Setup notation signing keys

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

.cosign/README.md

@@ -1,9 +1,10 @@
 # Podinfo signed releases
 
-Podinfo deployment manifests are published to GitHub Container Registry as OCI artifacts
+Podinfo release assets (container image, Helm chart, Flux artifact, Timoni module)
-and are signed using [cosign](https://github.com/sigstore/cosign).
+are published to GitHub Container Registry and are signed with
+[Cosign v2](https://github.com/sigstore/cosign) keyless & GitHub Actions OIDC.
 
-## Verify the artifacts with cosign
+## Verify podinfo with cosign
 
 Install the [cosign](https://github.com/sigstore/cosign) CLI:
 
@@ -11,29 +12,50 @@ Install the [cosign](https://github.com/sigstore/cosign) CLI:
 brew install sigstore/tap/cosign
 ```
 
-Verify a podinfo release with cosign CLI:
+### Container image
+
+Verify the podinfo container image hosted on GHCR:
 
 ```sh
-cosign verify -key https://raw.githubusercontent.com/stefanprodan/podinfo/master/cosign/cosign.pub \
+cosign verify ghcr.io/stefanprodan/podinfo:6.5.0 \
-ghcr.io/stefanprodan/podinfo-deploy:latest
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
 ```
 
-## Download the artifacts with crane
+Verify the podinfo container image hosted on Docker Hub:
-
-Install the [crane](https://github.com/google/go-containerregistry/tree/main/cmd/crane) CLI:
 
 ```sh
-brew install crane
+cosign verify docker.io/stefanprodan/podinfo:6.5.0 \
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
 ```
 
-Download the podinfo deployment manifests with crane CLI:
+### Helm chart
 
-```console
+Verify the podinfo [Helm](https://helm.sh) chart hosted on GHCR:
-$ crane export ghcr.io/stefanprodan/podinfo-deploy:latest -| tar -xf - 
 
-$ ls -1
+```sh
-deployment.yaml
+cosign verify ghcr.io/stefanprodan/charts/podinfo:6.5.0 \
-hpa.yaml
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
-kustomization.yaml
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
-service.yaml
+```
+
+### Flux artifact
+
+Verify the podinfo [Flux](https://fluxcd.io) artifact hosted on GHCR:
+
+```sh
+cosign verify ghcr.io/stefanprodan/manifests/podinfo:6.5.0 \
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
+```
+
+### Timoni module
+
+Verify the podinfo [Timoni](https://timoni.sh) module hosted on GHCR:
+
+```sh
+cosign verify ghcr.io/stefanprodan/modules/podinfo:6.5.0 \
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
 ```

.gitattributes

@@ -0,0 +1 @@
+timoni/podinfo/cue.mod/** linguist-vendored

.github/FUNDING.yml

@@ -0,0 +1 @@
+github: stefanprodan

.github/workflows/cve-scan.yml

@@ -3,7 +3,7 @@ name: cve-scan
 on:
   push:
     branches:
-      - 'master'
+      - "master"
 
 permissions:
   contents: read
@@ -19,7 +19,7 @@ jobs:
         run: |
           IMAGE=test/podinfo:${GITHUB_SHA}
           docker build -t ${IMAGE} .
-          echo "::set-output name=image::$IMAGE"
+          echo "image=$IMAGE" >> $GITHUB_OUTPUT
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:

.github/workflows/e2e.yml

@@ -11,18 +11,14 @@ permissions:
 
 jobs:
   kind-helm:
-    strategy:
-      matrix:
-        helm-version:
-          - v3.11.0
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup Kubernetes
-        uses: helm/kind-action@v1.5.0
+        uses: helm/kind-action@v1.8.0
         with:
-          version: v0.17.0
+          version: v0.20.0
           cluster_name: kind
       - name: Build container image
         run: |
@@ -31,7 +27,7 @@ jobs:
       - name: Setup Helm
         uses: azure/setup-helm@v3
         with:
-          version: ${{ matrix.helm-version }}
+          version: v3.12.3
       - name: Deploy
         run: ./test/deploy.sh
       - name: Run integration tests
@@ -40,3 +36,45 @@ jobs:
         if: failure()
         run: |
           kubectl logs -l app=podinfo || true
+  kind-timoni:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    env:
+      PODINFO_IMAGE_URL: "test/podinfo"
+      PODINFO_MODULE_URL: "oci://localhost:5000/podinfo"
+      PODINFO_VERSION: "0.0.0-devel"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Timoni
+        uses: stefanprodan/timoni/actions/setup@main
+      - name: Setup Kubernetes
+        uses: helm/kind-action@v1.8.0
+        with:
+          version: v0.20.0
+          cluster_name: kind
+      - name: Build container
+        run: |
+          docker build -t ${PODINFO_IMAGE_URL}:${PODINFO_VERSION} --build-arg "REVISION=${GITHUB_SHA}"  -f Dockerfile.xx .
+          kind load docker-image ${PODINFO_IMAGE_URL}:${PODINFO_VERSION}
+      - name: Vet module
+        run: |
+          timoni mod vet ./timoni/podinfo --debug
+      - name: Build module
+        run: |
+          timoni mod push ./timoni/podinfo ${PODINFO_MODULE_URL} -v ${PODINFO_VERSION}
+      - name: Apply bundle
+        run: |
+          timoni bundle apply -f ./timoni/bundles/test.podinfo.cue --runtime-from-env
+      - name: Verify status
+        run: |
+          timoni -n podinfo status backend
+          timoni -n podinfo status frontend
+      - name: Debug failure
+        if: failure()
+        run: |
+          kubectl -n podinfo get all || true

.github/workflows/release.yml

@@ -6,40 +6,55 @@ on:
       - '*'
 
 permissions:
-  contents: write # needed to write releases
+  contents: read
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: sigstore/cosign-installer@v3
       - uses: fluxcd/flux2/action@main
-      - name: Setup Go
+      - uses: stefanprodan/timoni/actions/setup@main
-        uses: actions/setup-go@v3
+      - name: Setup Notation CLI
+        uses: notaryproject/notation-action/setup@v1
         with:
-          go-version: 1.20.x
+          version: "1.0.0"
+      - name: Setup Notation signing keys
+        run: |
+          mkdir -p ~/.config/notation/localkeys/
+          cp ./.notation/signingkeys.json ~/.config/notation/
+          cp ./.notation/notation.crt ~/.config/notation/localkeys/
+          echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key
+        env:
+          NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }}
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.21.x
       - name: Setup Helm
         uses: azure/setup-helm@v3
         with:
-          version: v3.10.3
+          version: v3.12.3
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
         with:
           platforms: all
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
-          username: ${{ secrets.DOCKER_USERNAME }}
+          username: ${{ github.actor }}
-          password: ${{ secrets.GHCR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
@@ -55,7 +70,7 @@ jobs:
           echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT
       - name: Generate images meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: |
             docker.io/stefanprodan/podinfo
@@ -64,7 +79,7 @@ jobs:
             type=raw,value=${{ steps.prep.outputs.VERSION }}
             type=raw,value=latest
       - name: Publish multi-arch image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           sbom: true
           provenance: true
@@ -77,6 +92,15 @@ jobs:
           platforms: linux/amd64,linux/arm/v7,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: Publish Timoni module to GHCR
+        run: |
+          timoni mod push ./timoni/podinfo oci://ghcr.io/stefanprodan/modules/podinfo \
+          --sign cosign \
+          --version ${{ steps.prep.outputs.VERSION }} \
+          -a 'org.opencontainers.image.source=https://github.com/stefanprodan/podinfo' \
+          -a 'org.opencontainers.image.licenses=Apache-2.0' \
+          -a 'org.opencontainers.image.description=A timoni.sh module for deploying Podinfo.' \
+          -a 'org.opencontainers.image.documentation=https://github.com/stefanprodan/podinfo/blob/main/timoni/podinfo/README.md'
       - name: Publish Helm chart to GHCR
         run: |
           helm package charts/podinfo
@@ -97,8 +121,12 @@ jobs:
           cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes
           cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes
           cosign sign ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+          notation sign --signature-format cose docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }}
       - name: Publish base image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           push: true
           builder: ${{ steps.buildx.outputs.name }}
@@ -122,6 +150,8 @@ jobs:
           echo "$COSIGN_KEY" > /tmp/cosign.key
           cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes
           cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest --yes
+          notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:latest
         env:
           COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
           COSIGN_KEY: ${{secrets.COSIGN_KEY}}
@@ -131,7 +161,7 @@ jobs:
           echo 'CHANGELOG' > /tmp/release.txt
           github-release-notes -org stefanprodan -repo podinfo -since-latest-release >> /tmp/release.txt
       - name: Publish release
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v5
         with:
           version: latest
           args: release --release-notes=/tmp/release.txt --skip-validate

.github/workflows/test.yml

@@ -17,17 +17,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
-      - name: Restore Go cache
-        uses: actions/cache@v3
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-go-
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
-          go-version: 1.20.x
+          go-version: 1.21.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
       - name: Setup kubectl
         uses: azure/setup-kubectl@v3
         with:
@@ -39,7 +36,9 @@ jobs:
         with:
           version: v3.10.3
       - name: Setup CUE
-        uses: cue-lang/setup-cue@main
+        uses: cue-lang/setup-cue@v1.0.0
+      - name: Setup Timoni
+        uses: stefanprodan/timoni/actions/setup@main
       - name: Run unit tests
         run: make test
       - name: Validate Helm chart
@@ -49,12 +48,10 @@ jobs:
       - name: Validate Kustomize overlay
         run: |
           kubectl kustomize ./kustomize/ | kubeconform -strict -summary -kubernetes-version ${{ env.KUBERNETES_VERSION }}
-      - name: Generate CUE definitions
-        run: make cue-mod
       - name: Verify CUE formatting
-        working-directory: ./cue
+        working-directory: ./timoni/podinfo
         run: |
-          cue fmt .
+          cue fmt ./..
           status=$(git status . --porcelain)
           [[ -z "$status" ]] || {
             echo "CUE files are not correctly formatted"
@@ -62,11 +59,11 @@ jobs:
             git diff
             exit 1
           }
-      - name: Validate CUE
+      - name: Validate Timoni module
-        working-directory: ./cue
+        working-directory: ./timoni/podinfo
         run: |
-          cue vet --all-errors --concrete .
+          timoni mod lint . 
-          cue gen | kubeconform -strict -summary -skip=ServiceMonitor -kubernetes-version ${{ env.KUBERNETES_VERSION }}
+          timoni build podinfo . -f test_values.cue | kubeconform -strict -summary -skip=ServiceMonitor -kubernetes-version ${{ env.KUBERNETES_VERSION }}
       - name: Check if working tree is dirty
         run: |
           if [[ $(git diff --stat) != '' ]]; then

.gitignore

@@ -23,3 +23,6 @@ bin/
 cue/cue.mod/gen/
 cue/go.mod
 cue/go.sum
+
+.notation/podinfo.csr
+.notation/podinfo.key

.notation/README.md

@@ -0,0 +1,15 @@
+# Podinfo signed releases
+
+Podinfo release assets such as the Helm chart and the Flux artifact
+are published to GitHub Container Registry and are signed with
+[Notation](https://github.com/notaryproject/notation).
+
+## Generate signing keys
+
+Generate a new signing key pair:
+
+```sh
+openssl genrsa -out podinfo.key 2048
+openssl req -new -key podinfo.key -out podinfo.csr -config codesign.cnf
+openssl x509 -req -days 1826 -in podinfo.csr -signkey podinfo.key -out notation.crt -extensions v3_req -extfile codesign.cnf
+```

.notation/codesign.cnf

@@ -0,0 +1,18 @@
+[ req ]
+default_bits           = 2048
+default_keyfile        = privatekey.pem
+distinguished_name     = req_distinguished_name
+req_extensions         = v3_req
+prompt                 = no
+
+[ req_distinguished_name ]
+C                      = RO
+ST                     = BU
+L                      = Bucharest
+O                      = Notary
+CN                     = stefanprodan.com
+
+[ v3_req ]
+keyUsage               = critical,digitalSignature
+extendedKeyUsage       = critical,codeSigning
+#subjectKeyIdentifier  = hash

