Merge pull request #378 from stefanprodan/release-6.7.1

Release 6.7.1

.cosign/README.md

@@ -1,9 +1,10 @@
 # Podinfo signed releases
 
-Podinfo deployment manifests are published to GitHub Container Registry as OCI artifacts
-and are signed using [cosign](https://github.com/sigstore/cosign).
+Podinfo release assets (container image, Helm chart, Flux artifact, Timoni module)
+are published to GitHub Container Registry and are signed with
+[Cosign v2](https://github.com/sigstore/cosign) keyless & GitHub Actions OIDC.
 
-## Verify the artifacts with cosign
+## Verify podinfo with cosign
 
 Install the [cosign](https://github.com/sigstore/cosign) CLI:
 
@@ -11,29 +12,50 @@ Install the [cosign](https://github.com/sigstore/cosign) CLI:
 brew install sigstore/tap/cosign
 ```
 
-Verify a podinfo release with cosign CLI:
+### Container image
+
+Verify the podinfo container image hosted on GHCR:
 
 ```sh
-cosign verify -key https://raw.githubusercontent.com/stefanprodan/podinfo/master/cosign/cosign.pub \
-ghcr.io/stefanprodan/podinfo-deploy:latest
+cosign verify ghcr.io/stefanprodan/podinfo:6.5.0 \
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
 ```
 
-## Download the artifacts with crane
-
-Install the [crane](https://github.com/google/go-containerregistry/tree/main/cmd/crane) CLI:
+Verify the podinfo container image hosted on Docker Hub:
 
 ```sh
-brew install crane
+cosign verify docker.io/stefanprodan/podinfo:6.5.0 \
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
 ```
 
-Download the podinfo deployment manifests with crane CLI:
+### Helm chart
 
-```console
-$ crane export ghcr.io/stefanprodan/podinfo-deploy:latest -| tar -xf - 
+Verify the podinfo [Helm](https://helm.sh) chart hosted on GHCR:
 
-$ ls -1
-deployment.yaml
-hpa.yaml
-kustomization.yaml
-service.yaml
+```sh
+cosign verify ghcr.io/stefanprodan/charts/podinfo:6.5.0 \
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
+```
+
+### Flux artifact
+
+Verify the podinfo [Flux](https://fluxcd.io) artifact hosted on GHCR:
+
+```sh
+cosign verify ghcr.io/stefanprodan/manifests/podinfo:6.5.0 \
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
+```
+
+### Timoni module
+
+Verify the podinfo [Timoni](https://timoni.sh) module hosted on GHCR:
+
+```sh
+cosign verify ghcr.io/stefanprodan/modules/podinfo:6.5.0 \
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
 ```

.gitattributes

@@ -0,0 +1 @@
+timoni/podinfo/cue.mod/** linguist-vendored

.github/FUNDING.yml

@@ -0,0 +1 @@
+github: stefanprodan

.github/actions/helm/action.yml

@@ -1,33 +0,0 @@
-name: Setup Helm CLI
-description: A GitHub Action for running Helm commands
-author: Stefan Prodan
-branding:
-  color: blue
-  icon: command
-inputs:
-  version:
-    description: "Helm version"
-    required: true
-runs:
-  using: composite
-  steps:
-    - name: "Download helm binary to tmp"
-      shell: bash
-      run: |
-        VERSION=${{ inputs.version }}
-        BIN_URL="https://get.helm.sh/helm-v${VERSION}-linux-amd64.tar.gz"
-        curl -sL ${BIN_URL} -o /tmp/helm.tar.gz
-        mkdir -p /tmp/helm
-        tar -C /tmp/helm/ -zxvf /tmp/helm.tar.gz
-    - name: "Add helm binary to /usr/local/bin"
-      shell: bash
-      run: |
-        sudo cp /tmp/helm/linux-amd64/helm /usr/local/bin
-    - name: "Cleanup tmp"
-      shell: bash
-      run: |
-        rm -rf /tmp/helm/ /tmp/helm.tar.gz
-    - name: "Verify correct installation of binary"
-      shell: bash
-      run: |
-        helm version

.github/actions/kubeconform/action.yml

@@ -0,0 +1,38 @@
+name: Setup kubeconform
+description: A GitHub Action for running kubeconform commands
+author: Stefan Prodan
+branding:
+  color: blue
+  icon: command
+inputs:
+  version:
+    description: "kubeconform version e.g. 0.5.0 (defaults to latest stable release)"
+    required: false
+  arch:
+    description: "arch can be amd64 or arm64"
+    required: true
+    default: "amd64"
+runs:
+  using: composite
+  steps:
+    - name: "Download binary to the GH runner cache"
+      shell: bash
+      run: |  
+        ARCH=${{ inputs.arch }}
+        VERSION=${{ inputs.version }}
+
+        if [ -z $VERSION ]; then
+          VERSION=$(curl https://api.github.com/repos/yannh/kubeconform/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
+        fi
+        
+        BIN_URL="https://github.com/yannh/kubeconform/releases/download/v${VERSION}/kubeconform-linux-${ARCH}.tar.gz"
+        BIN_DIR=$RUNNER_TOOL_CACHE/kubeconform/$VERSION/$ARCH
+        
+        if [[ ! -x "$BIN_DIR/kind" ]]; then
+          mkdir -p $BIN_DIR
+          cd $BIN_DIR
+          curl -sL $BIN_URL | tar xz
+          chmod +x kubeconform
+        fi
+        
+        echo "$BIN_DIR" >> "$GITHUB_PATH"

.github/policy/kubernetes.rego

@@ -1,51 +0,0 @@
-package kubernetes
-
-name = input.metadata.name
-
-kind = input.kind
-
-is_service {
-	input.kind = "Service"
-}
-
-is_deployment {
-	input.kind = "Deployment"
-}
-
-is_pod {
-	input.kind = "Pod"
-}
-
-split_image(image) = [image, "latest"] {
-	not contains(image, ":")
-}
-
-split_image(image) = [image_name, tag] {
-	[image_name, tag] = split(image, ":")
-}
-
-pod_containers(pod) = all_containers {
-	keys = {"containers", "initContainers"}
-	all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
-	pods[pod]
-	all_containers = pod_containers(pod)
-	container = all_containers[_]
-}
-
-containers[container] {
-	all_containers = pod_containers(input)
-	container = all_containers[_]
-}
-
-pods[pod] {
-	is_deployment
-	pod = input.spec.template
-}
-
-pods[pod] {
-	is_pod
-	pod = input
-}

.github/policy/rules.rego

@@ -1,43 +0,0 @@
-package main
-
-import data.kubernetes
-
-name = input.metadata.name
-
-# Deny containers with latest image tag
-deny[msg] {
-	kubernetes.containers[container]
-	[image_name, "latest"] = kubernetes.split_image(container.image)
-	msg = sprintf("%s in the %s %s has an image %s, using the latest tag", [container.name, kubernetes.kind, kubernetes.name, image_name])
-}
-
-# Deny services without app label selector
-service_labels {
-  input.spec.selector["app"]
-}
-deny[msg] {
-  kubernetes.is_service
-  not service_labels
-  msg = sprintf("Service %s should set app label selector", [name])
-}
-
-# Deny deployments without app label selector
-match_labels {
-  input.spec.selector.matchLabels["app"]
-}
-deny[msg] {
-  kubernetes.is_deployment
-  not match_labels
-  msg = sprintf("Service %s should set app label selector", [name])
-}
-
-# Warn if deployments have no prometheus pod annotations
-annotations {
-  input.spec.template.metadata.annotations["prometheus.io/scrape"]
-  input.spec.template.metadata.annotations["prometheus.io/port"]
-}
-warn[msg] {
-  kubernetes.is_deployment
-  not annotations
-  msg = sprintf("Deployment %s should set prometheus.io/scrape and prometheus.io/port pod annotations", [name])
-}

.github/workflows/cve-scan.yml

@@ -3,20 +3,23 @@ name: cve-scan
 on:
   push:
     branches:
-      - 'master'
+      - "master"
+
+permissions:
+  contents: read
 
 jobs:
   trivy:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Build image
         id: build
         run: |
           IMAGE=test/podinfo:${GITHUB_SHA}
           docker build -t ${IMAGE} .
-          echo "::set-output name=image::$IMAGE"
+          echo "image=$IMAGE" >> $GITHUB_OUTPUT
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:

.github/workflows/e2e.yml

@@ -6,28 +6,27 @@ on:
     branches:
       - 'master'
 
+permissions:
+  contents: read
+
 jobs:
   kind-helm:
-    strategy:
-      matrix:
-        helm-version:
-          - 3.8.1
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Setup Kubernetes
-        uses: engineerd/setup-kind@v0.5.0
+        uses: helm/kind-action@v1.10.0
         with:
-          version: v0.11.1
+          cluster_name: kind
       - name: Build container image
         run: |
           ./test/build.sh
           kind load docker-image test/podinfo:latest
       - name: Setup Helm
-        uses: ./.github/actions/helm
+        uses: azure/setup-helm@v3
         with:
-          version: ${{ matrix.helm-version }}
+          version: v3.16.1
       - name: Deploy
         run: ./test/deploy.sh
       - name: Run integration tests
@@ -36,3 +35,44 @@ jobs:
         if: failure()
         run: |
           kubectl logs -l app=podinfo || true
+  kind-timoni:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    env:
+      PODINFO_IMAGE_URL: "test/podinfo"
+      PODINFO_MODULE_URL: "oci://localhost:5000/podinfo"
+      PODINFO_VERSION: "0.0.0-devel"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Timoni
+        uses: stefanprodan/timoni/actions/setup@main
+      - name: Setup Kubernetes
+        uses: helm/kind-action@v1.10.0
+        with:
+          cluster_name: kind
+      - name: Build container
+        run: |
+          docker build -t ${PODINFO_IMAGE_URL}:${PODINFO_VERSION} --build-arg "REVISION=${GITHUB_SHA}"  -f Dockerfile.xx .
+          kind load docker-image ${PODINFO_IMAGE_URL}:${PODINFO_VERSION}
+      - name: Vet module
+        run: |
+          timoni mod vet ./timoni/podinfo --debug
+      - name: Build module
+        run: |
+          timoni mod push ./timoni/podinfo ${PODINFO_MODULE_URL} -v ${PODINFO_VERSION}
+      - name: Apply bundle
+        run: |
+          timoni bundle apply -f ./timoni/bundles/test.podinfo.cue --runtime-from-env
+      - name: Verify status
+        run: |
+          timoni -n podinfo status backend
+          timoni -n podinfo status frontend
+      - name: Debug failure
+        if: failure()
+        run: |
+          kubectl -n podinfo get all || true

.github/workflows/release.yml

@@ -6,36 +6,55 @@ on:
       - '*'
 
 permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
-      - uses: actions/checkout@v2
-      - uses: imjasonh/setup-crane@v0.1
-      - uses: sigstore/cosign-installer@main
-      - name: Setup Helm
-        uses: ./.github/actions/helm
+      - uses: actions/checkout@v4
+      - uses: sigstore/cosign-installer@v3
+      - uses: fluxcd/flux2/action@main
+      - uses: stefanprodan/timoni/actions/setup@main
+      - name: Setup Notation CLI
+        uses: notaryproject/notation-action/setup@v1
         with:
-          version: 3.8.1
+          version: "1.1.0"
+      - name: Setup Notation signing keys
+        run: |
+          mkdir -p ~/.config/notation/localkeys/
+          cp ./.notation/signingkeys.json ~/.config/notation/
+          cp ./.notation/notation.crt ~/.config/notation/localkeys/
+          echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key
+        env:
+          NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }}
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.23.x
+      - name: Setup Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.16.1
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v3
         with:
           platforms: all
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.GHCR_TOKEN }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
@@ -46,43 +65,64 @@ jobs:
           if [[ $GITHUB_REF == refs/tags/* ]]; then
             VERSION=${GITHUB_REF/refs\/tags\//}
           fi
-          echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
-          echo ::set-output name=VERSION::${VERSION}
-      - name: Publish multi-arch image
-        uses: docker/build-push-action@v2
+          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+          echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT
+      - name: Generate images meta
+        id: meta
+        uses: docker/metadata-action@v5
         with:
+          images: |
+            docker.io/stefanprodan/podinfo
+            ghcr.io/stefanprodan/podinfo
+          tags: |
+            type=raw,value=${{ steps.prep.outputs.VERSION }}
+            type=raw,value=latest
+      - name: Publish multi-arch image
+        uses: docker/build-push-action@v5
+        with:
+          sbom: true
+          provenance: true
           push: true
           builder: ${{ steps.buildx.outputs.name }}
           context: .
           file: ./Dockerfile.xx
+          build-args: |
+            REVISION=${{ steps.prep.outputs.REVISION }}
           platforms: linux/amd64,linux/arm/v7,linux/arm64
-          tags: |
-            docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
-            docker.io/stefanprodan/podinfo:latest
-            ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
-          labels: |
-            org.opencontainers.image.title=${{ github.event.repository.name }}
-            org.opencontainers.image.description=${{ github.event.repository.description }}
-            org.opencontainers.image.source=${{ github.event.repository.html_url }}
-            org.opencontainers.image.url=${{ github.event.repository.html_url }}
-            org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
-            org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Publish Timoni module to GHCR
+        run: |
+          timoni mod push ./timoni/podinfo oci://ghcr.io/stefanprodan/modules/podinfo \
+          --sign cosign \
+          --version ${{ steps.prep.outputs.VERSION }} \
+          -a 'org.opencontainers.image.source=https://github.com/stefanprodan/podinfo' \
+          -a 'org.opencontainers.image.licenses=Apache-2.0' \
+          -a 'org.opencontainers.image.description=A timoni.sh module for deploying Podinfo.' \
+          -a 'org.opencontainers.image.documentation=https://github.com/stefanprodan/podinfo/blob/main/timoni/podinfo/README.md'
       - name: Publish Helm chart to GHCR
         run: |
           helm package charts/podinfo
           helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/stefanprodan/charts
           rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz
-      - name: Sign images
+      - name: Publish Flux OCI artifact to GHCR
+        run: |
+          flux push artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} \
+            --path="./kustomize" \
+            --source="${{ github.event.repository.html_url }}" \
+            --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
+          flux tag artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --tag latest
+      - name: Sign artifacts with Cosign
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign sign docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
-          cosign sign docker.io/stefanprodan/podinfo:latest
-          cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
-          cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }}
+          cosign sign docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes
       - name: Publish base image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           push: true
           builder: ${{ steps.buildx.outputs.name }}
@@ -96,26 +136,33 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Publish config artifact
         run: |
-          cd kustomize
-          tar -cf config.tar * --numeric-owner --owner=0 --group=0
-          crane append -f config.tar -t ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
-          crane tag ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} latest
-          rm config.tar
-      - name: Sign config artifact
+          flux push artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} \
+            --path="./kustomize" \
+            --source="${{ github.event.repository.html_url }}" \
+            --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
+          flux tag artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --tag latest
+      - name: Sign config artifact with cso
         run: |
           echo "$COSIGN_KEY" > /tmp/cosign.key
-          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
-          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest
+          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest --yes
         env:
           COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
           COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+      - name: Sign artifacts with Notation
+        run: |
+          notation sign --signature-format cose ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:latest
       - uses: ./.github/actions/release-notes
       - name: Generate release notes
         run: |
           echo 'CHANGELOG' > /tmp/release.txt
           github-release-notes -org stefanprodan -repo podinfo -since-latest-release >> /tmp/release.txt
       - name: Publish release
-        uses: goreleaser/goreleaser-action@v1
+        uses: goreleaser/goreleaser-action@v5
         with:
           version: latest
           args: release --release-notes=/tmp/release.txt --skip-validate

.github/workflows/test.yml

@@ -6,30 +6,52 @@ on:
     branches:
       - 'master'
 
+permissions:
+  contents: read
+
+env:
+  KUBERNETES_VERSION: 1.31.0
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
-      - name: Restore Go cache
-        uses: actions/cache@v1
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-go-
+        uses: actions/checkout@v4
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.17.x
+          go-version: 1.23.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v3
+        with:
+          version: v${{ env.KUBERNETES_VERSION }}
+      - name: Setup kubeconform
+        uses: ./.github/actions/kubeconform
+      - name: Setup Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.16.1
+      - name: Setup CUE
+        uses: cue-lang/setup-cue@v1.0.0
+      - name: Setup Timoni
+        uses: stefanprodan/timoni/actions/setup@main
       - name: Run unit tests
         run: make test
-      - name: Setup CUE
-        uses: cue-lang/setup-cue@main
-      - name: Verify CUE formatting
-        working-directory: ./cue
+      - name: Validate Helm chart
         run: |
-          cue fmt .
+          helm lint ./charts/podinfo/
+          helm template ./charts/podinfo/ | kubeconform -strict -summary -kubernetes-version ${{ env.KUBERNETES_VERSION }}
+      - name: Validate Kustomize overlay
+        run: |
+          kubectl kustomize ./kustomize/ | kubeconform -strict -summary -kubernetes-version ${{ env.KUBERNETES_VERSION }}
+      - name: Verify CUE formatting
+        working-directory: ./timoni/podinfo
+        run: |
+          cue fmt ./...
           status=$(git status . --porcelain)
           [[ -z "$status" ]] || {
             echo "CUE files are not correctly formatted"
@@ -37,27 +59,14 @@ jobs:
             git diff
             exit 1
           }
-      - name: Validate CUE
-        working-directory: ./cue
-        run: cue vet --all-errors --concrete .
+      - name: Validate Timoni module
+        working-directory: ./timoni/podinfo
+        run: |
+          timoni mod lint . 
+          timoni build podinfo . -f test_values.cue | kubeconform -strict -summary -skip=ServiceMonitor -kubernetes-version ${{ env.KUBERNETES_VERSION }}
       - name: Check if working tree is dirty
         run: |
           if [[ $(git diff --stat) != '' ]]; then
             echo 'run make test and commit changes'
             exit 1
           fi
-      - name: Validate Helm chart
-        uses: stefanprodan/kube-tools@v1
-        with:
-          kubectl: 1.19.11
-          helm: 2.17.0
-          helmv3: 3.6.0
-          command: |
-            helmv3 template ./charts/podinfo | kubeval --strict --kubernetes-version 1.19.11 --schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master
-      - name: Validate kustomization
-        uses: stefanprodan/kube-tools@v1
-        with:
-          kubectl: 1.19.11
-          command: |
-            kustomize build ./kustomize | kubeval --strict --kubernetes-version 1.19.11 --schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master
-            kustomize build ./kustomize | conftest test -p .github/policy -

.gitignore

@@ -19,4 +19,10 @@ release/
 build/
 gcloud/
 dist/
-bin/
+bin/
+cue/cue.mod/gen/
+cue/go.mod
+cue/go.sum
+
+.notation/podinfo.csr
+.notation/podinfo.key

.notation/README.md

@@ -0,0 +1,15 @@
+# Podinfo signed releases
+
+Podinfo release assets such as the Helm chart and the Flux artifact
+are published to GitHub Container Registry and are signed with
+[Notation](https://github.com/notaryproject/notation).
+
+## Generate signing keys
+
+Generate a new signing key pair:
+
+```sh
+openssl genrsa -out podinfo.key 2048
+openssl req -new -key podinfo.key -out podinfo.csr -config codesign.cnf
+openssl x509 -req -days 1826 -in podinfo.csr -signkey podinfo.key -out notation.crt -extensions v3_req -extfile codesign.cnf
+```

.notation/codesign.cnf

@@ -0,0 +1,18 @@
+[ req ]
+default_bits           = 2048
+default_keyfile        = privatekey.pem
+distinguished_name     = req_distinguished_name
+req_extensions         = v3_req
+prompt                 = no
+
+[ req_distinguished_name ]
+C                      = RO
+ST                     = BU
+L                      = Bucharest
+O                      = Notary
+CN                     = stefanprodan.com
+
+[ v3_req ]
+keyUsage               = critical,digitalSignature
+extendedKeyUsage       = critical,codeSigning
+#subjectKeyIdentifier  = hash

.notation/notation.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbDCCAlSgAwIBAgIUP7zhmTw5XTWLcgBGkBEsErMOkz4wDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCUk8xCzAJBgNVBAgMAkJVMRIwEAYDVQQHDAlCdWNoYXJl
+c3QxDzANBgNVBAoMBk5vdGFyeTEZMBcGA1UEAwwQc3RlZmFucHJvZGFuLmNvbTAe
+Fw0yNDAyMjUxMDAyMzZaFw0yOTAyMjQxMDAyMzZaMFoxCzAJBgNVBAYTAlJPMQsw
+CQYDVQQIDAJCVTESMBAGA1UEBwwJQnVjaGFyZXN0MQ8wDQYDVQQKDAZOb3Rhcnkx
+GTAXBgNVBAMMEHN0ZWZhbnByb2Rhbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDtH4oPi3SyX/DGv6NdjIvmApvD9eeSgsmHdwpAly8T9D2me+fx
+Z+wRNJmq4aq/A1anX+Sg28iwHzV+1WKpsHnjYzDAJSEYP2S8A5H1nGRKUoibdijw
+C3QBh5C75rjF/tmZVSX/Vgbf3HJJEsF4WUxWabLxoV2QLo7UlEsQd9+bSeKNMncx
+1+E6FdbRCrYo90iobvZJ8K/S2zCWq/JTeHfTnmSEDhx6nMJcaSjvMPn3zyauWcQw
+dDpkcaGiJ64fEJRT2OFxXv9u+vDmIMKzo/Wjbd+IzFj6YY4VisK88aU7tmDelnk5
+gQB9eu62PFoaVsYJp4VOhblFKvGJpQwbWB9BAgMBAAGjKjAoMA4GA1UdDwEB/wQE
+AwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEA
+6x+C6hAIbLwMvkNx4K5p7Qe/pLQR0VwQFAw10yr/5KSN+YKFpon6pQ0TebL7qll+
+uBGZvtQhN6v+DlnVqB7lvJKd+89isgirkkews5KwuXg7Gv5UPIugH0dXISZU8DMJ
+7J4oKREv5HzdFmfsUfNlQcfyVTjKL6UINXfKGdqNNxXxR9b4a1TY2JcmEhzBTHaq
+ZqX6HK784a0dB7aHgeFrFwPCCP4M684Hs7CFbk3jo2Ef4ljnB5AyWpe8pwCLMdRt
+UjSjL5xJWVQvRU+STQsPr6SvpokPCG4rLQyjgeYYk4CCj5piSxbSUZFavq8v1y7Y
+m91USVqfeUX7ZzjDxPHE2A==
+-----END CERTIFICATE-----

.notation/signingkeys.json

@@ -0,0 +1,10 @@
+{
+    "default": "stefanprodan.com",
+    "keys": [
+        {
+            "name": "stefanprodan.com",
+            "keyPath": "/home/runner/.config/notation/localkeys/notation.key",
+            "certPath": "/home/runner/.config/notation/localkeys/notation.crt"
+        }
+    ]
+}

.notation/trustpolicy.json

@@ -0,0 +1,19 @@
+{
+    "version": "1.0",
+    "trustPolicies": [
+        {
+            "name": "stefanprodan.com",
+            "registryScopes": [
+                "ghcr.io/stefanprodan/podinfo-deploy",
+                "ghcr.io/stefanprodan/charts/podinfo"
+            ],
+            "signatureVerification": {
+                "level" : "strict"
+            },
+            "trustStores": [ "ca:stefanprodan.com" ],
+            "trustedIdentities": [
+                "x509.subject: C=RO, ST=BU, L=Bucharest, O=Notary, CN=stefanprodan.com"
+            ]
+        }
+    ]
+}

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.17-alpine as builder
+FROM golang:1.23-alpine as builder
 
 ARG REVISION
 
@@ -18,7 +18,7 @@ RUN CGO_ENABLED=0 go build -ldflags "-s -w \
     -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
     -a -o bin/podcli cmd/podcli/*
 
-FROM alpine:3.15
+FROM alpine:3.20
 
 ARG BUILD_DATE
 ARG VERSION

Dockerfile.base

@@ -1,4 +1,4 @@
-FROM golang:1.17
+FROM golang:1.23
 
 WORKDIR /workspace
 

Dockerfile.xx

@@ -1,5 +1,5 @@
-ARG GO_VERSION=1.17
-ARG XX_VERSION=1.1.0
+ARG GO_VERSION=1.23
+ARG XX_VERSION=1.4.0
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
@@ -28,7 +28,7 @@ RUN xx-go build -ldflags "-s -w \
     -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
     -a -o bin/podcli cmd/podcli/*
 
-FROM alpine:3.15
+FROM alpine:3.20
 
 ARG BUILD_DATE
 ARG VERSION

Makefile

@@ -16,7 +16,7 @@ run:
 	--ui-logo=https://raw.githubusercontent.com/stefanprodan/podinfo/gh-pages/cuddle_clap.gif $(EXTRA_RUN_ARGS)
 
 .PHONY: test
-test:
+test: tidy fmt vet
 	go test ./... -coverprofile cover.out
 
 build:
@@ -24,11 +24,13 @@ build:
 	GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podcli ./cmd/podcli/*
 
 tidy:
-	rm -f go.sum; go mod tidy -compat=1.17
+	rm -f go.sum; go mod tidy -compat=1.23
+
+vet:
+	go vet ./...
 
 fmt:
-	gofmt -l -s -w ./
-	goimports -l -w ./
+	go fmt ./...
 
 build-charts:
 	helm lint charts/*
@@ -79,18 +81,19 @@ version-set:
 	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/backend/deployment.yaml && \
 	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/frontend/deployment.yaml && \
 	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/backend/deployment.yaml && \
-	/usr/bin/sed -i '' "s/$$current/$$next/g" cue/main.cue && \
-	echo "Version $$next set in code, deployment, chart and kustomize"
+	/usr/bin/sed -i '' "s/$$current/$$next/g" timoni/podinfo/values.cue && \
+	echo "Version $$next set in code, deployment, module, chart and kustomize"
 
 release:
-	git tag $(VERSION)
+	git tag -s -m $(VERSION) $(VERSION)
 	git push origin $(VERSION)
 
 swagger:
-	go get github.com/swaggo/swag/cmd/swag
-	cd pkg/api && $$(go env GOPATH)/bin/swag init -g server.go
+	go install github.com/swaggo/swag/cmd/swag@latest
+	go get github.com/swaggo/swag/gen@latest
+	go get github.com/swaggo/swag/cmd/swag@latest
+	cd pkg/api/http && $$(go env GOPATH)/bin/swag init -g server.go
 
-.PHONY: cue
-cue:
-	@cd cue && cue fmt ./... && cue vet --all-errors --concrete ./...
-	@cd cue && cue gen
+.PHONY: timoni-build
+timoni-build:
+	@timoni build podinfo ./timoni/podinfo -f ./timoni/podinfo/debug_values.cue

README.md

@@ -20,11 +20,11 @@ Specifications:
 * 12-factor app with viper
 * Fault injection (random errors and latency)
 * Swagger docs
-* Helm and Kustomize installers
+* Timoni, Helm and Kustomize installers
 * End-to-End testing with Kubernetes Kind and Helm
-* Kustomize testing with GitHub Actions and Open Policy Agent
-* Multi-arch container image with Docker buildx and Github Actions
+* Multi-arch container image with Docker buildx and GitHub Actions
 * Container image signing with Sigstore cosign
+* SBOMs and SLSA Provenance embedded in the container image
 * CVE scanning with Trivy
 
 Web API:
@@ -57,6 +57,16 @@ Web API:
 gRPC API:
 
 * `/grpc.health.v1.Health/Check` health checking
+* `/grpc.EchoService/Echo` echos the received content
+* `/grpc.VersionService/Version` returns podinfo version and Git commit hash
+* `/grpc.DelayService/Delay` returns a successful response after the given seconds in the body of gRPC request
+* `/grpc.EnvService/Env` returns environment variables as a JSON array
+* `/grpc.HeaderService/Header` returns the headers present in the gRPC request. Any custom header can also be given as a part of request and that can be returned using this API
+* `/grpc.InfoService/Info` returns the runtime information
+* `/grpc.PanicService/Panic` crashes the process with gRPC status code as '1 CANCELLED'
+* `/grpc.StatusService/Status` returns the gRPC Status code given in the request body
+* `/grpc.TokenService/TokenGenerate` issues a JWT token valid for one minute
+* `/grpc.TokenService/TokenValidate` validates the JWT token
 
 Web UI:
 
@@ -66,16 +76,23 @@ To access the Swagger UI open `<podinfo-host>/swagger/index.html` in a browser.
 
