manager.io/cluster-issuer"
// IngressACMEIssuerHTTP01IngressClassAnnotationKey holds the acmeIssuerHTTP01IngressClassAnnotation value
// which can be used to override the http01 ingressClass if the challenge type is set to http01
#IngressACMEIssuerHTTP01IngressClassAnnotationKey: "acme.cert-manager.io/http01-ingress-class"
// IngressClassAnnotationKey picks a specific "class" for the Ingress. The
// controller only processes Ingresses with this annotation either unset, or
// set to either the configured value or the empty string.
#IngressClassAnnotationKey: "kubernetes.io/ingress.class"
// Annotation added to CertificateRequest resources to denote the name of
// a Secret resource containing the private key used to sign the CSR stored
// on the resource.
// This annotation *may* not be present, and is used by the 'self signing'
// issuer type to self-sign certificates.
#CertificateRequestPrivateKeyAnnotationKey: "cert-manager.io/private-key-secret-name"
// Annotation to declare the CertificateRequest "revision", belonging to a Certificate Resource
#CertificateRequestRevisionAnnotationKey: "cert-manager.io/certificate-revision"
// IssueTemporaryCertificateAnnotation is an annotation that can be added to
// Certificate resources.
// If it is present, a temporary internally signed certificate will be
// stored in the target Secret resource whilst the real Issuer is processing
// the certificate request.
#IssueTemporaryCertificateAnnotation: "cert-manager.io/issue-temporary-certificate"
#ClusterIssuerKind: "ClusterIssuer"
#IssuerKind: "Issuer"
#CertificateKind: "Certificate"
#CertificateRequestKind: "CertificateRequest"
// WantInjectAnnotation is the annotation that specifies that a particular
// object wants injection of CAs. It takes the form of a reference to a certificate
// as namespace/name. The certificate is expected to have the is-serving-for annotations.
#WantInjectAnnotation: "cert-manager.io/inject-ca-from"
// WantInjectAPIServerCAAnnotation will - if set to "true" - make the cainjector
// inject the CA certificate for the Kubernetes apiserver into the resource.
// It discovers the apiserver's CA by inspecting the service account credentials
// mounted into the cainjector pod.
#WantInjectAPIServerCAAnnotation: "cert-manager.io/inject-apiserver-ca"
// WantInjectFromSecretAnnotation is the annotation that specifies that a particular
// object wants injection of CAs. It takes the form of a reference to a Secret
// as namespace/name.
#WantInjectFromSecretAnnotation: "cert-manager.io/inject-ca-from-secret"
// AllowsInjectionFromSecretAnnotation is an annotation that must be added
// to Secret resource that want to denote that they can be directly
// injected into injectables that have a `inject-ca-from-secret` annotation.
// If an injectable references a Secret that does NOT have this annotation,
// the cainjector will refuse to inject the secret.
#AllowsInjectionFromSecretAnnotation: "cert-manager.io/allow-direct-injection"
// VenafiCustomFieldsAnnotationKey is the annotation that passes on JSON encoded custom fields to the Venafi issuer
// This will only work with Venafi TPP v19.3 and higher
// The value is an array with objects containing the name and value keys
// for example: `[{"name": "custom-field", "value": "custom-value"}]`
#VenafiCustomFieldsAnnotationKey: "venafi.cert-manager.io/custom-fields"
// VenafiPickupIDAnnotationKey is the annotation key used to record the
// Venafi Pickup ID of a certificate signing request that has been submitted
// to the Venafi API for collection later.
#VenafiPickupIDAnnotationKey: "venafi.cert-manager.io/pickup-id"
// KeyUsage specifies valid usage contexts for keys.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
// Valid KeyUsage values are as follows:
// "signing",
// "digital signature",
// "content commitment",
// "key encipherment",
// "key agreement",
// "data encipherment",
// "cert sign",
// "crl sign",
// "encipher only",
// "decipher only",
// "any",
// "server auth",
// "client auth",
// "code signing",
// "email protection",
// "s/mime",
// "ipsec end system",
// "ipsec tunnel",
// "ipsec user",
// "timestamping",
// "ocsp signing",
// "microsoft sgc",
// "netscape sgc"
// +kubebuilder:validation:Enum="signing";"digital signature";"content commitment";"key encipherment";"key agreement";"data encipherment";"cert sign";"crl sign";"encipher only";"decipher only";"any";"server auth";"client auth";"code signing";"email protection";"s/mime";"ipsec end system";"ipsec tunnel";"ipsec user";"timestamping";"ocsp signing";"microsoft sgc";"netscape sgc"
#KeyUsage: string // #enumKeyUsage
#enumKeyUsage:
#UsageSigning |
#UsageDigitalSignature |
#UsageContentCommitment |
#UsageKeyEncipherment |
#UsageKeyAgreement |
#UsageDataEncipherment |
#UsageCertSign |
#UsageCRLSign |
#UsageEncipherOnly |
#UsageDecipherOnly |
#UsageAny |
#UsageServerAuth |
#UsageClientAuth |
#UsageCodeSigning |
#UsageEmailProtection |
#UsageSMIME |
#UsageIPsecEndSystem |
#UsageIPsecTunnel |
#UsageIPsecUser |
#UsageTimestamping |
#UsageOCSPSigning |
#UsageMicrosoftSGC |
#UsageNetscapeSGC
#UsageSigning: #KeyUsage & "signing"
#UsageDigitalSignature: #KeyUsage & "digital signature"
#UsageContentCommitment: #KeyUsage & "content commitment"
#UsageKeyEncipherment: #KeyUsage & "key encipherment"
#UsageKeyAgreement: #KeyUsage & "key agreement"
#UsageDataEncipherment: #KeyUsage & "data encipherment"
#UsageCertSign: #KeyUsage & "cert sign"
#UsageCRLSign: #KeyUsage & "crl sign"
#UsageEncipherOnly: #KeyUsage & "encipher only"
#UsageDecipherOnly: #KeyUsage & "decipher only"
#UsageAny: #KeyUsage & "any"
#UsageServerAuth: #KeyUsage & "server auth"
#UsageClientAuth: #KeyUsage & "client auth"
#UsageCodeSigning: #KeyUsage & "code signing"
#UsageEmailProtection: #KeyUsage & "email protection"
#UsageSMIME: #KeyUsage & "s/mime"
#UsageIPsecEndSystem: #KeyUsage & "ipsec end system"
#UsageIPsecTunnel: #KeyUsage & "ipsec tunnel"
#UsageIPsecUser: #KeyUsage & "ipsec user"
#UsageTimestamping: #KeyUsage & "timestamping"
#UsageOCSPSigning: #KeyUsage & "ocsp signing"
#UsageMicrosoftSGC: #KeyUsage & "microsoft sgc"
#UsageNetscapeSGC: #KeyUsage & "netscape sgc"
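
Review bot: the annotation-key and kind constants removed here (for example `#WantInjectFromSecretAnnotation`, `#AllowsInjectionFromSecretAnnotation`, `#ClusterIssuerKind`) get no replacement in this hunk, so CUE that refers to them by name needs the literal strings or a new import before this merges. The same applies to `#enumKeyUsage`: any `usages` list that was checked against it loses that check once the definition is gone, so a misspelled usage such as "server-auth" would no longer be rejected at evaluation time. Worth listing the remaining references in the PR description.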


@@ -1,316 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
cmacme "github.com/jetstack/cert-manager/pkg/apis/acme/v1"
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
)
// A ClusterIssuer represents a certificate issuing authority which can be
// referenced as part of `issuerRef` fields.
// It is similar to an Issuer, however it is cluster-scoped and therefore can
// be referenced by resources that exist in *any* namespace, not just the same
// namespace as the referent.
#ClusterIssuer: {
metav1.#TypeMeta
metadata?: metav1.#ObjectMeta @go(ObjectMeta)
// Desired state of the ClusterIssuer resource.
spec: #IssuerSpec @go(Spec)
// Status of the ClusterIssuer. This is set and managed automatically.
// +optional
status: #IssuerStatus @go(Status)
}
// ClusterIssuerList is a list of Issuers
#ClusterIssuerList: {
metav1.#TypeMeta
metadata: metav1.#ListMeta @go(ListMeta)
items: [...#ClusterIssuer] @go(Items,[]ClusterIssuer)
}
// An Issuer represents a certificate issuing authority which can be
// referenced as part of `issuerRef` fields.
// It is scoped to a single namespace and can therefore only be referenced by
// resources within the same namespace.
#Issuer: {
metav1.#TypeMeta
metadata?: metav1.#ObjectMeta @go(ObjectMeta)
// Desired state of the Issuer resource.
spec: #IssuerSpec @go(Spec)
// Status of the Issuer. This is set and managed automatically.
// +optional
status: #IssuerStatus @go(Status)
}
// IssuerList is a list of Issuers
#IssuerList: {
metav1.#TypeMeta
metadata: metav1.#ListMeta @go(ListMeta)
items: [...#Issuer] @go(Items,[]Issuer)
}
// IssuerSpec is the specification of an Issuer. This includes any
// configuration required for the issuer.
#IssuerSpec: {
#IssuerConfig
}
// The configuration for the issuer.
// Only one of these can be set.
#IssuerConfig: {
// ACME configures this issuer to communicate with a RFC8555 (ACME) server
// to obtain signed x509 certificates.
// +optional
acme?: null | cmacme.#ACMEIssuer @go(ACME,*cmacme.ACMEIssuer)
// CA configures this issuer to sign certificates using a signing CA keypair
// stored in a Secret resource.
// This is used to build internal PKIs that are managed by cert-manager.
// +optional
ca?: null | #CAIssuer @go(CA,*CAIssuer)
// Vault configures this issuer to sign certificates using a HashiCorp Vault
// PKI backend.
// +optional
vault?: null | #VaultIssuer @go(Vault,*VaultIssuer)
// SelfSigned configures this issuer to 'self sign' certificates using the
// private key used to create the CertificateRequest object.
// +optional
selfSigned?: null | #SelfSignedIssuer @go(SelfSigned,*SelfSignedIssuer)
// Venafi configures this issuer to sign certificates using a Venafi TPP
// or Venafi Cloud policy zone.
// +optional
venafi?: null | #VenafiIssuer @go(Venafi,*VenafiIssuer)
}
// Configures an issuer to sign certificates using a Venafi TPP
// or Cloud policy zone.
#VenafiIssuer: {
// Zone is the Venafi Policy Zone to use for this issuer.
// All requests made to the Venafi platform will be restricted by the named
// zone policy.
// This field is required.
zone: string @go(Zone)
// TPP specifies Trust Protection Platform configuration settings.
// Only one of TPP or Cloud may be specified.
// +optional
tpp?: null | #VenafiTPP @go(TPP,*VenafiTPP)
// Cloud specifies the Venafi cloud configuration settings.
// Only one of TPP or Cloud may be specified.
// +optional
cloud?: null | #VenafiCloud @go(Cloud,*VenafiCloud)
}
// VenafiTPP defines connection configuration details for a Venafi TPP instance
#VenafiTPP: {
// URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
// for example: "https://tpp.example.com/vedsdk".
url: string @go(URL)
// CredentialsRef is a reference to a Secret containing the username and
// password for the TPP server.
// The secret must contain two keys, 'username' and 'password'.
credentialsRef: cmmeta.#LocalObjectReference @go(CredentialsRef)
// CABundle is a PEM encoded TLS certificate to use to verify connections to
// the TPP instance.
// If specified, system roots will not be used and the issuing CA for the
// TPP instance must be verifiable using the provided root.
// If not specified, the connection will be verified using the cert-manager
// system root certificates.
// +optional
caBundle?: bytes @go(CABundle,[]byte)
}
// VenafiCloud defines connection configuration details for Venafi Cloud
#VenafiCloud: {
// URL is the base URL for Venafi Cloud.
// Defaults to "https://api.venafi.cloud/v1".
// +optional
url?: string @go(URL)
// APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
apiTokenSecretRef: cmmeta.#SecretKeySelector @go(APITokenSecretRef)
}
// Configures an issuer to 'self sign' certificates using the
// private key used to create the CertificateRequest object.
#SelfSignedIssuer: {
// The CRL distribution points is an X.509 v3 certificate extension which identifies
// the location of the CRL from which the revocation of this certificate can be checked.
// If not set certificate will be issued without CDP. Values are strings.
// +optional
crlDistributionPoints?: [...string] @go(CRLDistributionPoints,[]string)
}
// Configures an issuer to sign certificates using a HashiCorp Vault
// PKI backend.
#VaultIssuer: {
// Auth configures how cert-manager authenticates with the Vault server.
auth: #VaultAuth @go(Auth)
// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
server: string @go(Server)
// Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
// "my_pki_mount/sign/my-role-name".
path: string @go(Path)
// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
// +optional
namespace?: string @go(Namespace)
// PEM-encoded CA bundle (base64-encoded) used to validate Vault server
// certificate. Only used if the Server URL is using HTTPS protocol. This
// parameter is ignored for plain HTTP protocol connection. If not set the
// system root certificates are used to validate the TLS connection.
// +optional
caBundle?: bytes @go(CABundle,[]byte)
}
// Configuration used to authenticate with a Vault server.
// Only one of `tokenSecretRef`, `appRole` or `kubernetes` may be specified.
#VaultAuth: {
// TokenSecretRef authenticates with Vault by presenting a token.
// +optional
tokenSecretRef?: null | cmmeta.#SecretKeySelector @go(TokenSecretRef,*cmmeta.SecretKeySelector)
// AppRole authenticates with Vault using the App Role auth mechanism,
// with the role and secret stored in a Kubernetes Secret resource.
// +optional
appRole?: null | #VaultAppRole @go(AppRole,*VaultAppRole)
// Kubernetes authenticates with Vault by passing the ServiceAccount
// token stored in the named Secret resource to the Vault server.
// +optional
kubernetes?: null | #VaultKubernetesAuth @go(Kubernetes,*VaultKubernetesAuth)
}
// VaultAppRole authenticates with Vault using the App Role auth mechanism,
// with the role and secret stored in a Kubernetes Secret resource.
#VaultAppRole: {
// Path where the App Role authentication backend is mounted in Vault, e.g:
// "approle"
path: string @go(Path)
// RoleID configured in the App Role authentication backend when setting
// up the authentication backend in Vault.
roleId: string @go(RoleId)
// Reference to a key in a Secret that contains the App Role secret used
// to authenticate with Vault.
// The `key` field must be specified and denotes which entry within the Secret
// resource is used as the app role secret.
secretRef: cmmeta.#SecretKeySelector @go(SecretRef)
}
// Authenticate against Vault using a Kubernetes ServiceAccount token stored in
// a Secret.
#VaultKubernetesAuth: {
// The Vault mountPath here is the mount path to use when authenticating with
// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
// default value "/v1/auth/kubernetes" will be used.
// +optional
mountPath?: string @go(Path)
// The required Secret field containing a Kubernetes ServiceAccount JWT used
// for authenticating with Vault. Use of 'ambient credentials' is not
// supported.
secretRef: cmmeta.#SecretKeySelector @go(SecretRef)
// A required field containing the Vault Role to assume. A Role binds a
// Kubernetes ServiceAccount with a set of Vault policies.
role: string @go(Role)
}
#CAIssuer: {
// SecretName is the name of the secret used to sign Certificates issued
// by this Issuer.
secretName: string @go(SecretName)
// The CRL distribution points is an X.509 v3 certificate extension which identifies
// the location of the CRL from which the revocation of this certificate can be checked.
// If not set, certificates will be issued without distribution points set.
// +optional
crlDistributionPoints?: [...string] @go(CRLDistributionPoints,[]string)
// The OCSP server list is an X.509 v3 extension that defines a list of
// URLs of OCSP responders. The OCSP responders can be queried for the
// revocation status of an issued certificate. If not set, the
// certificate will be issued with no OCSP servers set. For example, an
// OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
// +optional
ocspServers?: [...string] @go(OCSPServers,[]string)
}
// IssuerStatus contains status information about an Issuer
#IssuerStatus: {
// List of status conditions to indicate the status of a CertificateRequest.
// Known condition types are `Ready`.
// +optional
conditions?: [...#IssuerCondition] @go(Conditions,[]IssuerCondition)
// ACME specific status options.
// This field should only be set if the Issuer is configured to use an ACME
// server to issue certificates.
// +optional
acme?: null | cmacme.#ACMEIssuerStatus @go(ACME,*cmacme.ACMEIssuerStatus)
}
// IssuerCondition contains condition information for an Issuer.
#IssuerCondition: {
// Type of the condition, known values are (`Ready`).
type: #IssuerConditionType @go(Type)
// Status of the condition, one of (`True`, `False`, `Unknown`).
status: cmmeta.#ConditionStatus @go(Status)
// LastTransitionTime is the timestamp corresponding to the last status
// change of this condition.
// +optional
lastTransitionTime?: null | metav1.#Time @go(LastTransitionTime,*metav1.Time)
// Reason is a brief machine readable explanation for the condition's last
// transition.
// +optional
reason?: string @go(Reason)
// Message is a human readable description of the details of the last
// transition, complementing reason.
// +optional
message?: string @go(Message)
// If set, this represents the .metadata.generation that the condition was
// set based upon.
// For instance, if .metadata.generation is currently 12, but the
// .status.condition[x].observedGeneration is 9, the condition is out of date
// with respect to the current state of the Issuer.
// +optional
observedGeneration?: int64 @go(ObservedGeneration)
}
// IssuerConditionType represents an Issuer condition value.
#IssuerConditionType: string // #enumIssuerConditionType
#enumIssuerConditionType:
#IssuerConditionReady
// IssuerConditionReady represents the fact that a given Issuer condition
// is in ready state and able to issue certificates.
// If the `status` of this condition is `False`, CertificateRequest controllers
// should prevent attempts to sign certificates.
#IssuerConditionReady: #IssuerConditionType & "Ready"
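Review bot: the `#IssuerConfig` and `#VaultAuth` definitions removed here carry the comments "Only one of these can be set" and "Only one of `tokenSecretRef`, `appRole` or `kubernetes` may be specified", but every member is declared as an independent optional field (`acme?`, `ca?`, `vault?`, `selfSigned?`, `venafi?`), so this schema never rejected an Issuer that set two backends or two Vault auth methods. The commit message should state what, if anything, validates Issuer and ClusterIssuer objects once this file is gone, so nobody assumes the exclusivity was being enforced here. In `#Issuer` and `#ClusterIssuer`, `status: #IssuerStatus` is also a required field despite the `+optional` marker directly above it, which is worth not copying into any hand-written replacement.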

@@ -1,9 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/meta/v1
// Package v1 contains meta types for cert-manager APIs
// +k8s:deepcopy-gen=package
// +gencrdrefdocs:force
// +groupName=meta.cert-manager.io
package v1

@@ -1,64 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/meta/v1
package v1
// ConditionStatus represents a condition's status.
// +kubebuilder:validation:Enum=True;False;Unknown
#ConditionStatus: string // #enumConditionStatus
#enumConditionStatus:
#ConditionTrue |
#ConditionFalse |
#ConditionUnknown
// ConditionTrue represents the fact that a given condition is true
#ConditionTrue: #ConditionStatus & "True"
// ConditionFalse represents the fact that a given condition is false
#ConditionFalse: #ConditionStatus & "False"
// ConditionUnknown represents the fact that a given condition is unknown
#ConditionUnknown: #ConditionStatus & "Unknown"
// A reference to an object in the same namespace as the referent.
// If the referent is a cluster-scoped resource (e.g. a ClusterIssuer),
// the reference instead refers to the resource with the given name in the
// configured 'cluster resource namespace', which is set as a flag on the
// controller component (and defaults to the namespace that cert-manager
// runs in).
#LocalObjectReference: {
// Name of the resource being referred to.
// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
name: string @go(Name)
}
// ObjectReference is a reference to an object with a given name, kind and group.
#ObjectReference: {
// Name of the resource being referred to.
name: string @go(Name)
// Kind of the resource being referred to.
// +optional
kind?: string @go(Kind)
// Group of the resource being referred to.
// +optional
group?: string @go(Group)
}
// A reference to a specific 'key' within a Secret resource.
// In some instances, `key` is a required field.
#SecretKeySelector: {
#LocalObjectReference
// The key of the entry in the Secret resource's `data` field to be used.
// Some instances of this field may be defaulted, in others it may be
// required.
// +optional
key?: string @go(Key)
}
// Used as a data key in Secret resources to store a CA certificate.
#TLSCAKey: "ca.crt"
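Review bot: `#SecretKeySelector`, `#LocalObjectReference` and `#ConditionStatus`, removed in this hunk, are the targets of the `cmmeta.#...` references in the certmanager/v1 definitions deleted earlier in this diff (for example `credentialsRef: cmmeta.#LocalObjectReference` and `apiTokenSecretRef: cmmeta.#SecretKeySelector`), so the two deletions have to land together. Please confirm that no remaining .cue file imports `github.com/jetstack/cert-manager/pkg/apis/meta/v1`, otherwise evaluation will fail on an unresolved import. For the record, `#ConditionStatus` was declared as plain `string` with the `True`/`False`/`Unknown` disjunction named only in a trailing comment, so it accepted any string.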

@@ -1,31 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go k8s.io/apimachinery/pkg/types
package types
// NodeName is a type that holds a api.Node's Name identifier.
// Being a type captures intent and helps make sure that the node name
// is not confused with similar concepts (the hostname, the cloud provider id,
// the cloud provider name etc)
//
// To clarify the various types:
//
// * Node.Name is the Name field of the Node in the API. This should be stored in a NodeName.
// Unfortunately, because Name is part of ObjectMeta, we can't store it as a NodeName at the API level.
//
// * Hostname is the hostname of the local machine (from uname -n).
// However, some components allow the user to pass in a --hostname-override flag,
// which will override this in most places. In the absence of anything more meaningful,
// kubelet will use Hostname as the Node.Name when it creates the Node.
//
// * The cloudproviders have the own names: GCE has InstanceName, AWS has InstanceId.
//
// For GCE, InstanceName is the Name of an Instance object in the GCE API. On GCE, Instance.Name becomes the
// Hostname, and thus it makes sense also to use it as the Node.Name. But that is GCE specific, and it is up
// to the cloudprovider how to do this mapping.
//
// For AWS, the InstanceID is not yet suitable for use as a Node.Name, so we actually use the
// PrivateDnsName for the Node.Name. And this is _not_ always the same as the hostname: if
// we are using a custom DHCP domain it won't be.
#NodeName: string

@@ -1,68 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go time
package time
#Layout: "01/02 03:04:05PM '06 -0700"
#ANSIC: "Mon Jan _2 15:04:05 2006"
#UnixDate: "Mon Jan _2 15:04:05 MST 2006"
#RubyDate: "Mon Jan 02 15:04:05 -0700 2006"
#RFC822: "02 Jan 06 15:04 MST"
#RFC822Z: "02 Jan 06 15:04 -0700"
#RFC850: "Monday, 02-Jan-06 15:04:05 MST"
#RFC1123: "Mon, 02 Jan 2006 15:04:05 MST"
#RFC1123Z: "Mon, 02 Jan 2006 15:04:05 -0700"
#RFC3339: "2006-01-02T15:04:05Z07:00"
#RFC3339Nano: "2006-01-02T15:04:05.999999999Z07:00"
#Kitchen: "3:04PM"
// Handy time stamps.
#Stamp: "Jan _2 15:04:05"
#StampMilli: "Jan _2 15:04:05.000"
#StampMicro: "Jan _2 15:04:05.000000"
#StampNano: "Jan _2 15:04:05.000000000"
_#stdLongMonth: 257
_#stdMonth: 258
_#stdNumMonth: 259
_#stdZeroMonth: 260
_#stdLongWeekDay: 261
_#stdWeekDay: 262
_#stdDay: 263
_#stdUnderDay: 264
_#stdZeroDay: 265
_#stdUnderYearDay: 266
_#stdZeroYearDay: 267
_#stdHour: 524
_#stdHour12: 525
_#stdZeroHour12: 526
_#stdMinute: 527
_#stdZeroMinute: 528
_#stdSecond: 529
_#stdZeroSecond: 530
_#stdLongYear: 275
_#stdYear: 276
_#stdPM: 533
_#stdpm: 534
_#stdTZ: 23
_#stdISO8601TZ: 24
_#stdISO8601SecondsTZ: 25
_#stdISO8601ShortTZ: 26
_#stdISO8601ColonTZ: 27
_#stdISO8601ColonSecondsTZ: 28
_#stdNumTZ: 29
_#stdNumSecondsTz: 30
_#stdNumShortTZ: 31
_#stdNumColonTZ: 32
_#stdNumColonSecondsTZ: 33
_#stdFracSecond0: 34
_#stdFracSecond9: 35
_#stdNeedDate: 256
_#stdNeedClock: 512
_#stdArgShift: 16
_#stdSeparatorShift: 28
_#stdMask: 65535
_#lowerhex: "0123456789abcdef"
_#runeSelf: 0x80
_#runeError: 65533 // '\uFFFD'

@@ -1,266 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go time
// Package time provides functionality for measuring and displaying time.
//
// The calendrical calculations always assume a Gregorian calendar, with
// no leap seconds.
//
// Monotonic Clocks
//
// Operating systems provide both a “wall clock,” which is subject to
// changes for clock synchronization, and a “monotonic clock,” which is
// not. The general rule is that the wall clock is for telling time and
// the monotonic clock is for measuring time. Rather than split the API,
// in this package the Time returned by time.Now contains both a wall
// clock reading and a monotonic clock reading; later time-telling
// operations use the wall clock reading, but later time-measuring
// operations, specifically comparisons and subtractions, use the
// monotonic clock reading.
//
// For example, this code always computes a positive elapsed time of
// approximately 20 milliseconds, even if the wall clock is changed during
// the operation being timed:
//
// start := time.Now()
// ... operation that takes 20 milliseconds ...
// t := time.Now()
// elapsed := t.Sub(start)
//
// Other idioms, such as time.Since(start), time.Until(deadline), and
// time.Now().Before(deadline), are similarly robust against wall clock
// resets.
//
// The rest of this section gives the precise details of how operations
// use monotonic clocks, but understanding those details is not required
// to use this package.
//
// The Time returned by time.Now contains a monotonic clock reading.
// If Time t has a monotonic clock reading, t.Add adds the same duration to
// both the wall clock and monotonic clock readings to compute the result.
// Because t.AddDate(y, m, d), t.Round(d), and t.Truncate(d) are wall time
// computations, they always strip any monotonic clock reading from their results.
// Because t.In, t.Local, and t.UTC are used for their effect on the interpretation
// of the wall time, they also strip any monotonic clock reading from their results.
// The canonical way to strip a monotonic clock reading is to use t = t.Round(0).
//
// If Times t and u both contain monotonic clock readings, the operations
// t.After(u), t.Before(u), t.Equal(u), and t.Sub(u) are carried out
// using the monotonic clock readings alone, ignoring the wall clock
// readings. If either t or u contains no monotonic clock reading, these
// operations fall back to using the wall clock readings.
//
// On some systems the monotonic clock will stop if the computer goes to sleep.
// On such a system, t.Sub(u) may not accurately reflect the actual
// time that passed between t and u.
//
// Because the monotonic clock reading has no meaning outside
// the current process, the serialized forms generated by t.GobEncode,
// t.MarshalBinary, t.MarshalJSON, and t.MarshalText omit the monotonic
// clock reading, and t.Format provides no format for it. Similarly, the
// constructors time.Date, time.Parse, time.ParseInLocation, and time.Unix,
// as well as the unmarshalers t.GobDecode, t.UnmarshalBinary.
// t.UnmarshalJSON, and t.UnmarshalText always create times with
// no monotonic clock reading.
//
// Note that the Go == operator compares not just the time instant but
// also the Location and the monotonic clock reading. See the
// documentation for the Time type for a discussion of equality
// testing for Time values.
//
// For debugging, the result of t.String does include the monotonic
// clock reading if present. If t != u because of different monotonic clock readings,
// that difference will be visible when printing t.String() and u.String().
//
package time
// A Time represents an instant in time with nanosecond precision.
//
// Programs using times should typically store and pass them as values,
// not pointers. That is, time variables and struct fields should be of
// type time.Time, not *time.Time.
//
// A Time value can be used by multiple goroutines simultaneously except
// that the methods GobDecode, UnmarshalBinary, UnmarshalJSON and
// UnmarshalText are not concurrency-safe.
//
// Time instants can be compared using the Before, After, and Equal methods.
// The Sub method subtracts two instants, producing a Duration.
// The Add method adds a Time and a Duration, producing a Time.
//
// The zero value of type Time is January 1, year 1, 00:00:00.000000000 UTC.
// As this time is unlikely to come up in practice, the IsZero method gives
// a simple way of detecting a time that has not been initialized explicitly.
//
// Each Time has associated with it a Location, consulted when computing the
// presentation form of the time, such as in the Format, Hour, and Year methods.
// The methods Local, UTC, and In return a Time with a specific location.
// Changing the location in this way changes only the presentation; it does not
// change the instant in time being denoted and therefore does not affect the
// computations described in earlier paragraphs.
//
// Representations of a Time value saved by the GobEncode, MarshalBinary,
// MarshalJSON, and MarshalText methods store the Time.Location's offset, but not
// the location name. They therefore lose information about Daylight Saving Time.
//
// In addition to the required “wall clock” reading, a Time may contain an optional
// reading of the current process's monotonic clock, to provide additional precision
// for comparison or subtraction.
// See the “Monotonic Clocks” section in the package documentation for details.
//
// Note that the Go == operator compares not just the time instant but also the
// Location and the monotonic clock reading. Therefore, Time values should not
// be used as map or database keys without first guaranteeing that the
// identical Location has been set for all values, which can be achieved
// through use of the UTC or Local method, and that the monotonic clock reading
// has been stripped by setting t = t.Round(0). In general, prefer t.Equal(u)
// to t == u, since t.Equal uses the most accurate comparison available and
// correctly handles the case when only one of its arguments has a monotonic
// clock reading.
//
#Time: _
_#hasMonotonic: 9223372036854775808
_#maxWall: int64 & 68043243391
_#minWall: int64 & 59453308800
_#nsecMask: 1073741823
_#nsecShift: 30
// A Month specifies a month of the year (January = 1, ...).
#Month: int // #enumMonth
#enumMonth:
#January |
#February |
#March |
#April |
#May |
#June |
#July |
#August |
#September |
#October |
#November |
#December
#values_Month: {
January: #January
February: #February
March: #March
April: #April
May: #May
June: #June
July: #July
August: #August
September: #September
October: #October
November: #November
December: #December
}
#January: #Month & 1
#February: #Month & 2
#March: #Month & 3
#April: #Month & 4
#May: #Month & 5
#June: #Month & 6
#July: #Month & 7
#August: #Month & 8
#September: #Month & 9
#October: #Month & 10
#November: #Month & 11
#December: #Month & 12
// A Weekday specifies a day of the week (Sunday = 0, ...).
#Weekday: int // #enumWeekday
#enumWeekday:
#Sunday |
#Monday |
#Tuesday |
#Wednesday |
#Thursday |
#Friday |
#Saturday
#values_Weekday: {
Sunday: #Sunday
Monday: #Monday
Tuesday: #Tuesday
Wednesday: #Wednesday
Thursday: #Thursday
Friday: #Friday
Saturday: #Saturday
}
#Sunday: #Weekday & 0
#Monday: #Weekday & 1
#Tuesday: #Weekday & 2
#Wednesday: #Weekday & 3
#Thursday: #Weekday & 4
#Friday: #Weekday & 5
#Saturday: #Weekday & 6
// The unsigned zero year for internal calculations.
// Must be 1 mod 400, and times before it will not compute correctly,
// but otherwise can be changed at will.
_#absoluteZeroYear: -292277022399
// The year of the zero Time.
// Assumed by the unixToInternal computation below.
_#internalYear: 1
// Offsets to convert between internal and absolute or Unix times.
_#absoluteToInternal: int64 & -9223371966579724800
_#internalToAbsolute: int64 & 9223371966579724800
_#unixToInternal: int64 & 62135596800
_#internalToUnix: int64 & -62135596800
_#wallToInternal: int64 & 59453308800
_#internalToWall: int64 & -59453308800
// A Duration represents the elapsed time between two instants
// as an int64 nanosecond count. The representation limits the
// largest representable duration to approximately 290 years.
#Duration: int64 // #enumDuration
#enumDuration:
_#minDuration |
_#maxDuration |
#Nanosecond |
#Microsecond |
#Millisecond |
#Second |
#Minute |
#Hour
#values_Duration: {
minDuration: _#minDuration
maxDuration: _#maxDuration
Nanosecond: #Nanosecond
Microsecond: #Microsecond
Millisecond: #Millisecond
Second: #Second
Minute: #Minute
Hour: #Hour
}
_#minDuration: #Duration & -9223372036854775808
_#maxDuration: #Duration & 9223372036854775807
#Nanosecond: #Duration & 1
#Microsecond: #Duration & 1000
#Millisecond: #Duration & 1000000
#Second: #Duration & 1000000000
#Minute: #Duration & 60000000000
#Hour: #Duration & 3600000000000
_#secondsPerMinute: 60
_#secondsPerHour: 3600
_#secondsPerDay: 86400
_#secondsPerWeek: 604800
_#daysPer400Years: 146097
_#daysPer100Years: 36524
_#daysPer4Years: 1461
_#timeBinaryVersion: 1

@@ -1,19 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go time
package time
// A Location maps time instants to the zone in use at that time.
// Typically, the Location represents the collection of time offsets
// in use in a geographical area. For many Locations the time offset varies
// depending on whether daylight savings time is in use at the time instant.
#Location: {
}
_#alpha: -9223372036854775808
_#omega: 9223372036854775807
_#ruleJulian: _#ruleKind & 0
_#ruleDOY: _#ruleKind & 1
_#ruleMonthWeekDay: _#ruleKind & 2

@@ -1,11 +0,0 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go time
package time
_#maxFileSize: 10485760
_#seekStart: 0
_#seekCurrent: 1
_#seekEnd: 2

@@ -1 +0,0 @@
module: "github.com/stefanprodan/podinfo/cue"

@@ -1,23 +0,0 @@
module github.com/stefanprodan/podinfo/cue
go 1.17
require (
github.com/go-logr/logr v1.2.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/google/go-cmp v0.5.5 // indirect
github.com/google/gofuzz v1.1.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
golang.org/x/net v0.0.0-20211209124913-491a49abca63 // indirect
golang.org/x/text v0.3.7 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
k8s.io/api v0.23.5 // indirect
k8s.io/apimachinery v0.23.5 // indirect
k8s.io/klog/v2 v2.30.0 // indirect
k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
)
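Review bot: this removes the nested Go module `github.com/stefanprodan/podinfo/cue`, whose `require` block holds only `// indirect` entries under `go 1.17` (for example `k8s.io/api v0.23.5` and `golang.org/x/net v0.0.0-20211209124913-491a49abca63`), and nothing in the hunk says why. The adjacent hunks drop the CUE `module:` declaration and the matching go.sum, which is consistent, but the commit message should state that the whole `cue` module is being retired. Any dependency-update or vulnerability-scanner configuration that lists this directory should be removed in the same change, so it does not keep pointing at a module that no longer exists.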

@@ -1,231 +0,0 @@
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
github.com/go-logr/logr v1.2.0 h1:QK40JKJyMdUDz+h+xvCsru/bJhvG0UxvePV0ufL/AcE=
github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY=
golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
k8s.io/api v0.23.5 h1:zno3LUiMubxD/V1Zw3ijyKO3wxrhbUF1Ck+VjBvfaoA=
k8s.io/api v0.23.5/go.mod h1:Na4XuKng8PXJ2JsploYYrivXrINeTaycCGcYgF91Xm8=
k8s.io/apimachinery v0.23.5 h1:Va7dwhp8wgkUPWsEXk6XglXWU4IKYLKNlv8VkX7SDM0=
k8s.io/apimachinery v0.23.5/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM=
k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
k8s.io/klog/v2 v2.30.0 h1:bUO6drIvCIsvZ/XFgfxoGFQU/a4Qkh0iAlvUR7vlHJw=
k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk=
k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
k8s.io/utils v0.0.0-20211116205334-6203023598ed h1:ck1fRPWPJWsMd8ZRFsWc6mh/zHp5fZ/shhbrgPUxDAE=
k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 h1:fD1pz4yfdADVNfFmcP2aBEtudwUQ1AlLnRBALr33v3s=
sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs=
sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y=
sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

@@ -1,27 +0,0 @@
package main
import (
podinfo "github.com/stefanprodan/podinfo/cue/podinfo"
)
resources: (podinfo.#Application & {
input: {
meta: {
name: "podinfo"
annotations: {
"app.kubernetes.io/part-of": "podinfo"
}
}
image: {
repository: "ghcr.io/stefanprodan/podinfo"
tag: "6.1.2"
}
resources: requests: cpu: "100m"
hpa: {
enabled: true
minReplicas: 2
maxReplicas: 4
cpu: 99
}
}
}).out

@@ -1,12 +0,0 @@
package main
import (
"tool/cli"
"encoding/yaml"
)
command: gen: {
task: print: cli.Print & {
text: yaml.MarshalStream([ for x in resources {x}])
}
}

@@ -1,21 +0,0 @@
package podinfo
#Application: {
input: #Config
out: {
sa: #ServiceAccount & {_config: input}
deploy: #Deployment & {
_config: input
_serviceAccount: sa.metadata.name
}
service: #Service & {_config: input}}
if input.hpa.enabled == true {
out: hpa: #HorizontalPodAutoscaler & {_config: input}
}
if input.serviceMonitor.enabled == true {
out: serviceMonitor: #ServiceMonitor & {_config: input}
}
if input.ingress.enabled == true {
out: ingress: #Ingress & {_config: input}
}
}

@@ -1,24 +0,0 @@
package podinfo
import (
certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
"encoding/yaml"
)
#certConfig: {
dnsNames: [string]
tlsSecretName: string
issuerRef: string
}
#Certificate: certmanv1.#Certificate & {
_config: #Config
apiVersion: "v1"
kind: "Certificate"
metadata: _config.meta
spec: certmanv1.#CertificateSpec & {
dnsNames: _config.cert.dnsNames
secretName: _config.cert.tlsSecretName
issuerRef: yaml.Marshal(_config.cert.issuerRef)
}
}

@@ -1,59 +0,0 @@
package podinfo
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
corev1 "k8s.io/api/core/v1"
)
#Config: {
meta: metav1.#ObjectMeta
image: {
repository: *"ghcr.io/stefanprodan/podinfo" | string
tag: string
pullPolicy: *"IfNotPresent" | string
}
selectorLabels: {
"app.kubernetes.io/name": meta.name
}
replicas: *1 | int
service: #serviceConfig
host: string
cache: string
backends: [string]
logLevel: *"info" | string
faults: {
delay: *false | bool
error: *false | bool
unhealthy: *false | bool
unready: *false | bool
}
h2c: {
enabled: *false | bool
}
ui: {
color: *"#34577c" | string
message: *"" | string
logo: *"" | string
}
podAnnotations: {[ string]: string}
securityContext: corev1.#PodSecurityContext
resources: *{
requests: {
cpu: "1m"
memory: "16Mi"
}
} | corev1.#ResourceRequirements
nodeSelector: {[ string]: string}
affinity: corev1.#Affinity
tolerations: [ ...corev1.#Toleration]
tls: {
enabled: *false | bool
port: *9899 | int
certPath: *"/data/cert" | string
secretName: *"" | string
}
cert: #certConfig
hpa: #hpaConfig
ingress: #ingressConfig
serviceMonitor: #serviceMonConfig
}

@@ -1,123 +0,0 @@
package podinfo
import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
)
#Deployment: appsv1.#Deployment & {
_config: #Config
_serviceAccount: string
apiVersion: "apps/v1"
kind: "Deployment"
metadata: _config.meta
spec: appsv1.#DeploymentSpec & {
if _config.hpa.enabled == false {
replicas: _config.replicas
}
strategy: {
type: "RollingUpdate"
rollingUpdate: maxUnavailable: 1
}
selector: matchLabels: _config.selectorLabels
template: {
metadata: {
labels: _config.selectorLabels
annotations: {
"prometheus.io/scrape": "true"
"prometheus.io/port": "\(_config.service.metricsPort)"
_config.podAnnotations
}
}
spec: corev1.#PodSpec & {
terminationGracePeriodSeconds: 30
serviceAccountName: _serviceAccount
containers: [
{
name: "podinfo"
image: "\(_config.image.repository):\(_config.image.tag)"
imagePullPolicy: _config.image.pullPolicy
securityContext: _config.securityContext
command: [
"./podinfo",
"--port=\(_config.service.httpPort)",
"--port-metrics=\(_config.service.metricsPort)",
"--grpc-port=\(_config.service.grpcPort)",
"--level=\(_config.logLevel)",
"--random-delay=\(_config.faults.delay)",
"--random-error=\(_config.faults.error)",
]
ports: [
{
name: "http"
containerPort: _config.service.httpPort
protocol: "TCP"
},
{
name: "http-metrics"
containerPort: _config.service.metricsPort
protocol: "TCP"
},
{
name: "grpc"
containerPort: _config.service.grpcPort
protocol: "TCP"
},
]
livenessProbe: {
exec: {
command: [
"podcli",
"check",
"http",
"localhost:\(_config.service.httpPort)/healthz",
]
}
initialDelaySeconds: 1
timeoutSeconds: 5
}
readinessProbe: {
exec: {
command: [
"podcli",
"check",
"http",
"localhost:\(_config.service.httpPort)/readyz",
]
}
initialDelaySeconds: 1
timeoutSeconds: 5
}
volumeMounts: [
{
name: "data"
mountPath: "/data"
},
if _config.tls.secretName != "" {
name: "tls"
mountPath: _config.tls.certPath
readOnly: true
},
]
resources: _config.resources
},
]
nodeSelector: _config.nodeSelector
affinity: _config.affinity
tolerations: _config.tolerations
volumes: [
{
name: "data"
emptyDir: {}
},
if _config.tls.secretName != "" {
name: "tls"
secret: {
secretName: _config.tls.secretName
}
},
]
}
}
}
}

@@ -1,48 +0,0 @@
package podinfo
import (
netv1 "k8s.io/api/networking/v1"
)
#ingressConfig: {
svcName: string
svcPort: int
enabled: *false | bool
className: *"" | string
tls: [{
hosts: [string]
secretName: string
}]
hosts: [{
host: "podinfo.local"
paths: [{
path: "/"
pathType: "ImplementationSpecific"
}]
}]
}
#Ingress: netv1.#Ingress & {
_config: #Config
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
metadata: _config.meta
spec: netv1.#IngressSpec & {
ingressClassName: _config.ingress.className
tls: [ for t in _config.ingress.tls {
hosts: t.hosts
secretName: t.secretName
}]
rules: [ for h in _config.ingress.hosts {
host: h.host
http: paths: [ for p in h.paths {
path: p.path
pathType: p.pathType
backend: service: {
name: _config.meta.name
port: number: _config.service.externalPort
}
}]
}]
}
}

@@ -1,43 +0,0 @@
package podinfo
import (
corev1 "k8s.io/api/core/v1"
)
#serviceConfig: {
type: *"ClusterIP" | string
externalPort: *9898 | int
httpPort: *9898 | int
metricsPort: *9797 | int
grpcPort: *9999 | int
grpcService: "podinfo" | string
nodePort: *31198 | int
}
#Service: corev1.#Service & {
_config: #Config
apiVersion: "v1"
kind: "Service"
metadata: _config.meta
spec: corev1.#ServiceSpec & {
type: "ClusterIP"
selector: _config.selectorLabels
ports: [{
name: "http"
port: _config.service.externalPort
targetPort: _config.service.httpPort
protocol: "TCP"
}, if _config.tls.enabled == true {
name: "https"
port: _config.tls.port
targetPort: "https"
protocol: "TCP"
}, if _config.service.grpcPort != _|_ {
name: "grpc"
port: _config.service.grpcPort
targetPort: "grpc"
protocol: "TCP"
},
]
}
}

@@ -1,23 +0,0 @@
package podinfo
#serviceMonConfig: {
enabled: *false | bool
interval: *"15s" | string
matchLabels: {}
}
#ServiceMonitor: {
_config: #Config
apiVersion: "monitoring.coreos.com/v1"
kind: "ServiceMonitor"
metadata: _config.meta
spec: {
endpoints: [{
path: "/metrics"
port: "http"
interval: _config.serviceMonitor.interval
}]
namespaceSelector: matchNames: _config.meta.namespace
selector: matchLabels: _config.selectorLabels
}
}

@@ -12,18 +12,18 @@ spec:
type: RollingUpdate type: RollingUpdate
selector: selector:
matchLabels: matchLabels:
app: backend app.kubernetes.io/name: backend
template: template:
metadata: metadata:
annotations: annotations:
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
prometheus.io/port: "9797" prometheus.io/port: "9797"
labels: labels:
app: backend app.kubernetes.io/name: backend
spec: spec:
containers: containers:
- name: backend - name: backend
image: ghcr.io/stefanprodan/podinfo:6.1.2 image: ghcr.io/stefanprodan/podinfo:6.11.2
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
ports: ports:
- name: http - name: http
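
Review bot: The `matchLabels` change from `app: backend` to `app.kubernetes.io/name: backend` edits `spec.selector`, which is immutable on an existing apps/v1 Deployment, so `kubectl apply` over a cluster that already runs this base is rejected. Call this out as a breaking change in the release notes and document the migration (delete and recreate the Deployment, or ship it under a new name). The image is also referenced by tag only (`podinfo:6.11.2`); pinning it by digest would keep the deployed content fixed.
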
@@ -42,7 +42,7 @@ spec:
- --grpc-port=9999 - --grpc-port=9999
- --grpc-service-name=backend - --grpc-service-name=backend
- --level=info - --level=info
- --cache-server=cache:6379 - --cache-server=tcp://cache:6379
env: env:
- name: PODINFO_UI_COLOR - name: PODINFO_UI_COLOR
value: "#34577c" value: "#34577c"
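
Review bot: `--cache-server` changes format from `cache:6379` to `tcp://cache:6379`, and nothing in the hunk says whether the bare `host:port` form is still accepted. Overlays that patch this argument will keep the old form, so state the expected format in the changelog or next to the flag.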

@@ -1,4 +1,4 @@
apiVersion: autoscaling/v2beta2 apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler kind: HorizontalPodAutoscaler
metadata: metadata:
name: backend name: backend
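
Review bot: Moving `apiVersion` to `autoscaling/v2` raises the minimum cluster version for this base to Kubernetes 1.23, where that API became available. State the supported Kubernetes range in the README so users on older clusters know to stay on the previous release.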

@@ -5,7 +5,7 @@ metadata:
spec: spec:
type: ClusterIP type: ClusterIP
selector: selector:
app: backend app.kubernetes.io/name: backend
ports: ports:
- name: http - name: http
port: 9898 port: 9898
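
Review bot: The Service selector now matches only pods labelled `app.kubernetes.io/name: backend`, so if this is applied before the relabelled pods are Ready the Service has no endpoints and traffic to `backend` fails. Make sure the Service and Deployment changes roll out together, and mention the expected gap in the upgrade notes.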

@@ -5,15 +5,15 @@ metadata:
spec: spec:
selector: selector:
matchLabels: matchLabels:
app: cache app.kubernetes.io/name: cache
template: template:
metadata: metadata:
labels: labels:
app: cache app.kubernetes.io/name: cache
spec: spec:
containers: containers:
- name: redis - name: redis
image: redis:6.0.1 image: docker.io/redis:8.6.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
- redis-server - redis-server
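
Review bot: `redis:6.0.1` to `docker.io/redis:8.6.1` is a jump of two major versions, and the new reference is still a mutable tag. Check the arguments passed to `redis-server` below this hunk against the 8.x release before merging, and pin the image by digest. The `matchLabels` edit in the same hunk also needs a delete and recreate, since a Deployment selector cannot be changed in place.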

@@ -5,7 +5,7 @@ metadata:
spec: spec:
type: ClusterIP type: ClusterIP
selector: selector:
app: cache app.kubernetes.io/name: cache
ports: ports:
- name: redis - name: redis
port: 6379 port: 6379

@@ -0,0 +1,76 @@
# Database Setup
This directory contains the Kubernetes manifests to simulate a database setup
with a primary database, read replicas, and scheduled maintenance tasks using CronJobs.
## Components
### Core Resources
| Resource | File | Description |
|----------|------|-------------|
| ServiceAccount | `serviceaccount.yaml` | Shared service account for all database workloads |
| PVC | `pvc-primary.yaml` | 1Gi persistent storage for primary database |
| StatefulSet | `statefulset-primary.yaml` | Primary database with persistent storage at `/data` |
| Deployment | `deployment-replica.yaml` | Read replica deployment |
| Service (Headless) | `service-primary.yaml` | Headless service for StatefulSet |
| Service | `service-replica.yaml` | ClusterIP service for replicas |
| HPA | `hpa-replica.yaml` | Autoscaler for replicas (2-3 pods, 99% CPU) |
### CronJobs
| CronJob | Schedule | Duration | TTL Cleanup | Description |
|---------|----------|----------|-------------|-------------|
| `rollup-daily` | Every 10 min | ~1 min | 1 hour | Daily rollup simulation (6 iterations) |
| `rollup-weekly` | Every 30 min | ~2 min | 1 day | Weekly rollup simulation (12 iterations) |
| `backup-daily` | Daily at midnight | ~1 min | 1 day | Backup simulation (configured to fail) |
### Scripts
Located in `scripts/` directory:
- `rollup.sh` - Rollup simulation script with configurable steps via `ROLLUP_STEPS` env var
- `backup.sh` - Backup simulation script with configurable exit code via `BACKUP_EXIT` env var
## Labels
All resources use Kubernetes recommended labels:
- `app.kubernetes.io/name` - Component name
- `app.kubernetes.io/part-of: database` - Part of database application
## Configuration
### Primary Database
- **Port**: 3306 (MySQL standard)
- **Storage**: 1Gi PersistentVolumeClaim mounted at `/data`
- **Service**: Headless (`clusterIP: None`) for StatefulSet
### Replica Database
- **Port**: 3306
- **Scaling**: HPA with 2-3 replicas at 99% CPU utilization
- **Service**: ClusterIP
### CronJob Scripts
The scripts check database-replica health before running:
```sh
podcli check http database-replica:3306/readyz
```
## Usage
Deploy with Kustomize:
```bash
kubectl apply -k deploy/bases/database
```
Or include in an overlay:
```yaml
# kustomization.yaml
resources:
- ../../bases/database
```
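
Review bot: The Labels section states that all resources carry `app.kubernetes.io/name` and `app.kubernetes.io/part-of: database`, but the CronJob manifests added alongside set those labels only on the pod template, and their own `metadata` has just `name`. Either add the labels to each CronJob's `metadata` or say here that the kustomization applies them. The Components tables also omit the `backup-script` and `rollup-script` ConfigMaps that the CronJobs mount.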

@@ -0,0 +1,48 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: backup-daily
spec:
# Runs every day at midnight for 1 minute
schedule: "0 0 * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
# Cleanup after 1 day
ttlSecondsAfterFinished: 86400
backoffLimit: 1
template:
metadata:
labels:
app.kubernetes.io/name: backup-daily
app.kubernetes.io/part-of: database
spec:
serviceAccountName: database
restartPolicy: Never
containers:
- name: backup
image: ghcr.io/stefanprodan/podinfo:6.11.2
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- /scripts/backup.sh
env:
- name: BACKUP_EXIT
value: "1"
resources:
limits:
cpu: 100m
memory: 32Mi
requests:
cpu: 10m
memory: 16Mi
volumeMounts:
- name: scripts
mountPath: /scripts
volumes:
- name: scripts
configMap:
name: backup-script
defaultMode: 0755
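
Review bot: The pod spec has no `securityContext`, and it runs under `serviceAccountName: database` although the container only executes `/scripts/backup.sh`. Consider adding `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` on the container, and `automountServiceAccountToken: false` on the pod unless the script calls the Kubernetes API. With `BACKUP_EXIT` set to "1" and `backoffLimit: 1`, each run is retried once before the Job is marked failed; a comment next to the env var saying the failure is intentional would keep someone from correcting it.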

@@ -0,0 +1,48 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: rollup-daily
spec:
# Runs every 10 minutes for 1 minute
schedule: "*/10 * * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
# Cleanup after 1 hour
ttlSecondsAfterFinished: 3600
backoffLimit: 3
template:
metadata:
labels:
app.kubernetes.io/name: rollup-daily
app.kubernetes.io/part-of: database
spec:
serviceAccountName: database
restartPolicy: OnFailure
containers:
- name: healthcheck
image: ghcr.io/stefanprodan/podinfo:6.11.2
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- /scripts/rollup.sh
env:
- name: ROLLUP_STEPS
value: "6"
resources:
limits:
cpu: 100m
memory: 32Mi
requests:
cpu: 10m
memory: 16Mi
volumeMounts:
- name: scripts
mountPath: /scripts
volumes:
- name: scripts
configMap:
name: rollup-script
defaultMode: 0755
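
Review bot: The container is named `healthcheck` but runs `/scripts/rollup.sh`; rename it to `rollup` so that pod status and `kubectl logs -c` match what the job does (the backup job names its container `backup`). The comment `Runs every 10 minutes for 1 minute` also reads as if the spec bounds the run time, yet nothing here limits how long a run may take.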

@@ -0,0 +1,48 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: rollup-weekly
spec:
# Runs every 30 minutes for 2 minutes
schedule: "*/30 * * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
# Cleanup after 1 day
ttlSecondsAfterFinished: 86400
backoffLimit: 3
template:
metadata:
labels:
app.kubernetes.io/name: rollup-weekly
app.kubernetes.io/part-of: database
spec:
serviceAccountName: database
restartPolicy: OnFailure
containers:
- name: healthcheck
image: ghcr.io/stefanprodan/podinfo:6.11.2
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- /scripts/rollup.sh
env:
- name: ROLLUP_STEPS
value: "12"
resources:
limits:
cpu: 100m
memory: 32Mi
requests:
cpu: 10m
memory: 16Mi
volumeMounts:
- name: scripts
mountPath: /scripts
volumes:
- name: scripts
configMap:
name: rollup-script
defaultMode: 0755
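
Review bot: With `concurrencyPolicy: Forbid` and no `activeDeadlineSeconds` on the Job, a run of `rollup.sh` that hangs blocks every later schedule until someone deletes it. Set `activeDeadlineSeconds` a little above the expected two minutes. This manifest differs from `rollup-daily` only in name, schedule, TTL and `ROLLUP_STEPS`, so generating both from one base with a Kustomize patch would keep the two from drifting apart.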

Some files were not shown because too many files have changed in this diff.