.notation/notation.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbDCCAlSgAwIBAgIUP7zhmTw5XTWLcgBGkBEsErMOkz4wDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCUk8xCzAJBgNVBAgMAkJVMRIwEAYDVQQHDAlCdWNoYXJl
+c3QxDzANBgNVBAoMBk5vdGFyeTEZMBcGA1UEAwwQc3RlZmFucHJvZGFuLmNvbTAe
+Fw0yNDAyMjUxMDAyMzZaFw0yOTAyMjQxMDAyMzZaMFoxCzAJBgNVBAYTAlJPMQsw
+CQYDVQQIDAJCVTESMBAGA1UEBwwJQnVjaGFyZXN0MQ8wDQYDVQQKDAZOb3Rhcnkx
+GTAXBgNVBAMMEHN0ZWZhbnByb2Rhbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDtH4oPi3SyX/DGv6NdjIvmApvD9eeSgsmHdwpAly8T9D2me+fx
+Z+wRNJmq4aq/A1anX+Sg28iwHzV+1WKpsHnjYzDAJSEYP2S8A5H1nGRKUoibdijw
+C3QBh5C75rjF/tmZVSX/Vgbf3HJJEsF4WUxWabLxoV2QLo7UlEsQd9+bSeKNMncx
+1+E6FdbRCrYo90iobvZJ8K/S2zCWq/JTeHfTnmSEDhx6nMJcaSjvMPn3zyauWcQw
+dDpkcaGiJ64fEJRT2OFxXv9u+vDmIMKzo/Wjbd+IzFj6YY4VisK88aU7tmDelnk5
+gQB9eu62PFoaVsYJp4VOhblFKvGJpQwbWB9BAgMBAAGjKjAoMA4GA1UdDwEB/wQE
+AwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEA
+6x+C6hAIbLwMvkNx4K5p7Qe/pLQR0VwQFAw10yr/5KSN+YKFpon6pQ0TebL7qll+
+uBGZvtQhN6v+DlnVqB7lvJKd+89isgirkkews5KwuXg7Gv5UPIugH0dXISZU8DMJ
+7J4oKREv5HzdFmfsUfNlQcfyVTjKL6UINXfKGdqNNxXxR9b4a1TY2JcmEhzBTHaq
+ZqX6HK784a0dB7aHgeFrFwPCCP4M684Hs7CFbk3jo2Ef4ljnB5AyWpe8pwCLMdRt
+UjSjL5xJWVQvRU+STQsPr6SvpokPCG4rLQyjgeYYk4CCj5piSxbSUZFavq8v1y7Y
+m91USVqfeUX7ZzjDxPHE2A==
+-----END CERTIFICATE-----

.notation/signingkeys.json

@@ -0,0 +1,10 @@
+{
+    "default": "stefanprodan.com",
+    "keys": [
+        {
+            "name": "stefanprodan.com",
+            "keyPath": "/home/runner/.config/notation/localkeys/notation.key",
+            "certPath": "/home/runner/.config/notation/localkeys/notation.crt"
+        }
+    ]
+}

.notation/trustpolicy.json

@@ -0,0 +1,19 @@
+{
+    "version": "1.0",
+    "trustPolicies": [
+        {
+            "name": "stefanprodan.com",
+            "registryScopes": [
+                "ghcr.io/stefanprodan/podinfo-deploy",
+                "ghcr.io/stefanprodan/charts/podinfo"
+            ],
+            "signatureVerification": {
+                "level" : "strict"
+            },
+            "trustStores": [ "ca:stefanprodan.com" ],
+            "trustedIdentities": [
+                "x509.subject: C=RO, ST=BU, L=Bucharest, O=Notary, CN=stefanprodan.com"
+            ]
+        }
+    ]
+}

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20-alpine as builder
+FROM golang:1.21-alpine as builder
 
 ARG REVISION
 
@@ -18,7 +18,7 @@ RUN CGO_ENABLED=0 go build -ldflags "-s -w \
     -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
     -a -o bin/podcli cmd/podcli/*
 
-FROM alpine:3.17
+FROM alpine:3.19
 
 ARG BUILD_DATE
 ARG VERSION

Dockerfile.base

@@ -1,4 +1,4 @@
-FROM golang:1.20
+FROM golang:1.21
 
 WORKDIR /workspace
 

Dockerfile.xx

@@ -1,5 +1,5 @@
-ARG GO_VERSION=1.20
+ARG GO_VERSION=1.21
-ARG XX_VERSION=1.2.0
+ARG XX_VERSION=1.3.0
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
@@ -28,7 +28,7 @@ RUN xx-go build -ldflags "-s -w \
     -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
     -a -o bin/podcli cmd/podcli/*
 
-FROM alpine:3.17
+FROM alpine:3.19
 
 ARG BUILD_DATE
 ARG VERSION

Makefile

@@ -24,7 +24,7 @@ build:
 	GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podcli ./cmd/podcli/*
 
 tidy:
-	rm -f go.sum; go mod tidy -compat=1.19
+	rm -f go.sum; go mod tidy -compat=1.21
 
 vet:
 	go vet ./...
@@ -82,11 +82,11 @@ version-set:
 	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/backend/deployment.yaml && \
 	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/frontend/deployment.yaml && \
 	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/backend/deployment.yaml && \
-	/usr/bin/sed -i '' "s/$$current/$$next/g" cue/main.cue && \
+	/usr/bin/sed -i '' "s/$$current/$$next/g" timoni/podinfo/values.cue && \
-	echo "Version $$next set in code, deployment, chart and kustomize"
+	echo "Version $$next set in code, deployment, module, chart and kustomize"
 
 release:
-	git tag $(VERSION)
+	git tag -s -m $(VERSION) $(VERSION)
 	git push origin $(VERSION)
 
 swagger:
@@ -95,13 +95,6 @@ swagger:
 	go get github.com/swaggo/swag/cmd/swag@latest
 	cd pkg/api && $$(go env GOPATH)/bin/swag init -g server.go
 
-.PHONY: cue-mod
+.PHONY: timoni-build
-cue-mod:
+timoni-build:
-	@cd cue && go mod init github.com/stefanprodan/podinfo/cue
+	@timoni build podinfo ./timoni/podinfo -f ./timoni/podinfo/debug_values.cue
-	@cd cue && go get k8s.io/api/...
-	@cd cue && cue get go k8s.io/api/...
-
-.PHONY: cue-gen
-cue-gen:
-	@cd cue && cue fmt ./... && cue vet --all-errors --concrete ./...
-	@cd cue && cue gen

README.md

@@ -20,7 +20,7 @@ Specifications:
 * 12-factor app with viper
 * Fault injection (random errors and latency)
 * Swagger docs
-* CUE, Helm and Kustomize installers
+* Timoni, Helm and Kustomize installers
 * End-to-End testing with Kubernetes Kind and Helm
 * Multi-arch container image with Docker buildx and Github Actions
 * Container image signing with Sigstore cosign
@@ -66,18 +66,23 @@ To access the Swagger UI open `<podinfo-host>/swagger/index.html` in a browser.
 
 ### Guides
 
-* [GitOps Progressive Deliver with Flagger, Helm v3 and Linkerd](https://helm.workshop.flagger.dev/intro/)
+* [Getting started with Timoni](https://timoni.sh/quickstart/)
-* [GitOps Progressive Deliver on EKS with Flagger and AppMesh](https://eks.handson.flagger.dev/prerequisites/)
+* [Getting started with Flux](https://fluxcd.io/flux/get-started/)
-* [Automated canary deployments with Flagger and Istio](https://medium.com/google-cloud/automated-canary-deployments-with-flagger-and-istio-ac747827f9d1)
+* [Progressive Deliver with Flagger and Linkerd](https://docs.flagger.app/tutorials/linkerd-progressive-delivery)
-* [Kubernetes autoscaling with Istio metrics](https://medium.com/google-cloud/kubernetes-autoscaling-with-istio-metrics-76442253a45a)
+* [Automated canary deployments with Kubernetes Gateway API](https://docs.flagger.app/tutorials/gatewayapi-progressive-delivery)
-* [Autoscaling EKS on Fargate with custom metrics](https://aws.amazon.com/blogs/containers/autoscaling-eks-on-fargate-with-custom-metrics/)
-* [Managing Helm releases the GitOps way](https://medium.com/google-cloud/managing-helm-releases-the-gitops-way-207a6ac6ff0e)
-* [Securing EKS Ingress With Contour And Let’s Encrypt The GitOps Way](https://aws.amazon.com/blogs/containers/securing-eks-ingress-contour-lets-encrypt-gitops/)
 
 ### Install
 
 To install Podinfo on Kubernetes the minimum required version is **Kubernetes v1.23**.
 
+#### Timoni
+
+Install with [Timoni](https://timoni.sh):
+
+```bash
+timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo
+```
+
 #### Helm
 
 Install from github.io:

charts/podinfo/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-version: 6.3.6
+version: 6.5.4
-appVersion: 6.3.6
+appVersion: 6.5.4
 name: podinfo
 engine: gotpl
 description: Podinfo Helm chart for Kubernetes

charts/podinfo/README.md

@@ -51,7 +51,7 @@ The command removes all the Kubernetes components associated with the chart and
 The following tables lists the configurable parameters of the podinfo chart and their default values.
 