 ### Guides
 
-* [GitOps Progressive Deliver with Flagger, Helm v3 and Linkerd](https://helm.workshop.flagger.dev/intro/)
-* [GitOps Progressive Deliver on EKS with Flagger and AppMesh](https://eks.handson.flagger.dev/prerequisites/)
-* [Automated canary deployments with Flagger and Istio](https://medium.com/google-cloud/automated-canary-deployments-with-flagger-and-istio-ac747827f9d1)
-* [Kubernetes autoscaling with Istio metrics](https://medium.com/google-cloud/kubernetes-autoscaling-with-istio-metrics-76442253a45a)
-* [Autoscaling EKS on Fargate with custom metrics](https://aws.amazon.com/blogs/containers/autoscaling-eks-on-fargate-with-custom-metrics/)
-* [Managing Helm releases the GitOps way](https://medium.com/google-cloud/managing-helm-releases-the-gitops-way-207a6ac6ff0e)
-* [Securing EKS Ingress With Contour And Let’s Encrypt The GitOps Way](https://aws.amazon.com/blogs/containers/securing-eks-ingress-contour-lets-encrypt-gitops/)
+* [Getting started with Timoni](https://timoni.sh/quickstart/)
+* [Getting started with Flux](https://fluxcd.io/flux/get-started/)
+* [Progressive Deliver with Flagger and Linkerd](https://docs.flagger.app/tutorials/linkerd-progressive-delivery)
+* [Automated canary deployments with Kubernetes Gateway API](https://docs.flagger.app/tutorials/gatewayapi-progressive-delivery)
 
 ### Install
 
+To install Podinfo on Kubernetes the minimum required version is **Kubernetes v1.23**.
+
+#### Timoni
+
+Install with [Timoni](https://timoni.sh):
+
+```bash
+timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo
+```
+
 #### Helm
 
 Install from github.io:
@@ -89,7 +106,7 @@ helm upgrade --install --wait frontend \
 --set backend=http://backend-podinfo:9898/echo \
 podinfo/podinfo
 
-helm test frontend
+helm test frontend --namespace test
 
 helm upgrade --install --wait backend \
 --namespace test \

charts/podinfo/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-version: 6.1.3
-appVersion: 6.1.3
+version: 6.7.1
+appVersion: 6.7.1
 name: podinfo
 engine: gotpl
 description: Podinfo Helm chart for Kubernetes
@@ -10,4 +10,4 @@ maintainers:
   name: stefanprodan
 sources:
 - https://github.com/stefanprodan/podinfo
-kubeVersion: ">=1.19.0-0"
+kubeVersion: ">=1.23.0-0"

charts/podinfo/README.md

@@ -9,7 +9,23 @@ for end-to-end testing and workshops.
 
 ## Installing the Chart
 
-To install the chart with the release name `my-release`:
+The Podinfo charts are published to
+[GitHub Container Registry](https://github.com/stefanprodan/podinfo/pkgs/container/charts%2Fpodinfo)
+and signed with [Cosign](https://github.com/sigstore/cosign) & GitHub Actions OIDC.
+
+To install the chart with the release name `my-release` from GHCR:
+
+```console
+$ helm upgrade -i my-release oci://ghcr.io/stefanprodan/charts/podinfo
+```
+
+To verify a chart with Cosign:
+
+```console
+$ cosign verify ghcr.io/stefanprodan/charts/podinfo:<VERSION>
+```
+
+Alternatively, you can install the chart from GitHub pages:
 
 ```console
 $ helm repo add podinfo https://stefanprodan.github.io/podinfo
@@ -34,60 +50,66 @@ The command removes all the Kubernetes components associated with the chart and
 
 The following tables lists the configurable parameters of the podinfo chart and their default values.
 
-Parameter | Default | Description
---- | --- | ---
-`replicaCount` | `1` | Desired number of pods
-`logLevel` | `info` | Log level: `debug`, `info`, `warn`, `error`
-`backend` | `None` | Echo backend URL
-`backends` | `[]` | Array of echo backend URLs
-`cache` | `None` | Redis address in the format `tcp://<host>:<port>`
-`redis.enabled` | `false` | Create Redis deployment for caching purposes
-`ui.color` | `#34577c` |  UI color
-`ui.message` | `None` |  UI greetings message
-`ui.logo` | `None` |  UI logo
-`faults.delay` | `false` | Random HTTP response delays between 0 and 5 seconds
-`faults.error` | `false` | 1/3 chances of a random HTTP response error
-`faults.unhealthy` | `false` | When set, the healthy state is never reached
-`faults.unready` | `false` | When set, the ready state is never reached
-`faults.testFail` | `false` | When set, a helm test is included which always fails
-`faults.testTimeout` | `false` | When set, a helm test is included which always times out
-`image.repository` | `stefanprodan/podinfo` | Image repository
-`image.tag` | `<VERSION>` | Image tag
-`image.pullPolicy` | `IfNotPresent` | Image pull policy
-`service.enabled` | `true` | Create a Kubernetes Service, should be disabled when using [Flagger](https://flagger.app)
-`service.type` | `ClusterIP` | Type of the Kubernetes Service
-`service.metricsPort` | `9797` | Prometheus metrics endpoint port
-`service.httpPort` | `9898` | Container HTTP port
-`service.externalPort` | `9898` | ClusterIP HTTP port
-`service.grpcPort` | `9999` | ClusterIP gPRC port
-`service.grpcService` | `podinfo` | gPRC service name
-`service.nodePort` | `31198` | NodePort for the HTTP endpoint
-`h2c.enabled` | `false` | Allow upgrading to h2c (non-TLS version of HTTP/2)
-`hpa.enabled` | `false` | Enables the Kubernetes HPA
-`hpa.maxReplicas` | `10` | Maximum amount of pods
-`hpa.cpu` | `None` | Target CPU usage per pod
-`hpa.memory` | `None` | Target memory usage per pod
-`hpa.requests` | `None` | Target HTTP requests per second per pod
-`serviceAccount.enabled` | `false` | Whether a service account should be created
-`serviceAccount.name` | `None` | The name of the service account to use, if not set and create is true, a name is generated using the fullname template
-`securityContext` | `{}` | The security context to be set on the podinfo container
-`linkerd.profile.enabled` | `false` | Create Linkerd service profile
-`serviceMonitor.enabled` | `false` | Whether a Prometheus Operator service monitor should be created
-`serviceMonitor.interval` | `15s` | Prometheus scraping interval
-`serviceMonitor.additionalLabels` | `{}` | Add additional labels to the service monitor |
-`ingress.enabled` | `false` | Enables Ingress
-`ingress.className ` | `""` | Use ingressClassName
-`ingress.annotations` | `{}` | Ingress annotations
-`ingress.hosts` | `[]` | Ingress accepted hosts
-`ingress.tls` | `[]` | Ingress TLS configuration
-`resources.requests.cpu` | `1m` | Pod CPU request
-`resources.requests.memory` | `16Mi` | Pod memory request
-`resources.limits.cpu` | `None` | Pod CPU limit
-`resources.limits.memory` | `None` | Pod memory limit
-`nodeSelector` | `{}` | Node labels for pod assignment
-`tolerations` | `[]` | List of node taints to tolerate
-`affinity` | `None` | Node/pod affinities
-`podAnnotations` | `{}` | Pod annotations
+| Parameter                         | Default                | Description                                                                                                            |
+| --------------------------------- | ---------------------- | ---------------------------------------------------------------------------------------------------------------------- |
+| `replicaCount`                    | `1`                    | Desired number of pods                                                                                                 |
+| `logLevel`                        | `info`                 | Log level: `debug`, `info`, `warn`, `error`                                                                            |
+| `backend`                         | `None`                 | Echo backend URL                                                                                                       |
+| `backends`                        | `[]`                   | Array of echo backend URLs                                                                                             |
+| `cache`                           | `None`                 | Redis address in the format `tcp://<host>:<port>`                                                                      |
+| `redis.enabled`                   | `false`                | Create Redis deployment for caching purposes                                                                           |
+| `ui.color`                        | `#34577c`              | UI color                                                                                                               |
+| `ui.message`                      | `None`                 | UI greetings message                                                                                                   |
+| `ui.logo`                         | `None`                 | UI logo                                                                                                                |
+| `faults.delay`                    | `false`                | Random HTTP response delays between 0 and 5 seconds                                                                    |
+| `faults.error`                    | `false`                | 1/3 chances of a random HTTP response error                                                                            |
+| `faults.unhealthy`                | `false`                | When set, the healthy state is never reached                                                                           |
+| `faults.unready`                  | `false`                | When set, the ready state is never reached                                                                             |
+| `faults.testFail`                 | `false`                | When set, a helm test is included which always fails                                                                   |
+| `faults.testTimeout`              | `false`                | When set, a helm test is included which always times out                                                               |
+| `image.repository`                | `stefanprodan/podinfo` | Image repository                                                                                                       |
+| `image.tag`                       | `<VERSION>`            | Image tag                                                                                                              |
+| `image.pullPolicy`                | `IfNotPresent`         | Image pull policy                                                                                                      |
+| `service.enabled`                 | `true`                 | Create a Kubernetes Service, should be disabled when using [Flagger](https://flagger.app)                              |
+| `service.type`                    | `ClusterIP`            | Type of the Kubernetes Service                                                                                         |
+| `service.metricsPort`             | `9797`                 | Prometheus metrics endpoint port                                                                                       |
+| `service.httpPort`                | `9898`                 | Container HTTP port                                                                                                    |
+| `service.externalPort`            | `9898`                 | ClusterIP HTTP port                                                                                                    |
+| `service.grpcPort`                | `9999`                 | ClusterIP gPRC port                                                                                                    |
+| `service.grpcService`             | `podinfo`              | gPRC service name                                                                                                      |
+| `service.nodePort`                | `31198`                | NodePort for the HTTP endpoint                                                                                         |
+| `h2c.enabled`                     | `false`                | Allow upgrading to h2c (non-TLS version of HTTP/2)                                                                     |
+| `extraEnvs`                       | `[]`                   | Extra environment variables for the podinfo container |
+| `config.path`                     | `""`                   | config file path                                                                                                       |
+| `config.name`                     | `""`                   | config file name                                                                                                       |
+| `extraArgs`                       | `[]`                   | Additional command line arguments to pass to podinfo container                                                         |
+| `hpa.enabled`                     | `false`                | Enables the Kubernetes HPA                                                                                             |
+| `hpa.maxReplicas`                 | `10`                   | Maximum amount of pods                                                                                                 |
+| `hpa.cpu`                         | `None`                 | Target CPU usage per pod                                                                                               |
+| `hpa.memory`                      | `None`                 | Target memory usage per pod                                                                                            |
+| `hpa.requests`                    | `None`                 | Target HTTP requests per second per pod                                                                                |
+| `serviceAccount.enabled`          | `false`                | Whether a service account should be created                                                                            |
+| `serviceAccount.name`             | `None`                 | The name of the service account to use, if not set and create is true, a name is generated using the fullname template |
+| `serviceAccount.imagePullSecrets` | `[]`                   | List of image pull secrets if pulling from private registries.                                                         |
+| `securityContext`                 | `{}`                   | The security context to be set on the podinfo container                                                                |
+| `linkerd.profile.enabled`         | `false`                | Create Linkerd service profile                                                                                         |
+| `serviceMonitor.enabled`          | `false`                | Whether a Prometheus Operator service monitor should be created                                                        |
+| `serviceMonitor.interval`         | `15s`                  | Prometheus scraping interval                                                                                           |
+| `serviceMonitor.additionalLabels` | `{}`                   | Add additional labels to the service monitor                                                                           |
+| `ingress.enabled`                 | `false`                | Enables Ingress                                                                                                        |
+| `ingress.className `              | `""`                   | Use ingressClassName                                                                                                   |
+| `ingress.additionalLabels`        | `{}`                   | Add additional labels to the ingress                                                                                   |
+| `ingress.annotations`             | `{}`                   | Ingress annotations                                                                                                    |
+| `ingress.hosts`                   | `[]`                   | Ingress accepted hosts                                                                                                 |
+| `ingress.tls`                     | `[]`                   | Ingress TLS configuration                                                                                              |
+| `resources.requests.cpu`          | `1m`                   | Pod CPU request                                                                                                        |
+| `resources.requests.memory`       | `16Mi`                 | Pod memory request                                                                                                     |
+| `resources.limits.cpu`            | `None`                 | Pod CPU limit                                                                                                          |
+| `resources.limits.memory`         | `None`                 | Pod memory limit                                                                                                       |
+| `nodeSelector`                    | `{}`                   | Node labels for pod assignment                                                                                         |
+| `tolerations`                     | `[]`                   | List of node taints to tolerate                                                                                        |
+| `affinity`                        | `None`                 | Node/pod affinities                                                                                                    |
+| `podAnnotations`                  | `{}`                   | Pod annotations                                                                                                        |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 
@@ -110,14 +132,3 @@ $ helm install my-release podinfo/podinfo -f values.yaml
 ```
 
 > **Tip**: You can use the default [values.yaml](values.yaml)
-
-## Upgrading the chart
-
-### To =< 5.0.0
-
-Version 5.0.0 is a major update.
-
-* The chart now follows the new Kubernetes label recommendations:
-<https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/>
-
-The simplest way to update is to do a force upgrade, which recreates the resources by doing a delete and an install.

charts/podinfo/templates/deployment.yaml

@@ -87,6 +87,15 @@ spec:
             {{- if .Values.h2c.enabled }}
             - --h2c
             {{- end }}
+            {{- with .Values.config.path }}
+            - --config-path={{ . }}
+            {{- end }}
+            {{- with .Values.config.name }}
+            - --config={{ . }}
+            {{- end }}
+            {{- with .Values.extraArgs }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
           env:
           {{- if .Values.ui.message }}
           - name: PODINFO_UI_MESSAGE
@@ -104,6 +113,9 @@ spec:
           - name: PODINFO_BACKEND_URL
             value: {{ .Values.backend }}
           {{- end }}
+          {{- if .Values.extraEnvs }}
+{{ toYaml .Values.extraEnvs | indent 10 }}
+          {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.service.httpPort | default 9898 }}
@@ -129,6 +141,22 @@ spec:
               containerPort: {{ .Values.service.grpcPort }}
               protocol: TCP
             {{- end }}
+          {{- if .Values.probes.startup.enable }}
+          startupProbe:
+            exec:
+              command:
+              - podcli
+              - check
+              - http
+              - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz
+            {{- with .Values.probes.startup }}
+            initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
+            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
+            failureThreshold: {{ .failureThreshold | default 3 }}
+            successThreshold: {{ .successThreshold | default 1 }}
+            periodSeconds: {{ .periodSeconds | default 10 }}
+            {{- end }}
+            {{- end }}
           livenessProbe:
             exec:
               command:
@@ -136,8 +164,13 @@ spec:
               - check
               - http
               - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz
-            initialDelaySeconds: 1
-            timeoutSeconds: 5
+            {{- with .Values.probes.liveness }}
+            initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
+            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
+            failureThreshold: {{ .failureThreshold | default 3 }}
+            successThreshold: {{ .successThreshold | default 1 }}
+            periodSeconds: {{ .periodSeconds | default 10 }}
+            {{- end }}
           readinessProbe:
             exec:
               command:
@@ -145,8 +178,13 @@ spec:
               - check
               - http
               - localhost:{{ .Values.service.httpPort | default 9898 }}/readyz
-            initialDelaySeconds: 1
-            timeoutSeconds: 5
+            {{- with .Values.probes.readiness }}
+            initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
+            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
+            failureThreshold: {{ .failureThreshold | default 3 }}
+            successThreshold: {{ .successThreshold | default 1 }}
+            periodSeconds: {{ .periodSeconds | default 10 }}
+            {{- end }}
           volumeMounts:
           - name: data
             mountPath: /data
@@ -177,3 +215,7 @@ spec:
         secret:
           secretName: {{ template "podinfo.tlsSecretName" . }}
       {{- end }}
+    {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+    {{- end }}

charts/podinfo/templates/hpa.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.hpa.enabled -}}
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ template "podinfo.fullname" . }}

charts/podinfo/templates/ingress.yaml

@@ -7,6 +7,9 @@ metadata:
   name: {{ $fullName }}
   labels:
     {{- include "podinfo.labels" . | nindent 4 }}
+    {{- with .Values.ingress.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   {{- with .Values.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

charts/podinfo/templates/pdb.yaml

@@ -0,0 +1,14 @@
+{{- if and .Values.podDisruptionBudget (gt (int .Values.replicaCount) 1) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "podinfo.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "podinfo.selectorLabels" . | nindent 6 }}
+  {{- toYaml .Values.podDisruptionBudget | nindent 2 }}
+{{- end }}

charts/podinfo/templates/serviceaccount.yaml

@@ -5,4 +5,8 @@ metadata:
   name: {{ template "podinfo.serviceAccountName" . }}
   labels:
     {{- include "podinfo.labels" . | nindent 4 }}
+{{- with .Values.serviceAccount.imagePullSecrets }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
 {{- end -}}
+{{- end -}}

charts/podinfo/values-prod.yaml

@@ -8,7 +8,7 @@ backends: []
 
 image:
   repository: ghcr.io/stefanprodan/podinfo
-  tag: 6.1.3
+  tag: 6.7.1
   pullPolicy: IfNotPresent
 
 ui:
@@ -41,6 +41,16 @@ service:
 h2c:
   enabled: false
 
+# config file settings
+config:
+  # config file path
+  path: ""
+  # config file name
+  name: ""
+
+# Additional command line arguments to pass to podinfo container
+extraArgs: []
+
 # enable tls on the podinfo service
 tls:
   enabled: false
@@ -83,7 +93,7 @@ cache: ""
 redis:
   enabled: true
   repository: redis
-  tag: 6.0.8
+  tag: 7.0.7
 
 serviceAccount:
   # Specifies whether a service account should be created
@@ -91,6 +101,8 @@ serviceAccount:
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name:
+  # List of image pull secrets if pulling from private registries
+  imagePullSecrets: []
 
 # set container security context
 securityContext: {}
@@ -98,6 +110,7 @@ securityContext: {}
 ingress:
   enabled: false
   className: ""
+  additionalLabels: {}
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
@@ -128,6 +141,14 @@ resources:
     cpu: 100m
     memory: 64Mi
 
+# Extra environment variables for the podinfo container
+extraEnvs: []
+# Example on how to configure extraEnvs
+#  - name: OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
+#    value: "http://otel:4317"
+#  - name: MULTIPLE_VALUES
+#    value: TEST
+
 nodeSelector: {}
 
 tolerations: []

charts/podinfo/values.yaml

@@ -8,7 +8,7 @@ backends: []
 
 image:
   repository: ghcr.io/stefanprodan/podinfo
-  tag: 6.1.3
+  tag: 6.7.1
   pullPolicy: IfNotPresent
 
 ui:
@@ -45,6 +45,16 @@ service:
 h2c:
   enabled: false
 
+# config file settings
+config:
+  # config file path
+  path: ""
+  # config file name
+  name: ""
+
+# Additional command line arguments to pass to podinfo container
+extraArgs: []
+
 # enable tls on the podinfo service
 tls:
   enabled: false
@@ -87,7 +97,7 @@ cache: ""
 redis:
   enabled: false
   repository: redis
-  tag: 6.0.8
+  tag: 7.0.7
 
 serviceAccount:
   # Specifies whether a service account should be created
@@ -95,6 +105,8 @@ serviceAccount:
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name:
+  # List of image pull secrets if pulling from private registries
+  imagePullSecrets: []
 
 # set container security context
 securityContext: {}
@@ -102,6 +114,7 @@ securityContext: {}
 ingress:
   enabled: false
   className: ""
+  additionalLabels: {}
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
@@ -131,6 +144,14 @@ resources:
     cpu: 1m
     memory: 16Mi
 
+# Extra environment variables for the podinfo container
+extraEnvs: []
+# Example on how to configure extraEnvs
+#  - name: OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
+#    value: "http://otel:4317"
+#  - name: MULTIPLE_VALUES
+#    value: TEST
+
 nodeSelector: {}
 
 tolerations: []
@@ -138,3 +159,32 @@ tolerations: []
 affinity: {}
 
 podAnnotations: {}
+
+# https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+topologySpreadConstraints: []
+
+# Disruption budget will be configured only when the replicaCount is greater than 1
+podDisruptionBudget: {}
+#  maxUnavailable: 1
+
+# https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+probes:
+  readiness:
+    initialDelaySeconds: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
+    periodSeconds: 10
+  liveness:
+    initialDelaySeconds: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
+    periodSeconds: 10
+  startup:
+    enable: false
+    initialDelaySeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 20
+    successThreshold: 1
+    periodSeconds: 10

cmd/podinfo/main.go

@@ -2,7 +2,6 @@ package main
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -14,10 +13,11 @@ import (
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 
-	"github.com/stefanprodan/podinfo/pkg/api"
-	"github.com/stefanprodan/podinfo/pkg/grpc"
+	"github.com/stefanprodan/podinfo/pkg/api/grpc"
+	"github.com/stefanprodan/podinfo/pkg/api/http"
 	"github.com/stefanprodan/podinfo/pkg/signals"
 	"github.com/stefanprodan/podinfo/pkg/version"
+	go_grpc "google.golang.org/grpc"
 )
 
 func main() {
@@ -33,7 +33,7 @@ func main() {
 	fs.StringSlice("backend-url", []string{}, "backend service URL")
 	fs.Duration("http-client-timeout", 2*time.Minute, "client timeout duration")
 	fs.Duration("http-server-timeout", 30*time.Second, "server read and write timeout duration")
-	fs.Duration("http-server-shutdown-timeout", 5*time.Second, "server graceful shutdown timeout duration")
+	fs.Duration("server-shutdown-timeout", 5*time.Second, "server graceful shutdown timeout duration")
 	fs.String("data-path", "/data", "data local path")
 	fs.String("config-path", "", "config dir path")
 	fs.String("cert-path", "/data/cert", "certificate path for HTTPS port")
@@ -135,13 +135,16 @@ func main() {
 	}
 
 	// start gRPC server
+	var grpcServer *go_grpc.Server
 	if grpcCfg.Port > 0 {
 		grpcSrv, _ := grpc.NewServer(&grpcCfg, logger)
-		go grpcSrv.ListenAndServe()
+		//grpcinfoSrv, _ := grpc.NewInfoServer(&grpcCfg)
+
+		grpcServer = grpcSrv.ListenAndServe()
 	}
 
 	// load HTTP server config
-	var srvCfg api.Config
+	var srvCfg http.Config
 	if err := viper.Unmarshal(&srvCfg); err != nil {
 		logger.Panic("config unmarshal failed", zap.Error(err))
 	}
@@ -154,9 +157,13 @@ func main() {
 	)
 
 	// start HTTP server
-	srv, _ := api.NewServer(&srvCfg, logger)
+	srv, _ := http.NewServer(&srvCfg, logger)
+	httpServer, httpsServer, healthy, ready := srv.ListenAndServe()
+
+	// graceful shutdown
 	stopCh := signals.SetupSignalHandler()
-	srv.ListenAndServe(stopCh)
+	sd, _ := signals.NewShutdown(srvCfg.ServerShutdownTimeout, logger)
+	sd.Graceful(stopCh, httpServer, httpsServer, grpcServer, healthy, ready)
 }
 
 func initZap(logLevel string) (*zap.Logger, error) {
@@ -238,12 +245,12 @@ func beginStressTest(cpus int, mem int, logger *zap.Logger) {
 			logger.Error("memory stress failed", zap.Error(err))
 		}
 
-		stressMemoryPayload, err = ioutil.ReadFile(path)
+		stressMemoryPayload, err = os.ReadFile(path)
 		f.Close()
 		os.Remove(path)
 		if err != nil {
 			logger.Error("memory stress failed", zap.Error(err))
 		}
-		logger.Info("starting CPU stress", zap.Int("memory", len(stressMemoryPayload)))
+		logger.Info("starting MEMORY stress", zap.Int("memory", len(stressMemoryPayload)))
 	}
 }

cue/README.md

@@ -1,15 +0,0 @@
-# CUE Demo
-
-This directory contains a [cuelang module](https://cuelang.org/docs/) and tooling to generate podinfo resources.
-
-It defines a `podinfo.#Application` definition which takes a `podinfo.#Config` as input. The `podinfo.#Config` definition is modelled on the `podinfo` Helm chart `values.yaml` file.
-
-## Configuration
-
-Configure the application in `main.cue`.
-
-## Generate the manifests
-
-```shell
-cue gen
-```

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/const_go_gen.cue

@@ -1,7 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
-
-package v1
-
-#ACMEFinalizer: "finalizer.acme.cert-manager.io"

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/doc_go_gen.cue

@@ -1,8 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
-
-// Package v1 is the v1 version of the API.
-// +k8s:deepcopy-gen=package,register
-// +groupName=acme.cert-manager.io
-package v1