 | Parameter                         | Default                | Description                                                                                                            |
-|-----------------------------------|------------------------|------------------------------------------------------------------------------------------------------------------------|
+| --------------------------------- | ---------------------- | ---------------------------------------------------------------------------------------------------------------------- |
 | `replicaCount`                    | `1`                    | Desired number of pods                                                                                                 |
 | `logLevel`                        | `info`                 | Log level: `debug`, `info`, `warn`, `error`                                                                            |
 | `backend`                         | `None`                 | Echo backend URL                                                                                                       |
@@ -94,6 +94,7 @@ The following tables lists the configurable parameters of the podinfo chart and
 | `serviceMonitor.additionalLabels` | `{}`                   | Add additional labels to the service monitor                                                                           |
 | `ingress.enabled`                 | `false`                | Enables Ingress                                                                                                        |
 | `ingress.className `              | `""`                   | Use ingressClassName                                                                                                   |
+| `ingress.additionalLabels`        | `{}`                   | Add additional labels to the ingress                                                                                   |
 | `ingress.annotations`             | `{}`                   | Ingress annotations                                                                                                    |
 | `ingress.hosts`                   | `[]`                   | Ingress accepted hosts                                                                                                 |
 | `ingress.tls`                     | `[]`                   | Ingress TLS configuration                                                                                              |
@@ -127,4 +128,3 @@ $ helm install my-release podinfo/podinfo -f values.yaml
 ```
 
 > **Tip**: You can use the default [values.yaml](values.yaml)
-

charts/podinfo/templates/ingress.yaml

@@ -7,6 +7,9 @@ metadata:
   name: {{ $fullName }}
   labels:
     {{- include "podinfo.labels" . | nindent 4 }}
+    {{- with .Values.ingress.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   {{- with .Values.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

charts/podinfo/values-prod.yaml

@@ -8,7 +8,7 @@ backends: []
 
 image:
   repository: ghcr.io/stefanprodan/podinfo
-  tag: 6.3.6
+  tag: 6.5.4
   pullPolicy: IfNotPresent
 
 ui:
@@ -100,6 +100,7 @@ securityContext: {}
 ingress:
   enabled: false
   className: ""
+  additionalLabels: {}
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"

charts/podinfo/values.yaml

@@ -8,7 +8,7 @@ backends: []
 
 image:
   repository: ghcr.io/stefanprodan/podinfo
-  tag: 6.3.6
+  tag: 6.5.4
   pullPolicy: IfNotPresent
 
 ui:
@@ -104,6 +104,7 @@ securityContext: {}
 ingress:
   enabled: false
   className: ""
+  additionalLabels: {}
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"

cue/README.md

@@ -1,60 +0,0 @@
-# Podinfo CUE module
-
-This directory contains a [CUE](https://cuelang.org/docs/) module and tooling
-for generating podinfo's Kubernetes resources.
-
-The module contains a `podinfo.#Application` definition which takes `podinfo.#Config` as input.
-
-## Prerequisites
-
-Install CUE with:
-
-```shell
-brew install cue
-```
-
-Generate the Kubernetes API definitions required by this module with:
-
-```shell
-go mod init github.com/stefanprodan/podinfo/cue
-go get k8s.io/api/...
-cue get go k8s.io/api/...
-```
-
-## Configuration
-
-Configure the application in `main.cue`:
-
-```cue
-app: podinfo.#Application & {
-	config: {
-		meta: {
-			name:      "podinfo"
-			namespace: "default"
-		}
-		image: tag: "6.1.3"
-		resources: requests: {
-			cpu:    "100m"
-			memory: "16Mi"
-		}
-		hpa: {
-			enabled:     true
-			maxReplicas: 3
-		}
-		ingress: {
-			enabled:   true
-			className: "nginx"
-			host:      "podinfo.example.com"
-			tls:       true
-			annotations: "cert-manager.io/cluster-issuer": "letsencrypt"
-		}
-		serviceMonitor: enabled: true
-	}
-}
-```
-
-## Generate the manifests
-
-```shell
-cue gen
-```

cue/cue.mod/module.cue

@@ -1 +0,0 @@
-module: "github.com/stefanprodan/podinfo/cue"

cue/main.cue

@@ -1,33 +0,0 @@
-package main
-
-import (
-	podinfo "github.com/stefanprodan/podinfo/cue/podinfo"
-)
-
-app: podinfo.#Application & {
-	config: {
-		meta: {
-			name:      "podinfo"
-			namespace: "default"
-		}
-		image: tag: "6.3.6"
-		resources: requests: {
-			cpu:    "100m"
-			memory: "16Mi"
-		}
-		hpa: {
-			enabled:     true
-			maxReplicas: 3
-		}
-		ingress: {
-			enabled:   true
-			className: "nginx"
-			host:      "podinfo.example.com"
-			tls:       true
-			annotations: "cert-manager.io/cluster-issuer": "letsencrypt"
-		}
-		serviceMonitor: enabled: true
-	}
-}
-
-objects: app.objects

cue/main_tool.cue

@@ -1,12 +0,0 @@
-package main
-
-import (
-	"tool/cli"
-	"encoding/yaml"
-)
-
-command: gen: {
-	task: print: cli.Print & {
-		text: yaml.MarshalStream([ for x in objects {x}])
-	}
-}

cue/podinfo/app.cue

@@ -1,26 +0,0 @@
-package podinfo
-
-#Application: {
-	config: #Config
-
-	objects: {
-		service:    #Service & {_config:        config}
-		account:    #ServiceAccount & {_config: config}
-		deployment: #Deployment & {
-			_config:         config
-			_serviceAccount: account.metadata.name
-		}
-	}
-
-	if config.hpa.enabled == true {
-		objects: hpa: #HorizontalPodAutoscaler & {_config: config}
-	}
-
-	if config.ingress.enabled == true {
-		objects: ingress: #Ingress & {_config: config}
-	}
-
-	if config.serviceMonitor.enabled == true {
-		objects: serviceMonitor: #ServiceMonitor & {_config: config}
-	}
-}

cue/podinfo/config.cue

@@ -1,41 +0,0 @@
-package podinfo
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	corev1 "k8s.io/api/core/v1"
-)
-
-#Config: {
-	meta:           metav1.#ObjectMeta
-	hpa:            #hpaConfig
-	ingress:        #ingressConfig
-	service:        #serviceConfig
-	serviceMonitor: #serviceMonConfig
-
-	image: {
-		repository: *"ghcr.io/stefanprodan/podinfo" | string
-		pullPolicy: *"IfNotPresent" | string
-		tag:        string
-	}
-
-	cache?: string & =~"^tcp://"
-	backends: [...string]
-	logLevel: *"info" | string
-	replicas: *1 | int
-
-	resources: *{
-		requests: {
-			cpu:    "1m"
-			memory: "16Mi"
-		}
-		limits: memory: "128Mi"
-	} | corev1.#ResourceRequirements
-
-	selectorLabels: *{"app.kubernetes.io/name": meta.name} | {[ string]: string}
-	meta: annotations: *{"app.kubernetes.io/version": "\(image.tag)"} | {[ string]: string}
-	meta: labels:      *selectorLabels | {[ string]:  string}
-
-	securityContext?: corev1.#PodSecurityContext
-	affinity?:        corev1.#Affinity
-	tolerations?: [ ...corev1.#Toleration]
-}

cue/podinfo/deployment.cue

@@ -1,110 +0,0 @@
-package podinfo
-
-import (
-	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
-)
-
-#Deployment: appsv1.#Deployment & {
-	_config:         #Config
-	_serviceAccount: string
-	apiVersion:      "apps/v1"
-	kind:            "Deployment"
-	metadata:        _config.meta
-	spec:            appsv1.#DeploymentSpec & {
-		if !_config.hpa.enabled {
-			replicas: _config.replicas
-		}
-		strategy: {
-			type: "RollingUpdate"
-			rollingUpdate: maxUnavailable: 1
-		}
-		selector: matchLabels: _config.selectorLabels
-		template: {
-			metadata: {
-				labels: _config.selectorLabels
-				if !_config.serviceMonitor.enabled {
-					annotations: {
-						"prometheus.io/scrape": "true"
-						"prometheus.io/port":   "\(_config.service.metricsPort)"
-					}
-				}
-			}
-			spec: corev1.#PodSpec & {
-				terminationGracePeriodSeconds: 15
-				serviceAccountName:            _serviceAccount
-				containers: [
-					{
-						name:            "podinfo"
-						image:           "\(_config.image.repository):\(_config.image.tag)"
-						imagePullPolicy: _config.image.pullPolicy
-						command: [
-							"./podinfo",
-							"--port=\(_config.service.httpPort)",
-							"--port-metrics=\(_config.service.metricsPort)",
-							"--grpc-port=\(_config.service.grpcPort)",
-							"--level=\(_config.logLevel)",
-							if _config.cache != _|_ {
-								"--cache-server=\(_config.cache)"
-							},
-							for b in _config.backends {
-								"--backend-url=\(b)"
-							},
-						]
-						ports: [
-							{
-								name:          "http"
-								containerPort: _config.service.httpPort
-								protocol:      "TCP"
-							},
-							{
-								name:          "http-metrics"
-								containerPort: _config.service.metricsPort
-								protocol:      "TCP"
-							},
-							{
-								name:          "grpc"
-								containerPort: _config.service.grpcPort
-								protocol:      "TCP"
-							},
-						]
-						livenessProbe: {
-							httpGet: {
-								path: "/healthz"
-								port: "http"
-							}
-						}
-						readinessProbe: {
-							httpGet: {
-								path: "/readyz"
-								port: "http"
-							}
-						}
-						volumeMounts: [
-							{
-								name:      "data"
-								mountPath: "/data"
-							},
-						]
-						resources: _config.resources
-						if _config.securityContext != _|_ {
-							securityContext: _config.securityContext
-						}
-					},
-				]
-				if _config.affinity != _|_ {
-					affinity: _config.affinity
-				}
-				if _config.tolerations != _|_ {
-					tolerations: _config.tolerations
-				}
-				volumes: [
-					{
-						name: "data"
-						emptyDir: {}
-					},
-				]
-			}
-		}
-	}
-}

cue/podinfo/service.cue

@@ -1,44 +0,0 @@
-package podinfo
-
-import (
-	corev1 "k8s.io/api/core/v1"
-)
-
-#serviceConfig: {
-	type:         *"ClusterIP" | string
-	externalPort: *9898 | int
-	httpPort:     *9898 | int
-	metricsPort:  *9797 | int
-	grpcPort:     *9999 | int
-}
-
-#Service: corev1.#Service & {
-	_config:    #Config
-	apiVersion: "v1"
-	kind:       "Service"
-	metadata:   _config.meta
-	spec:       corev1.#ServiceSpec & {
-		type:     _config.service.type
-		selector: _config.selectorLabels
-		ports: [
-			{
-				name:       "http"
-				port:       _config.service.externalPort
-				targetPort: "\(name)"
-				protocol:   "TCP"
-			},
-			{
-				name:       "http-metrics"
-				port:       _config.service.metricsPort
-				targetPort: "\(name)"
-				protocol:   "TCP"
-			},
-			{
-				name:       "grpc"
-				port:       _config.service.grpcPort
-				targetPort: "\(name)"
-				protocol:   "TCP"
-			},
-		]
-	}
-}

cue/podinfo/servicemonitor.cue

@@ -1,22 +0,0 @@
-package podinfo
-
-#serviceMonConfig: {
-	enabled:  *false | bool
-	interval: *"15s" | string
-}
-
-#ServiceMonitor: {
-	_config:    #Config
-	apiVersion: "monitoring.coreos.com/v1"
-	kind:       "ServiceMonitor"
-	metadata:   _config.meta
-	spec: {
-		endpoints: [{
-			path:     "/metrics"
-			port:     "http-metrics"
-			interval: _config.serviceMonitor.interval
-		}]
-		namespaceSelector: matchNames: [_config.meta.namespace]
-		selector: matchLabels: _config.meta.labels
-	}
-}

deploy/bases/backend/deployment.yaml

@@ -23,7 +23,7 @@ spec:
     spec:
       containers:
       - name: backend
-        image: ghcr.io/stefanprodan/podinfo:6.3.6
+        image: ghcr.io/stefanprodan/podinfo:6.5.4
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

deploy/bases/frontend/deployment.yaml

@@ -23,7 +23,7 @@ spec:
     spec:
       containers:
       - name: frontend
-        image: ghcr.io/stefanprodan/podinfo:6.3.6
+        image: ghcr.io/stefanprodan/podinfo:6.5.4
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

deploy/webapp/backend/deployment.yaml

@@ -25,7 +25,7 @@ spec:
       serviceAccountName: webapp
       containers:
       - name: backend
-        image: ghcr.io/stefanprodan/podinfo:6.3.6
+        image: ghcr.io/stefanprodan/podinfo:6.5.4
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

deploy/webapp/frontend/deployment.yaml

@@ -25,7 +25,7 @@ spec:
       serviceAccountName: webapp
       containers:
       - name: frontend
-        image: ghcr.io/stefanprodan/podinfo:6.3.6
+        image: ghcr.io/stefanprodan/podinfo:6.5.4
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

go.mod

@@ -1,40 +1,40 @@
 module github.com/stefanprodan/podinfo
 
-go 1.19
+go 1.21
 
 require (
 	github.com/chzyer/readline v1.5.1
-	github.com/fatih/color v1.15.0
+	github.com/fatih/color v1.16.0
-	github.com/fsnotify/fsnotify v1.6.0
+	github.com/fsnotify/fsnotify v1.7.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/gomodule/redigo v1.8.9
-	github.com/gorilla/mux v1.8.0
+	github.com/gorilla/mux v1.8.1
-	github.com/gorilla/websocket v1.5.0
+	github.com/gorilla/websocket v1.5.1
-	github.com/prometheus/client_golang v1.15.1
+	github.com/prometheus/client_golang v1.17.0
-	github.com/spf13/cobra v1.7.0
+	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.15.0
+	github.com/spf13/viper v1.18.1
 	github.com/swaggo/http-swagger v1.3.4
-	github.com/swaggo/swag v1.16.1
+	github.com/swaggo/swag v1.16.2
-	go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.41.1
+	go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.46.1
-	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.41.1
+	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.41.1
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1
-	go.opentelemetry.io/contrib/propagators/aws v1.16.1
+	go.opentelemetry.io/contrib/propagators/aws v1.21.1
-	go.opentelemetry.io/contrib/propagators/b3 v1.16.1
+	go.opentelemetry.io/contrib/propagators/b3 v1.21.1
-	go.opentelemetry.io/contrib/propagators/jaeger v1.16.1
+	go.opentelemetry.io/contrib/propagators/jaeger v1.21.1
-	go.opentelemetry.io/contrib/propagators/ot v1.16.1
+	go.opentelemetry.io/contrib/propagators/ot v1.21.1
-	go.opentelemetry.io/otel v1.15.1
+	go.opentelemetry.io/otel v1.21.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.15.1
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.15.1
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0
-	go.opentelemetry.io/otel/sdk v1.15.1
+	go.opentelemetry.io/otel/sdk v1.21.0
-	go.opentelemetry.io/otel/trace v1.15.1
+	go.opentelemetry.io/otel/trace v1.21.0
-	go.uber.org/zap v1.24.0
+	go.uber.org/zap v1.26.0