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_challenge_go_gen.cue

@@ -1,128 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
-
-package v1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
-)
-
-// Challenge is a type to represent a Challenge request with an ACME server
-// +k8s:openapi-gen=true
-// +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state"
-// +kubebuilder:printcolumn:name="Domain",type="string",JSONPath=".spec.dnsName"
-// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.reason",description="",priority=1
-// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC."
-// +kubebuilder:subresource:status
-// +kubebuilder:resource:path=challenges
-#Challenge: {
-	metav1.#TypeMeta
-	metadata: metav1.#ObjectMeta @go(ObjectMeta)
-	spec:     #ChallengeSpec     @go(Spec)
-
-	// +optional
-	status: #ChallengeStatus @go(Status)
-}
-
-// ChallengeList is a list of Challenges
-#ChallengeList: {
-	metav1.#TypeMeta
-	metadata: metav1.#ListMeta @go(ListMeta)
-	items: [...#Challenge] @go(Items,[]Challenge)
-}
-
-#ChallengeSpec: {
-	// The URL of the ACME Challenge resource for this challenge.
-	// This can be used to lookup details about the status of this challenge.
-	url: string @go(URL)
-
-	// The URL to the ACME Authorization resource that this
-	// challenge is a part of.
-	authorizationURL: string @go(AuthorizationURL)
-
-	// dnsName is the identifier that this challenge is for, e.g. example.com.
-	// If the requested DNSName is a 'wildcard', this field MUST be set to the
-	// non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
-	dnsName: string @go(DNSName)
-
-	// wildcard will be true if this challenge is for a wildcard identifier,
-	// for example '*.example.com'.
-	// +optional
-	wildcard: bool @go(Wildcard)
-
-	// The type of ACME challenge this resource represents.
-	// One of "HTTP-01" or "DNS-01".
-	type: #ACMEChallengeType @go(Type)
-
-	// The ACME challenge token for this challenge.
-	// This is the raw value returned from the ACME server.
-	token: string @go(Token)
-
-	// The ACME challenge key for this challenge
-	// For HTTP01 challenges, this is the value that must be responded with to
-	// complete the HTTP01 challenge in the format:
-	// `<private key JWK thumbprint>.<key from acme server for challenge>`.
-	// For DNS01 challenges, this is the base64 encoded SHA256 sum of the
-	// `<private key JWK thumbprint>.<key from acme server for challenge>`
-	// text that must be set as the TXT record content.
-	key: string @go(Key)
-
-	// Contains the domain solving configuration that should be used to
-	// solve this challenge resource.
-	solver: #ACMEChallengeSolver @go(Solver)
-
-	// References a properly configured ACME-type Issuer which should
-	// be used to create this Challenge.
-	// If the Issuer does not exist, processing will be retried.
-	// If the Issuer is not an 'ACME' Issuer, an error will be returned and the
-	// Challenge will be marked as failed.
-	issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
-}
-
-// The type of ACME challenge. Only HTTP-01 and DNS-01 are supported.
-// +kubebuilder:validation:Enum=HTTP-01;DNS-01
-#ACMEChallengeType: string // #enumACMEChallengeType
-
-#enumACMEChallengeType:
-	#ACMEChallengeTypeHTTP01 |
-	#ACMEChallengeTypeDNS01
-
-// ACMEChallengeTypeHTTP01 denotes a Challenge is of type http-01
-// More info: https://letsencrypt.org/docs/challenge-types/#http-01-challenge
-#ACMEChallengeTypeHTTP01: #ACMEChallengeType & "HTTP-01"
-
-// ACMEChallengeTypeDNS01 denotes a Challenge is of type dns-01
-// More info: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
-#ACMEChallengeTypeDNS01: #ACMEChallengeType & "DNS-01"
-
-#ChallengeStatus: {
-	// Used to denote whether this challenge should be processed or not.
-	// This field will only be set to true by the 'scheduling' component.
-	// It will only be set to false by the 'challenges' controller, after the
-	// challenge has reached a final state or timed out.
-	// If this field is set to false, the challenge controller will not take
-	// any more action.
-	// +optional
-	processing: bool @go(Processing)
-
-	// presented will be set to true if the challenge values for this challenge
-	// are currently 'presented'.
-	// This *does not* imply the self check is passing. Only that the values
-	// have been 'submitted' for the appropriate challenge mechanism (i.e. the
-	// DNS01 TXT record has been presented, or the HTTP01 configuration has been
-	// configured).
-	// +optional
-	presented: bool @go(Presented)
-
-	// Contains human readable information on why the Challenge is in the
-	// current state.
-	// +optional
-	reason?: string @go(Reason)
-
-	// Contains the current 'state' of the challenge.
-	// If not set, the state of the challenge is unknown.
-	// +optional
-	state?: #State @go(State)
-}

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_go_gen.cue

@@ -1,41 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
-
-package v1
-
-// ACMECertificateHTTP01IngressNameOverride is annotation to override ingress name.
-// If this annotation is specified on a Certificate or Order resource when
-// using the HTTP01 solver type, the ingress.name field of the HTTP01
-// solver's configuration will be set to the value given here.
-// This is especially useful for users of Ingress controllers that maintain
-// a 1:1 mapping between endpoint IP and Ingress resource.
-#ACMECertificateHTTP01IngressNameOverride: "acme.cert-manager.io/http01-override-ingress-name"
-
-// ACMECertificateHTTP01IngressClassOverride is annotation to override ingress class.
-// If this annotation is specified on a Certificate or Order resource when
-// using the HTTP01 solver type, the ingress.class field of the HTTP01
-// solver's configuration will be set to the value given here.
-// This is especially useful for users deploying many different ingress
-// classes into a single cluster that want to be able to re-use a single
-// solver for each ingress class.
-#ACMECertificateHTTP01IngressClassOverride: "acme.cert-manager.io/http01-override-ingress-class"
-
-// IngressEditInPlaceAnnotationKey is used to toggle the use of ingressClass instead
-// of ingress on the created Certificate resource
-#IngressEditInPlaceAnnotationKey: "acme.cert-manager.io/http01-edit-in-place"
-
-// DomainLabelKey is added to the labels of a Pod serving an ACME challenge.
-// Its value will be the hash of the domain name that is being verified.
-#DomainLabelKey: "acme.cert-manager.io/http-domain"
-
-// TokenLabelKey is added to the labels of a Pod serving an ACME challenge.
-// Its value will be the hash of the challenge token that is being served by the pod.
-#TokenLabelKey: "acme.cert-manager.io/http-token"
-
-// SolverIdentificationLabelKey is added to the labels of a Pod serving an ACME challenge.
-// Its value will be the "true" if the Pod is an HTTP-01 solver.
-#SolverIdentificationLabelKey: "acme.cert-manager.io/http01-solver"
-
-#OrderKind:     "Order"
-#ChallengeKind: "Challenge"

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_issuer_go_gen.cue

@@ -1,591 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
-
-package v1
-
-import (
-	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
-	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-)
-
-// ACMEIssuer contains the specification for an ACME issuer.
-// This uses the RFC8555 specification to obtain certificates by completing
-// 'challenges' to prove ownership of domain identifiers.
-// Earlier draft versions of the ACME specification are not supported.
-#ACMEIssuer: {
-	// Email is the email address to be associated with the ACME account.
-	// This field is optional, but it is strongly recommended to be set.
-	// It will be used to contact you in case of issues with your account or
-	// certificates, including expiry notification emails.
-	// This field may be updated after the account is initially registered.
-	// +optional
-	email?: string @go(Email)
-
-	// Server is the URL used to access the ACME server's 'directory' endpoint.
-	// For example, for Let's Encrypt's staging endpoint, you would use:
-	// "https://acme-staging-v02.api.letsencrypt.org/directory".
-	// Only ACME v2 endpoints (i.e. RFC 8555) are supported.
-	server: string @go(Server)
-
-	// PreferredChain is the chain to use if the ACME server outputs multiple.
-	// PreferredChain is no guarantee that this one gets delivered by the ACME
-	// endpoint.
-	// For example, for Let's Encrypt's DST crosssign you would use:
-	// "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
-	// This value picks the first certificate bundle in the ACME alternative
-	// chains that has a certificate with this value as its issuer's CN
-	// +optional
-	// +kubebuilder:validation:MaxLength=64
-	preferredChain: string @go(PreferredChain)
-
-	// Enables or disables validation of the ACME server TLS certificate.
-	// If true, requests to the ACME server will not have their TLS certificate
-	// validated (i.e. insecure connections will be allowed).
-	// Only enable this option in development environments.
-	// The cert-manager system installed roots will be used to verify connections
-	// to the ACME server if this is false.
-	// Defaults to false.
-	// +optional
-	skipTLSVerify?: bool @go(SkipTLSVerify)
-
-	// ExternalAccountBinding is a reference to a CA external account of the ACME
-	// server.
-	// If set, upon registration cert-manager will attempt to associate the given
-	// external account credentials with the registered ACME account.
-	// +optional
-	externalAccountBinding?: null | #ACMEExternalAccountBinding @go(ExternalAccountBinding,*ACMEExternalAccountBinding)
-
-	// PrivateKey is the name of a Kubernetes Secret resource that will be used to
-	// store the automatically generated ACME account private key.
-	// Optionally, a `key` may be specified to select a specific entry within
-	// the named Secret resource.
-	// If `key` is not specified, a default of `tls.key` will be used.
-	privateKeySecretRef: cmmeta.#SecretKeySelector @go(PrivateKey)
-
-	// Solvers is a list of challenge solvers that will be used to solve
-	// ACME challenges for the matching domains.
-	// Solver configurations must be provided in order to obtain certificates
-	// from an ACME server.
-	// For more information, see: https://cert-manager.io/docs/configuration/acme/
-	// +optional
-	solvers?: [...#ACMEChallengeSolver] @go(Solvers,[]ACMEChallengeSolver)
-
-	// Enables or disables generating a new ACME account key.
-	// If true, the Issuer resource will *not* request a new account but will expect
-	// the account key to be supplied via an existing secret.
-	// If false, the cert-manager system will generate a new ACME account key
-	// for the Issuer.
-	// Defaults to false.
-	// +optional
-	disableAccountKeyGeneration?: bool @go(DisableAccountKeyGeneration)
-
-	// Enables requesting a Not After date on certificates that matches the
-	// duration of the certificate. This is not supported by all ACME servers
-	// like Let's Encrypt. If set to true when the ACME server does not support
-	// it it will create an error on the Order.
-	// Defaults to false.
-	// +optional
-	enableDurationFeature?: bool @go(EnableDurationFeature)
-}
-
-// ACMEExternalAccountBinding is a reference to a CA external account of the ACME
-// server.
-#ACMEExternalAccountBinding: {
-	// keyID is the ID of the CA key that the External Account is bound to.
-	keyID: string @go(KeyID)
-
-	// keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
-	// Secret which holds the symmetric MAC key of the External Account Binding.
-	// The `key` is the index string that is paired with the key data in the
-	// Secret and should not be confused with the key data itself, or indeed with
-	// the External Account Binding keyID above.
-	// The secret key stored in the Secret **must** be un-padded, base64 URL
-	// encoded data.
-	keySecretRef: cmmeta.#SecretKeySelector @go(Key)
-
-	// Deprecated: keyAlgorithm field exists for historical compatibility
-	// reasons and should not be used. The algorithm is now hardcoded to HS256
-	// in golang/x/crypto/acme.
-	// +optional
-	keyAlgorithm?: #HMACKeyAlgorithm @go(KeyAlgorithm)
-}
-
-// HMACKeyAlgorithm is the name of a key algorithm used for HMAC encryption
-// +kubebuilder:validation:Enum=HS256;HS384;HS512
-#HMACKeyAlgorithm: string // #enumHMACKeyAlgorithm
-
-#enumHMACKeyAlgorithm:
-	#HS256 |
-	#HS384 |
-	#HS512
-
-#HS256: #HMACKeyAlgorithm & "HS256"
-#HS384: #HMACKeyAlgorithm & "HS384"
-#HS512: #HMACKeyAlgorithm & "HS512"
-
-// An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
-// A selector may be provided to use different solving strategies for different DNS names.
-// Only one of HTTP01 or DNS01 must be provided.
-#ACMEChallengeSolver: {
-	// Selector selects a set of DNSNames on the Certificate resource that
-	// should be solved using this challenge solver.
-	// If not specified, the solver will be treated as the 'default' solver
-	// with the lowest priority, i.e. if any other solver has a more specific
-	// match, it will be used instead.
-	// +optional
-	selector?: null | #CertificateDNSNameSelector @go(Selector,*CertificateDNSNameSelector)
-
-	// Configures cert-manager to attempt to complete authorizations by
-	// performing the HTTP01 challenge flow.
-	// It is not possible to obtain certificates for wildcard domain names
-	// (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
-	// +optional
-	http01?: null | #ACMEChallengeSolverHTTP01 @go(HTTP01,*ACMEChallengeSolverHTTP01)
-
-	// Configures cert-manager to attempt to complete authorizations by
-	// performing the DNS01 challenge flow.
-	// +optional
-	dns01?: null | #ACMEChallengeSolverDNS01 @go(DNS01,*ACMEChallengeSolverDNS01)
-}
-
-// CertificateDNSNameSelector selects certificates using a label selector, and
-// can optionally select individual DNS names within those certificates.
-// If both MatchLabels and DNSNames are empty, this selector will match all
-// certificates and DNS names within them.
-#CertificateDNSNameSelector: {
-	// A label selector that is used to refine the set of certificate's that
-	// this challenge solver will apply to.
-	// +optional
-	matchLabels?: {[string]: string} @go(MatchLabels,map[string]string)
-
-	// List of DNSNames that this solver will be used to solve.
-	// If specified and a match is found, a dnsNames selector will take
-	// precedence over a dnsZones selector.
-	// If multiple solvers match with the same dnsNames value, the solver
-	// with the most matching labels in matchLabels will be selected.
-	// If neither has more matches, the solver defined earlier in the list
-	// will be selected.
-	// +optional
-	dnsNames?: [...string] @go(DNSNames,[]string)
-
-	// List of DNSZones that this solver will be used to solve.
-	// The most specific DNS zone match specified here will take precedence
-	// over other DNS zone matches, so a solver specifying sys.example.com
-	// will be selected over one specifying example.com for the domain
-	// www.sys.example.com.
-	// If multiple solvers match with the same dnsZones value, the solver
-	// with the most matching labels in matchLabels will be selected.
-	// If neither has more matches, the solver defined earlier in the list
-	// will be selected.
-	// +optional
-	dnsZones?: [...string] @go(DNSZones,[]string)
-}
-
-// ACMEChallengeSolverHTTP01 contains configuration detailing how to solve
-// HTTP01 challenges within a Kubernetes cluster.
-// Typically this is accomplished through creating 'routes' of some description
-// that configure ingress controllers to direct traffic to 'solver pods', which
-// are responsible for responding to the ACME server's HTTP requests.
-// Only one of Ingress / Gateway can be specified.
-#ACMEChallengeSolverHTTP01: {
-	// The ingress based HTTP01 challenge solver will solve challenges by
-	// creating or modifying Ingress resources in order to route requests for
-	// '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
-	// provisioned by cert-manager for each Challenge to be completed.
-	// +optional
-	ingress?: null | #ACMEChallengeSolverHTTP01Ingress @go(Ingress,*ACMEChallengeSolverHTTP01Ingress)
-
-	// The Gateway API is a sig-network community API that models service networking
-	// in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
-	// create HTTPRoutes with the specified labels in the same namespace as the challenge.
-	// This solver is experimental, and fields / behaviour may change in the future.
-	// +optional
-	gatewayHTTPRoute?: null | #ACMEChallengeSolverHTTP01GatewayHTTPRoute @go(GatewayHTTPRoute,*ACMEChallengeSolverHTTP01GatewayHTTPRoute)
-}
-
-#ACMEChallengeSolverHTTP01Ingress: {
-	// Optional service type for Kubernetes solver service. Supported values
-	// are NodePort or ClusterIP. If unset, defaults to NodePort.
-	// +optional
-	serviceType?: corev1.#ServiceType @go(ServiceType)
-
-	// The ingress class to use when creating Ingress resources to solve ACME
-	// challenges that use this challenge solver.
-	// Only one of 'class' or 'name' may be specified.
-	// +optional
-	class?: null | string @go(Class,*string)
-
-	// The name of the ingress resource that should have ACME challenge solving
-	// routes inserted into it in order to solve HTTP01 challenges.
-	// This is typically used in conjunction with ingress controllers like
-	// ingress-gce, which maintains a 1:1 mapping between external IPs and
-	// ingress resources.
-	// +optional
-	name?: string @go(Name)
-
-	// Optional pod template used to configure the ACME challenge solver pods
-	// used for HTTP01 challenges.
-	// +optional
-	podTemplate?: null | #ACMEChallengeSolverHTTP01IngressPodTemplate @go(PodTemplate,*ACMEChallengeSolverHTTP01IngressPodTemplate)
-
-	// Optional ingress template used to configure the ACME challenge solver
-	// ingress used for HTTP01 challenges.
-	// +optional
-	ingressTemplate?: null | #ACMEChallengeSolverHTTP01IngressTemplate @go(IngressTemplate,*ACMEChallengeSolverHTTP01IngressTemplate)
-}
-
-// The ACMEChallengeSolverHTTP01GatewayHTTPRoute solver will create HTTPRoute objects for a Gateway class
-// routing to an ACME challenge solver pod.
-#ACMEChallengeSolverHTTP01GatewayHTTPRoute: {
-	// Optional service type for Kubernetes solver service. Supported values
-	// are NodePort or ClusterIP. If unset, defaults to NodePort.
-	// +optional
-	serviceType?: corev1.#ServiceType @go(ServiceType)
-
-	// The labels that cert-manager will use when creating the temporary
-	// HTTPRoute needed for solving the HTTP-01 challenge. These labels
-	// must match the label selector of at least one Gateway.
-	labels?: {[string]: string} @go(Labels,map[string]string)
-}
-
-#ACMEChallengeSolverHTTP01IngressPodTemplate: {
-	// ObjectMeta overrides for the pod used to solve HTTP01 challenges.
-	// Only the 'labels' and 'annotations' fields may be set.
-	// If labels or annotations overlap with in-built values, the values here
-	// will override the in-built values.
-	// +optional
-	metadata: #ACMEChallengeSolverHTTP01IngressPodObjectMeta @go(ACMEChallengeSolverHTTP01IngressPodObjectMeta)
-
-	// PodSpec defines overrides for the HTTP01 challenge solver pod.
-	// Only the 'priorityClassName', 'nodeSelector', 'affinity',
-	// 'serviceAccountName' and 'tolerations' fields are supported currently.
-	// All other fields will be ignored.
-	// +optional
-	spec: #ACMEChallengeSolverHTTP01IngressPodSpec @go(Spec)
-}
-
-#ACMEChallengeSolverHTTP01IngressPodObjectMeta: {
-	// Annotations that should be added to the create ACME HTTP01 solver pods.
-	// +optional
-	annotations?: {[string]: string} @go(Annotations,map[string]string)
-
-	// Labels that should be added to the created ACME HTTP01 solver pods.
-	// +optional
-	labels?: {[string]: string} @go(Labels,map[string]string)
-}
-
-#ACMEChallengeSolverHTTP01IngressPodSpec: {
-	// NodeSelector is a selector which must be true for the pod to fit on a node.
-	// Selector which must match a node's labels for the pod to be scheduled on that node.
-	// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
-	// +optional
-	nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string)
-
-	// If specified, the pod's scheduling constraints
-	// +optional
-	affinity?: null | corev1.#Affinity @go(Affinity,*corev1.Affinity)
-
-	// If specified, the pod's tolerations.
-	// +optional
-	tolerations?: [...corev1.#Toleration] @go(Tolerations,[]corev1.Toleration)
-
-	// If specified, the pod's priorityClassName.
-	// +optional
-	priorityClassName?: string @go(PriorityClassName)
-
-	// If specified, the pod's service account
-	// +optional
-	serviceAccountName?: string @go(ServiceAccountName)
-}
-
-#ACMEChallengeSolverHTTP01IngressTemplate: {
-	// ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
-	// Only the 'labels' and 'annotations' fields may be set.
-	// If labels or annotations overlap with in-built values, the values here
-	// will override the in-built values.
-	// +optional
-	metadata: #ACMEChallengeSolverHTTP01IngressObjectMeta @go(ACMEChallengeSolverHTTP01IngressObjectMeta)
-}
-
-#ACMEChallengeSolverHTTP01IngressObjectMeta: {
-	// Annotations that should be added to the created ACME HTTP01 solver ingress.
-	// +optional
-	annotations?: {[string]: string} @go(Annotations,map[string]string)
-
-	// Labels that should be added to the created ACME HTTP01 solver ingress.
-	// +optional
-	labels?: {[string]: string} @go(Labels,map[string]string)
-}
-
-// Used to configure a DNS01 challenge provider to be used when solving DNS01
-// challenges.
-// Only one DNS provider may be configured per solver.
-#ACMEChallengeSolverDNS01: {
-	// CNAMEStrategy configures how the DNS01 provider should handle CNAME
-	// records when found in DNS zones.
-	// +optional
-	cnameStrategy?: #CNAMEStrategy @go(CNAMEStrategy)
-
-	// Use the Akamai DNS zone management API to manage DNS01 challenge records.
-	// +optional
-	akamai?: null | #ACMEIssuerDNS01ProviderAkamai @go(Akamai,*ACMEIssuerDNS01ProviderAkamai)
-
-	// Use the Google Cloud DNS API to manage DNS01 challenge records.
-	// +optional
-	cloudDNS?: null | #ACMEIssuerDNS01ProviderCloudDNS @go(CloudDNS,*ACMEIssuerDNS01ProviderCloudDNS)
-
-	// Use the Cloudflare API to manage DNS01 challenge records.
-	// +optional
-	cloudflare?: null | #ACMEIssuerDNS01ProviderCloudflare @go(Cloudflare,*ACMEIssuerDNS01ProviderCloudflare)
-
-	// Use the AWS Route53 API to manage DNS01 challenge records.
-	// +optional
-	route53?: null | #ACMEIssuerDNS01ProviderRoute53 @go(Route53,*ACMEIssuerDNS01ProviderRoute53)
-
-	// Use the Microsoft Azure DNS API to manage DNS01 challenge records.
-	// +optional
-	azureDNS?: null | #ACMEIssuerDNS01ProviderAzureDNS @go(AzureDNS,*ACMEIssuerDNS01ProviderAzureDNS)
-
-	// Use the DigitalOcean DNS API to manage DNS01 challenge records.
-	// +optional
-	digitalocean?: null | #ACMEIssuerDNS01ProviderDigitalOcean @go(DigitalOcean,*ACMEIssuerDNS01ProviderDigitalOcean)
-
-	// Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
-	// DNS01 challenge records.
-	// +optional
-	acmeDNS?: null | #ACMEIssuerDNS01ProviderAcmeDNS @go(AcmeDNS,*ACMEIssuerDNS01ProviderAcmeDNS)
-
-	// Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
-	// to manage DNS01 challenge records.
-	// +optional
-	rfc2136?: null | #ACMEIssuerDNS01ProviderRFC2136 @go(RFC2136,*ACMEIssuerDNS01ProviderRFC2136)
-
-	// Configure an external webhook based DNS01 challenge solver to manage
-	// DNS01 challenge records.
-	// +optional
-	webhook?: null | #ACMEIssuerDNS01ProviderWebhook @go(Webhook,*ACMEIssuerDNS01ProviderWebhook)
-}
-
-// CNAMEStrategy configures how the DNS01 provider should handle CNAME records
-// when found in DNS zones.
-// By default, the None strategy will be applied (i.e. do not follow CNAMEs).
-// +kubebuilder:validation:Enum=None;Follow
-#CNAMEStrategy: string
-
-// NoneStrategy indicates that no CNAME resolution strategy should be used
-// when determining which DNS zone to update during DNS01 challenges.
-#NoneStrategy: "None"
-
-// FollowStrategy will cause cert-manager to recurse through CNAMEs in
-// order to determine which DNS zone to update during DNS01 challenges.
-// This is useful if you do not want to grant cert-manager access to your
-// root DNS zone, and instead delegate the _acme-challenge.example.com
-// subdomain to some other, less privileged domain.
-#FollowStrategy: "Follow"
-
-// ACMEIssuerDNS01ProviderAkamai is a structure containing the DNS
-// configuration for Akamai DNS—Zone Record Management API
-#ACMEIssuerDNS01ProviderAkamai: {
-	serviceConsumerDomain: string                    @go(ServiceConsumerDomain)
-	clientTokenSecretRef:  cmmeta.#SecretKeySelector @go(ClientToken)
-	clientSecretSecretRef: cmmeta.#SecretKeySelector @go(ClientSecret)
-	accessTokenSecretRef:  cmmeta.#SecretKeySelector @go(AccessToken)
-}
-
-// ACMEIssuerDNS01ProviderCloudDNS is a structure containing the DNS
-// configuration for Google Cloud DNS
-#ACMEIssuerDNS01ProviderCloudDNS: {
-	// +optional
-	serviceAccountSecretRef?: null | cmmeta.#SecretKeySelector @go(ServiceAccount,*cmmeta.SecretKeySelector)
-	project:                  string                           @go(Project)
-
-	// HostedZoneName is an optional field that tells cert-manager in which
-	// Cloud DNS zone the challenge record has to be created.
-	// If left empty cert-manager will automatically choose a zone.
-	// +optional
-	hostedZoneName?: string @go(HostedZoneName)
-}
-
-// ACMEIssuerDNS01ProviderCloudflare is a structure containing the DNS
-// configuration for Cloudflare.
-// One of `apiKeySecretRef` or `apiTokenSecretRef` must be provided.
-#ACMEIssuerDNS01ProviderCloudflare: {
-	// Email of the account, only required when using API key based authentication.
-	// +optional
-	email?: string @go(Email)
-
-	// API key to use to authenticate with Cloudflare.
-	// Note: using an API token to authenticate is now the recommended method
-	// as it allows greater control of permissions.
-	// +optional
-	apiKeySecretRef?: null | cmmeta.#SecretKeySelector @go(APIKey,*cmmeta.SecretKeySelector)
-
-	// API token used to authenticate with Cloudflare.
-	// +optional
-	apiTokenSecretRef?: null | cmmeta.#SecretKeySelector @go(APIToken,*cmmeta.SecretKeySelector)
-}
-
-// ACMEIssuerDNS01ProviderDigitalOcean is a structure containing the DNS
-// configuration for DigitalOcean Domains
-#ACMEIssuerDNS01ProviderDigitalOcean: {
-	tokenSecretRef: cmmeta.#SecretKeySelector @go(Token)
-}
-
-// ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53
-// configuration for AWS
-#ACMEIssuerDNS01ProviderRoute53: {
-	// The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
-	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-	// +optional
-	accessKeyID?: string @go(AccessKeyID)
-
-	// The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
-	// https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
-	// +optional
-	secretAccessKeySecretRef: cmmeta.#SecretKeySelector @go(SecretAccessKey)
-
-	// Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
-	// or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
-	// +optional
-	role?: string @go(Role)
-
-	// If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
-	// +optional
-	hostedZoneID?: string @go(HostedZoneID)
-
-	// Always set the region when using AccessKeyID and SecretAccessKey
-	region: string @go(Region)
-}
-
-// ACMEIssuerDNS01ProviderAzureDNS is a structure containing the
-// configuration for Azure DNS
-#ACMEIssuerDNS01ProviderAzureDNS: {
-	// if both this and ClientSecret are left unset MSI will be used
-	// +optional
-	clientID?: string @go(ClientID)
-
-	// if both this and ClientID are left unset MSI will be used
-	// +optional
-	clientSecretSecretRef?: null | cmmeta.#SecretKeySelector @go(ClientSecret,*cmmeta.SecretKeySelector)
-
-	// ID of the Azure subscription
-	subscriptionID: string @go(SubscriptionID)
-
-	// when specifying ClientID and ClientSecret then this field is also needed
-	// +optional
-	tenantID?: string @go(TenantID)
-
-	// resource group the DNS zone is located in
-	resourceGroupName: string @go(ResourceGroupName)
-
-	// name of the DNS zone that should be used
-	// +optional
-	hostedZoneName?: string @go(HostedZoneName)
-
-	// name of the Azure environment (default AzurePublicCloud)
-	// +optional
-	environment?: #AzureDNSEnvironment @go(Environment)
-
-	// managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
-	// +optional
-	managedIdentity?: null | #AzureManagedIdentity @go(ManagedIdentity,*AzureManagedIdentity)
-}
-
-#AzureManagedIdentity: {
-	// client ID of the managed identity, can not be used at the same time as resourceID
-	// +optional
-	clientID?: string @go(ClientID)
-
-	// resource ID of the managed identity, can not be used at the same time as clientID
-	// +optional
-	resourceID?: string @go(ResourceID)
-}
-
-// +kubebuilder:validation:Enum=AzurePublicCloud;AzureChinaCloud;AzureGermanCloud;AzureUSGovernmentCloud
-#AzureDNSEnvironment: string // #enumAzureDNSEnvironment
-
-#enumAzureDNSEnvironment:
-	#AzurePublicCloud |
-	#AzureChinaCloud |
-	#AzureGermanCloud |
-	#AzureUSGovernmentCloud
-
-#AzurePublicCloud:       #AzureDNSEnvironment & "AzurePublicCloud"
-#AzureChinaCloud:        #AzureDNSEnvironment & "AzureChinaCloud"
-#AzureGermanCloud:       #AzureDNSEnvironment & "AzureGermanCloud"
-#AzureUSGovernmentCloud: #AzureDNSEnvironment & "AzureUSGovernmentCloud"
-
-// ACMEIssuerDNS01ProviderAcmeDNS is a structure containing the
-// configuration for ACME-DNS servers
-#ACMEIssuerDNS01ProviderAcmeDNS: {
-	host:             string                    @go(Host)
-	accountSecretRef: cmmeta.#SecretKeySelector @go(AccountSecret)
-}
-
-// ACMEIssuerDNS01ProviderRFC2136 is a structure containing the
-// configuration for RFC2136 DNS
-#ACMEIssuerDNS01ProviderRFC2136: {
-	// The IP address or hostname of an authoritative DNS server supporting
-	// RFC2136 in the form host:port. If the host is an IPv6 address it must be
-	// enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
-	// This field is required.
-	nameserver: string @go(Nameserver)
-
-	// The name of the secret containing the TSIG value.
-	// If ``tsigKeyName`` is defined, this field is required.
-	// +optional
-	tsigSecretSecretRef?: cmmeta.#SecretKeySelector @go(TSIGSecret)
-
-	// The TSIG Key name configured in the DNS.
-	// If ``tsigSecretSecretRef`` is defined, this field is required.
-	// +optional
-	tsigKeyName?: string @go(TSIGKeyName)
-
-	// The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
-	// when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
-	// Supported values are (case-insensitive): ``HMACMD5`` (default),
-	// ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
-	// +optional
-	tsigAlgorithm?: string @go(TSIGAlgorithm)
-}
-
-// ACMEIssuerDNS01ProviderWebhook specifies configuration for a webhook DNS01
-// provider, including where to POST ChallengePayload resources.
-#ACMEIssuerDNS01ProviderWebhook: {
-	// The API group name that should be used when POSTing ChallengePayload
-	// resources to the webhook apiserver.
-	// This should be the same as the GroupName specified in the webhook
-	// provider implementation.
-	groupName: string @go(GroupName)
-
-	// The name of the solver to use, as defined in the webhook provider
-	// implementation.
-	// This will typically be the name of the provider, e.g. 'cloudflare'.
-	solverName: string @go(SolverName)
-
-	// Additional configuration that should be passed to the webhook apiserver
-	// when challenges are processed.
-	// This can contain arbitrary JSON data.
-	// Secret values should not be specified in this stanza.
-	// If secret values are needed (e.g. credentials for a DNS service), you
-	// should use a SecretKeySelector to reference a Secret resource.
-	// For details on the schema of this field, consult the webhook provider
-	// implementation's documentation.
-	// +optional
-	config?: null | apiextensionsv1.#JSON @go(Config,*apiextensionsv1.JSON)
-}
-
-#ACMEIssuerStatus: {
-	// URI is the unique account identifier, which can also be used to retrieve
-	// account details from the CA
-	// +optional
-	uri?: string @go(URI)
-
-	// LastRegisteredEmail is the email associated with the latest registered
-	// ACME account, in order to track changes made to registered account
-	// associated with the  Issuer
-	// +optional
-	lastRegisteredEmail?: string @go(LastRegisteredEmail)
-}

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_order_go_gen.cue

@@ -1,228 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
-
-package v1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
-)
-
-// Order is a type to represent an Order with an ACME server
-// +k8s:openapi-gen=true
-#Order: {
-	metav1.#TypeMeta
-	metadata: metav1.#ObjectMeta @go(ObjectMeta)
-	spec:     #OrderSpec         @go(Spec)
-
-	// +optional
-	status: #OrderStatus @go(Status)
-}
-
-// OrderList is a list of Orders
-#OrderList: {
-	metav1.#TypeMeta
-	metadata: metav1.#ListMeta @go(ListMeta)
-	items: [...#Order] @go(Items,[]Order)
-}
-
-#OrderSpec: {
-	// Certificate signing request bytes in DER encoding.
-	// This will be used when finalizing the order.
-	// This field must be set on the order.
-	request: bytes @go(Request,[]byte)
-
-	// IssuerRef references a properly configured ACME-type Issuer which should
-	// be used to create this Order.
-	// If the Issuer does not exist, processing will be retried.
-	// If the Issuer is not an 'ACME' Issuer, an error will be returned and the
-	// Order will be marked as failed.
-	issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
-
-	// CommonName is the common name as specified on the DER encoded CSR.
-	// If specified, this value must also be present in `dnsNames` or `ipAddresses`.
-	// This field must match the corresponding field on the DER encoded CSR.
-	// +optional
-	commonName?: string @go(CommonName)
-
-	// DNSNames is a list of DNS names that should be included as part of the Order
-	// validation process.
-	// This field must match the corresponding field on the DER encoded CSR.
-	//+optional
-	dnsNames?: [...string] @go(DNSNames,[]string)
-
-	// IPAddresses is a list of IP addresses that should be included as part of the Order
-	// validation process.
-	// This field must match the corresponding field on the DER encoded CSR.
-	// +optional
-	ipAddresses?: [...string] @go(IPAddresses,[]string)
-
-	// Duration is the duration for the not after date for the requested certificate.
-	// this is set on order creation as pe the ACME spec.
-	// +optional
-	duration?: null | metav1.#Duration @go(Duration,*metav1.Duration)
-}
-
-#OrderStatus: {
-	// URL of the Order.
-	// This will initially be empty when the resource is first created.
-	// The Order controller will populate this field when the Order is first processed.
-	// This field will be immutable after it is initially set.
-	// +optional
-	url?: string @go(URL)
-
-	// FinalizeURL of the Order.
-	// This is used to obtain certificates for this order once it has been completed.
-	// +optional
-	finalizeURL?: string @go(FinalizeURL)
-
-	// Authorizations contains data returned from the ACME server on what
-	// authorizations must be completed in order to validate the DNS names
-	// specified on the Order.
-	// +optional
-	authorizations?: [...#ACMEAuthorization] @go(Authorizations,[]ACMEAuthorization)
-
-	// Certificate is a copy of the PEM encoded certificate for this Order.
-	// This field will be populated after the order has been successfully
-	// finalized with the ACME server, and the order has transitioned to the
-	// 'valid' state.
-	// +optional
-	certificate?: bytes @go(Certificate,[]byte)
-
-	// State contains the current state of this Order resource.
-	// States 'success' and 'expired' are 'final'
-	// +optional
-	state?: #State @go(State)
-
-	// Reason optionally provides more information about a why the order is in
-	// the current state.
-	// +optional
-	reason?: string @go(Reason)
-
-	// FailureTime stores the time that this order failed.
-	// This is used to influence garbage collection and back-off.
-	// +optional
-	failureTime?: null | metav1.#Time @go(FailureTime,*metav1.Time)
-}
-
-// ACMEAuthorization contains data returned from the ACME server on an
-// authorization that must be completed in order validate a DNS name on an ACME
-// Order resource.
-#ACMEAuthorization: {
-	// URL is the URL of the Authorization that must be completed
-	url: string @go(URL)
-
-	// Identifier is the DNS name to be validated as part of this authorization
-	// +optional
-	identifier?: string @go(Identifier)
-
-	// Wildcard will be true if this authorization is for a wildcard DNS name.
-	// If this is true, the identifier will be the *non-wildcard* version of
-	// the DNS name.
-	// For example, if '*.example.com' is the DNS name being validated, this
-	// field will be 'true' and the 'identifier' field will be 'example.com'.
-	// +optional
-	wildcard?: null | bool @go(Wildcard,*bool)
-
-	// InitialState is the initial state of the ACME authorization when first
-	// fetched from the ACME server.
-	// If an Authorization is already 'valid', the Order controller will not
-	// create a Challenge resource for the authorization. This will occur when
-	// working with an ACME server that enables 'authz reuse' (such as Let's
-	// Encrypt's production endpoint).
-	// If not set and 'identifier' is set, the state is assumed to be pending
-	// and a Challenge will be created.
-	// +optional
-	initialState?: #State @go(InitialState)
-
-	// Challenges specifies the challenge types offered by the ACME server.
-	// One of these challenge types will be selected when validating the DNS
-	// name and an appropriate Challenge resource will be created to perform
-	// the ACME challenge process.
-	// +optional
-	challenges?: [...#ACMEChallenge] @go(Challenges,[]ACMEChallenge)
-}
-
-// Challenge specifies a challenge offered by the ACME server for an Order.
-// An appropriate Challenge resource can be created to perform the ACME
-// challenge process.
-#ACMEChallenge: {
-	// URL is the URL of this challenge. It can be used to retrieve additional
-	// metadata about the Challenge from the ACME server.
-	url: string @go(URL)
-
-	// Token is the token that must be presented for this challenge.
-	// This is used to compute the 'key' that must also be presented.
-	token: string @go(Token)
-
-	// Type is the type of challenge being offered, e.g. 'http-01', 'dns-01',
-	// 'tls-sni-01', etc.
-	// This is the raw value retrieved from the ACME server.
-	// Only 'http-01' and 'dns-01' are supported by cert-manager, other values
-	// will be ignored.
-	type: string @go(Type)
-}
-
-// State represents the state of an ACME resource, such as an Order.
-// The possible options here map to the corresponding values in the
-// ACME specification.
-// Full details of these values can be found here: https://tools.ietf.org/html/draft-ietf-acme-acme-15#section-7.1.6
-// Clients utilising this type must also gracefully handle unknown
-// values, as the contents of this enumeration may be added to over time.
-// +kubebuilder:validation:Enum=valid;ready;pending;processing;invalid;expired;errored
-#State: string // #enumState
-
-#enumState:
-	#Unknown |
-	#Valid |
-	#Ready |
-	#Pending |
-	#Processing |
-	#Invalid |
-	#Expired |
-	#Errored
-
-// Unknown is not a real state as part of the ACME spec.
-// It is used to represent an unrecognised value.
-#Unknown: #State & ""
-
-// Valid signifies that an ACME resource is in a valid state.
-// If an order is 'valid', it has been finalized with the ACME server and
-// the certificate can be retrieved from the ACME server using the
-// certificate URL stored in the Order's status subresource.
-// This is a final state.
-#Valid: #State & "valid"
-
-// Ready signifies that an ACME resource is in a ready state.
-// If an order is 'ready', all of its challenges have been completed
-// successfully and the order is ready to be finalized.
-// Once finalized, it will transition to the Valid state.
-// This is a transient state.
-#Ready: #State & "ready"
-
-// Pending signifies that an ACME resource is still pending and is not yet ready.
-// If an Order is marked 'Pending', the validations for that Order are still in progress.
-// This is a transient state.
-#Pending: #State & "pending"
-
-// Processing signifies that an ACME resource is being processed by the server.
-// If an Order is marked 'Processing', the validations for that Order are currently being processed.
-// This is a transient state.
-#Processing: #State & "processing"
-
-// Invalid signifies that an ACME resource is invalid for some reason.
-// If an Order is marked 'invalid', one of its validations be have invalid for some reason.
-// This is a final state.
-#Invalid: #State & "invalid"
-
-// Expired signifies that an ACME resource has expired.
-// If an Order is marked 'Expired', one of its validations may have expired or the Order itself.
-// This is a final state.
-#Expired: #State & "expired"
-
-// Errored signifies that the ACME resource has errored for some reason.
-// This is a catch-all state, and is used for marking internal cert-manager
-// errors such as validation failures.
-// This is a final state.
-#Errored: #State & "errored"

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/const_go_gen.cue

@@ -1,27 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
-
-package v1
-
-import "time"
-
-// minimum permitted certificate duration by cert-manager
-#MinimumCertificateDuration: time.#Duration & 3600000000000
-
-// default certificate duration if Issuer.spec.duration is not set
-#DefaultCertificateDuration: time.#Duration & 7776000000000000
-
-// minimum certificate duration before certificate expiration
-#MinimumRenewBefore: time.#Duration & 300000000000
-
-// Deprecated: the default is now 2/3 of Certificate's duration
-#DefaultRenewBefore: time.#Duration & 2592000000000000
-
-// Default index key for the Secret reference for Token authentication
-#DefaultVaultTokenAuthSecretKey: "token"
-
-// Default mount path location for Kubernetes ServiceAccount authentication
-// (/v1/auth/kubernetes). The endpoint will then be called at `/login`, so
-// left as the default, `/v1/auth/kubernetes/login` will be called.
-#DefaultVaultKubernetesAuthMountPath: "/v1/auth/kubernetes"

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/doc_go_gen.cue

@@ -1,9 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
-
-// Package v1 is the v1 version of the API.
-// +k8s:deepcopy-gen=package,register
-// +groupName=cert-manager.io
-// +groupGoName=Certmanager
-package v1

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/generic_issuer_go_gen.cue

@@ -1,7 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
-
-package v1
-
-#GenericIssuer: _

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_certificate_go_gen.cue

@@ -1,496 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
-
-package v1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
-)
-
-// A Certificate resource should be created to ensure an up to date and signed
-// x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
-//
-// The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
-// +k8s:openapi-gen=true
-#Certificate: {
-	metav1.#TypeMeta
-	metadata?: metav1.#ObjectMeta @go(ObjectMeta)
-
-	// Desired state of the Certificate resource.
-	spec: #CertificateSpec @go(Spec)
-
-	// Status of the Certificate. This is set and managed automatically.
-	// +optional
-	status: #CertificateStatus @go(Status)
-}
-
-// CertificateList is a list of Certificates
-#CertificateList: {
-	metav1.#TypeMeta
-	metadata: metav1.#ListMeta @go(ListMeta)
-	items: [...#Certificate] @go(Items,[]Certificate)
-}
-
-// +kubebuilder:validation:Enum=RSA;ECDSA;Ed25519
-#PrivateKeyAlgorithm: string // #enumPrivateKeyAlgorithm
-
-#enumPrivateKeyAlgorithm:
-	#RSAKeyAlgorithm |
-	#ECDSAKeyAlgorithm |
-	#Ed25519KeyAlgorithm
-
-// Denotes the RSA private key type.
-#RSAKeyAlgorithm: #PrivateKeyAlgorithm & "RSA"
-
-// Denotes the ECDSA private key type.
-#ECDSAKeyAlgorithm: #PrivateKeyAlgorithm & "ECDSA"
-
-// Denotes the Ed25519 private key type.
-#Ed25519KeyAlgorithm: #PrivateKeyAlgorithm & "Ed25519"
-
-// +kubebuilder:validation:Enum=PKCS1;PKCS8
-#PrivateKeyEncoding: string // #enumPrivateKeyEncoding
-
-#enumPrivateKeyEncoding:
-	#PKCS1 |
-	#PKCS8
-
-// PKCS1 key encoding will produce PEM files that include the type of
-// private key as part of the PEM header, e.g. `BEGIN RSA PRIVATE KEY`.
-// If the keyAlgorithm is set to 'ECDSA', this will produce private keys
-// that use the `BEGIN EC PRIVATE KEY` header.
-#PKCS1: #PrivateKeyEncoding & "PKCS1"
-
-// PKCS8 key encoding will produce PEM files with the `BEGIN PRIVATE KEY`
-// header. It encodes the keyAlgorithm of the private key as part of the
-// DER encoded PEM block.
-#PKCS8: #PrivateKeyEncoding & "PKCS8"
-
-// CertificateSpec defines the desired state of Certificate.
-// A valid Certificate requires at least one of a CommonName, DNSName, or
-// URISAN to be valid.
-#CertificateSpec: {
-	// Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
-	// +optional
-	subject?: null | #X509Subject @go(Subject,*X509Subject)
-
-	// CommonName is a common name to be used on the Certificate.
-	// The CommonName should have a length of 64 characters or fewer to avoid
-	// generating invalid CSRs.
-	// This value is ignored by TLS clients when any subject alt name is set.
-	// This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4
-	// +optional
-	commonName?: string @go(CommonName)
-
-	// The requested 'duration' (i.e. lifetime) of the Certificate. This option
-	// may be ignored/overridden by some issuer types. If unset this defaults to
-	// 90 days. Certificate will be renewed either 2/3 through its duration or
-	// `renewBefore` period before its expiry, whichever is later. Minimum
-	// accepted duration is 1 hour. Value must be in units accepted by Go
-	// time.ParseDuration https://golang.org/pkg/time/#ParseDuration
-	// +optional
-	duration?: null | metav1.#Duration @go(Duration,*metav1.Duration)
-
-	// How long before the currently issued certificate's expiry
-	// cert-manager should renew the certificate. The default is 2/3 of the
-	// issued certificate's duration. Minimum accepted value is 5 minutes.
-	// Value must be in units accepted by Go time.ParseDuration
-	// https://golang.org/pkg/time/#ParseDuration
-	// +optional
-	renewBefore?: null | metav1.#Duration @go(RenewBefore,*metav1.Duration)
-
-	// DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
-	// +optional
-	dnsNames?: [...string] @go(DNSNames,[]string)
-
-	// IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
-	// +optional
-	ipAddresses?: [...string] @go(IPAddresses,[]string)
-
-	// URIs is a list of URI subjectAltNames to be set on the Certificate.
-	// +optional
-	uris?: [...string] @go(URIs,[]string)
-
-	// EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
-	// +optional
-	emailAddresses?: [...string] @go(EmailAddresses,[]string)
-
-	// SecretName is the name of the secret resource that will be automatically
-	// created and managed by this Certificate resource.
-	// It will be populated with a private key and certificate, signed by the
-	// denoted issuer.
-	secretName: string @go(SecretName)
-
-	// SecretTemplate defines annotations and labels to be copied to the
-	// Certificate's Secret. Labels and annotations on the Secret will be changed
-	// as they appear on the SecretTemplate when added or removed. SecretTemplate
-	// annotations are added in conjunction with, and cannot overwrite, the base
-	// set of annotations cert-manager sets on the Certificate's Secret.
-	// +optional
-	secretTemplate?: null | #CertificateSecretTemplate @go(SecretTemplate,*CertificateSecretTemplate)
-
-	// Keystores configures additional keystore output formats stored in the
-	// `secretName` Secret resource.
-	// +optional
-	keystores?: null | #CertificateKeystores @go(Keystores,*CertificateKeystores)
-
-	// IssuerRef is a reference to the issuer for this certificate.
-	// If the `kind` field is not set, or set to `Issuer`, an Issuer resource
-	// with the given name in the same namespace as the Certificate will be used.
-	// If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the
-	// provided name will be used.
-	// The `name` field in this stanza is required at all times.
-	issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
-
-	// IsCA will mark this Certificate as valid for certificate signing.
-	// This will automatically add the `cert sign` usage to the list of `usages`.
-	// +optional
-	isCA?: bool @go(IsCA)
-
-	// Usages is the set of x509 usages that are requested for the certificate.
-	// Defaults to `digital signature` and `key encipherment` if not specified.
-	// +optional
-	usages?: [...#KeyUsage] @go(Usages,[]KeyUsage)
-
-	// Options to control private keys used for the Certificate.
-	// +optional
-	privateKey?: null | #CertificatePrivateKey @go(PrivateKey,*CertificatePrivateKey)
-
-	// EncodeUsagesInRequest controls whether key usages should be present
-	// in the CertificateRequest
-	// +optional
-	encodeUsagesInRequest?: null | bool @go(EncodeUsagesInRequest,*bool)
-
-	// revisionHistoryLimit is the maximum number of CertificateRequest revisions
-	// that are maintained in the Certificate's history. Each revision represents
-	// a single `CertificateRequest` created by this Certificate, either when it
-	// was created, renewed, or Spec was changed. Revisions will be removed by
-	// oldest first if the number of revisions exceeds this number. If set,
-	// revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`),
-	// revisions will not be garbage collected. Default value is `nil`.
-	// +kubebuilder:validation:ExclusiveMaximum=false
-	// +optional
-	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32)
-
-	// AdditionalOutputFormats defines extra output formats of the private key
-	// and signed certificate chain to be written to this Certificate's target
-	// Secret. This is an Alpha Feature and is only enabled with the
-	// `--feature-gates=AdditionalCertificateOutputFormats=true` option on both
-	// the controller and webhook components.
-	// +optional
-	additionalOutputFormats?: [...#CertificateAdditionalOutputFormat] @go(AdditionalOutputFormats,[]CertificateAdditionalOutputFormat)
-}
-
-// CertificatePrivateKey contains configuration options for private keys
-// used by the Certificate controller.
-// This allows control of how private keys are rotated.
-#CertificatePrivateKey: {
-	// RotationPolicy controls how private keys should be regenerated when a
-	// re-issuance is being processed.
-	// If set to Never, a private key will only be generated if one does not
-	// already exist in the target `spec.secretName`. If one does exists but it
-	// does not have the correct algorithm or size, a warning will be raised
-	// to await user intervention.
-	// If set to Always, a private key matching the specified requirements
-	// will be generated whenever a re-issuance occurs.
-	// Default is 'Never' for backward compatibility.
-	// +optional
-	rotationPolicy?: #PrivateKeyRotationPolicy @go(RotationPolicy)
-
-	// The private key cryptography standards (PKCS) encoding for this
-	// certificate's private key to be encoded in.
-	// If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
-	// and PKCS#8, respectively.
-	// Defaults to `PKCS1` if not specified.
-	// +optional
-	encoding?: #PrivateKeyEncoding @go(Encoding)
-
-	// Algorithm is the private key algorithm of the corresponding private key
-	// for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA`
-	// If `algorithm` is specified and `size` is not provided,
-	// key size of 256 will be used for `ECDSA` key algorithm and
-	// key size of 2048 will be used for `RSA` key algorithm.
-	// key size is ignored when using the `Ed25519` key algorithm.
-	// +optional
-	algorithm?: #PrivateKeyAlgorithm @go(Algorithm)
-
-	// Size is the key bit size of the corresponding private key for this certificate.
-	// If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
-	// and will default to `2048` if not specified.
-	// If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
-	// and will default to `256` if not specified.
-	// If `algorithm` is set to `Ed25519`, Size is ignored.
-	// No other values are allowed.
-	// +optional
-	size?: int @go(Size)
-}
-
-// Denotes how private keys should be generated or sourced when a Certificate
-// is being issued.
-#PrivateKeyRotationPolicy: string
-
-// CertificateOutputFormatType specifies which additional output formats should
-// be written to the Certificate's target Secret.
-// Allowed values are `DER` or `CombinedPEM`.
-// When Type is set to `DER` an additional entry `key.der` will be written to
-// the Secret, containing the binary format of the private key.
-// When Type is set to `CombinedPEM` an additional entry `tls-combined.pem`
-// will be written to the Secret, containing the PEM formatted private key and
-// signed certificate chain (tls.key + tls.crt concatenated).
-// +kubebuilder:validation:Enum=DER;CombinedPEM
-#CertificateOutputFormatType: string // #enumCertificateOutputFormatType
-
-#enumCertificateOutputFormatType:
-	#CertificateOutputFormatDER |
-	#CertificateOutputFormatCombinedPEM
-
-// CertificateOutputFormatDERKey is the name of the data entry in the Secret
-// resource used to store the DER formatted private key.
-#CertificateOutputFormatDERKey: "key.der"
-
-// CertificateOutputFormatDER  writes the Certificate's private key in DER
-// binary format to the `key.der` target Secret Data key.
-#CertificateOutputFormatDER: #CertificateOutputFormatType & "DER"
-
-// CertificateOutputFormatCombinedPEMKey is the name of the data entry in the Secret
-// resource used to store the combined PEM (key + signed certificate).
-#CertificateOutputFormatCombinedPEMKey: "tls-combined.pem"
-
-// CertificateOutputFormatCombinedPEM  writes the Certificate's signed
-// certificate chain and private key, in PEM format, to the
-// `tls-combined.pem` target Secret Data key. The value at this key will
-// include the private key PEM document, followed by at least one new line
-// character, followed by the chain of signed certificate PEM documents
-// (`<private key> + \n + <signed certificate chain>`).
-#CertificateOutputFormatCombinedPEM: #CertificateOutputFormatType & "CombinedPEM"
-
-// CertificateAdditionalOutputFormat defines an additional output format of a
-// Certificate resource. These contain supplementary data formats of the signed
-// certificate chain and paired private key.
-#CertificateAdditionalOutputFormat: {
-	// Type is the name of the format type that should be written to the
-	// Certificate's target Secret.
-	type: #CertificateOutputFormatType @go(Type)
-}
-
-// X509Subject Full X509 name specification
-#X509Subject: {
-	// Organizations to be used on the Certificate.
-	// +optional
-	organizations?: [...string] @go(Organizations,[]string)
-
-	// Countries to be used on the Certificate.
-	// +optional
-	countries?: [...string] @go(Countries,[]string)
-
-	// Organizational Units to be used on the Certificate.
-	// +optional
-	organizationalUnits?: [...string] @go(OrganizationalUnits,[]string)
-
-	// Cities to be used on the Certificate.
-	// +optional
-	localities?: [...string] @go(Localities,[]string)
-
-	// State/Provinces to be used on the Certificate.
-	// +optional
-	provinces?: [...string] @go(Provinces,[]string)
-
-	// Street addresses to be used on the Certificate.
-	// +optional
-	streetAddresses?: [...string] @go(StreetAddresses,[]string)
-
-	// Postal codes to be used on the Certificate.
-	// +optional
-	postalCodes?: [...string] @go(PostalCodes,[]string)
-
-	// Serial number to be used on the Certificate.
-	// +optional
-	serialNumber?: string @go(SerialNumber)
-}
-
-// CertificateKeystores configures additional keystore output formats to be
-// created in the Certificate's output Secret.
-#CertificateKeystores: {
-	// JKS configures options for storing a JKS keystore in the
-	// `spec.secretName` Secret resource.
-	// +optional
-	jks?: null | #JKSKeystore @go(JKS,*JKSKeystore)
-
-	// PKCS12 configures options for storing a PKCS12 keystore in the
-	// `spec.secretName` Secret resource.
-	// +optional
-	pkcs12?: null | #PKCS12Keystore @go(PKCS12,*PKCS12Keystore)
-}
-
-// JKS configures options for storing a JKS keystore in the `spec.secretName`
-// Secret resource.
-#JKSKeystore: {
-	// Create enables JKS keystore creation for the Certificate.
-	// If true, a file named `keystore.jks` will be created in the target
-	// Secret resource, encrypted using the password stored in
-	// `passwordSecretRef`.
-	// The keystore file will only be updated upon re-issuance.
-	// A file named `truststore.jks` will also be created in the target
-	// Secret resource, encrypted using the password stored in
-	// `passwordSecretRef` containing the issuing Certificate Authority
-	create: bool @go(Create)
-
-	// PasswordSecretRef is a reference to a key in a Secret resource
-	// containing the password used to encrypt the JKS keystore.
-	passwordSecretRef: cmmeta.#SecretKeySelector @go(PasswordSecretRef)
-}
-
-// PKCS12 configures options for storing a PKCS12 keystore in the
-// `spec.secretName` Secret resource.
-#PKCS12Keystore: {
-	// Create enables PKCS12 keystore creation for the Certificate.
-	// If true, a file named `keystore.p12` will be created in the target
-	// Secret resource, encrypted using the password stored in
-	// `passwordSecretRef`.
-	// The keystore file will only be updated upon re-issuance.
-	// A file named `truststore.p12` will also be created in the target
-	// Secret resource, encrypted using the password stored in
-	// `passwordSecretRef` containing the issuing Certificate Authority
-	create: bool @go(Create)
-
-	// PasswordSecretRef is a reference to a key in a Secret resource
-	// containing the password used to encrypt the PKCS12 keystore.
-	passwordSecretRef: cmmeta.#SecretKeySelector @go(PasswordSecretRef)
-}
-
-// CertificateStatus defines the observed state of Certificate
-#CertificateStatus: {
-	// List of status conditions to indicate the status of certificates.
-	// Known condition types are `Ready` and `Issuing`.
-	// +optional
-	conditions?: [...#CertificateCondition] @go(Conditions,[]CertificateCondition)
-
-	// LastFailureTime is the time as recorded by the Certificate controller
-	// of the most recent failure to complete a CertificateRequest for this
-	// Certificate resource.
-	// If set, cert-manager will not re-request another Certificate until
-	// 1 hour has elapsed from this time.
-	// +optional
-	lastFailureTime?: null | metav1.#Time @go(LastFailureTime,*metav1.Time)
-
-	// The time after which the certificate stored in the secret named
-	// by this resource in spec.secretName is valid.
-	// +optional
-	notBefore?: null | metav1.#Time @go(NotBefore,*metav1.Time)
-
-	// The expiration time of the certificate stored in the secret named
-	// by this resource in `spec.secretName`.
-	// +optional
-	notAfter?: null | metav1.#Time @go(NotAfter,*metav1.Time)
-
-	// RenewalTime is the time at which the certificate will be next
-	// renewed.
-	// If not set, no upcoming renewal is scheduled.
-	// +optional
-	renewalTime?: null | metav1.#Time @go(RenewalTime,*metav1.Time)
-
-	// The current 'revision' of the certificate as issued.
-	//
-	// When a CertificateRequest resource is created, it will have the
-	// `cert-manager.io/certificate-revision` set to one greater than the
-	// current value of this field.
-	//
-	// Upon issuance, this field will be set to the value of the annotation
-	// on the CertificateRequest resource used to issue the certificate.
-	//
-	// Persisting the value on the CertificateRequest resource allows the
-	// certificates controller to know whether a request is part of an old
-	// issuance or if it is part of the ongoing revision's issuance by
-	// checking if the revision value in the annotation is greater than this
-	// field.
-	// +optional
-	revision?: null | int @go(Revision,*int)
-
-	// The name of the Secret resource containing the private key to be used
-	// for the next certificate iteration.
-	// The keymanager controller will automatically set this field if the
-	// `Issuing` condition is set to `True`.
-	// It will automatically unset this field when the Issuing condition is
-	// not set or False.
-	// +optional
-	nextPrivateKeySecretName?: null | string @go(NextPrivateKeySecretName,*string)
-}
-
-// CertificateCondition contains condition information for an Certificate.
-#CertificateCondition: {
-	// Type of the condition, known values are (`Ready`, `Issuing`).
-	type: #CertificateConditionType @go(Type)
-
-	// Status of the condition, one of (`True`, `False`, `Unknown`).
-	status: cmmeta.#ConditionStatus @go(Status)
-
-	// LastTransitionTime is the timestamp corresponding to the last status
-	// change of this condition.
-	// +optional
-	lastTransitionTime?: null | metav1.#Time @go(LastTransitionTime,*metav1.Time)
-
-	// Reason is a brief machine readable explanation for the condition's last
-	// transition.
-	// +optional
-	reason?: string @go(Reason)
-
-	// Message is a human readable description of the details of the last
-	// transition, complementing reason.
-	// +optional
-	message?: string @go(Message)
-
-	// If set, this represents the .metadata.generation that the condition was
-	// set based upon.
-	// For instance, if .metadata.generation is currently 12, but the
-	// .status.condition[x].observedGeneration is 9, the condition is out of date
-	// with respect to the current state of the Certificate.
-	// +optional
-	observedGeneration?: int64 @go(ObservedGeneration)
-}
-
-// CertificateConditionType represents an Certificate condition value.
-#CertificateConditionType: string // #enumCertificateConditionType
-
-#enumCertificateConditionType:
-	#CertificateConditionReady |
-	#CertificateConditionIssuing
-
-// CertificateConditionReady indicates that a certificate is ready for use.
-// This is defined as:
-// - The target secret exists
-// - The target secret contains a certificate that has not expired
-// - The target secret contains a private key valid for the certificate
-// - The commonName and dnsNames attributes match those specified on the Certificate
-#CertificateConditionReady: #CertificateConditionType & "Ready"
-
-// A condition added to Certificate resources when an issuance is required.
-// This condition will be automatically added and set to true if:
-//   * No keypair data exists in the target Secret
-//   * The data stored in the Secret cannot be decoded
-//   * The private key and certificate do not have matching public keys
-//   * If a CertificateRequest for the current revision exists and the
-//     certificate data stored in the Secret does not match the
-//    `status.certificate` on the CertificateRequest.
-//   * If no CertificateRequest resource exists for the current revision,
-//     the options on the Certificate resource are compared against the
-//     x509 data in the Secret, similar to what's done in earlier versions.
-//     If there is a mismatch, an issuance is triggered.
-// This condition may also be added by external API consumers to trigger
-// a re-issuance manually for any other reason.
-//
-// It will be removed by the 'issuing' controller upon completing issuance.
-#CertificateConditionIssuing: #CertificateConditionType & "Issuing"
-
-// CertificateSecretTemplate defines the default labels and annotations
-// to be copied to the Kubernetes Secret resource named in `CertificateSpec.secretName`.
-#CertificateSecretTemplate: {
-	// Annotations is a key value map to be copied to the target Kubernetes Secret.
-	// +optional
-	annotations?: {[string]: string} @go(Annotations,map[string]string)
-
-	// Labels is a key value map to be copied to the target Kubernetes Secret.
-	// +optional
-	labels?: {[string]: string} @go(Labels,map[string]string)
-}