-	golang.org/x/net v0.9.0
+	golang.org/x/net v0.19.0
-	google.golang.org/grpc v1.54.0
+	google.golang.org/grpc v1.60.0
 )
 
 // Fix CVE-2022-32149
-replace golang.org/x/text => golang.org/x/text v0.9.0
+replace golang.org/x/text => golang.org/x/text v0.14.0
 
 // Fix CVE-2022-28948
 replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
@@ -44,43 +44,45 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/felixge/httpsnoop v1.0.3 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
 	github.com/go-openapi/spec v0.20.6 // indirect
 	github.com/go-openapi/swag v0.19.15 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
+	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
+	github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 // indirect
-	github.com/prometheus/common v0.42.0 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
-	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/prometheus/procfs v0.11.1 // indirect
-	github.com/spf13/afero v1.9.3 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
-	github.com/spf13/cast v1.5.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/subosito/gotenv v1.4.2 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe // indirect
-	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.15.1 // indirect
+	go.opentelemetry.io/otel/metric v1.21.0 // indirect
-	go.opentelemetry.io/otel/metric v0.38.1 // indirect
+	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
-	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
-	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
+	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
-	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/tools v0.7.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
-	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
+	golang.org/x/tools v0.13.0 // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -1,102 +1,34 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
-cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
-cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
-cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
-cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
-cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
-cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
-cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
-cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
-cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
-cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
-cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
-cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
-cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
-cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY=
-cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
-cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
-cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
-cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
-cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
-cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
-cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
-cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
-cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
-cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
-cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
-cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
-cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
-cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
-cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
-cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
-cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
-dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/KyleBanks/depth v1.2.1 h1:5h8fQADFrWtarTdtDudMmGsC7GPbOAu6RVB3ffsVFHc=
 github.com/KyleBanks/depth v1.2.1/go.mod h1:jzSb9d0L43HxTQfT+oSA1EEp2q+ne2uh6XgeJcm8brE=
-github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
-github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
 github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
-github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/logex v1.2.1 h1:XHDu3E6q+gdHgsdTPH6ImJMIp436vR6MPtH8gP05QzM=
 github.com/chzyer/logex v1.2.1/go.mod h1:JLbx6lG2kDbNRFnfkgvh4eRJRPX1QCoOIWomwysCBrQ=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/readline v1.5.1 h1:upd/6fQk4src78LMRzh5vItIt361/o4uq553V8B5sGI=
 github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
-github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
-github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
+github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
-github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
-github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
-github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
-github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
-github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
@@ -111,94 +43,32 @@ github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyr
 github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo=
-github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ=
+github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ=
-github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
-github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
-github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/gomodule/redigo v1.8.9 h1:Sl3u+2BI/kk+VEatbj0scLdrFhjPmbxOc1myhDP41ws=
 github.com/gomodule/redigo v1.8.9/go.mod h1:7ArFNvsTjH8GMMzB4uy1snslv2BwmginuMs06a1uzZE=
-github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
-github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
-github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
-github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
-github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
-github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
-github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
-github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 h1:BZHcxBETFHIdVyhyEfOvn/RdU/QGdLI4y34qQGjGWO0=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks=
-github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -212,449 +82,162 @@ github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJ
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/pelletier/go-toml/v2 v2.0.6 h1:nrzqCb7j9cDFj2coyLNLaZuJTLjWjlaz6nvTvIwycIU=
+github.com/pelletier/go-toml/v2 v2.1.0 h1:FnwAJ4oYMvbT/34k9zzHuZNrhlz48GB3/s6at6/MHO4=
-github.com/pelletier/go-toml/v2 v2.0.6/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek=
+github.com/pelletier/go-toml/v2 v2.1.0/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
-github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q=
-github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
+github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY=
-github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
+github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 h1:v7DLqVdK4VrYkVD5diGdl4sxJurKJEMnODWRJlxV9oM=
-github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM=
+github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
-github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
+github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
-github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
+github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
-github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
+github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI=
-github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ=
-github.com/spf13/afero v1.9.3 h1:41FoI0fD7OR7mGcKE/aOiLkGreyf8ifIOQmJANWogMk=
+github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4=
-github.com/spf13/afero v1.9.3/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
+github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
-github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
+github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
-github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
+github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
-github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
+github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
-github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
+github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
+github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
+github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.15.0 h1:js3yy885G8xwJa6iOISGFwd+qlUo5AvyXb7CiihdtiU=
+github.com/spf13/viper v1.18.1 h1:rmuU42rScKWlhhJDyXZRKJQHXFX02chSVW1IvkPGiVM=
-github.com/spf13/viper v1.15.0/go.mod h1:fFcTBJxvhhzSJiZy8n+PeW6t8l+KeT/uTARa0jHOQLA=
+github.com/spf13/viper v1.18.1/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMVB+yk=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
+github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
-github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
+github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe h1:K8pHPVoTgxFJt1lXuIzzOX7zZhZFldJQK/CgKx9BFIc=
 github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe/go.mod h1:lKJPbtWzJ9JhsTN1k1gZgleJWY/cqq0psdoMmaThG3w=
 github.com/swaggo/http-swagger v1.3.4 h1:q7t/XLx0n15H1Q9/tk3Y9L4n210XzJF5WtnDX64a5ww=
 github.com/swaggo/http-swagger v1.3.4/go.mod h1:9dAh0unqMBAlbp1uE2Uc2mQTxNMU/ha4UbucIg1MFkQ=
-github.com/swaggo/swag v1.16.1 h1:fTNRhKstPKxcnoKsytm4sahr8FaYzUcT7i1/3nd/fBg=
+github.com/swaggo/swag v1.16.2 h1:28Pp+8DkQoV+HLzLx8RGJZXNGKbFqnuvSbAAtoxiY04=
-github.com/swaggo/swag v1.16.1/go.mod h1:9/LMvHycG3NFHfR6LwvikHv5iFvmPADQ359cKikGxto=
+github.com/swaggo/swag v1.16.2/go.mod h1:6YzXnDcpr0767iOejs318CwYkCQqyGer6BizOg03f+E=
-github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.46.1 h1:Ifzy1lucGMQJh6wPRxusde8bWaDhYjSNOqDyn6Hb4TM=
-go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
+go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.46.1/go.mod h1:YfFNem80G9UZ/mL5zd5GGXZSy95eXK+RhzIWBkLjLSc=
-go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1 h1:gbhw/u49SS3gkPWiYweQNJGm/uJN5GkI/FrosxSHT7A=
-go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1/go.mod h1:GnOaBaFQ2we3b9AGWJpsBa7v1S5RlQzlC3O7dRMxZhM=
-go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24=
-go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo=
-go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.41.1 h1:+dnM18FnwN3FC+0qquugd6cT4csOj4o5OXfWVYkrhys=
+go.opentelemetry.io/contrib/propagators/aws v1.21.1 h1:uQIQIDWb0gzyvon2ICnghpLAf9w7ADOCUiIiwCQgR2o=
-go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.41.1/go.mod h1:CY62MFODuCVxifusuibZ8c6G1lQlfVhgi59NrKehMxQ=
+go.opentelemetry.io/contrib/propagators/aws v1.21.1/go.mod h1:kCcto3ACQxm+VrkQX/NK/TkDmAd99MQhvffzyTKhzL4=
-go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.41.1 h1:QKNnjTL0PkxqiMbrVRYOKbWM+rgR3bY+e2JwLS/mzLg=
+go.opentelemetry.io/contrib/propagators/b3 v1.21.1 h1:WPYiUgmw3+b7b3sQ1bFBFAf0q+Di9dvNc3AtYfnT4RQ=
-go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.41.1/go.mod h1:r2Guf+UO/9TSYcqZMnZVUEd7dCcBQuEyWneWuwr3248=
+go.opentelemetry.io/contrib/propagators/b3 v1.21.1/go.mod h1:EmzokPoSqsYMBVK4nRnhsfm5mbn8J1eDuz/U1UaQaWg=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.41.1 h1:pX+lppB8PArapyhS6nBStyQmkaDUPWdQf0UmEGRCQ54=
+go.opentelemetry.io/contrib/propagators/jaeger v1.21.1 h1:f4beMGDKiVzg9IcX7/VuWVy+oGdjx3dNJ72YehmtY5k=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.41.1/go.mod h1:2FmkXne0k9nkp27LD/m+uoh8dNlstsiCJ7PLc/S72aI=
+go.opentelemetry.io/contrib/propagators/jaeger v1.21.1/go.mod h1:U9jhkEl8d1LL+QXY7q3kneJWJugiN3kZJV2OWz3hkBY=
-go.opentelemetry.io/contrib/propagators/aws v1.16.1 h1:Jf017vtD4kDqpK1YKafZLLGYoQX5Qp5yn0NIEUDYmHc=
+go.opentelemetry.io/contrib/propagators/ot v1.21.1 h1:3TN5vkXjKYWp0YdMcnUEC/A+pBPvqz9V3nCS2xmcurk=
-go.opentelemetry.io/contrib/propagators/aws v1.16.1/go.mod h1:X+DmBEHeFa1F82LtjVsw37nyEZIdeI2tY2ZaDczg+e8=
+go.opentelemetry.io/contrib/propagators/ot v1.21.1/go.mod h1:oy0MYCbS/b3cqUDW37wBWtlwBIsutngS++Lklpgh+fc=
-go.opentelemetry.io/contrib/propagators/b3 v1.16.1 h1:Y9Dk1kR93eSHadRTkqnm+QyQVhHthCcvTkoP/Afh7+4=
+go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc=
-go.opentelemetry.io/contrib/propagators/b3 v1.16.1/go.mod h1:IR0G6txqoetQrjjdoDGe+udhFegxnQQd0dOJfFS8Jg0=
+go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo=
-go.opentelemetry.io/contrib/propagators/jaeger v1.16.1 h1:mwCNB3kgSxBQ8F5sVBpJSHvrygBy/+NfGOb/RmNCSaU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 h1:cl5P5/GIfFh4t6xyruOgJP5QiA1pw4fYYdv6nc6CBWw=
-go.opentelemetry.io/contrib/propagators/jaeger v1.16.1/go.mod h1:X5lRM5nm5gcI9rlfT97imQqHfrklct+VujWt/+qkpG0=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0/go.mod h1:zgBdWWAu7oEEMC06MMKc5NLbA/1YDXV1sMpSqEeLQLg=
-go.opentelemetry.io/contrib/propagators/ot v1.16.1 h1:3WV1I2H0UiNbisvGU6oqmrxN9Cfyk4yPkxUKiikqYyU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 h1:tIqheXEFWAZ7O8A7m+J0aPTmpJN3YQ7qetUAdkkkKpk=
-go.opentelemetry.io/contrib/propagators/ot v1.16.1/go.mod h1:8330C6LX5qEV4x/2k+RIHh7H7Bggs9d9Hs42RmsA4j0=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0/go.mod h1:nUeKExfxAQVbiVFn32YXpXZZHZ61Cc3s3Rn1pDBGAb0=
-go.opentelemetry.io/otel v1.15.1 h1:3Iwq3lfRByPaws0f6bU3naAqOR1n5IeDWd9390kWHa8=
+go.opentelemetry.io/otel/metric v1.21.0 h1:tlYWfeo+Bocx5kLEloTjbcDwBuELRrIFxwdQ36PlJu4=
-go.opentelemetry.io/otel v1.15.1/go.mod h1:mHHGEHVDLal6YrKMmk9LqC4a3sF5g+fHfrttQIB1NTc=
+go.opentelemetry.io/otel/metric v1.21.0/go.mod h1:o1p3CA8nNHW8j5yuQLdc1eeqEaPfzug24uvsyIEJRWM=
-go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.15.1 h1:XYDQtNzdb2T4uM1pku2m76eSMDJgqhJ+6KzkqgQBALc=
+go.opentelemetry.io/otel/sdk v1.21.0 h1:FTt8qirL1EysG6sTQRZ5TokkU8d0ugCj8htOgThZXQ8=
-go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.15.1/go.mod h1:uOTV75+LOzV+ODmL8ahRLWkFA3eQcSC2aAsbxIu4duk=
+go.opentelemetry.io/otel/sdk v1.21.0/go.mod h1:Nna6Yv7PWTdgJHVRD9hIYywQBRx7pbox6nwBnZIxl/E=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.15.1 h1:tyoeaUh8REKay72DVYsSEBYV18+fGONe+YYPaOxgLoE=
+go.opentelemetry.io/otel/trace v1.21.0 h1:WD9i5gzvoUPuXIXH24ZNBudiarZDKuekPqi/E8fpfLc=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.15.1/go.mod h1:HUSnrjQQ19KX9ECjpQxufsF+3ioD3zISPMlauTPZu2g=
+go.opentelemetry.io/otel/trace v1.21.0/go.mod h1:LGbsEB0f9LGjN+OZaQQ26sohbOmiMR+BaslueVtS/qQ=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.15.1 h1:pIfoG5IAZFzp9EUlJzdSkpUwpaUAAnD+Ru1nBLTACIQ=
+go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.15.1/go.mod h1:poNKBqF5+nR/6ke2oGTDjHfksrsHDOHXAl2g4+9ONsY=
+go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