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_certificaterequest_go_gen.cue

@@ -1,195 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
-
-package v1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
-)
-
-// Pending indicates that a CertificateRequest is still in progress.
-#CertificateRequestReasonPending: "Pending"
-
-// Failed indicates that a CertificateRequest has failed, either due to
-// timing out or some other critical failure.
-#CertificateRequestReasonFailed: "Failed"
-
-// Issued indicates that a CertificateRequest has been completed, and that
-// the `status.certificate` field is set.
-#CertificateRequestReasonIssued: "Issued"
-
-// Denied is a Ready condition reason that indicates that a
-// CertificateRequest has been denied, and the CertificateRequest will never
-// be issued.
-#CertificateRequestReasonDenied: "Denied"
-
-// A CertificateRequest is used to request a signed certificate from one of the
-// configured issuers.
-//
-// All fields within the CertificateRequest's `spec` are immutable after creation.
-// A CertificateRequest will either succeed or fail, as denoted by its `status.state`
-// field.
-//
-// A CertificateRequest is a one-shot resource, meaning it represents a single
-// point in time request for a certificate and cannot be re-used.
-// +k8s:openapi-gen=true
-#CertificateRequest: {
-	metav1.#TypeMeta
-	metadata?: metav1.#ObjectMeta @go(ObjectMeta)
-
-	// Desired state of the CertificateRequest resource.
-	spec: #CertificateRequestSpec @go(Spec)
-
-	// Status of the CertificateRequest. This is set and managed automatically.
-	// +optional
-	status: #CertificateRequestStatus @go(Status)
-}
-
-// CertificateRequestList is a list of Certificates
-#CertificateRequestList: {
-	metav1.#TypeMeta
-	metadata: metav1.#ListMeta @go(ListMeta)
-	items: [...#CertificateRequest] @go(Items,[]CertificateRequest)
-}
-
-// CertificateRequestSpec defines the desired state of CertificateRequest
-#CertificateRequestSpec: {
-	// The requested 'duration' (i.e. lifetime) of the Certificate.
-	// This option may be ignored/overridden by some issuer types.
-	// +optional
-	duration?: null | metav1.#Duration @go(Duration,*metav1.Duration)
-
-	// IssuerRef is a reference to the issuer for this CertificateRequest.  If
-	// the `kind` field is not set, or set to `Issuer`, an Issuer resource with
-	// the given name in the same namespace as the CertificateRequest will be
-	// used.  If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with
-	// the provided name will be used. The `name` field in this stanza is
-	// required at all times. The group field refers to the API group of the
-	// issuer which defaults to `cert-manager.io` if empty.
-	issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
-
-	// The PEM-encoded x509 certificate signing request to be submitted to the
-	// CA for signing.
-	request: bytes @go(Request,[]byte)
-
-	// IsCA will request to mark the certificate as valid for certificate signing
-	// when submitting to the issuer.
-	// This will automatically add the `cert sign` usage to the list of `usages`.
-	// +optional
-	isCA?: bool @go(IsCA)
-
-	// Usages is the set of x509 usages that are requested for the certificate.
-	// If usages are set they SHOULD be encoded inside the CSR spec
-	// Defaults to `digital signature` and `key encipherment` if not specified.
-	// +optional
-	usages?: [...#KeyUsage] @go(Usages,[]KeyUsage)
-
-	// Username contains the name of the user that created the CertificateRequest.
-	// Populated by the cert-manager webhook on creation and immutable.
-	// +optional
-	username?: string @go(Username)
-
-	// UID contains the uid of the user that created the CertificateRequest.
-	// Populated by the cert-manager webhook on creation and immutable.
-	// +optional
-	uid?: string @go(UID)
-
-	// Groups contains group membership of the user that created the CertificateRequest.
-	// Populated by the cert-manager webhook on creation and immutable.
-	// +listType=atomic
-	// +optional
-	groups?: [...string] @go(Groups,[]string)
-
-	// Extra contains extra attributes of the user that created the CertificateRequest.
-	// Populated by the cert-manager webhook on creation and immutable.
-	// +optional
-	extra?: {[string]: [...string]} @go(Extra,map[string][]string)
-}
-
-// CertificateRequestStatus defines the observed state of CertificateRequest and
-// resulting signed certificate.
-#CertificateRequestStatus: {
-	// List of status conditions to indicate the status of a CertificateRequest.
-	// Known condition types are `Ready` and `InvalidRequest`.
-	// +optional
-	conditions?: [...#CertificateRequestCondition] @go(Conditions,[]CertificateRequestCondition)
-
-	// The PEM encoded x509 certificate resulting from the certificate
-	// signing request.
-	// If not set, the CertificateRequest has either not been completed or has
-	// failed. More information on failure can be found by checking the
-	// `conditions` field.
-	// +optional
-	certificate?: bytes @go(Certificate,[]byte)
-
-	// The PEM encoded x509 certificate of the signer, also known as the CA
-	// (Certificate Authority).
-	// This is set on a best-effort basis by different issuers.
-	// If not set, the CA is assumed to be unknown/not available.
-	// +optional
-	ca?: bytes @go(CA,[]byte)
-
-	// FailureTime stores the time that this CertificateRequest failed. This is
-	// used to influence garbage collection and back-off.
-	// +optional
-	failureTime?: null | metav1.#Time @go(FailureTime,*metav1.Time)
-}
-
-// CertificateRequestCondition contains condition information for a CertificateRequest.
-#CertificateRequestCondition: {
-	// Type of the condition, known values are (`Ready`, `InvalidRequest`,
-	// `Approved`, `Denied`).
-	type: #CertificateRequestConditionType @go(Type)
-
-	// Status of the condition, one of (`True`, `False`, `Unknown`).
-	status: cmmeta.#ConditionStatus @go(Status)
-
-	// LastTransitionTime is the timestamp corresponding to the last status
-	// change of this condition.
-	// +optional
-	lastTransitionTime?: null | metav1.#Time @go(LastTransitionTime,*metav1.Time)
-
-	// Reason is a brief machine readable explanation for the condition's last
-	// transition.
-	// +optional
-	reason?: string @go(Reason)
-
-	// Message is a human readable description of the details of the last
-	// transition, complementing reason.
-	// +optional
-	message?: string @go(Message)
-}
-
-// CertificateRequestConditionType represents an Certificate condition value.
-#CertificateRequestConditionType: string // #enumCertificateRequestConditionType
-
-#enumCertificateRequestConditionType:
-	#CertificateRequestConditionReady |
-	#CertificateRequestConditionInvalidRequest |
-	#CertificateRequestConditionApproved |
-	#CertificateRequestConditionDenied
-
-// CertificateRequestConditionReady indicates that a certificate is ready for use.
-// This is defined as:
-// - The target certificate exists in CertificateRequest.Status
-#CertificateRequestConditionReady: #CertificateRequestConditionType & "Ready"
-
-// CertificateRequestConditionInvalidRequest indicates that a certificate
-// signer has refused to sign the request due to at least one of the input
-// parameters being invalid. Additional information about why the request
-// was rejected can be found in the `reason` and `message` fields.
-#CertificateRequestConditionInvalidRequest: #CertificateRequestConditionType & "InvalidRequest"
-
-// CertificateRequestConditionApproved indicates that a certificate request
-// is approved and ready for signing. Condition must never have a status of
-// `False`, and cannot be modified once set. Cannot be set alongside
-// `Denied`.
-#CertificateRequestConditionApproved: #CertificateRequestConditionType & "Approved"
-
-// CertificateRequestConditionDenied indicates that a certificate request is
-// denied, and must never be signed. Condition must never have a status of
-// `False`, and cannot be modified once set. Cannot be set alongside
-// `Approved`.
-#CertificateRequestConditionDenied: #CertificateRequestConditionType & "Denied"

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_go_gen.cue

@@ -1,195 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
-
-package v1
-
-// Annotation key for DNS subjectAltNames.
-#AltNamesAnnotationKey: "cert-manager.io/alt-names"
-
-// Annotation key for IP subjectAltNames.
-#IPSANAnnotationKey: "cert-manager.io/ip-sans"
-
-// Annotation key for URI subjectAltNames.
-#URISANAnnotationKey: "cert-manager.io/uri-sans"
-
-// Annotation key for certificate common name.
-#CommonNameAnnotationKey: "cert-manager.io/common-name"
-
-// Duration key for certificate duration.
-#DurationAnnotationKey: "cert-manager.io/duration"
-
-// Annotation key for certificate renewBefore.
-#RenewBeforeAnnotationKey: "cert-manager.io/renew-before"
-
-// Annotation key for certificate key usages.
-#UsagesAnnotationKey: "cert-manager.io/usages"
-
-// Annotation key the 'name' of the Issuer resource.
-#IssuerNameAnnotationKey: "cert-manager.io/issuer-name"
-
-// Annotation key for the 'kind' of the Issuer resource.
-#IssuerKindAnnotationKey: "cert-manager.io/issuer-kind"
-
-// Annotation key for the 'group' of the Issuer resource.
-#IssuerGroupAnnotationKey: "cert-manager.io/issuer-group"
-
-// Annotation key for the name of the certificate that a resource is related to.
-#CertificateNameKey: "cert-manager.io/certificate-name"
-
-// Annotation key used to denote whether a Secret is named on a Certificate
-// as a 'next private key' Secret resource.
-#IsNextPrivateKeySecretLabelKey: "cert-manager.io/next-private-key"
-
-// IngressIssuerNameAnnotationKey holds the issuerNameAnnotation value which can be
-// used to override the issuer specified on the created Certificate resource.
-#IngressIssuerNameAnnotationKey: "cert-manager.io/issuer"
-
-// IngressClusterIssuerNameAnnotationKey holds the clusterIssuerNameAnnotation value which
-// can be used to override the issuer specified on the created Certificate resource. The Certificate
-// will reference the specified *ClusterIssuer* instead of normal issuer.
-#IngressClusterIssuerNameAnnotationKey: "cert-manager.io/cluster-issuer"
-
-// IngressACMEIssuerHTTP01IngressClassAnnotationKey holds the acmeIssuerHTTP01IngressClassAnnotation value
-// which can be used to override the http01 ingressClass if the challenge type is set to http01
-#IngressACMEIssuerHTTP01IngressClassAnnotationKey: "acme.cert-manager.io/http01-ingress-class"
-
-// IngressClassAnnotationKey picks a specific "class" for the Ingress. The
-// controller only processes Ingresses with this annotation either unset, or
-// set to either the configured value or the empty string.
-#IngressClassAnnotationKey: "kubernetes.io/ingress.class"
-
-// Annotation added to CertificateRequest resources to denote the name of
-// a Secret resource containing the private key used to sign the CSR stored
-// on the resource.
-// This annotation *may* not be present, and is used by the 'self signing'
-// issuer type to self-sign certificates.
-#CertificateRequestPrivateKeyAnnotationKey: "cert-manager.io/private-key-secret-name"
-
-// Annotation to declare the CertificateRequest "revision", belonging to a Certificate Resource
-#CertificateRequestRevisionAnnotationKey: "cert-manager.io/certificate-revision"
-
-// IssueTemporaryCertificateAnnotation is an annotation that can be added to
-// Certificate resources.
-// If it is present, a temporary internally signed certificate will be
-// stored in the target Secret resource whilst the real Issuer is processing
-// the certificate request.
-#IssueTemporaryCertificateAnnotation: "cert-manager.io/issue-temporary-certificate"
-
-#ClusterIssuerKind:      "ClusterIssuer"
-#IssuerKind:             "Issuer"
-#CertificateKind:        "Certificate"
-#CertificateRequestKind: "CertificateRequest"
-
-// WantInjectAnnotation is the annotation that specifies that a particular
-// object wants injection of CAs.  It takes the form of a reference to a certificate
-// as namespace/name.  The certificate is expected to have the is-serving-for annotations.
-#WantInjectAnnotation: "cert-manager.io/inject-ca-from"
-
-// WantInjectAPIServerCAAnnotation will - if set to "true" - make the cainjector
-// inject the CA certificate for the Kubernetes apiserver into the resource.
-// It discovers the apiserver's CA by inspecting the service account credentials
-// mounted into the cainjector pod.
-#WantInjectAPIServerCAAnnotation: "cert-manager.io/inject-apiserver-ca"
-
-// WantInjectFromSecretAnnotation is the annotation that specifies that a particular
-// object wants injection of CAs.  It takes the form of a reference to a Secret
-// as namespace/name.
-#WantInjectFromSecretAnnotation: "cert-manager.io/inject-ca-from-secret"
-
-// AllowsInjectionFromSecretAnnotation is an annotation that must be added
-// to Secret resource that want to denote that they can be directly
-// injected into injectables that have a `inject-ca-from-secret` annotation.
-// If an injectable references a Secret that does NOT have this annotation,
-// the cainjector will refuse to inject the secret.
-#AllowsInjectionFromSecretAnnotation: "cert-manager.io/allow-direct-injection"
-
-// VenafiCustomFieldsAnnotationKey is the annotation that passes on JSON encoded custom fields to the Venafi issuer
-// This will only work with Venafi TPP v19.3 and higher
-// The value is an array with objects containing the name and value keys
-// for example: `[{"name": "custom-field", "value": "custom-value"}]`
-#VenafiCustomFieldsAnnotationKey: "venafi.cert-manager.io/custom-fields"
-
-// VenafiPickupIDAnnotationKey is the annotation key used to record the
-// Venafi Pickup ID of a certificate signing request that has been submitted
-// to the Venafi API for collection later.
-#VenafiPickupIDAnnotationKey: "venafi.cert-manager.io/pickup-id"
-
-// KeyUsage specifies valid usage contexts for keys.
-// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
-//      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
-// Valid KeyUsage values are as follows:
-// "signing",
-// "digital signature",
-// "content commitment",
-// "key encipherment",
-// "key agreement",
-// "data encipherment",
-// "cert sign",
-// "crl sign",
-// "encipher only",
-// "decipher only",
-// "any",
-// "server auth",
-// "client auth",
-// "code signing",
-// "email protection",
-// "s/mime",
-// "ipsec end system",
-// "ipsec tunnel",
-// "ipsec user",
-// "timestamping",
-// "ocsp signing",
-// "microsoft sgc",
-// "netscape sgc"
-// +kubebuilder:validation:Enum="signing";"digital signature";"content commitment";"key encipherment";"key agreement";"data encipherment";"cert sign";"crl sign";"encipher only";"decipher only";"any";"server auth";"client auth";"code signing";"email protection";"s/mime";"ipsec end system";"ipsec tunnel";"ipsec user";"timestamping";"ocsp signing";"microsoft sgc";"netscape sgc"
-#KeyUsage: string // #enumKeyUsage
-
-#enumKeyUsage:
-	#UsageSigning |
-	#UsageDigitalSignature |
-	#UsageContentCommitment |
-	#UsageKeyEncipherment |
-	#UsageKeyAgreement |
-	#UsageDataEncipherment |
-	#UsageCertSign |
-	#UsageCRLSign |
-	#UsageEncipherOnly |
-	#UsageDecipherOnly |
-	#UsageAny |
-	#UsageServerAuth |
-	#UsageClientAuth |
-	#UsageCodeSigning |
-	#UsageEmailProtection |
-	#UsageSMIME |
-	#UsageIPsecEndSystem |
-	#UsageIPsecTunnel |
-	#UsageIPsecUser |
-	#UsageTimestamping |
-	#UsageOCSPSigning |
-	#UsageMicrosoftSGC |
-	#UsageNetscapeSGC
-
-#UsageSigning:           #KeyUsage & "signing"
-#UsageDigitalSignature:  #KeyUsage & "digital signature"
-#UsageContentCommitment: #KeyUsage & "content commitment"
-#UsageKeyEncipherment:   #KeyUsage & "key encipherment"
-#UsageKeyAgreement:      #KeyUsage & "key agreement"
-#UsageDataEncipherment:  #KeyUsage & "data encipherment"
-#UsageCertSign:          #KeyUsage & "cert sign"
-#UsageCRLSign:           #KeyUsage & "crl sign"
-#UsageEncipherOnly:      #KeyUsage & "encipher only"
-#UsageDecipherOnly:      #KeyUsage & "decipher only"
-#UsageAny:               #KeyUsage & "any"
-#UsageServerAuth:        #KeyUsage & "server auth"
-#UsageClientAuth:        #KeyUsage & "client auth"
-#UsageCodeSigning:       #KeyUsage & "code signing"
-#UsageEmailProtection:   #KeyUsage & "email protection"
-#UsageSMIME:             #KeyUsage & "s/mime"
-#UsageIPsecEndSystem:    #KeyUsage & "ipsec end system"
-#UsageIPsecTunnel:       #KeyUsage & "ipsec tunnel"
-#UsageIPsecUser:         #KeyUsage & "ipsec user"
-#UsageTimestamping:      #KeyUsage & "timestamping"
-#UsageOCSPSigning:       #KeyUsage & "ocsp signing"
-#UsageMicrosoftSGC:      #KeyUsage & "microsoft sgc"
-#UsageNetscapeSGC:       #KeyUsage & "netscape sgc"