-go.opentelemetry.io/otel/metric v0.38.1 h1:2MM7m6wPw9B8Qv8iHygoAgkbejed59uUR6ezR5T3X2s=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
-go.opentelemetry.io/otel/metric v0.38.1/go.mod h1:FwqNHD3I/5iX9pfrRGZIlYICrJv0rHEUl2Ln5vdIVnQ=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.opentelemetry.io/otel/sdk v1.15.1 h1:5FKR+skgpzvhPQHIEfcwMYjCBr14LWzs3uSqKiQzETI=
-go.opentelemetry.io/otel/sdk v1.15.1/go.mod h1:8rVtxQfrbmbHKfqzpQkT5EzZMcbMBwTzNAggbEAM0KA=
-go.opentelemetry.io/otel/trace v1.15.1 h1:uXLo6iHJEzDfrNC0L0mNjItIp06SyaBQxu5t3xMlngY=
-go.opentelemetry.io/otel/trace v1.15.1/go.mod h1:IWdQG/5N1x7f6YUlmdLeJvH9yxtuJAfc4VW5Agv9r/8=
-go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
-go.opentelemetry.io/proto/otlp v0.19.0 h1:IVN6GR+mhC4s5yfcTbmzHYODqvWAp3ZedA2SJPI1Nnw=
-go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
-go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
-go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
+go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
-go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
+go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
-golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
-golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
-golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
-golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
-golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
-golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
-golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
-golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
-golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.9.0 h1:KENHtAZL2y3NLMYZeHY9DW8HW8V+kQyJsY/V9JlKvCs=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
-golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
-golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
-golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 h1:wpZ8pe2x1Q3f2KyT5f8oP/fa9rHAKgFPr/HZdNuS+PQ=
-google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:J7XzRzVy1+IPwWHZUzoD0IccYZIrXILAQpc+Qy9CMhY=
-google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
+google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 h1:JpwMPBpFN3uKhdaekDpiNlImDdkUAyiJ6ez/uxGaUSo=
-google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:0xJLfVdJqpAPl8tDg1ujOCGzx6LFLttXT5NhllGOXY4=
-google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f h1:ultW7fxlIvee4HYrtnaRPon9HpEgFk5zYpmfMgtKB5I=
-google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f/go.mod h1:L9KNLi232K1/xB6f7AlSX692koaRnKaWSR0stBki0Yc=
-google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/grpc v1.60.0 h1:6FQAR0kM31P6MRdeluor2w2gPaS4SVNrD/DNTxrQ15k=
-google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/grpc v1.60.0/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM=
-google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
-google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
-google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
-google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
-google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
-google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
-google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
-google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
-google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f h1:BWUVssLB0HVOSY78gIdvk1dTVYtT1y8SBWtPYuTJ/6w=
-google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
-google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
-google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
-google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
-google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
-google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.54.0 h1:EhTqbhiYeixwWQtAEZAxmV9MGqcjEU2mFx52xCzNyag=
-google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
-google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
-rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

kustomize/deployment.yaml

@@ -23,7 +23,7 @@ spec:
     spec:
       containers:
       - name: podinfod
-        image: ghcr.io/stefanprodan/podinfo:6.3.6
+        image: ghcr.io/stefanprodan/podinfo:6.5.4
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

pkg/api/docs/docs.go

@@ -1,5 +1,4 @@
-// Code generated by swaggo/swag. DO NOT EDIT.
+// Package docs Code generated by swaggo/swag. DO NOT EDIT
-
 package docs
 
 import "github.com/swaggo/swag"

pkg/api/echo_test.go

@@ -8,27 +8,41 @@ import (
 )
 
 func TestEchoHandler(t *testing.T) {
-	expected := `{"test": true}`
+	cases := []struct {
-	req, err := http.NewRequest("POST", "/api/echo", strings.NewReader(expected))
+		url      string
-	if err != nil {
+		method   string
-		t.Fatal(err)
+		expected string
+	}{
+		{url: "/api/echo", method: "POST", expected: `{"test": true}`},
+		{url: "/api/echo", method: "PUT", expected: `{"test": true}`},
+		{url: "/echo", method: "PUT", expected: `{"test": true}`},
+		{url: "/echo/", method: "POST", expected: `{"test": true}`},
+		{url: "/echo/test", method: "POST", expected: `{"test": true}`},
+		{url: "/echo/test/", method: "POST", expected: `{"test": true}`},
+		{url: "/echo/test/test123-test", method: "POST", expected: `{"test": true}`},
 	}
 
-	rr := httptest.NewRecorder()
 	srv := NewMockServer()
 	handler := http.HandlerFunc(srv.echoHandler)
 
-	handler.ServeHTTP(rr, req)
+	for _, c := range cases {
+		req, err := http.NewRequest(c.method, c.url, strings.NewReader(c.expected))
+		if err != nil {
+			t.Fatal(err)
+		}
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, req)
 
-	// Check the status code is what we expect.
+		// Check the status code is what we expect.
-	if status := rr.Code; status != http.StatusAccepted {
+		if status := rr.Code; status != http.StatusAccepted {
-		t.Errorf("handler returned wrong status code: got %v want %v",
+			t.Errorf("handler returned wrong status code: got %v want %v",
-			status, http.StatusAccepted)
+				status, http.StatusAccepted)
-	}
+		}
 
-	// Check the response body is what we expect.
+		// Check the response body is what we expect.
-	if rr.Body.String() != expected {
+		if rr.Body.String() != c.expected {
-		t.Fatalf("handler returned unexpected body:\ngot \n%v \nwant \n%s",
+			t.Fatalf("handler returned unexpected body:\ngot \n%v \nwant \n%s",
-			rr.Body.String(), expected)
+				rr.Body.String(), c.expected)
+		}
 	}
 }

pkg/api/server.go

@@ -100,7 +100,8 @@ func (s *Server) registerHandlers() {
 	s.router.HandleFunc("/", s.indexHandler).HeadersRegexp("User-Agent", "^Mozilla.*").Methods("GET")
 	s.router.HandleFunc("/", s.infoHandler).Methods("GET")
 	s.router.HandleFunc("/version", s.versionHandler).Methods("GET")
-	s.router.HandleFunc("/echo", s.echoHandler).Methods("POST")
+	s.router.HandleFunc("/echo", s.echoHandler)
+	s.router.PathPrefix("/echo/").HandlerFunc(s.echoHandler)
 	s.router.HandleFunc("/env", s.envHandler).Methods("GET", "POST")
 	s.router.HandleFunc("/headers", s.echoHeadersHandler).Methods("GET", "POST")
 	s.router.HandleFunc("/delay/{wait:[0-9]+}", s.delayHandler).Methods("GET").Name("delay")
@@ -119,7 +120,8 @@ func (s *Server) registerHandlers() {
 	s.router.HandleFunc("/token", s.tokenGenerateHandler).Methods("POST")
 	s.router.HandleFunc("/token/validate", s.tokenValidateHandler).Methods("GET")
 	s.router.HandleFunc("/api/info", s.infoHandler).Methods("GET")
-	s.router.HandleFunc("/api/echo", s.echoHandler).Methods("POST")
+	s.router.HandleFunc("/api/echo", s.echoHandler)
+	s.router.PathPrefix("/api/echo/").HandlerFunc(s.echoHandler)
 	s.router.HandleFunc("/ws/echo", s.echoWsHandler)
 	s.router.HandleFunc("/chunked", s.chunkedHandler)
 	s.router.HandleFunc("/chunked/{wait:[0-9]+}", s.chunkedHandler)

pkg/signals/shutdown.go

@@ -48,7 +48,8 @@ func (s *Shutdown) Graceful(stopCh <-chan struct{}, httpServer *http.Server, htt
 
 	s.logger.Info("Shutting down HTTP/HTTPS server", zap.Duration("timeout", s.serverShutdownTimeout))
 
-	// wait for Kubernetes readiness probe to remove this instance from the load balancer
+	// There could be a period where a terminating pod may still receive requests. Implementing a brief wait can mitigate this.
+	// See: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination
 	// the readiness check interval must be lower than the timeout
 	if viper.GetString("level") != "debug" {
 		time.Sleep(3 * time.Second)

pkg/version/version.go

@@ -1,4 +1,4 @@
 package version
 
-var VERSION = "6.3.6"
+var VERSION = "6.5.4"
 var REVISION = "unknown"

timoni/bundles/test.podinfo.cue

@@ -0,0 +1,68 @@
+bundle: {
+	apiVersion: "v1alpha1"
+	name:       "podinfo"
+
+	_modURL: "oci://ghcr.io/stefanprodan/modules/podinfo" @timoni(runtime:string:PODINFO_MODULE_URL)
+	_imgURL: "ghcr.io/stefanprodan/modules/podinfo"       @timoni(runtime:string:PODINFO_IMAGE_URL)
+	_imgTag: "latest"                                     @timoni(runtime:string:PODINFO_VERSION)
+
+	instances: {
+		backend: {
+			module: url: _modURL
+			namespace: "podinfo"
+			values: {
+				image: {
+					repository: _imgURL
+					tag:        _imgTag
+				}
+				resources: requests: {
+					cpu:    "100m"
+					memory: "128Mi"
+				}
+				autoscaling: {
+					enabled:     true
+					minReplicas: 1
+					maxReplicas: 10
+					cpu:         90
+				}
+				test: enabled: true
+			}
+		}
+		frontend: {
+			module: url: _modURL
+			namespace: "podinfo"
+			values: {
+				image: {
+					repository: _imgURL
+					tag:        _imgTag
+				}
+				ui: backend: "http://backend.podinfo.svc.cluster.local/echo"
+				replicas: 2
+				podSecurityContext: {
+					runAsUser:  100
+					runAsGroup: 101
+					fsGroup:    101
+				}
+				securityContext: {
+					allowPrivilegeEscalation: false
+					readOnlyRootFilesystem:   true
+					runAsNonRoot:             true
+					capabilities: drop: ["ALL"]
+					seccompProfile: type: "RuntimeDefault"
+				}
+				ingress: {
+					enabled:   true
+					className: "nginx"
+					host:      "podinfo.local"
+					tls:       true
+					annotations: {
+						"nginx.ingress.kubernetes.io/ssl-redirect":       "false"
+						"nginx.ingress.kubernetes.io/force-ssl-redirect": "false"
+						"cert-manager.io/cluster-issuer":                 "self-signed"
+					}
+				}
+				test: enabled: true
+			}
+		}
+	}
+}

timoni/podinfo/README.md

@@ -0,0 +1,140 @@
+# Podinfo
+
+[Podinfo](https://github.com/stefanprodan/podinfo) is a tiny web application
+made with Go that showcases best practices of running microservices in Kubernetes.
+
+## Module Repository
+
+This module is available on GitHub Container Registry at
+[ghcr.io/stefanprodan/modules/podinfo](https://github.com/stefanprodan/podinfo/pkgs/container/modules%2Fpodinfo).
+
+## Install
+
+To create an instance using the default values:
+
+```shell
+timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo
+```
+
+To install a specific module version:
+
+```shell
+timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo -v 6.5.0
+```
+
+To change the [default configuration](#configuration),
+create one or more `values.cue` files and apply them to the instance.
+
+For example, create a file `my-values.cue` with the following content:
+
+```cue
+values: {
+	resources: requests: {
+		cpu:    "100m"
+		memory: "128Mi"
+	}
+}
+```
+
+And apply the values with:
+
+```shell
+timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo \
+--values ./my-values.cue
+```
+
+## Uninstall
+
+To uninstall an instance and delete all its Kubernetes resources:
+
+```shell
+timoni -n default delete podinfo
+```
+
+## Configuration
+
+### General values
+
+| Key                          | Type                                    | Default                        | Description                                                                                                                                  |
+|------------------------------|-----------------------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|
+| `image: tag:`                | `string`                                | `<latest version>`             | Container image tag                                                                                                                          |
+| `image: digest:`             | `string`                                | `""`                           | Container image digest, takes precedence over `tag` when specified                                                                           |
+| `image: repository:`         | `string`                                | `ghcr.io/stefanprodan/podinfo` | Container image repository                                                                                                                   |
+| `image: pullPolicy:`         | `string`                                | `IfNotPresent`                 | [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy)                                     |
+| `metadata: labels:`          | `{[ string]: string}`                   | `{}`                           | Common labels for all resources                                                                                                              |
+| `metadata: annotations:`     | `{[ string]: string}`                   | `{}`                           | Common annotations for all resources                                                                                                         |
+| `podAnnotations:`            | `{[ string]: string}`                   | `{}`                           | Annotations applied to pods                                                                                                                  |
+| `imagePullSecrets:`          | `[...corev1.LocalObjectReference]`      | `[]`                           | [Kubernetes image pull secrets](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)                 |
+| `tolerations:`               | `[ ...corev1.#Toleration]`              | `[]`                           | [Kubernetes toleration](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration)                                        |
+| `affinity:`                  | `corev1.#Affinity`                      | `{}`                           | [Kubernetes affinity and anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
+| `resources:`                 | `corev1.#ResourceRequirements`          | `{}`                           | [Kubernetes resource requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers)                     |
+| `topologySpreadConstraints:` | `[...corev1.#TopologySpreadConstraint]` | `[]`                           | [Kubernetes pod topology spread constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints)            |