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_issuer_go_gen.cue

@@ -1,316 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
-
-package v1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	cmacme "github.com/jetstack/cert-manager/pkg/apis/acme/v1"
-	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
-)
-
-// A ClusterIssuer represents a certificate issuing authority which can be
-// referenced as part of `issuerRef` fields.
-// It is similar to an Issuer, however it is cluster-scoped and therefore can
-// be referenced by resources that exist in *any* namespace, not just the same
-// namespace as the referent.
-#ClusterIssuer: {
-	metav1.#TypeMeta
-	metadata?: metav1.#ObjectMeta @go(ObjectMeta)
-
-	// Desired state of the ClusterIssuer resource.
-	spec: #IssuerSpec @go(Spec)
-
-	// Status of the ClusterIssuer. This is set and managed automatically.
-	// +optional
-	status: #IssuerStatus @go(Status)
-}
-
-// ClusterIssuerList is a list of Issuers
-#ClusterIssuerList: {
-	metav1.#TypeMeta
-	metadata: metav1.#ListMeta @go(ListMeta)
-	items: [...#ClusterIssuer] @go(Items,[]ClusterIssuer)
-}
-
-// An Issuer represents a certificate issuing authority which can be
-// referenced as part of `issuerRef` fields.
-// It is scoped to a single namespace and can therefore only be referenced by
-// resources within the same namespace.
-#Issuer: {
-	metav1.#TypeMeta
-	metadata?: metav1.#ObjectMeta @go(ObjectMeta)
-
-	// Desired state of the Issuer resource.
-	spec: #IssuerSpec @go(Spec)
-
-	// Status of the Issuer. This is set and managed automatically.
-	// +optional
-	status: #IssuerStatus @go(Status)
-}
-
-// IssuerList is a list of Issuers
-#IssuerList: {
-	metav1.#TypeMeta
-	metadata: metav1.#ListMeta @go(ListMeta)
-	items: [...#Issuer] @go(Items,[]Issuer)
-}
-
-// IssuerSpec is the specification of an Issuer. This includes any
-// configuration required for the issuer.
-#IssuerSpec: {
-	#IssuerConfig
-}
-
-// The configuration for the issuer.
-// Only one of these can be set.
-#IssuerConfig: {
-	// ACME configures this issuer to communicate with a RFC8555 (ACME) server
-	// to obtain signed x509 certificates.
-	// +optional
-	acme?: null | cmacme.#ACMEIssuer @go(ACME,*cmacme.ACMEIssuer)
-
-	// CA configures this issuer to sign certificates using a signing CA keypair
-	// stored in a Secret resource.
-	// This is used to build internal PKIs that are managed by cert-manager.
-	// +optional
-	ca?: null | #CAIssuer @go(CA,*CAIssuer)
-
-	// Vault configures this issuer to sign certificates using a HashiCorp Vault
-	// PKI backend.
-	// +optional
-	vault?: null | #VaultIssuer @go(Vault,*VaultIssuer)
-
-	// SelfSigned configures this issuer to 'self sign' certificates using the
-	// private key used to create the CertificateRequest object.
-	// +optional
-	selfSigned?: null | #SelfSignedIssuer @go(SelfSigned,*SelfSignedIssuer)
-
-	// Venafi configures this issuer to sign certificates using a Venafi TPP
-	// or Venafi Cloud policy zone.
-	// +optional
-	venafi?: null | #VenafiIssuer @go(Venafi,*VenafiIssuer)
-}
-
-// Configures an issuer to sign certificates using a Venafi TPP
-// or Cloud policy zone.
-#VenafiIssuer: {
-	// Zone is the Venafi Policy Zone to use for this issuer.
-	// All requests made to the Venafi platform will be restricted by the named
-	// zone policy.
-	// This field is required.
-	zone: string @go(Zone)
-
-	// TPP specifies Trust Protection Platform configuration settings.
-	// Only one of TPP or Cloud may be specified.
-	// +optional
-	tpp?: null | #VenafiTPP @go(TPP,*VenafiTPP)
-
-	// Cloud specifies the Venafi cloud configuration settings.
-	// Only one of TPP or Cloud may be specified.
-	// +optional
-	cloud?: null | #VenafiCloud @go(Cloud,*VenafiCloud)
-}
-
-// VenafiTPP defines connection configuration details for a Venafi TPP instance
-#VenafiTPP: {
-	// URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
-	// for example: "https://tpp.example.com/vedsdk".
-	url: string @go(URL)
-
-	// CredentialsRef is a reference to a Secret containing the username and
-	// password for the TPP server.
-	// The secret must contain two keys, 'username' and 'password'.
-	credentialsRef: cmmeta.#LocalObjectReference @go(CredentialsRef)
-
-	// CABundle is a PEM encoded TLS certificate to use to verify connections to
-	// the TPP instance.
-	// If specified, system roots will not be used and the issuing CA for the
-	// TPP instance must be verifiable using the provided root.
-	// If not specified, the connection will be verified using the cert-manager
-	// system root certificates.
-	// +optional
-	caBundle?: bytes @go(CABundle,[]byte)
-}
-
-// VenafiCloud defines connection configuration details for Venafi Cloud
-#VenafiCloud: {
-	// URL is the base URL for Venafi Cloud.
-	// Defaults to "https://api.venafi.cloud/v1".
-	// +optional
-	url?: string @go(URL)
-
-	// APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
-	apiTokenSecretRef: cmmeta.#SecretKeySelector @go(APITokenSecretRef)
-}
-
-// Configures an issuer to 'self sign' certificates using the
-// private key used to create the CertificateRequest object.
-#SelfSignedIssuer: {
-	// The CRL distribution points is an X.509 v3 certificate extension which identifies
-	// the location of the CRL from which the revocation of this certificate can be checked.
-	// If not set certificate will be issued without CDP. Values are strings.
-	// +optional
-	crlDistributionPoints?: [...string] @go(CRLDistributionPoints,[]string)
-}
-
-// Configures an issuer to sign certificates using a HashiCorp Vault
-// PKI backend.
-#VaultIssuer: {
-	// Auth configures how cert-manager authenticates with the Vault server.
-	auth: #VaultAuth @go(Auth)
-
-	// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
-	server: string @go(Server)
-
-	// Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
-	// "my_pki_mount/sign/my-role-name".
-	path: string @go(Path)
-
-	// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
-	// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-	// +optional
-	namespace?: string @go(Namespace)
-
-	// PEM-encoded CA bundle (base64-encoded) used to validate Vault server
-	// certificate. Only used if the Server URL is using HTTPS protocol. This
-	// parameter is ignored for plain HTTP protocol connection. If not set the
-	// system root certificates are used to validate the TLS connection.
-	// +optional
-	caBundle?: bytes @go(CABundle,[]byte)
-}
-
-// Configuration used to authenticate with a Vault server.
-// Only one of `tokenSecretRef`, `appRole` or `kubernetes` may be specified.
-#VaultAuth: {
-	// TokenSecretRef authenticates with Vault by presenting a token.
-	// +optional
-	tokenSecretRef?: null | cmmeta.#SecretKeySelector @go(TokenSecretRef,*cmmeta.SecretKeySelector)
-
-	// AppRole authenticates with Vault using the App Role auth mechanism,
-	// with the role and secret stored in a Kubernetes Secret resource.
-	// +optional
-	appRole?: null | #VaultAppRole @go(AppRole,*VaultAppRole)
-
-	// Kubernetes authenticates with Vault by passing the ServiceAccount
-	// token stored in the named Secret resource to the Vault server.
-	// +optional
-	kubernetes?: null | #VaultKubernetesAuth @go(Kubernetes,*VaultKubernetesAuth)
-}
-
-// VaultAppRole authenticates with Vault using the App Role auth mechanism,
-// with the role and secret stored in a Kubernetes Secret resource.
-#VaultAppRole: {
-	// Path where the App Role authentication backend is mounted in Vault, e.g:
-	// "approle"
-	path: string @go(Path)
-
-	// RoleID configured in the App Role authentication backend when setting
-	// up the authentication backend in Vault.
-	roleId: string @go(RoleId)
-
-	// Reference to a key in a Secret that contains the App Role secret used
-	// to authenticate with Vault.
-	// The `key` field must be specified and denotes which entry within the Secret
-	// resource is used as the app role secret.
-	secretRef: cmmeta.#SecretKeySelector @go(SecretRef)
-}
-
-// Authenticate against Vault using a Kubernetes ServiceAccount token stored in
-// a Secret.
-#VaultKubernetesAuth: {
-	// The Vault mountPath here is the mount path to use when authenticating with
-	// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
-	// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
-	// default value "/v1/auth/kubernetes" will be used.
-	// +optional
-	mountPath?: string @go(Path)
-
-	// The required Secret field containing a Kubernetes ServiceAccount JWT used
-	// for authenticating with Vault. Use of 'ambient credentials' is not
-	// supported.
-	secretRef: cmmeta.#SecretKeySelector @go(SecretRef)
-
-	// A required field containing the Vault Role to assume. A Role binds a
-	// Kubernetes ServiceAccount with a set of Vault policies.
-	role: string @go(Role)
-}
-
-#CAIssuer: {
-	// SecretName is the name of the secret used to sign Certificates issued
-	// by this Issuer.
-	secretName: string @go(SecretName)
-
-	// The CRL distribution points is an X.509 v3 certificate extension which identifies
-	// the location of the CRL from which the revocation of this certificate can be checked.
-	// If not set, certificates will be issued without distribution points set.
-	// +optional
-	crlDistributionPoints?: [...string] @go(CRLDistributionPoints,[]string)
-
-	// The OCSP server list is an X.509 v3 extension that defines a list of
-	// URLs of OCSP responders. The OCSP responders can be queried for the
-	// revocation status of an issued certificate. If not set, the
-	// certificate will be issued with no OCSP servers set. For example, an
-	// OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
-	// +optional
-	ocspServers?: [...string] @go(OCSPServers,[]string)
-}
-
-// IssuerStatus contains status information about an Issuer
-#IssuerStatus: {
-	// List of status conditions to indicate the status of a CertificateRequest.
-	// Known condition types are `Ready`.
-	// +optional
-	conditions?: [...#IssuerCondition] @go(Conditions,[]IssuerCondition)
-
-	// ACME specific status options.
-	// This field should only be set if the Issuer is configured to use an ACME
-	// server to issue certificates.
-	// +optional
-	acme?: null | cmacme.#ACMEIssuerStatus @go(ACME,*cmacme.ACMEIssuerStatus)
-}
-
-// IssuerCondition contains condition information for an Issuer.
-#IssuerCondition: {
-	// Type of the condition, known values are (`Ready`).
-	type: #IssuerConditionType @go(Type)
-
-	// Status of the condition, one of (`True`, `False`, `Unknown`).
-	status: cmmeta.#ConditionStatus @go(Status)
-
-	// LastTransitionTime is the timestamp corresponding to the last status
-	// change of this condition.
-	// +optional
-	lastTransitionTime?: null | metav1.#Time @go(LastTransitionTime,*metav1.Time)
-
-	// Reason is a brief machine readable explanation for the condition's last
-	// transition.
-	// +optional
-	reason?: string @go(Reason)
-
-	// Message is a human readable description of the details of the last
-	// transition, complementing reason.
-	// +optional
-	message?: string @go(Message)
-
-	// If set, this represents the .metadata.generation that the condition was
-	// set based upon.
-	// For instance, if .metadata.generation is currently 12, but the
-	// .status.condition[x].observedGeneration is 9, the condition is out of date
-	// with respect to the current state of the Issuer.
-	// +optional
-	observedGeneration?: int64 @go(ObservedGeneration)
-}
-
-// IssuerConditionType represents an Issuer condition value.
-#IssuerConditionType: string // #enumIssuerConditionType
-
-#enumIssuerConditionType:
-	#IssuerConditionReady
-
-// IssuerConditionReady represents the fact that a given Issuer condition
-// is in ready state and able to issue certificates.
-// If the `status` of this condition is `False`, CertificateRequest controllers
-// should prevent attempts to sign certificates.
-#IssuerConditionReady: #IssuerConditionType & "Ready"

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/meta/v1/doc_go_gen.cue

@@ -1,9 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/meta/v1
-
-// Package v1 contains meta types for cert-manager APIs
-// +k8s:deepcopy-gen=package
-// +gencrdrefdocs:force
-// +groupName=meta.cert-manager.io
-package v1

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/meta/v1/types_go_gen.cue

@@ -1,64 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/meta/v1
-
-package v1
-
-// ConditionStatus represents a condition's status.
-// +kubebuilder:validation:Enum=True;False;Unknown
-#ConditionStatus: string // #enumConditionStatus
-
-#enumConditionStatus:
-	#ConditionTrue |
-	#ConditionFalse |
-	#ConditionUnknown
-
-// ConditionTrue represents the fact that a given condition is true
-#ConditionTrue: #ConditionStatus & "True"
-
-// ConditionFalse represents the fact that a given condition is false
-#ConditionFalse: #ConditionStatus & "False"
-
-// ConditionUnknown represents the fact that a given condition is unknown
-#ConditionUnknown: #ConditionStatus & "Unknown"
-
-// A reference to an object in the same namespace as the referent.
-// If the referent is a cluster-scoped resource (e.g. a ClusterIssuer),
-// the reference instead refers to the resource with the given name in the
-// configured 'cluster resource namespace', which is set as a flag on the
-// controller component (and defaults to the namespace that cert-manager
-// runs in).
-#LocalObjectReference: {
-	// Name of the resource being referred to.
-	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-	name: string @go(Name)
-}
-
-// ObjectReference is a reference to an object with a given name, kind and group.
-#ObjectReference: {
-	// Name of the resource being referred to.
-	name: string @go(Name)
-
-	// Kind of the resource being referred to.
-	// +optional
-	kind?: string @go(Kind)
-
-	// Group of the resource being referred to.
-	// +optional
-	group?: string @go(Group)
-}
-
-// A reference to a specific 'key' within a Secret resource.
-// In some instances, `key` is a required field.
-#SecretKeySelector: {
-	#LocalObjectReference
-
-	// The key of the entry in the Secret resource's `data` field to be used.
-	// Some instances of this field may be defaulted, in others it may be
-	// required.
-	// +optional
-	key?: string @go(Key)
-}
-
-// Used as a data key in Secret resources to store a CA certificate.
-#TLSCAKey: "ca.crt"

cue/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue

@@ -1,31 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go k8s.io/apimachinery/pkg/types
-
-package types
-
-// NodeName is a type that holds a api.Node's Name identifier.
-// Being a type captures intent and helps make sure that the node name
-// is not confused with similar concepts (the hostname, the cloud provider id,
-// the cloud provider name etc)
-//
-// To clarify the various types:
-//
-// * Node.Name is the Name field of the Node in the API.  This should be stored in a NodeName.
-//   Unfortunately, because Name is part of ObjectMeta, we can't store it as a NodeName at the API level.
-//
-// * Hostname is the hostname of the local machine (from uname -n).
-//   However, some components allow the user to pass in a --hostname-override flag,
-//   which will override this in most places. In the absence of anything more meaningful,
-//   kubelet will use Hostname as the Node.Name when it creates the Node.
-//
-// * The cloudproviders have the own names: GCE has InstanceName, AWS has InstanceId.
-//
-//   For GCE, InstanceName is the Name of an Instance object in the GCE API.  On GCE, Instance.Name becomes the
-//   Hostname, and thus it makes sense also to use it as the Node.Name.  But that is GCE specific, and it is up
-//   to the cloudprovider how to do this mapping.
-//
-//   For AWS, the InstanceID is not yet suitable for use as a Node.Name, so we actually use the
-//   PrivateDnsName for the Node.Name.  And this is _not_ always the same as the hostname: if
-//   we are using a custom DHCP domain it won't be.
-#NodeName: string

cue/cue.mod/gen/time/format_go_gen.cue

@@ -1,68 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go time
-
-package time
-
-#Layout:      "01/02 03:04:05PM '06 -0700"
-#ANSIC:       "Mon Jan _2 15:04:05 2006"
-#UnixDate:    "Mon Jan _2 15:04:05 MST 2006"
-#RubyDate:    "Mon Jan 02 15:04:05 -0700 2006"
-#RFC822:      "02 Jan 06 15:04 MST"
-#RFC822Z:     "02 Jan 06 15:04 -0700"
-#RFC850:      "Monday, 02-Jan-06 15:04:05 MST"
-#RFC1123:     "Mon, 02 Jan 2006 15:04:05 MST"
-#RFC1123Z:    "Mon, 02 Jan 2006 15:04:05 -0700"
-#RFC3339:     "2006-01-02T15:04:05Z07:00"
-#RFC3339Nano: "2006-01-02T15:04:05.999999999Z07:00"
-#Kitchen:     "3:04PM"
-
-// Handy time stamps.
-#Stamp:                     "Jan _2 15:04:05"
-#StampMilli:                "Jan _2 15:04:05.000"
-#StampMicro:                "Jan _2 15:04:05.000000"
-#StampNano:                 "Jan _2 15:04:05.000000000"
-_#stdLongMonth:             257
-_#stdMonth:                 258
-_#stdNumMonth:              259
-_#stdZeroMonth:             260
-_#stdLongWeekDay:           261
-_#stdWeekDay:               262
-_#stdDay:                   263
-_#stdUnderDay:              264
-_#stdZeroDay:               265
-_#stdUnderYearDay:          266
-_#stdZeroYearDay:           267
-_#stdHour:                  524
-_#stdHour12:                525
-_#stdZeroHour12:            526
-_#stdMinute:                527
-_#stdZeroMinute:            528
-_#stdSecond:                529
-_#stdZeroSecond:            530
-_#stdLongYear:              275
-_#stdYear:                  276
-_#stdPM:                    533
-_#stdpm:                    534
-_#stdTZ:                    23
-_#stdISO8601TZ:             24
-_#stdISO8601SecondsTZ:      25
-_#stdISO8601ShortTZ:        26
-_#stdISO8601ColonTZ:        27
-_#stdISO8601ColonSecondsTZ: 28
-_#stdNumTZ:                 29
-_#stdNumSecondsTz:          30
-_#stdNumShortTZ:            31
-_#stdNumColonTZ:            32
-_#stdNumColonSecondsTZ:     33
-_#stdFracSecond0:           34
-_#stdFracSecond9:           35
-_#stdNeedDate:              256
-_#stdNeedClock:             512
-_#stdArgShift:              16
-_#stdSeparatorShift:        28
-_#stdMask:                  65535
-
-_#lowerhex:  "0123456789abcdef"
-_#runeSelf:  0x80
-_#runeError: 65533 // '\uFFFD'

cue/cue.mod/gen/time/time_go_gen.cue

@@ -1,266 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go time
-
-// Package time provides functionality for measuring and displaying time.
-//
-// The calendrical calculations always assume a Gregorian calendar, with
-// no leap seconds.
-//
-// Monotonic Clocks
-//
-// Operating systems provide both a “wall clock,” which is subject to
-// changes for clock synchronization, and a “monotonic clock,” which is
-// not. The general rule is that the wall clock is for telling time and
-// the monotonic clock is for measuring time. Rather than split the API,
-// in this package the Time returned by time.Now contains both a wall
-// clock reading and a monotonic clock reading; later time-telling
-// operations use the wall clock reading, but later time-measuring
-// operations, specifically comparisons and subtractions, use the
-// monotonic clock reading.
-//
-// For example, this code always computes a positive elapsed time of
-// approximately 20 milliseconds, even if the wall clock is changed during
-// the operation being timed:
-//
-// start := time.Now()
-// ... operation that takes 20 milliseconds ...
-// t := time.Now()
-// elapsed := t.Sub(start)
-//
-// Other idioms, such as time.Since(start), time.Until(deadline), and
-// time.Now().Before(deadline), are similarly robust against wall clock
-// resets.
-//
-// The rest of this section gives the precise details of how operations
-// use monotonic clocks, but understanding those details is not required
-// to use this package.
-//
-// The Time returned by time.Now contains a monotonic clock reading.
-// If Time t has a monotonic clock reading, t.Add adds the same duration to
-// both the wall clock and monotonic clock readings to compute the result.
-// Because t.AddDate(y, m, d), t.Round(d), and t.Truncate(d) are wall time
-// computations, they always strip any monotonic clock reading from their results.
-// Because t.In, t.Local, and t.UTC are used for their effect on the interpretation
-// of the wall time, they also strip any monotonic clock reading from their results.
-// The canonical way to strip a monotonic clock reading is to use t = t.Round(0).
-//
-// If Times t and u both contain monotonic clock readings, the operations
-// t.After(u), t.Before(u), t.Equal(u), and t.Sub(u) are carried out
-// using the monotonic clock readings alone, ignoring the wall clock
-// readings. If either t or u contains no monotonic clock reading, these
-// operations fall back to using the wall clock readings.
-//
-// On some systems the monotonic clock will stop if the computer goes to sleep.
-// On such a system, t.Sub(u) may not accurately reflect the actual
-// time that passed between t and u.
-//
-// Because the monotonic clock reading has no meaning outside
-// the current process, the serialized forms generated by t.GobEncode,
-// t.MarshalBinary, t.MarshalJSON, and t.MarshalText omit the monotonic
-// clock reading, and t.Format provides no format for it. Similarly, the
-// constructors time.Date, time.Parse, time.ParseInLocation, and time.Unix,
-// as well as the unmarshalers t.GobDecode, t.UnmarshalBinary.
-// t.UnmarshalJSON, and t.UnmarshalText always create times with
-// no monotonic clock reading.
-//
-// Note that the Go == operator compares not just the time instant but
-// also the Location and the monotonic clock reading. See the
-// documentation for the Time type for a discussion of equality
-// testing for Time values.
-//
-// For debugging, the result of t.String does include the monotonic
-// clock reading if present. If t != u because of different monotonic clock readings,
-// that difference will be visible when printing t.String() and u.String().
-//
-package time
-
-// A Time represents an instant in time with nanosecond precision.
-//
-// Programs using times should typically store and pass them as values,
-// not pointers. That is, time variables and struct fields should be of
-// type time.Time, not *time.Time.
-//
-// A Time value can be used by multiple goroutines simultaneously except
-// that the methods GobDecode, UnmarshalBinary, UnmarshalJSON and
-// UnmarshalText are not concurrency-safe.
-//
-// Time instants can be compared using the Before, After, and Equal methods.
-// The Sub method subtracts two instants, producing a Duration.
-// The Add method adds a Time and a Duration, producing a Time.
-//
-// The zero value of type Time is January 1, year 1, 00:00:00.000000000 UTC.
-// As this time is unlikely to come up in practice, the IsZero method gives
-// a simple way of detecting a time that has not been initialized explicitly.
-//
-// Each Time has associated with it a Location, consulted when computing the
-// presentation form of the time, such as in the Format, Hour, and Year methods.
-// The methods Local, UTC, and In return a Time with a specific location.
-// Changing the location in this way changes only the presentation; it does not
-// change the instant in time being denoted and therefore does not affect the
-// computations described in earlier paragraphs.
-//
-// Representations of a Time value saved by the GobEncode, MarshalBinary,
-// MarshalJSON, and MarshalText methods store the Time.Location's offset, but not
-// the location name. They therefore lose information about Daylight Saving Time.
-//
-// In addition to the required “wall clock” reading, a Time may contain an optional
-// reading of the current process's monotonic clock, to provide additional precision
-// for comparison or subtraction.
-// See the “Monotonic Clocks” section in the package documentation for details.
-//
-// Note that the Go == operator compares not just the time instant but also the
-// Location and the monotonic clock reading. Therefore, Time values should not
-// be used as map or database keys without first guaranteeing that the
-// identical Location has been set for all values, which can be achieved
-// through use of the UTC or Local method, and that the monotonic clock reading
-// has been stripped by setting t = t.Round(0). In general, prefer t.Equal(u)
-// to t == u, since t.Equal uses the most accurate comparison available and
-// correctly handles the case when only one of its arguments has a monotonic
-// clock reading.
-//
-#Time: _
-
-_#hasMonotonic: 9223372036854775808
-_#maxWall:      int64 & 68043243391
-_#minWall:      int64 & 59453308800
-_#nsecMask:     1073741823
-_#nsecShift:    30
-
-// A Month specifies a month of the year (January = 1, ...).
-#Month: int // #enumMonth
-
-#enumMonth:
-	#January |
-	#February |
-	#March |
-	#April |
-	#May |
-	#June |
-	#July |
-	#August |
-	#September |
-	#October |
-	#November |
-	#December
-
-#values_Month: {
-	January:   #January
-	February:  #February
-	March:     #March
-	April:     #April
-	May:       #May
-	June:      #June
-	July:      #July
-	August:    #August
-	September: #September
-	October:   #October
-	November:  #November
-	December:  #December
-}
-
-#January:   #Month & 1
-#February:  #Month & 2
-#March:     #Month & 3
-#April:     #Month & 4
-#May:       #Month & 5
-#June:      #Month & 6
-#July:      #Month & 7
-#August:    #Month & 8
-#September: #Month & 9
-#October:   #Month & 10
-#November:  #Month & 11
-#December:  #Month & 12
-
-// A Weekday specifies a day of the week (Sunday = 0, ...).
-#Weekday: int // #enumWeekday
-
-#enumWeekday:
-	#Sunday |
-	#Monday |
-	#Tuesday |
-	#Wednesday |
-	#Thursday |
-	#Friday |
-	#Saturday
-
-#values_Weekday: {
-	Sunday:    #Sunday
-	Monday:    #Monday
-	Tuesday:   #Tuesday
-	Wednesday: #Wednesday
-	Thursday:  #Thursday
-	Friday:    #Friday
-	Saturday:  #Saturday
-}
-
-#Sunday:    #Weekday & 0
-#Monday:    #Weekday & 1
-#Tuesday:   #Weekday & 2
-#Wednesday: #Weekday & 3
-#Thursday:  #Weekday & 4
-#Friday:    #Weekday & 5
-#Saturday:  #Weekday & 6
-
-// The unsigned zero year for internal calculations.
-// Must be 1 mod 400, and times before it will not compute correctly,
-// but otherwise can be changed at will.
-_#absoluteZeroYear: -292277022399
-
-// The year of the zero Time.
-// Assumed by the unixToInternal computation below.
-_#internalYear: 1
-
-// Offsets to convert between internal and absolute or Unix times.
-_#absoluteToInternal: int64 & -9223371966579724800
-_#internalToAbsolute: int64 & 9223371966579724800
-_#unixToInternal:     int64 & 62135596800
-_#internalToUnix:     int64 & -62135596800
-_#wallToInternal:     int64 & 59453308800
-_#internalToWall:     int64 & -59453308800
-
-// A Duration represents the elapsed time between two instants
-// as an int64 nanosecond count. The representation limits the
-// largest representable duration to approximately 290 years.
-#Duration: int64 // #enumDuration
-
-#enumDuration:
-	_#minDuration |
-	_#maxDuration |
-	#Nanosecond |
-	#Microsecond |
-	#Millisecond |
-	#Second |
-	#Minute |
-	#Hour
-
-#values_Duration: {
-	minDuration: _#minDuration
-	maxDuration: _#maxDuration
-	Nanosecond:  #Nanosecond
-	Microsecond: #Microsecond
-	Millisecond: #Millisecond
-	Second:      #Second
-	Minute:      #Minute
-	Hour:        #Hour
-}
-
-_#minDuration: #Duration & -9223372036854775808
-_#maxDuration: #Duration & 9223372036854775807
-
-#Nanosecond:  #Duration & 1
-#Microsecond: #Duration & 1000
-#Millisecond: #Duration & 1000000
-#Second:      #Duration & 1000000000
-#Minute:      #Duration & 60000000000
-#Hour:        #Duration & 3600000000000
-
-_#secondsPerMinute: 60
-_#secondsPerHour:   3600
-_#secondsPerDay:    86400
-_#secondsPerWeek:   604800
-_#daysPer400Years:  146097
-_#daysPer100Years:  36524
-_#daysPer4Years:    1461
-
-_#timeBinaryVersion: 1