+| `podSecurityContext:`        | `corev1.#PodSecurityContext`            | `{}`                           | [Kubernetes pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context)                                 |
+| `securityContext:`           | `corev1.#SecurityContext`               | `{}`                           | [Kubernetes container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context)                           |
+| `test: enabled:`             | `bool`                                  | `false`                        | Run end-to-end tests at install and upgrades                                                                                                 |
+
+#### Recommended values
+
+Comply with the
+restricted [Kubernetes pod security standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/):
+
+```cue
+values: {
+	podSecurityContext: {
+		runAsUser:  100
+		runAsGroup: 101
+		fsGroup:    101
+	}
+	securityContext: {
+		allowPrivilegeEscalation: false
+		readOnlyRootFilesystem:   true
+		runAsNonRoot:             true
+		capabilities: drop: ["ALL"]
+		seccompProfile: type: "RuntimeDefault"
+	}
+}
+```
+
+### Autoscaling values
+
+| Key                         | Type     | Default       | Description                                                                                                  |
+|-----------------------------|----------|---------------|--------------------------------------------------------------------------------------------------------------|
+| `replicas:`                 | `int`    | `1`           | Number of pods when autoscaling is disabled                                                                  |
+| `autoscaling: enabled:`     | `bool`   | `false`       | Enable [Kubernetes HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) creation |
+| `autoscaling: minReplicas:` | `int`    | `replicas`    | Minimum number of pods                                                                                       |
+| `autoscaling: maxReplicas:` | `int`    | `minReplicas` | Maximum number of pods                                                                                       |
+| `autoscaling: cpu:`         | `int`    | `99`          | CPU average utilization (percentage)                                                                         |
+| `autoscaling: memory:`      | `string` | `""`          | memory average value (e.g. `1024Mi`)                                                                         |
+
+### Ingress values
+
+| Key                     | Type                  | Default         | Description                                                                                            |
+|-------------------------|-----------------------|-----------------|--------------------------------------------------------------------------------------------------------|
+| `service: port:`        | `int`                 | `80`            | Kubernetes Service ClusterIP port                                                                      |
+| `ingress: enabled:`     | `bool`                | `false`         | Enable [Kubernetes Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) creation |
+| `ingress: tls:`         | `bool`                | `false`         | Enable TLS (requires cert-manager)                                                                     |
+| `ingress: host:`        | `string`              | `podinfo.local` | Ingress host                                                                                           |
+| `ingress: className:`   | `string`              | `""`            | Ingress class name                                                                                     |
+| `ingress: annotations:` | `{[ string]: string}` | `{}`            | Annotations applied to ingress                                                                         |
+
+### Monitoring values
+
+| Key                     | Type   | Default | Description                                                                   |
+|-------------------------|--------|---------|-------------------------------------------------------------------------------|
+| `monitoring: enabled:`  | `bool` | `false` | Enable [Prometheus ServiceMonitor](https://prometheus-operator.dev/) creation |
+| `monitoring: interval:` | `int`  | `15`    | Prometheus scrape interval in seconds                                         |
+
+### Cashing values
+
+| Key                  | Type     | Default | Description                                             |
+|----------------------|----------|---------|---------------------------------------------------------|
+| `caching: enabled:`  | `bool`   | `false` | Enable Redis caching                                    |
+| `caching: redisURL:` | `string` | `""`    | Redis URL in the format `tcp://:[password]@host[:port]` |
+
+### UI values
+
+| Key            | Type     | Default   | Description      |
+|----------------|----------|-----------|------------------|
+| `ui: color:`   | `string` | `#34577c` | Background color |
+| `ui: message:` | `string` | `""`      | Greeting message |
+| `ui: backend:` | `string` | `""`      | Backend URL      |

timoni/podinfo/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admission/v1
+
+package v1
+
+#GroupName: "admission.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue

@@ -0,0 +1,172 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admission/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// AdmissionReview describes an admission review request/response.
+#AdmissionReview: {
+	metav1.#TypeMeta
+
+	// Request describes the attributes for the admission request.
+	// +optional
+	request?: null | #AdmissionRequest @go(Request,*AdmissionRequest) @protobuf(1,bytes,opt)
+
+	// Response describes the attributes for the admission response.
+	// +optional
+	response?: null | #AdmissionResponse @go(Response,*AdmissionResponse) @protobuf(2,bytes,opt)
+}
+
+// AdmissionRequest describes the admission.Attributes for the admission request.
+#AdmissionRequest: {
+	// UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are
+	// otherwise identical (parallel requests, requests when earlier requests did not modify etc)
+	// The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.
+	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+	uid: types.#UID @go(UID) @protobuf(1,bytes,opt)
+
+	// Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+	kind: metav1.#GroupVersionKind @go(Kind) @protobuf(2,bytes,opt)
+
+	// Resource is the fully-qualified resource being requested (for example, v1.pods)
+	resource: metav1.#GroupVersionResource @go(Resource) @protobuf(3,bytes,opt)
+
+	// SubResource is the subresource being requested, if any (for example, "status" or "scale")
+	// +optional
+	subResource?: string @go(SubResource) @protobuf(4,bytes,opt)
+
+	// RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).
+	// If this is specified and differs from the value in "kind", an equivalent match and conversion was performed.
+	//
+	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+	// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+	// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+	// with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for),
+	// and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request).
+	//
+	// See documentation for the "matchPolicy" field in the webhook configuration type for more details.
+	// +optional
+	requestKind?: null | metav1.#GroupVersionKind @go(RequestKind,*metav1.GroupVersionKind) @protobuf(13,bytes,opt)
+
+	// RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).
+	// If this is specified and differs from the value in "resource", an equivalent match and conversion was performed.
+	//
+	// For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of
+	// `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`,
+	// an API request to apps/v1beta1 deployments would be converted and sent to the webhook
+	// with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for),
+	// and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request).
+	//
+	// See documentation for the "matchPolicy" field in the webhook configuration type.
+	// +optional
+	requestResource?: null | metav1.#GroupVersionResource @go(RequestResource,*metav1.GroupVersionResource) @protobuf(14,bytes,opt)
+
+	// RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale")
+	// If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed.
+	// See documentation for the "matchPolicy" field in the webhook configuration type.
+	// +optional
+	requestSubResource?: string @go(RequestSubResource) @protobuf(15,bytes,opt)
+
+	// Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
+	// rely on the server to generate the name.  If that is the case, this field will contain an empty string.
+	// +optional
+	name?: string @go(Name) @protobuf(5,bytes,opt)
+
+	// Namespace is the namespace associated with the request (if any).
+	// +optional
+	namespace?: string @go(Namespace) @protobuf(6,bytes,opt)
+
+	// Operation is the operation being performed. This may be different than the operation
+	// requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
+	operation: #Operation @go(Operation) @protobuf(7,bytes,opt)
+
+	// UserInfo is information about the requesting user
+	userInfo: authenticationv1.#UserInfo @go(UserInfo) @protobuf(8,bytes,opt)
+
+	// Object is the object from the incoming request.
+	// +optional
+	object?: runtime.#RawExtension @go(Object) @protobuf(9,bytes,opt)
+
+	// OldObject is the existing object. Only populated for DELETE and UPDATE requests.
+	// +optional
+	oldObject?: runtime.#RawExtension @go(OldObject) @protobuf(10,bytes,opt)
+
+	// DryRun indicates that modifications will definitely not be persisted for this request.
+	// Defaults to false.
+	// +optional
+	dryRun?: null | bool @go(DryRun,*bool) @protobuf(11,varint,opt)
+
+	// Options is the operation option structure of the operation being performed.
+	// e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
+	// different than the options the caller provided. e.g. for a patch request the performed
+	// Operation might be a CREATE, in which case the Options will a
+	// `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+	// +optional
+	options?: runtime.#RawExtension @go(Options) @protobuf(12,bytes,opt)
+}
+
+// AdmissionResponse describes an admission response.
+#AdmissionResponse: {
+	// UID is an identifier for the individual request/response.
+	// This must be copied over from the corresponding AdmissionRequest.
+	uid: types.#UID @go(UID) @protobuf(1,bytes,opt)
+
+	// Allowed indicates whether or not the admission request was permitted.
+	allowed: bool @go(Allowed) @protobuf(2,varint,opt)
+
+	// Result contains extra details into why an admission request was denied.
+	// This field IS NOT consulted in any way if "Allowed" is "true".
+	// +optional
+	status?: null | metav1.#Status @go(Result,*metav1.Status) @protobuf(3,bytes,opt)
+
+	// The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
+	// +optional
+	patch?: bytes @go(Patch,[]byte) @protobuf(4,bytes,opt)
+
+	// The type of Patch. Currently we only allow "JSONPatch".
+	// +optional
+	patchType?: null | #PatchType @go(PatchType,*PatchType) @protobuf(5,bytes,opt)
+
+	// AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted).
+	// MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with
+	// admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by
+	// the admission webhook to add additional context to the audit log for this request.
+	// +optional
+	auditAnnotations?: {[string]: string} @go(AuditAnnotations,map[string]string) @protobuf(6,bytes,opt)
+
+	// warnings is a list of warning messages to return to the requesting API client.
+	// Warning messages describe a problem the client making the API request should correct or be aware of.
+	// Limit warnings to 120 characters if possible.
+	// Warnings over 256 characters and large numbers of warnings may be truncated.
+	// +optional
+	warnings?: [...string] @go(Warnings,[]string) @protobuf(7,bytes,rep)
+}
+
+// PatchType is the type of patch being used to represent the mutated object
+#PatchType: string // #enumPatchType
+
+#enumPatchType:
+	#PatchTypeJSONPatch
+
+#PatchTypeJSONPatch: #PatchType & "JSONPatch"
+
+// Operation is the type of resource operation being checked for admission control
+#Operation: string // #enumOperation
+
+#enumOperation:
+	#Create |
+	#Update |
+	#Delete |
+	#Connect
+
+#Create:  #Operation & "CREATE"
+#Update:  #Operation & "UPDATE"
+#Delete:  #Operation & "DELETE"
+#Connect: #Operation & "CONNECT"

timoni/podinfo/cue.mod/gen/k8s.io/api/admissionregistration/v1/doc_go_gen.cue

@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admissionregistration/v1
+
+// Package v1 is the v1 version of the API.
+// AdmissionConfiguration and AdmissionPluginConfiguration are legacy static admission plugin configuration
+// MutatingWebhookConfiguration and ValidatingWebhookConfiguration are for the
+// new dynamic admission controller configuration.
+package v1

timoni/podinfo/cue.mod/gen/k8s.io/api/admissionregistration/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admissionregistration/v1
+
+package v1
+
+#GroupName: "admissionregistration.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/admissionregistration/v1/types_go_gen.cue

@@ -0,0 +1,645 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/admissionregistration/v1
+
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended
+// to make sure that all the tuple expansions are valid.
+#Rule: {
+	// APIGroups is the API groups the resources belong to. '*' is all groups.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	// +listType=atomic
+	apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(1,bytes,rep)
+
+	// APIVersions is the API versions the resources belong to. '*' is all versions.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	// +listType=atomic
+	apiVersions?: [...string] @go(APIVersions,[]string) @protobuf(2,bytes,rep)
+
+	// Resources is a list of resources this rule applies to.
+	//
+	// For example:
+	// 'pods' means pods.
+	// 'pods/log' means the log subresource of pods.
+	// '*' means all resources, but not subresources.
+	// 'pods/*' means all subresources of pods.
+	// '*/scale' means all scale subresources.
+	// '*/*' means all resources and their subresources.
+	//
+	// If wildcard is present, the validation rule will ensure resources do not
+	// overlap with each other.
+	//
+	// Depending on the enclosing object, subresources might not be allowed.
+	// Required.
+	// +listType=atomic
+	resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep)
+
+	// scope specifies the scope of this rule.
+	// Valid values are "Cluster", "Namespaced", and "*"
+	// "Cluster" means that only cluster-scoped resources will match this rule.
+	// Namespace API objects are cluster-scoped.
+	// "Namespaced" means that only namespaced resources will match this rule.
+	// "*" means that there are no scope restrictions.
+	// Subresources match the scope of their parent resource.
+	// Default is "*".
+	//
+	// +optional
+	scope?: null | #ScopeType @go(Scope,*ScopeType) @protobuf(4,bytes,rep)
+}
+
+// ScopeType specifies a scope for a Rule.
+// +enum
+#ScopeType: string // #enumScopeType
+
+#enumScopeType:
+	#ClusterScope |
+	#NamespacedScope |
+	#AllScopes
+
+// ClusterScope means that scope is limited to cluster-scoped objects.
+// Namespace objects are cluster-scoped.
+#ClusterScope: #ScopeType & "Cluster"
+
+// NamespacedScope means that scope is limited to namespaced objects.
+#NamespacedScope: #ScopeType & "Namespaced"
+
+// AllScopes means that all scopes are included.
+#AllScopes: #ScopeType & "*"
+
+// FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled.
+// +enum
+#FailurePolicyType: string // #enumFailurePolicyType
+
+#enumFailurePolicyType:
+	#Ignore |
+	#Fail
+
+// Ignore means that an error calling the webhook is ignored.
+#Ignore: #FailurePolicyType & "Ignore"
+
+// Fail means that an error calling the webhook causes the admission to fail.
+#Fail: #FailurePolicyType & "Fail"
+
+// MatchPolicyType specifies the type of match policy.
+// +enum
+#MatchPolicyType: string // #enumMatchPolicyType
+
+#enumMatchPolicyType:
+	#Exact |
+	#Equivalent
+
+// Exact means requests should only be sent to the webhook if they exactly match a given rule.
+#Exact: #MatchPolicyType & "Exact"
+
+// Equivalent means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.
+#Equivalent: #MatchPolicyType & "Equivalent"
+
+// SideEffectClass specifies the types of side effects a webhook may have.
+// +enum
+#SideEffectClass: string // #enumSideEffectClass
+
+#enumSideEffectClass:
+	#SideEffectClassUnknown |
+	#SideEffectClassNone |
+	#SideEffectClassSome |
+	#SideEffectClassNoneOnDryRun
+
+// SideEffectClassUnknown means that no information is known about the side effects of calling the webhook.
+// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
+#SideEffectClassUnknown: #SideEffectClass & "Unknown"
+
+// SideEffectClassNone means that calling the webhook will have no side effects.
+#SideEffectClassNone: #SideEffectClass & "None"
+
+// SideEffectClassSome means that calling the webhook will possibly have side effects.
+// If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.
+#SideEffectClassSome: #SideEffectClass & "Some"
+
+// SideEffectClassNoneOnDryRun means that calling the webhook will possibly have side effects, but if the
+// request being reviewed has the dry-run attribute, the side effects will be suppressed.
+#SideEffectClassNoneOnDryRun: #SideEffectClass & "NoneOnDryRun"
+
+// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
+#ValidatingWebhookConfiguration: {
+	metav1.#TypeMeta
+
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	webhooks?: [...#ValidatingWebhook] @go(Webhooks,[]ValidatingWebhook) @protobuf(2,bytes,rep,name=Webhooks)
+}
+
+// ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.
+#ValidatingWebhookConfigurationList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// List of ValidatingWebhookConfiguration.
+	items: [...#ValidatingWebhookConfiguration] @go(Items,[]ValidatingWebhookConfiguration) @protobuf(2,bytes,rep)
+}
+
+// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
+#MutatingWebhookConfiguration: {
+	metav1.#TypeMeta
+
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Webhooks is a list of webhooks and the affected resources and operations.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	webhooks?: [...#MutatingWebhook] @go(Webhooks,[]MutatingWebhook) @protobuf(2,bytes,rep,name=Webhooks)
+}
+
+// MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.
+#MutatingWebhookConfigurationList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// List of MutatingWebhookConfiguration.
+	items: [...#MutatingWebhookConfiguration] @go(Items,[]MutatingWebhookConfiguration) @protobuf(2,bytes,rep)
+}
+
+// ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
+#ValidatingWebhook: {
+	// The name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt)
+
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep)
+
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Fail.
+	// +optional
+	failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType)
+
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Equivalent"
+	// +optional
+	matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType)
+
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	//   "matchExpressions": [
+	//     {
+	//       "key": "runlevel",
+	//       "operator": "NotIn",
+	//       "values": [
+	//         "0",
+	//         "1"
+	//       ]
+	//     }
+	//   ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	//   "matchExpressions": [
+	//     {
+	//       "key": "environment",
+	//       "operator": "In",
+	//       "values": [
+	//         "prod",
+	//         "staging"
+	//       ]
+	//     }
+	//   ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	// +optional
+	namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt)
+
+	// ObjectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	// +optional
+	objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(10,bytes,opt)
+
+	// SideEffects states whether this webhook has side effects.
+	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some.
+	sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass)
+
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 10 seconds.
+	// +optional
+	timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt)
+
+	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep)
+
+	// MatchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	//   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	//   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	//   3. If any matchCondition evaluates to an error (but none are FALSE):
+	//      - If failurePolicy=Fail, reject the request
+	//      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	//
+	// This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate.
+	//
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	// +featureGate=AdmissionWebhookMatchConditions
+	// +optional
+	matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(11,bytes,opt)
+}
+
+// MutatingWebhook describes an admission webhook and the resources and operations it applies to.
+#MutatingWebhook: {
+	// The name of the admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	clientConfig: #WebhookClientConfig @go(ClientConfig) @protobuf(2,bytes,opt)
+
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	// However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
+	// from putting the cluster in a state which cannot be recovered from without completely
+	// disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
+	// on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
+	rules?: [...#RuleWithOperations] @go(Rules,[]RuleWithOperations) @protobuf(3,bytes,rep)
+
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Fail.
+	// +optional
+	failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) @protobuf(4,bytes,opt,casttype=FailurePolicyType)
+
+	// matchPolicy defines how the "rules" list is used to match incoming requests.
+	// Allowed values are "Exact" or "Equivalent".
+	//
+	// - Exact: match a request only if it exactly matches a specified rule.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
+	//
+	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
+	//
+	// Defaults to "Equivalent"
+	// +optional
+	matchPolicy?: null | #MatchPolicyType @go(MatchPolicy,*MatchPolicyType) @protobuf(9,bytes,opt,casttype=MatchPolicyType)
+
+	// NamespaceSelector decides whether to run the webhook on an object based
+	// on whether the namespace for that object matches the selector. If the
+	// object itself is a namespace, the matching is performed on
+	// object.metadata.labels. If the object is another cluster scoped resource,
+	// it never skips the webhook.
+	//
+	// For example, to run the webhook on any objects whose namespace is not
+	// associated with "runlevel" of "0" or "1";  you will set the selector as
+	// follows:
+	// "namespaceSelector": {
+	//   "matchExpressions": [
+	//     {
+	//       "key": "runlevel",
+	//       "operator": "NotIn",
+	//       "values": [
+	//         "0",
+	//         "1"
+	//       ]
+	//     }
+	//   ]
+	// }
+	//
+	// If instead you want to only run the webhook on any objects whose
+	// namespace is associated with the "environment" of "prod" or "staging";
+	// you will set the selector as follows:
+	// "namespaceSelector": {
+	//   "matchExpressions": [
+	//     {
+	//       "key": "environment",
+	//       "operator": "In",
+	//       "values": [
+	//         "prod",
+	//         "staging"
+	//       ]
+	//     }
+	//   ]
+	// }
+	//
+	// See
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// for more examples of label selectors.
+	//
+	// Default to the empty LabelSelector, which matches everything.
+	// +optional
+	namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(5,bytes,opt)
+
+	// ObjectSelector decides whether to run the webhook based on if the
+	// object has matching labels. objectSelector is evaluated against both
+	// the oldObject and newObject that would be sent to the webhook, and
+	// is considered to match if either object matches the selector. A null
+	// object (oldObject in the case of create, or newObject in the case of
+	// delete) or an object that cannot have labels (like a
+	// DeploymentRollback or a PodProxyOptions object) is not considered to
+	// match.
+	// Use the object selector only if the webhook is opt-in, because end
+	// users may skip the admission webhook by setting the labels.
+	// Default to the empty LabelSelector, which matches everything.
+	// +optional
+	objectSelector?: null | metav1.#LabelSelector @go(ObjectSelector,*metav1.LabelSelector) @protobuf(11,bytes,opt)
+
+	// SideEffects states whether this webhook has side effects.
+	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
+	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
+	// rejected by a future step in the admission chain and the side effects therefore need to be undone.
+	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
+	// sideEffects == Unknown or Some.
+	sideEffects?: null | #SideEffectClass @go(SideEffects,*SideEffectClass) @protobuf(6,bytes,opt,casttype=SideEffectClass)
+
+	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
+	// the webhook call will be ignored or the API call will fail based on the
+	// failure policy.
+	// The timeout value must be between 1 and 30 seconds.
+	// Default to 10 seconds.
+	// +optional
+	timeoutSeconds?: null | int32 @go(TimeoutSeconds,*int32) @protobuf(7,varint,opt)
+
+	// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
+	// versions the Webhook expects. API server will try to use first version in
+	// the list which it supports. If none of the versions specified in this list
+	// supported by API server, validation will fail for this object.
+	// If a persisted webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail
+	// and be subject to the failure policy.
+	admissionReviewVersions: [...string] @go(AdmissionReviewVersions,[]string) @protobuf(8,bytes,rep)
+
+	// reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
+	// Allowed values are "Never" and "IfNeeded".
+	//
+	// Never: the webhook will not be called more than once in a single admission evaluation.
+	//
+	// IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
+	// if the object being admitted is modified by other admission plugins after the initial webhook call.
+	// Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
+	// Note:
+	// * the number of additional invocations is not guaranteed to be exactly one.
+	// * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
+	// * webhooks that use this option may be reordered to minimize the number of additional invocations.
+	// * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
+	//
+	// Defaults to "Never".
+	// +optional
+	reinvocationPolicy?: null | #ReinvocationPolicyType @go(ReinvocationPolicy,*ReinvocationPolicyType) @protobuf(10,bytes,opt,casttype=ReinvocationPolicyType)
+
+	// MatchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	//   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
+	//   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
+	//   3. If any matchCondition evaluates to an error (but none are FALSE):
+	//      - If failurePolicy=Fail, reject the request
+	//      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
+	//
+	// This is a beta feature and managed by the AdmissionWebhookMatchConditions feature gate.
+	//
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	// +featureGate=AdmissionWebhookMatchConditions
+	// +optional
+	matchConditions?: [...#MatchCondition] @go(MatchConditions,[]MatchCondition) @protobuf(12,bytes,opt)
+}
+
+// ReinvocationPolicyType specifies what type of policy the admission hook uses.
+// +enum
+#ReinvocationPolicyType: string // #enumReinvocationPolicyType
+
+#enumReinvocationPolicyType:
+	#NeverReinvocationPolicy |
+	#IfNeededReinvocationPolicy
+
+// NeverReinvocationPolicy indicates that the webhook must not be called more than once in a
+// single admission evaluation.
+#NeverReinvocationPolicy: #ReinvocationPolicyType & "Never"
+
+// IfNeededReinvocationPolicy indicates that the webhook may be called at least one
+// additional time as part of the admission evaluation if the object being admitted is
+// modified by other admission plugins after the initial webhook call.
+#IfNeededReinvocationPolicy: #ReinvocationPolicyType & "IfNeeded"
+
+// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
+// sure that all the tuple expansions are valid.
+#RuleWithOperations: {
+	// Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
+	// for all of those operations and any future admission operations that are added.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	// +listType=atomic
+	operations?: [...#OperationType] @go(Operations,[]OperationType) @protobuf(1,bytes,rep,casttype=OperationType)
+
+	#Rule
+}
+
+// OperationType specifies an operation for a request.
+// +enum
+#OperationType: string // #enumOperationType
+
+#enumOperationType:
+	#OperationAll |
+	#Create |
+	#Update |
+	#Delete |
+	#Connect
+
+#OperationAll: #OperationType & "*"