cue/cue.mod/gen/time/zoneinfo_go_gen.cue

@@ -1,19 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go time
-
-package time
-
-// A Location maps time instants to the zone in use at that time.
-// Typically, the Location represents the collection of time offsets
-// in use in a geographical area. For many Locations the time offset varies
-// depending on whether daylight savings time is in use at the time instant.
-#Location: {
-}
-
-_#alpha: -9223372036854775808
-_#omega: 9223372036854775807
-
-_#ruleJulian:       _#ruleKind & 0
-_#ruleDOY:          _#ruleKind & 1
-_#ruleMonthWeekDay: _#ruleKind & 2

cue/cue.mod/gen/time/zoneinfo_read_go_gen.cue

@@ -1,11 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go time
-
-package time
-
-_#maxFileSize: 10485760
-
-_#seekStart:   0
-_#seekCurrent: 1
-_#seekEnd:     2

cue/cue.mod/module.cue

@@ -1 +0,0 @@
-module: "github.com/stefanprodan/podinfo/cue"

cue/go.mod

@@ -1,23 +0,0 @@
-module github.com/stefanprodan/podinfo/cue
-
-go 1.17
-
-require (
-	github.com/go-logr/logr v1.2.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/go-cmp v0.5.5 // indirect
-	github.com/google/gofuzz v1.1.0 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
-	golang.org/x/net v0.0.0-20211209124913-491a49abca63 // indirect
-	golang.org/x/text v0.3.7 // indirect
-	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/api v0.23.5 // indirect
-	k8s.io/apimachinery v0.23.5 // indirect
-	k8s.io/klog/v2 v2.30.0 // indirect
-	k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
-	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
-)

cue/go.sum

@@ -1,231 +0,0 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
-github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
-github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
-github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
-github.com/go-logr/logr v1.2.0 h1:QK40JKJyMdUDz+h+xvCsru/bJhvG0UxvePV0ufL/AcE=
-github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
-github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
-github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
-github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
-github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
-github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
-github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
-github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
-github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
-github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
-github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
-github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY=
-golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
-gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.23.5 h1:zno3LUiMubxD/V1Zw3ijyKO3wxrhbUF1Ck+VjBvfaoA=
-k8s.io/api v0.23.5/go.mod h1:Na4XuKng8PXJ2JsploYYrivXrINeTaycCGcYgF91Xm8=
-k8s.io/apimachinery v0.23.5 h1:Va7dwhp8wgkUPWsEXk6XglXWU4IKYLKNlv8VkX7SDM0=
-k8s.io/apimachinery v0.23.5/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM=
-k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
-k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
-k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/klog/v2 v2.30.0 h1:bUO6drIvCIsvZ/XFgfxoGFQU/a4Qkh0iAlvUR7vlHJw=
-k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk=
-k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20211116205334-6203023598ed h1:ck1fRPWPJWsMd8ZRFsWc6mh/zHp5fZ/shhbrgPUxDAE=
-k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 h1:fD1pz4yfdADVNfFmcP2aBEtudwUQ1AlLnRBALr33v3s=
-sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs=
-sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
-sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

cue/main.cue

@@ -1,27 +0,0 @@
-package main
-
-import (
-	podinfo "github.com/stefanprodan/podinfo/cue/podinfo"
-)
-
-resources: (podinfo.#Application & {
-	input: {
-		meta: {
-			name: "podinfo"
-			annotations: {
-				"app.kubernetes.io/part-of": "podinfo"
-			}
-		}
-		image: {
-			repository: "ghcr.io/stefanprodan/podinfo"
-			tag:        "6.1.3"
-		}
-		resources: requests: cpu: "100m"
-		hpa: {
-			enabled:     true
-			minReplicas: 2
-			maxReplicas: 4
-			cpu:         99
-		}
-	}
-}).out

cue/main_tool.cue

@@ -1,12 +0,0 @@
-package main
-
-import (
-	"tool/cli"
-	"encoding/yaml"
-)
-
-command: gen: {
-	task: print: cli.Print & {
-		text: yaml.MarshalStream([ for x in resources {x}])
-	}
-}

cue/podinfo/app.cue

@@ -1,21 +0,0 @@
-package podinfo
-
-#Application: {
-	input: #Config
-	out: {
-		sa:     #ServiceAccount & {_config: input}
-		deploy: #Deployment & {
-			_config:         input
-			_serviceAccount: sa.metadata.name
-		}
-		service: #Service & {_config: input}}
-	if input.hpa.enabled == true {
-		out: hpa: #HorizontalPodAutoscaler & {_config: input}
-	}
-	if input.serviceMonitor.enabled == true {
-		out: serviceMonitor: #ServiceMonitor & {_config: input}
-	}
-	if input.ingress.enabled == true {
-		out: ingress: #Ingress & {_config: input}
-	}
-}

cue/podinfo/certificate.cue

@@ -1,24 +0,0 @@
-package podinfo
-
-import (
-	certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
-	"encoding/yaml"
-)
-
-#certConfig: {
-	dnsNames: [string]
-	tlsSecretName: string
-	issuerRef:     string
-}
-
-#Certificate: certmanv1.#Certificate & {
-	_config:    #Config
-	apiVersion: "v1"
-	kind:       "Certificate"
-	metadata:   _config.meta
-	spec:       certmanv1.#CertificateSpec & {
-		dnsNames:   _config.cert.dnsNames
-		secretName: _config.cert.tlsSecretName
-		issuerRef:  yaml.Marshal(_config.cert.issuerRef)
-	}
-}

cue/podinfo/config.cue

@@ -1,59 +0,0 @@
-package podinfo
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	corev1 "k8s.io/api/core/v1"
-)
-
-#Config: {
-	meta: metav1.#ObjectMeta
-	image: {
-		repository: *"ghcr.io/stefanprodan/podinfo" | string
-		tag:        string
-		pullPolicy: *"IfNotPresent" | string
-	}
-	selectorLabels: {
-		"app.kubernetes.io/name": meta.name
-	}
-	replicas: *1 | int
-	service:  #serviceConfig
-	host:     string
-	cache:    string
-	backends: [string]
-	logLevel: *"info" | string
-	faults: {
-		delay:     *false | bool
-		error:     *false | bool
-		unhealthy: *false | bool
-		unready:   *false | bool
-	}
-	h2c: {
-		enabled: *false | bool
-	}
-	ui: {
-		color:   *"#34577c" | string
-		message: *"" | string
-		logo:    *"" | string
-	}
-	podAnnotations: {[ string]: string}
-	securityContext: corev1.#PodSecurityContext
-	resources:       *{
-		requests: {
-			cpu:    "1m"
-			memory: "16Mi"
-		}
-	} | corev1.#ResourceRequirements
-	nodeSelector: {[ string]: string}
-	affinity: corev1.#Affinity
-	tolerations: [ ...corev1.#Toleration]
-	tls: {
-		enabled:    *false | bool
-		port:       *9899 | int
-		certPath:   *"/data/cert" | string
-		secretName: *"" | string
-	}
-	cert:           #certConfig
-	hpa:            #hpaConfig
-	ingress:        #ingressConfig
-	serviceMonitor: #serviceMonConfig
-}

cue/podinfo/deployment.cue

@@ -1,123 +0,0 @@
-package podinfo
-
-import (
-	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
-)
-
-#Deployment: appsv1.#Deployment & {
-	_config:         #Config
-	_serviceAccount: string
-	apiVersion:      "apps/v1"
-	kind:            "Deployment"
-	metadata:        _config.meta
-	spec:            appsv1.#DeploymentSpec & {
-		if _config.hpa.enabled == false {
-			replicas: _config.replicas
-		}
-		strategy: {
-			type: "RollingUpdate"
-			rollingUpdate: maxUnavailable: 1
-		}
-		selector: matchLabels: _config.selectorLabels
-		template: {
-			metadata: {
-				labels: _config.selectorLabels
-				annotations: {
-					"prometheus.io/scrape": "true"
-					"prometheus.io/port":   "\(_config.service.metricsPort)"
-					_config.podAnnotations
-				}
-			}
-			spec: corev1.#PodSpec & {
-				terminationGracePeriodSeconds: 30
-				serviceAccountName:            _serviceAccount
-				containers: [
-					{
-						name:            "podinfo"
-						image:           "\(_config.image.repository):\(_config.image.tag)"
-						imagePullPolicy: _config.image.pullPolicy
-						securityContext: _config.securityContext
-						command: [
-							"./podinfo",
-							"--port=\(_config.service.httpPort)",
-							"--port-metrics=\(_config.service.metricsPort)",
-							"--grpc-port=\(_config.service.grpcPort)",
-							"--level=\(_config.logLevel)",
-							"--random-delay=\(_config.faults.delay)",
-							"--random-error=\(_config.faults.error)",
-						]
-						ports: [
-							{
-								name:          "http"
-								containerPort: _config.service.httpPort
-								protocol:      "TCP"
-							},
-							{
-								name:          "http-metrics"
-								containerPort: _config.service.metricsPort
-								protocol:      "TCP"
-							},
-							{
-								name:          "grpc"
-								containerPort: _config.service.grpcPort
-								protocol:      "TCP"
-							},
-						]
-						livenessProbe: {
-							exec: {
-								command: [
-									"podcli",
-									"check",
-									"http",
-									"localhost:\(_config.service.httpPort)/healthz",
-								]
-							}
-							initialDelaySeconds: 1
-							timeoutSeconds:      5
-						}
-						readinessProbe: {
-							exec: {
-								command: [
-									"podcli",
-									"check",
-									"http",
-									"localhost:\(_config.service.httpPort)/readyz",
-								]
-							}
-							initialDelaySeconds: 1
-							timeoutSeconds:      5
-						}
-						volumeMounts: [
-							{
-								name:      "data"
-								mountPath: "/data"
-							},
-							if _config.tls.secretName != "" {
-								name:      "tls"
-								mountPath: _config.tls.certPath
-								readOnly:  true
-							},
-						]
-						resources: _config.resources
-					},
-				]
-				nodeSelector: _config.nodeSelector
-				affinity:     _config.affinity
-				tolerations:  _config.tolerations
-				volumes: [
-					{
-						name: "data"
-						emptyDir: {}
-					},
-					if _config.tls.secretName != "" {
-						name: "tls"
-						secret: {
-							secretName: _config.tls.secretName
-						}
-					},
-				]
-			}
-		}
-	}
-}

cue/podinfo/ingress.cue

@@ -1,48 +0,0 @@
-package podinfo
-
-import (
-	netv1 "k8s.io/api/networking/v1"
-)
-
-#ingressConfig: {
-	svcName:   string
-	svcPort:   int
-	enabled:   *false | bool
-	className: *"" | string
-	tls: [{
-		hosts: [string]
-		secretName: string
-	}]
-	hosts: [{
-		host: "podinfo.local"
-		paths: [{
-			path:     "/"
-			pathType: "ImplementationSpecific"
-		}]
-	}]
-}
-
-#Ingress: netv1.#Ingress & {
-	_config:    #Config
-	apiVersion: "networking.k8s.io/v1"
-	kind:       "Ingress"
-	metadata:   _config.meta
-	spec:       netv1.#IngressSpec & {
-		ingressClassName: _config.ingress.className
-		tls: [ for t in _config.ingress.tls {
-			hosts:      t.hosts
-			secretName: t.secretName
-		}]
-		rules: [ for h in _config.ingress.hosts {
-			host: h.host
-			http: paths: [ for p in h.paths {
-				path:     p.path
-				pathType: p.pathType
-				backend: service: {
-					name: _config.meta.name
-					port: number: _config.service.externalPort
-				}
-			}]
-		}]
-	}
-}

cue/podinfo/service.cue

@@ -1,43 +0,0 @@
-package podinfo
-
-import (
-	corev1 "k8s.io/api/core/v1"
-)
-
-#serviceConfig: {
-	type:         *"ClusterIP" | string
-	externalPort: *9898 | int
-	httpPort:     *9898 | int
-	metricsPort:  *9797 | int
-	grpcPort:     *9999 | int
-	grpcService:  "podinfo" | string
-	nodePort:     *31198 | int
-}
-
-#Service: corev1.#Service & {
-	_config:    #Config
-	apiVersion: "v1"
-	kind:       "Service"
-	metadata:   _config.meta
-	spec:       corev1.#ServiceSpec & {
-		type:     "ClusterIP"
-		selector: _config.selectorLabels
-		ports: [{
-			name:       "http"
-			port:       _config.service.externalPort
-			targetPort: _config.service.httpPort
-			protocol:   "TCP"
-		}, if _config.tls.enabled == true {
-			name:       "https"
-			port:       _config.tls.port
-			targetPort: "https"
-			protocol:   "TCP"
-		}, if _config.service.grpcPort != _|_ {
-			name:       "grpc"
-			port:       _config.service.grpcPort
-			targetPort: "grpc"
-			protocol:   "TCP"
-		},
-		]
-	}
-}

cue/podinfo/servicemonitor.cue

@@ -1,23 +0,0 @@
-package podinfo
-
-#serviceMonConfig: {
-	enabled:  *false | bool
-	interval: *"15s" | string
-	matchLabels: {}
-}
-
-#ServiceMonitor: {
-	_config:    #Config
-	apiVersion: "monitoring.coreos.com/v1"
-	kind:       "ServiceMonitor"
-	metadata:   _config.meta
-	spec: {
-		endpoints: [{
-			path:     "/metrics"
-			port:     "http"
-			interval: _config.serviceMonitor.interval
-		}]
-		namespaceSelector: matchNames: _config.meta.namespace
-		selector: matchLabels:         _config.selectorLabels
-	}
-}

deploy/bases/backend/deployment.yaml

@@ -23,7 +23,7 @@ spec:
     spec:
       containers:
       - name: backend
-        image: ghcr.io/stefanprodan/podinfo:6.1.3
+        image: ghcr.io/stefanprodan/podinfo:6.7.1
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
@@ -42,7 +42,7 @@ spec:
         - --grpc-port=9999
         - --grpc-service-name=backend
         - --level=info
-        - --cache-server=cache:6379
+        - --cache-server=tcp://cache:6379
         env:
         - name: PODINFO_UI_COLOR
           value: "#34577c"

deploy/bases/backend/hpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: backend

deploy/bases/cache/deployment.yaml

@@ -13,7 +13,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:6.0.1
+          image: redis:7.0.7
           imagePullPolicy: IfNotPresent
           command:
             - redis-server

deploy/bases/frontend/deployment.yaml

@@ -23,7 +23,7 @@ spec:
     spec:
       containers:
       - name: frontend
-        image: ghcr.io/stefanprodan/podinfo:6.1.3
+        image: ghcr.io/stefanprodan/podinfo:6.7.1
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
@@ -41,7 +41,7 @@ spec:
         - --port-metrics=9797
         - --level=info
         - --backend-url=http://backend:9898/echo
-        - --cache-server=cache:6379
+        - --cache-server=tcp://cache:6379
         env:
         - name: PODINFO_UI_COLOR
           value: "#34577c"

deploy/bases/frontend/hpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: frontend

deploy/secure/backend/hpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: backend

deploy/secure/frontend/hpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: frontend

deploy/webapp/backend/deployment.yaml

@@ -25,7 +25,7 @@ spec:
       serviceAccountName: webapp
       containers:
       - name: backend
-        image: ghcr.io/stefanprodan/podinfo:6.1.3
+        image: ghcr.io/stefanprodan/podinfo:6.7.1
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

deploy/webapp/backend/hpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: backend

deploy/webapp/frontend/deployment.yaml

@@ -25,7 +25,7 @@ spec:
       serviceAccountName: webapp
       containers:
       - name: frontend
-        image: ghcr.io/stefanprodan/podinfo:6.1.3
+        image: ghcr.io/stefanprodan/podinfo:6.7.1
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

deploy/webapp/frontend/hpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: frontend

go.mod

@@ -1,84 +1,89 @@
 module github.com/stefanprodan/podinfo
 
-go 1.17
+go 1.23
 
 require (
-	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
-	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e
-	github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1
-	github.com/fatih/color v1.9.0
-	github.com/fsnotify/fsnotify v1.4.9
-	github.com/gomodule/redigo v1.8.4
-	github.com/gorilla/mux v1.8.0
-	github.com/gorilla/websocket v1.4.2
-	github.com/prometheus/client_golang v1.11.0
-	github.com/spf13/cobra v1.2.1
+	github.com/chzyer/readline v1.5.1
+	github.com/fatih/color v1.17.0
+	github.com/fsnotify/fsnotify v1.7.0
+	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/gomodule/redigo v1.9.2
+	github.com/gorilla/mux v1.8.1
+	github.com/gorilla/websocket v1.5.3
+	github.com/prometheus/client_golang v1.20.4
+	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.8.1
-	github.com/swaggo/http-swagger v1.0.0
-	github.com/swaggo/swag v1.7.6
-	go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.28.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.28.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.28.0
-	go.opentelemetry.io/contrib/propagators/aws v1.3.0
-	go.opentelemetry.io/contrib/propagators/b3 v1.3.0
-	go.opentelemetry.io/contrib/propagators/jaeger v1.3.0
-	go.opentelemetry.io/contrib/propagators/ot v1.3.0
-	go.opentelemetry.io/otel v1.3.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.3.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.3.0
-	go.opentelemetry.io/otel/sdk v1.3.0
-	go.opentelemetry.io/otel/trace v1.3.0
-	go.uber.org/zap v1.19.1
-	golang.org/x/net v0.0.0-20211216030914-fe4d6282115f
-	google.golang.org/grpc v1.43.0
+	github.com/spf13/viper v1.19.0
+	github.com/swaggo/http-swagger v1.3.4
+	github.com/swaggo/swag v1.16.3
+	go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.55.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.55.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0
+	go.opentelemetry.io/contrib/propagators/aws v1.30.0
+	go.opentelemetry.io/contrib/propagators/b3 v1.30.0
+	go.opentelemetry.io/contrib/propagators/jaeger v1.30.0
+	go.opentelemetry.io/contrib/propagators/ot v1.30.0
+	go.opentelemetry.io/otel v1.30.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.30.0
+	go.opentelemetry.io/otel/sdk v1.30.0
+	go.opentelemetry.io/otel/trace v1.30.0
+	go.uber.org/zap v1.27.0
+	golang.org/x/net v0.30.0
+	google.golang.org/grpc v1.67.1
+	google.golang.org/protobuf v1.35.0
 )
 
+// Fix CVE-2022-32149
+replace golang.org/x/text => golang.org/x/text v0.19.0
+
+// Fix CVE-2022-28948
+replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
+
 require (
 	github.com/KyleBanks/depth v1.2.1 // indirect
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.2 // indirect
-	github.com/cespare/xxhash/v2 v2.1.1 // indirect
-	github.com/felixge/httpsnoop v1.0.2 // indirect
-	github.com/go-logr/logr v1.2.1 // indirect
-	github.com/go-logr/stdr v1.2.0 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/spec v0.20.3 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/magiconair/properties v1.8.5 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
-	github.com/mattn/go-colorable v0.1.4 // indirect
-	github.com/mattn/go-isatty v0.0.12 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
-	github.com/mitchellh/mapstructure v1.4.1 // indirect
-	github.com/pelletier/go-toml v1.9.3 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.26.0 // indirect
-	github.com/prometheus/procfs v0.6.0 // indirect
-	github.com/spf13/afero v1.6.0 // indirect
-	github.com/spf13/cast v1.3.1 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/subosito/gotenv v1.2.0 // indirect
-	github.com/swaggo/files v0.0.0-20190704085106-630677cd5c14 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.3.0 // indirect
-	go.opentelemetry.io/otel/internal/metric v0.26.0 // indirect
-	go.opentelemetry.io/otel/metric v0.26.0 // indirect
-	go.opentelemetry.io/proto/otlp v0.11.0 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40 // indirect
-	golang.org/x/text v0.3.6 // indirect
-	golang.org/x/tools v0.1.5 // indirect
-	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
-	google.golang.org/protobuf v1.27.1 // indirect
-	gopkg.in/ini.v1 v1.62.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
+	github.com/klauspost/compress v1.17.9 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/swaggo/files v1.0.1 // indirect
+	go.opentelemetry.io/otel/metric v1.30.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
+	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/tools v0.26.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

kustomize/deployment.yaml

@@ -23,7 +23,7 @@ spec:
     spec:
       containers:
       - name: podinfod
-        image: ghcr.io/stefanprodan/podinfo:6.1.3
+        image: ghcr.io/stefanprodan/podinfo:6.7.1
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
@@ -72,3 +72,9 @@ spec:
           requests:
             cpu: 100m
             memory: 64Mi
+        volumeMounts:
+          - name: data
+            mountPath: /data
+      volumes:
+        - name: data
+          emptyDir: {}

kustomize/hpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: podinfo

kustomize/kustomization.yaml

@@ -4,4 +4,3 @@ resources:
   - hpa.yaml
   - deployment.yaml
   - service.yaml
-

pkg/api/echo_test.go

@@ -1,34 +0,0 @@
-package api
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-)
-
-func TestEchoHandler(t *testing.T) {
-	expected := `{"test": true}`
-	req, err := http.NewRequest("POST", "/api/echo", strings.NewReader(expected))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	rr := httptest.NewRecorder()
-	srv := NewMockServer()
-	handler := http.HandlerFunc(srv.echoHandler)
-
-	handler.ServeHTTP(rr, req)
-
-	// Check the status code is what we expect.
-	if status := rr.Code; status != http.StatusAccepted {
-		t.Errorf("handler returned wrong status code: got %v want %v",
-			status, http.StatusAccepted)
-	}
-
-	// Check the response body is what we expect.
-	if rr.Body.String() != expected {
-		t.Fatalf("handler returned unexpected body:\ngot \n%v \nwant \n%s",
-			rr.Body.String(), expected)
-	}
-}

pkg/api/grpc/delay.go

@@ -0,0 +1,21 @@
+package grpc
+
+import (
+	"context"
+	"time"
+
+	pb "github.com/stefanprodan/podinfo/pkg/api/grpc/delay"
+	"go.uber.org/zap"
+)
+
+type DelayServer struct {
+	pb.UnimplementedDelayServiceServer
+	config *Config
+	logger *zap.Logger
+}
+
+func (s *DelayServer) Delay(ctx context.Context, delayInput *pb.DelayRequest) (*pb.DelayResponse, error) {
+
+	time.Sleep(time.Duration(delayInput.Seconds) * time.Second)
+	return &pb.DelayResponse{Message: delayInput.Seconds}, nil
+}

pkg/api/grpc/delay/delay.pb.go

@@ -0,0 +1,211 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.28.1
+// 	protoc        v4.25.0
+// source: delay/delay.proto
+
+package delay
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type DelayRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Seconds int64 `protobuf:"varint,1,opt,name=seconds,proto3" json:"seconds,omitempty"`
+}
+
+func (x *DelayRequest) Reset() {
+	*x = DelayRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_delay_delay_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DelayRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DelayRequest) ProtoMessage() {}
+
+func (x *DelayRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_delay_delay_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DelayRequest.ProtoReflect.Descriptor instead.
+func (*DelayRequest) Descriptor() ([]byte, []int) {
+	return file_delay_delay_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *DelayRequest) GetSeconds() int64 {
+	if x != nil {
+		return x.Seconds
+	}
+	return 0
+}
+
+type DelayResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Message int64 `protobuf:"varint,1,opt,name=message,proto3" json:"message,omitempty"`
+}
+
+func (x *DelayResponse) Reset() {
+	*x = DelayResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_delay_delay_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DelayResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DelayResponse) ProtoMessage() {}
+
+func (x *DelayResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_delay_delay_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DelayResponse.ProtoReflect.Descriptor instead.
+func (*DelayResponse) Descriptor() ([]byte, []int) {
+	return file_delay_delay_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *DelayResponse) GetMessage() int64 {
+	if x != nil {
+		return x.Message
+	}
+	return 0
+}
+
+var File_delay_delay_proto protoreflect.FileDescriptor
+
+var file_delay_delay_proto_rawDesc = []byte{
+	0x0a, 0x11, 0x64, 0x65, 0x6c, 0x61, 0x79, 0x2f, 0x64, 0x65, 0x6c, 0x61, 0x79, 0x2e, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x12, 0x05, 0x64, 0x65, 0x6c, 0x61, 0x79, 0x22, 0x28, 0x0a, 0x0c, 0x44, 0x65,
+	0x6c, 0x61, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x65,
+	0x63, 0x6f, 0x6e, 0x64, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x73, 0x65, 0x63,
+	0x6f, 0x6e, 0x64, 0x73, 0x22, 0x29, 0x0a, 0x0d, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x32,
+	0x44, 0x0a, 0x0c, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12,
+	0x34, 0x0a, 0x05, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x12, 0x13, 0x2e, 0x64, 0x65, 0x6c, 0x61, 0x79,
+	0x2e, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e,
+	0x64, 0x65, 0x6c, 0x61, 0x79, 0x2e, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x09, 0x5a, 0x07, 0x2e, 0x2f, 0x64, 0x65, 0x6c, 0x61, 0x79,
+	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_delay_delay_proto_rawDescOnce sync.Once
+	file_delay_delay_proto_rawDescData = file_delay_delay_proto_rawDesc
+)
+
+func file_delay_delay_proto_rawDescGZIP() []byte {
+	file_delay_delay_proto_rawDescOnce.Do(func() {
+		file_delay_delay_proto_rawDescData = protoimpl.X.CompressGZIP(file_delay_delay_proto_rawDescData)
+	})
+	return file_delay_delay_proto_rawDescData
+}
+
+var file_delay_delay_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_delay_delay_proto_goTypes = []interface{}{
+	(*DelayRequest)(nil),  // 0: delay.DelayRequest
+	(*DelayResponse)(nil), // 1: delay.DelayResponse
+}
+var file_delay_delay_proto_depIdxs = []int32{
+	0, // 0: delay.DelayService.Delay:input_type -> delay.DelayRequest
+	1, // 1: delay.DelayService.Delay:output_type -> delay.DelayResponse
+	1, // [1:2] is the sub-list for method output_type
+	0, // [0:1] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_delay_delay_proto_init() }
+func file_delay_delay_proto_init() {
+	if File_delay_delay_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_delay_delay_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DelayRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_delay_delay_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DelayResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_delay_delay_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_delay_delay_proto_goTypes,
+		DependencyIndexes: file_delay_delay_proto_depIdxs,
+		MessageInfos:      file_delay_delay_proto_msgTypes,
+	}.Build()
+	File_delay_delay_proto = out.File
+	file_delay_delay_proto_rawDesc = nil
+	file_delay_delay_proto_goTypes = nil
+	file_delay_delay_proto_depIdxs = nil
+}

pkg/api/grpc/delay/delay.proto

@@ -0,0 +1,17 @@
+syntax = "proto3";
+
+option go_package = "./delay";
+
+package delay;
+
+message DelayRequest {
+    int64 seconds = 1;
+}
+
+message DelayResponse {
+    int64 message = 1;
+}
+
+service DelayService {
+    rpc Delay (DelayRequest) returns (DelayResponse) {}
+}

pkg/api/grpc/delay/delay_grpc.pb.go

@@ -0,0 +1,105 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.2.0
+// - protoc             v4.25.0
+// source: delay/delay.proto
+
+package delay
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+// DelayServiceClient is the client API for DelayService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type DelayServiceClient interface {
+	Delay(ctx context.Context, in *DelayRequest, opts ...grpc.CallOption) (*DelayResponse, error)
+}
+
+type delayServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewDelayServiceClient(cc grpc.ClientConnInterface) DelayServiceClient {
+	return &delayServiceClient{cc}
+}
+
+func (c *delayServiceClient) Delay(ctx context.Context, in *DelayRequest, opts ...grpc.CallOption) (*DelayResponse, error) {
+	out := new(DelayResponse)
+	err := c.cc.Invoke(ctx, "/delay.DelayService/Delay", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// DelayServiceServer is the server API for DelayService service.
+// All implementations must embed UnimplementedDelayServiceServer
+// for forward compatibility
+type DelayServiceServer interface {
+	Delay(context.Context, *DelayRequest) (*DelayResponse, error)
+	mustEmbedUnimplementedDelayServiceServer()
+}
+
+// UnimplementedDelayServiceServer must be embedded to have forward compatible implementations.
+type UnimplementedDelayServiceServer struct {
+}
+
+func (UnimplementedDelayServiceServer) Delay(context.Context, *DelayRequest) (*DelayResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Delay not implemented")
+}
+func (UnimplementedDelayServiceServer) mustEmbedUnimplementedDelayServiceServer() {}
+
+// UnsafeDelayServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to DelayServiceServer will
+// result in compilation errors.
+type UnsafeDelayServiceServer interface {
+	mustEmbedUnimplementedDelayServiceServer()
+}
+
+func RegisterDelayServiceServer(s grpc.ServiceRegistrar, srv DelayServiceServer) {
+	s.RegisterService(&DelayService_ServiceDesc, srv)
+}
+
+func _DelayService_Delay_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DelayRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DelayServiceServer).Delay(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/delay.DelayService/Delay",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DelayServiceServer).Delay(ctx, req.(*DelayRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// DelayService_ServiceDesc is the grpc.ServiceDesc for DelayService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var DelayService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "delay.DelayService",
+	HandlerType: (*DelayServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Delay",
+			Handler:    _DelayService_Delay_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "delay/delay.proto",
+}

pkg/api/grpc/delay_test.go

@@ -0,0 +1,75 @@
+package grpc
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net"
+	"regexp"
+	"strconv"
+	"testing"
+
+	"github.com/stefanprodan/podinfo/pkg/api/grpc/delay"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/status"
+	"google.golang.org/grpc/test/bufconn"
+)
+
+func TestGrpcDelay(t *testing.T) {
+
+	// Server initialization
+	// bufconn => uses in-memory connection instead of system network I/O
+	lis := bufconn.Listen(1024 * 1024)
+	t.Cleanup(func() {
+		lis.Close()
+	})
+
+	srv := grpc.NewServer()
+	t.Cleanup(func() {
+		srv.Stop()
+	})
+
+	delay.RegisterDelayServiceServer(srv, &DelayServer{})
+
+	go func() {
+		if err := srv.Serve(lis); err != nil {
+			log.Fatalf("srv.Serve %v", err)
+		}
+	}()
+
+	// - Test
+	dialer := func(context.Context, string) (net.Conn, error) {
+		return lis.Dial()
+	}
+
+	ctx := context.Background()
+
+	conn, err := grpc.DialContext(ctx, "", grpc.WithContextDialer(dialer), grpc.WithInsecure())
+	t.Cleanup(func() {
+		conn.Close()
+	})
+
+	if err != nil {
+		t.Fatalf("grpc.DialContext %v", err)
+	}
+
+	client := delay.NewDelayServiceClient(conn)
+	res, err := client.Delay(context.Background(), &delay.DelayRequest{Seconds: 3})
+
+	// Check the status code is what we expect.
+	if _, ok := status.FromError(err); !ok {
+		t.Errorf("Delay returned type %T, want %T", err, status.Error)
+	}
+
+	if res != nil {
+		fmt.Printf("res %v\n", res)
+	}
+
+	// Check the response body is what we expect. Here we expect the response to be "3" as the delay is set to 3 seconds.
+	expected := "3"
+	r := regexp.MustCompile(expected)
+	if !r.MatchString(strconv.FormatInt(res.Message, 10)) {
+		t.Fatalf("Returned unexpected body:\ngot \n%v \nwant \n%s",
+			res.Message, expected)
+	}
+}

pkg/api/grpc/echo.go

@@ -0,0 +1,20 @@
+package grpc
+
+import (
+	"context"
+
+	"github.com/stefanprodan/podinfo/pkg/api/grpc/echo"
+	"go.uber.org/zap"
+)
+
+type echoServer struct {
+	echo.UnimplementedEchoServiceServer
+	config *Config
+	logger *zap.Logger
+}
+
+func (s *echoServer) Echo(ctx context.Context, message *echo.Message) (*echo.Message, error) {
+
+	s.logger.Info("Received message body from client:", zap.String("input body", message.Body))
+	return &echo.Message{Body: message.Body}, nil
+}

pkg/api/grpc/echo/echo.pb.go

@@ -0,0 +1,146 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.26.0
+// 	protoc        v4.24.3
+// source: echo/echo.proto
+
+package echo
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type Message struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Body string `protobuf:"bytes,1,opt,name=body,proto3" json:"body,omitempty"`
+}
+
+func (x *Message) Reset() {
+	*x = Message{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_echo_echo_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Message) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Message) ProtoMessage() {}
+
+func (x *Message) ProtoReflect() protoreflect.Message {
+	mi := &file_echo_echo_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Message.ProtoReflect.Descriptor instead.
+func (*Message) Descriptor() ([]byte, []int) {
+	return file_echo_echo_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Message) GetBody() string {
+	if x != nil {
+		return x.Body
+	}
+	return ""
+}
+
+var File_echo_echo_proto protoreflect.FileDescriptor
+
+var file_echo_echo_proto_rawDesc = []byte{
+	0x0a, 0x0f, 0x65, 0x63, 0x68, 0x6f, 0x2f, 0x65, 0x63, 0x68, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x12, 0x04, 0x65, 0x63, 0x68, 0x6f, 0x22, 0x1d, 0x0a, 0x07, 0x4d, 0x65, 0x73, 0x73, 0x61,
+	0x67, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x32, 0x35, 0x0a, 0x0b, 0x45, 0x63, 0x68, 0x6f, 0x53, 0x65,
+	0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x26, 0x0a, 0x04, 0x45, 0x63, 0x68, 0x6f, 0x12, 0x0d, 0x2e,
+	0x65, 0x63, 0x68, 0x6f, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x0d, 0x2e, 0x65,
+	0x63, 0x68, 0x6f, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x42, 0x08, 0x5a,
+	0x06, 0x2e, 0x2f, 0x65, 0x63, 0x68, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_echo_echo_proto_rawDescOnce sync.Once
+	file_echo_echo_proto_rawDescData = file_echo_echo_proto_rawDesc
+)
+
+func file_echo_echo_proto_rawDescGZIP() []byte {
+	file_echo_echo_proto_rawDescOnce.Do(func() {
+		file_echo_echo_proto_rawDescData = protoimpl.X.CompressGZIP(file_echo_echo_proto_rawDescData)
+	})
+	return file_echo_echo_proto_rawDescData
+}
+
+var file_echo_echo_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_echo_echo_proto_goTypes = []interface{}{
+	(*Message)(nil), // 0: echo.Message
+}
+var file_echo_echo_proto_depIdxs = []int32{
+	0, // 0: echo.EchoService.Echo:input_type -> echo.Message
+	0, // 1: echo.EchoService.Echo:output_type -> echo.Message
+	1, // [1:2] is the sub-list for method output_type
+	0, // [0:1] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_echo_echo_proto_init() }
+func file_echo_echo_proto_init() {
+	if File_echo_echo_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_echo_echo_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Message); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_echo_echo_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_echo_echo_proto_goTypes,
+		DependencyIndexes: file_echo_echo_proto_depIdxs,
+		MessageInfos:      file_echo_echo_proto_msgTypes,
+	}.Build()
+	File_echo_echo_proto = out.File
+	file_echo_echo_proto_rawDesc = nil
+	file_echo_echo_proto_goTypes = nil
+	file_echo_echo_proto_depIdxs = nil
+}

pkg/api/grpc/echo/echo.proto

@@ -0,0 +1,14 @@
+syntax = "proto3";
+
+option go_package = "./echo";
+
+package echo;
+
+message Message {
+    string body = 1;
+}
+
+
+service EchoService {
+    rpc Echo(Message) returns (Message) {}
+}

pkg/api/grpc/echo/echo_grpc.pb.go

@@ -0,0 +1,109 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.3.0
+// - protoc             v4.24.3
+// source: echo/echo.proto
+
+package echo
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+const (
+	EchoService_Echo_FullMethodName = "/echo.EchoService/Echo"
+)
+
+// EchoServiceClient is the client API for EchoService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type EchoServiceClient interface {
+	Echo(ctx context.Context, in *Message, opts ...grpc.CallOption) (*Message, error)
+}
+
+type echoServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewEchoServiceClient(cc grpc.ClientConnInterface) EchoServiceClient {
+	return &echoServiceClient{cc}
+}
+
+func (c *echoServiceClient) Echo(ctx context.Context, in *Message, opts ...grpc.CallOption) (*Message, error) {
+	out := new(Message)
+	err := c.cc.Invoke(ctx, EchoService_Echo_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// EchoServiceServer is the server API for EchoService service.
+// All implementations must embed UnimplementedEchoServiceServer
+// for forward compatibility
+type EchoServiceServer interface {
+	Echo(context.Context, *Message) (*Message, error)
+	mustEmbedUnimplementedEchoServiceServer()
+}
+
+// UnimplementedEchoServiceServer must be embedded to have forward compatible implementations.
+type UnimplementedEchoServiceServer struct {
+}
+
+func (UnimplementedEchoServiceServer) Echo(context.Context, *Message) (*Message, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Echo not implemented")
+}
+func (UnimplementedEchoServiceServer) mustEmbedUnimplementedEchoServiceServer() {}
+
+// UnsafeEchoServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to EchoServiceServer will
+// result in compilation errors.
+type UnsafeEchoServiceServer interface {
+	mustEmbedUnimplementedEchoServiceServer()
+}
+
+func RegisterEchoServiceServer(s grpc.ServiceRegistrar, srv EchoServiceServer) {
+	s.RegisterService(&EchoService_ServiceDesc, srv)
+}
+
+func _EchoService_Echo_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(Message)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(EchoServiceServer).Echo(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: EchoService_Echo_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(EchoServiceServer).Echo(ctx, req.(*Message))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// EchoService_ServiceDesc is the grpc.ServiceDesc for EchoService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var EchoService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "echo.EchoService",
+	HandlerType: (*EchoServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Echo",
+			Handler:    _EchoService_Echo_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "echo/echo.proto",
+}

pkg/api/grpc/echo_test.go

@@ -0,0 +1,65 @@
+package grpc
+
+import (
+	"context"
+	"log"
+	"net"
+	"regexp"
+	"testing"
+
+	"github.com/stefanprodan/podinfo/pkg/api/grpc/echo"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/status"
+	"google.golang.org/grpc/test/bufconn"
+)
+
+func TestGrpcEcho(t *testing.T) {
+
+	lis := bufconn.Listen(1024 * 1024)
+	t.Cleanup(func() {
+		lis.Close()
+	})
+
+	s := NewMockGrpcServer()
+	srv := grpc.NewServer()
+	t.Cleanup(func() {
+		srv.Stop()
+	})
+
+	echo.RegisterEchoServiceServer(srv, &echoServer{config: s.config, logger: s.logger})
+
+	go func() {
+		if err := srv.Serve(lis); err != nil {
+			log.Fatalf("srv.Serve %v", err)
+		}
+	}()
+
+	dialer := func(context.Context, string) (net.Conn, error) {
+		return lis.Dial()
+	}
+
+	ctx := context.Background()
+
+	conn, err := grpc.DialContext(ctx, "", grpc.WithContextDialer(dialer), grpc.WithInsecure())
+	t.Cleanup(func() {
+		conn.Close()
+	})
+
+	if err != nil {
+		t.Fatalf("grpc.DialContext %v", err)
+	}
+
+	client := echo.NewEchoServiceClient(conn)
+	res, err := client.Echo(context.Background(), &echo.Message{Body: "test123-test"})
+
+	if _, ok := status.FromError(err); !ok {
+		t.Errorf("Echo returned type %T, want %T", err, status.Error)
+	}
+
+	expected := ".*body.*test123-test.*"
+	r := regexp.MustCompile(expected)
+	if !r.MatchString(res.String()) {
+		t.Fatalf("Returned unexpected body:\ngot \n%v \nwant \n%s",
+			res, expected)
+	}
+}

pkg/api/grpc/env.go

@@ -0,0 +1,19 @@
+package grpc
+
+import (
+	"context"
+	"go.uber.org/zap"
+	"os"
+
+	pb "github.com/stefanprodan/podinfo/pkg/api/grpc/env"
+)
+
+type EnvServer struct {
+	pb.UnimplementedEnvServiceServer
+	config *Config
+	logger *zap.Logger
+}
+
+func (s *EnvServer) Env(ctx context.Context, envInput *pb.EnvRequest) (*pb.EnvResponse, error) {
+	return &pb.EnvResponse{EnvVars: os.Environ()}, nil
+}

pkg/api/grpc/env/env.pb.go

@@ -0,0 +1,199 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.28.1
+// 	protoc        v4.25.0
+// source: env/env.proto
+
+package env
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type EnvRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *EnvRequest) Reset() {
+	*x = EnvRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_env_env_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *EnvRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EnvRequest) ProtoMessage() {}
+
+func (x *EnvRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_env_env_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EnvRequest.ProtoReflect.Descriptor instead.
+func (*EnvRequest) Descriptor() ([]byte, []int) {
+	return file_env_env_proto_rawDescGZIP(), []int{0}
+}
+
+type EnvResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	EnvVars []string `protobuf:"bytes,1,rep,name=envVars,proto3" json:"envVars,omitempty"`
+}
+
+func (x *EnvResponse) Reset() {
+	*x = EnvResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_env_env_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *EnvResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EnvResponse) ProtoMessage() {}
+
+func (x *EnvResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_env_env_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EnvResponse.ProtoReflect.Descriptor instead.
+func (*EnvResponse) Descriptor() ([]byte, []int) {
+	return file_env_env_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *EnvResponse) GetEnvVars() []string {
+	if x != nil {
+		return x.EnvVars
+	}
+	return nil
+}
+
+var File_env_env_proto protoreflect.FileDescriptor
+
+var file_env_env_proto_rawDesc = []byte{
+	0x0a, 0x0d, 0x65, 0x6e, 0x76, 0x2f, 0x65, 0x6e, 0x76, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
+	0x03, 0x65, 0x6e, 0x76, 0x22, 0x0c, 0x0a, 0x0a, 0x45, 0x6e, 0x76, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x22, 0x27, 0x0a, 0x0b, 0x45, 0x6e, 0x76, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x6e, 0x76, 0x56, 0x61, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03,
+	0x28, 0x09, 0x52, 0x07, 0x65, 0x6e, 0x76, 0x56, 0x61, 0x72, 0x73, 0x32, 0x38, 0x0a, 0x0a, 0x45,
+	0x6e, 0x76, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x2a, 0x0a, 0x03, 0x45, 0x6e, 0x76,
+	0x12, 0x0f, 0x2e, 0x65, 0x6e, 0x76, 0x2e, 0x45, 0x6e, 0x76, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x1a, 0x10, 0x2e, 0x65, 0x6e, 0x76, 0x2e, 0x45, 0x6e, 0x76, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x07, 0x5a, 0x05, 0x2e, 0x2f, 0x65, 0x6e, 0x76, 0x62, 0x06,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_env_env_proto_rawDescOnce sync.Once
+	file_env_env_proto_rawDescData = file_env_env_proto_rawDesc
+)
+
+func file_env_env_proto_rawDescGZIP() []byte {
+	file_env_env_proto_rawDescOnce.Do(func() {
+		file_env_env_proto_rawDescData = protoimpl.X.CompressGZIP(file_env_env_proto_rawDescData)
+	})
+	return file_env_env_proto_rawDescData
+}
+
+var file_env_env_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_env_env_proto_goTypes = []interface{}{
+	(*EnvRequest)(nil),  // 0: env.EnvRequest
+	(*EnvResponse)(nil), // 1: env.EnvResponse
+}
+var file_env_env_proto_depIdxs = []int32{
+	0, // 0: env.EnvService.Env:input_type -> env.EnvRequest
+	1, // 1: env.EnvService.Env:output_type -> env.EnvResponse
+	1, // [1:2] is the sub-list for method output_type
+	0, // [0:1] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_env_env_proto_init() }
+func file_env_env_proto_init() {
+	if File_env_env_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_env_env_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*EnvRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_env_env_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*EnvResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_env_env_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_env_env_proto_goTypes,
+		DependencyIndexes: file_env_env_proto_depIdxs,
+		MessageInfos:      file_env_env_proto_msgTypes,
+	}.Build()
+	File_env_env_proto = out.File
+	file_env_env_proto_rawDesc = nil
+	file_env_env_proto_goTypes = nil
+	file_env_env_proto_depIdxs = nil
+}

pkg/api/grpc/env/env.proto

@@ -0,0 +1,15 @@
+syntax = "proto3";
+
+option go_package = "./env";
+
+package env;
+
+message EnvRequest {}
+
+message EnvResponse {
+    repeated string envVars = 1;
+}
+
+service EnvService {
+    rpc Env (EnvRequest) returns (EnvResponse) {}
+}

pkg/api/grpc/env/env_grpc.pb.go

@@ -0,0 +1,105 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.2.0
+// - protoc             v4.25.0
+// source: env/env.proto
+
+package env
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+// EnvServiceClient is the client API for EnvService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type EnvServiceClient interface {
+	Env(ctx context.Context, in *EnvRequest, opts ...grpc.CallOption) (*EnvResponse, error)
+}
+
+type envServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewEnvServiceClient(cc grpc.ClientConnInterface) EnvServiceClient {
+	return &envServiceClient{cc}
+}
+
+func (c *envServiceClient) Env(ctx context.Context, in *EnvRequest, opts ...grpc.CallOption) (*EnvResponse, error) {
+	out := new(EnvResponse)
+	err := c.cc.Invoke(ctx, "/env.EnvService/Env", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// EnvServiceServer is the server API for EnvService service.
+// All implementations must embed UnimplementedEnvServiceServer
+// for forward compatibility
+type EnvServiceServer interface {
+	Env(context.Context, *EnvRequest) (*EnvResponse, error)
+	mustEmbedUnimplementedEnvServiceServer()
+}
+
+// UnimplementedEnvServiceServer must be embedded to have forward compatible implementations.
+type UnimplementedEnvServiceServer struct {
+}
+
+func (UnimplementedEnvServiceServer) Env(context.Context, *EnvRequest) (*EnvResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Env not implemented")
+}
+func (UnimplementedEnvServiceServer) mustEmbedUnimplementedEnvServiceServer() {}
+
+// UnsafeEnvServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to EnvServiceServer will
+// result in compilation errors.
+type UnsafeEnvServiceServer interface {
+	mustEmbedUnimplementedEnvServiceServer()
+}
+
+func RegisterEnvServiceServer(s grpc.ServiceRegistrar, srv EnvServiceServer) {
+	s.RegisterService(&EnvService_ServiceDesc, srv)
+}
+
+func _EnvService_Env_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(EnvRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(EnvServiceServer).Env(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/env.EnvService/Env",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(EnvServiceServer).Env(ctx, req.(*EnvRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// EnvService_ServiceDesc is the grpc.ServiceDesc for EnvService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var EnvService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "env.EnvService",
+	HandlerType: (*EnvServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Env",
+			Handler:    _EnvService_Env_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "env/env.proto",
+}

pkg/api/grpc/env_test.go

@@ -0,0 +1,64 @@
+package grpc
+
+import (
+	"context"
+	"log"
+	"net"
+	"regexp"
+	"testing"
+
+	"github.com/stefanprodan/podinfo/pkg/api/grpc/env"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/status"
+	"google.golang.org/grpc/test/bufconn"
+)
+
+func TestGrpcEnv(t *testing.T) {
+
+	lis := bufconn.Listen(1024 * 1024)
+	t.Cleanup(func() {
+		lis.Close()
+	})
+
+	srv := grpc.NewServer()
+	t.Cleanup(func() {
+		srv.Stop()
+	})
+
+	env.RegisterEnvServiceServer(srv, &EnvServer{})
+
+	go func() {
+		if err := srv.Serve(lis); err != nil {
+			log.Fatalf("srv.Serve %v", err)
+		}
+	}()
+
+	dialer := func(context.Context, string) (net.Conn, error) {
+		return lis.Dial()
+	}
+
+	ctx := context.Background()
+
+	conn, err := grpc.DialContext(ctx, "", grpc.WithContextDialer(dialer), grpc.WithInsecure())
+	t.Cleanup(func() {
+		conn.Close()
+	})
+
+	if err != nil {
+		t.Fatalf("grpc.DialContext %v", err)
+	}
+
+	client := env.NewEnvServiceClient(conn)
+	res, err := client.Env(context.Background(), &env.EnvRequest{})
+
+	if _, ok := status.FromError(err); !ok {
+		t.Errorf("Env returned type %T, want %T", err, status.Error)
+	}
+
+	expected := ".*PATH.*"
+	r := regexp.MustCompile(expected)
+	if !r.MatchString(res.String()) {
+		t.Fatalf("Returned unexpected body:\ngot \n%v \nwant \n%s",
+			res, expected)
+	}
+}

pkg/api/grpc/headers.go

@@ -0,0 +1,34 @@
+package grpc
+
+import (
+	"context"
+	"strings"
+
+	pb "github.com/stefanprodan/podinfo/pkg/api/grpc/headers"
+	"go.uber.org/zap"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+)
+
+type HeaderServer struct {
+	pb.UnimplementedHeaderServiceServer
+	config *Config
+	logger *zap.Logger
+}
+
+func (s *HeaderServer) Header(ctx context.Context, in *pb.HeaderRequest) (*pb.HeaderResponse, error) {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return nil, status.Errorf(codes.DataLoss, "UnaryEcho: failed to get metadata")
+	}
+
+	// Creating slices beacause echoing the header metadata can't be predetermined by the proto contract
+	res := []string{}
+	for i, e := range md {
+		res = append(res, i+"="+strings.Join(e, ","))
+	}
+
+	return &pb.HeaderResponse{Headers: res}, nil
+
+}

pkg/api/grpc/headers/headers.pb.go

@@ -0,0 +1,201 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.28.1
+// 	protoc        v4.25.0
+// source: headers/headers.proto
+
+package header
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type HeaderRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *HeaderRequest) Reset() {
+	*x = HeaderRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_headers_headers_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *HeaderRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*HeaderRequest) ProtoMessage() {}
+
+func (x *HeaderRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_headers_headers_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use HeaderRequest.ProtoReflect.Descriptor instead.
+func (*HeaderRequest) Descriptor() ([]byte, []int) {
+	return file_headers_headers_proto_rawDescGZIP(), []int{0}
+}
+
+type HeaderResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Headers []string `protobuf:"bytes,1,rep,name=headers,proto3" json:"headers,omitempty"`
+}
+
+func (x *HeaderResponse) Reset() {
+	*x = HeaderResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_headers_headers_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *HeaderResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*HeaderResponse) ProtoMessage() {}
+
+func (x *HeaderResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_headers_headers_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use HeaderResponse.ProtoReflect.Descriptor instead.
+func (*HeaderResponse) Descriptor() ([]byte, []int) {
+	return file_headers_headers_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *HeaderResponse) GetHeaders() []string {
+	if x != nil {
+		return x.Headers
+	}
+	return nil
+}
+
+var File_headers_headers_proto protoreflect.FileDescriptor
+
+var file_headers_headers_proto_rawDesc = []byte{
+	0x0a, 0x15, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72,
+	0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x22,
+	0x0f, 0x0a, 0x0d, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x22, 0x2a, 0x0a, 0x0e, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20,
+	0x03, 0x28, 0x09, 0x52, 0x07, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x32, 0x4a, 0x0a, 0x0d,
+	0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x39, 0x0a,
+	0x06, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72,
+	0x2e, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16,
+	0x2e, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x0a, 0x5a, 0x08, 0x2e, 0x2f, 0x68, 0x65,
+	0x61, 0x64, 0x65, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_headers_headers_proto_rawDescOnce sync.Once
+	file_headers_headers_proto_rawDescData = file_headers_headers_proto_rawDesc
+)
+
+func file_headers_headers_proto_rawDescGZIP() []byte {
+	file_headers_headers_proto_rawDescOnce.Do(func() {
+		file_headers_headers_proto_rawDescData = protoimpl.X.CompressGZIP(file_headers_headers_proto_rawDescData)
+	})
+	return file_headers_headers_proto_rawDescData
+}
+
+var file_headers_headers_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_headers_headers_proto_goTypes = []interface{}{
+	(*HeaderRequest)(nil),  // 0: header.headerRequest
+	(*HeaderResponse)(nil), // 1: header.headerResponse
+}
+var file_headers_headers_proto_depIdxs = []int32{
+	0, // 0: header.HeaderService.Header:input_type -> header.headerRequest
+	1, // 1: header.HeaderService.Header:output_type -> header.headerResponse
+	1, // [1:2] is the sub-list for method output_type
+	0, // [0:1] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_headers_headers_proto_init() }
+func file_headers_headers_proto_init() {
+	if File_headers_headers_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_headers_headers_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*HeaderRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_headers_headers_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*HeaderResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_headers_headers_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_headers_headers_proto_goTypes,
+		DependencyIndexes: file_headers_headers_proto_depIdxs,
+		MessageInfos:      file_headers_headers_proto_msgTypes,
+	}.Build()
+	File_headers_headers_proto = out.File
+	file_headers_headers_proto_rawDesc = nil
+	file_headers_headers_proto_goTypes = nil
+	file_headers_headers_proto_depIdxs = nil
+}

pkg/api/grpc/headers/headers.proto

@@ -0,0 +1,15 @@
+syntax = "proto3";
+
+option go_package = "./header";
+
+package header;
+
+message HeaderRequest {}
+
+message HeaderResponse {
+   repeated string headers = 1;
+}
+
+service HeaderService {
+    rpc Header(HeaderRequest) returns (HeaderResponse) {}
+}