+#Create:       #OperationType & "CREATE"
+#Update:       #OperationType & "UPDATE"
+#Delete:       #OperationType & "DELETE"
+#Connect:      #OperationType & "CONNECT"
+
+// WebhookClientConfig contains the information to make a TLS
+// connection with the webhook
+#WebhookClientConfig: {
+	// `url` gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	//
+	// +optional
+	url?: null | string @go(URL,*string) @protobuf(3,bytes,opt)
+
+	// `service` is a reference to the service for this webhook. Either
+	// `service` or `url` must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	//
+	// +optional
+	service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt)
+
+	// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	// +optional
+	caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt)
+}
+
+// ServiceReference holds a reference to Service.legacy.k8s.io
+#ServiceReference: {
+	// `namespace` is the namespace of the service.
+	// Required
+	namespace: string @go(Namespace) @protobuf(1,bytes,opt)
+
+	// `name` is the name of the service.
+	// Required
+	name: string @go(Name) @protobuf(2,bytes,opt)
+
+	// `path` is an optional URL path which will be sent in any request to
+	// this service.
+	// +optional
+	path?: null | string @go(Path,*string) @protobuf(3,bytes,opt)
+
+	// If specified, the port on the service that hosting webhook.
+	// Default to 443 for backward compatibility.
+	// `port` should be a valid port number (1-65535, inclusive).
+	// +optional
+	port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt)
+}
+
+// MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.
+#MatchCondition: {
+	// Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+	// as well as providing an identifier for logging purposes. A good name should be descriptive of
+	// the associated expression.
+	// Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+	// must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or
+	// '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+	// optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+	//
+	// Required.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+	// CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+	//
+	// 'object' - The object from the incoming request. The value is null for DELETE requests.
+	// 'oldObject' - The existing object. The value is null for CREATE requests.
+	// 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+	// 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+	//   See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+	// 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+	//   request resource.
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	//
+	// Required.
+	expression: string @go(Expression) @protobuf(2,bytes,opt)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/apps/v1
+
+package v1
+
+#GroupName: "apps"

timoni/podinfo/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue

@@ -0,0 +1,946 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/apps/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+#ControllerRevisionHashLabelKey: "controller-revision-hash"
+#StatefulSetRevisionLabel:       "controller-revision-hash"
+#DeprecatedRollbackTo:           "deprecated.deployment.rollback.to"
+#DeprecatedTemplateGeneration:   "deprecated.daemonset.template.generation"
+#StatefulSetPodNameLabel:        "statefulset.kubernetes.io/pod-name"
+#PodIndexLabel:                  "apps.kubernetes.io/pod-index"
+
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+//   - Network: A single stable DNS and hostname.
+//   - Storage: As many VolumeClaims as requested.
+//
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
+#StatefulSet: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec defines the desired identities of pods in this set.
+	// +optional
+	spec?: #StatefulSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the current status of Pods in this StatefulSet. This data
+	// may be out of date by some window of time.
+	// +optional
+	status?: #StatefulSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// PodManagementPolicyType defines the policy for creating pods under a stateful set.
+// +enum
+#PodManagementPolicyType: string // #enumPodManagementPolicyType
+
+#enumPodManagementPolicyType:
+	#OrderedReadyPodManagement |
+	#ParallelPodManagement
+
+// OrderedReadyPodManagement will create pods in strictly increasing order on
+// scale up and strictly decreasing order on scale down, progressing only when
+// the previous pod is ready or terminated. At most one pod will be changed
+// at any time.
+#OrderedReadyPodManagement: #PodManagementPolicyType & "OrderedReady"
+
+// ParallelPodManagement will create and delete pods as soon as the stateful set
+// replica count is changed, and will not wait for pods to be ready or complete
+// termination.
+#ParallelPodManagement: #PodManagementPolicyType & "Parallel"
+
+// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
+#StatefulSetUpdateStrategy: {
+	// Type indicates the type of the StatefulSetUpdateStrategy.
+	// Default is RollingUpdate.
+	// +optional
+	type?: #StatefulSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetStrategyType)
+
+	// RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
+	// +optional
+	rollingUpdate?: null | #RollingUpdateStatefulSetStrategy @go(RollingUpdate,*RollingUpdateStatefulSetStrategy) @protobuf(2,bytes,opt)
+}
+
+// StatefulSetUpdateStrategyType is a string enumeration type that enumerates
+// all possible update strategies for the StatefulSet controller.
+// +enum
+#StatefulSetUpdateStrategyType: string // #enumStatefulSetUpdateStrategyType
+
+#enumStatefulSetUpdateStrategyType:
+	#RollingUpdateStatefulSetStrategyType |
+	#OnDeleteStatefulSetStrategyType
+
+// RollingUpdateStatefulSetStrategyType indicates that update will be
+// applied to all Pods in the StatefulSet with respect to the StatefulSet
+// ordering constraints. When a scale operation is performed with this
+// strategy, new Pods will be created from the specification version indicated
+// by the StatefulSet's updateRevision.
+#RollingUpdateStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "RollingUpdate"
+
+// OnDeleteStatefulSetStrategyType triggers the legacy behavior. Version
+// tracking and ordered rolling restarts are disabled. Pods are recreated
+// from the StatefulSetSpec when they are manually deleted. When a scale
+// operation is performed with this strategy,specification version indicated
+// by the StatefulSet's currentRevision.
+#OnDeleteStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "OnDelete"
+
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
+#RollingUpdateStatefulSetStrategy: {
+	// Partition indicates the ordinal at which the StatefulSet should be partitioned
+	// for updates. During a rolling update, all pods from ordinal Replicas-1 to
+	// Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched.
+	// This is helpful in being able to do a canary based deployment. The default value is 0.
+	// +optional
+	partition?: null | int32 @go(Partition,*int32) @protobuf(1,varint,opt)
+
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding up. This can not be 0.
+	// Defaults to 1. This field is alpha-level and is only honored by servers that enable the
+	// MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
+	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
+	// will be counted towards MaxUnavailable.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(2,varint,opt)
+}
+
+// PersistentVolumeClaimRetentionPolicyType is a string enumeration of the policies that will determine
+// when volumes from the VolumeClaimTemplates will be deleted when the controlling StatefulSet is
+// deleted or scaled down.
+#PersistentVolumeClaimRetentionPolicyType: string // #enumPersistentVolumeClaimRetentionPolicyType
+
+#enumPersistentVolumeClaimRetentionPolicyType:
+	#RetainPersistentVolumeClaimRetentionPolicyType |
+	#DeletePersistentVolumeClaimRetentionPolicyType
+
+// RetainPersistentVolumeClaimRetentionPolicyType is the default
+// PersistentVolumeClaimRetentionPolicy and specifies that
+// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
+// will not be deleted.
+#RetainPersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Retain"
+
+// RetentionPersistentVolumeClaimRetentionPolicyType specifies that
+// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
+// will be deleted in the scenario specified in
+// StatefulSetPersistentVolumeClaimRetentionPolicy.
+#DeletePersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Delete"
+
+// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs
+// created from the StatefulSet VolumeClaimTemplates.
+#StatefulSetPersistentVolumeClaimRetentionPolicy: {
+	// WhenDeleted specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is deleted. The default policy
+	// of `Retain` causes PVCs to not be affected by StatefulSet deletion. The
+	// `Delete` policy causes those PVCs to be deleted.
+	whenDeleted?: #PersistentVolumeClaimRetentionPolicyType @go(WhenDeleted) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
+
+	// WhenScaled specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is scaled down. The default
+	// policy of `Retain` causes PVCs to not be affected by a scaledown. The
+	// `Delete` policy causes the associated PVCs for any excess pods above
+	// the replica count to be deleted.
+	whenScaled?: #PersistentVolumeClaimRetentionPolicyType @go(WhenScaled) @protobuf(2,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
+}
+
+// StatefulSetOrdinals describes the policy used for replica ordinal assignment
+// in this StatefulSet.
+#StatefulSetOrdinals: {
+	// start is the number representing the first replica's index. It may be used
+	// to number replicas from an alternate index (eg: 1-indexed) over the default
+	// 0-indexed names, or to orchestrate progressive movement of replicas from
+	// one StatefulSet to another.
+	// If set, replica indices will be in the range:
+	//   [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas).
+	// If unset, defaults to 0. Replica indices will be in the range:
+	//   [0, .spec.replicas).
+	// +optional
+	start: int32 @go(Start) @protobuf(1,varint,opt)
+}
+
+// A StatefulSetSpec is the specification of a StatefulSet.
+#StatefulSetSpec: {
+	// replicas is the desired number of replicas of the given Template.
+	// These are replicas in the sense that they are instantiations of the
+	// same Template, but individual replicas also have a consistent identity.
+	// If unspecified, defaults to 1.
+	// TODO: Consider a rename of this field.
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// selector is a label query over pods that should match the replica count.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// template is the object that describes the pod that will be created if
+	// insufficient replicas are detected. Each pod stamped out by the StatefulSet
+	// will fulfill this Template, but have a unique identity from the rest
+	// of the StatefulSet. Each pod will be named with the format
+	// <statefulsetname>-<podindex>. For example, a pod in a StatefulSet named
+	// "web" with index number "3" would be named "web-3".
+	// The only allowed template.spec.restartPolicy value is "Always".
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+
+	// volumeClaimTemplates is a list of claims that pods are allowed to reference.
+	// The StatefulSet controller is responsible for mapping network identities to
+	// claims in a way that maintains the identity of a pod. Every claim in
+	// this list must have at least one matching (by name) volumeMount in one
+	// container in the template. A claim in this list takes precedence over
+	// any volumes in the template, with the same name.
+	// TODO: Define the behavior if a claim already exists with the same name.
+	// +optional
+	volumeClaimTemplates?: [...v1.#PersistentVolumeClaim] @go(VolumeClaimTemplates,[]v1.PersistentVolumeClaim) @protobuf(4,bytes,rep)
+
+	// serviceName is the name of the service that governs this StatefulSet.
+	// This service must exist before the StatefulSet, and is responsible for
+	// the network identity of the set. Pods get DNS/hostnames that follow the
+	// pattern: pod-specific-string.serviceName.default.svc.cluster.local
+	// where "pod-specific-string" is managed by the StatefulSet controller.
+	serviceName: string @go(ServiceName) @protobuf(5,bytes,opt)
+
+	// podManagementPolicy controls how pods are created during initial scale up,
+	// when replacing pods on nodes, or when scaling down. The default policy is
+	// `OrderedReady`, where pods are created in increasing order (pod-0, then
+	// pod-1, etc) and the controller will wait until each pod is ready before
+	// continuing. When scaling down, the pods are removed in the opposite order.
+	// The alternative policy is `Parallel` which will create pods in parallel
+	// to match the desired scale without waiting, and on scale down will delete
+	// all pods at once.
+	// +optional
+	podManagementPolicy?: #PodManagementPolicyType @go(PodManagementPolicy) @protobuf(6,bytes,opt,casttype=PodManagementPolicyType)
+
+	// updateStrategy indicates the StatefulSetUpdateStrategy that will be
+	// employed to update Pods in the StatefulSet when a revision is made to
+	// Template.
+	updateStrategy?: #StatefulSetUpdateStrategy @go(UpdateStrategy) @protobuf(7,bytes,opt)
+
+	// revisionHistoryLimit is the maximum number of revisions that will
+	// be maintained in the StatefulSet's revision history. The revision history
+	// consists of all revisions not represented by a currently applied
+	// StatefulSetSpec version. The default value is 10.
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(8,varint,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(9,varint,opt)
+
+	// persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+	// volume claims created from volumeClaimTemplates. By default, all persistent
+	// volume claims are created as needed and retained until manually deleted. This
+	// policy allows the lifecycle to be altered, for example by deleting persistent
+	// volume claims when their stateful set is deleted, or when their pod is scaled
+	// down. This requires the StatefulSetAutoDeletePVC feature gate to be enabled,
+	// which is alpha.  +optional
+	persistentVolumeClaimRetentionPolicy?: null | #StatefulSetPersistentVolumeClaimRetentionPolicy @go(PersistentVolumeClaimRetentionPolicy,*StatefulSetPersistentVolumeClaimRetentionPolicy) @protobuf(10,bytes,opt)
+
+	// ordinals controls the numbering of replica indices in a StatefulSet. The
+	// default ordinals behavior assigns a "0" index to the first replica and
+	// increments the index by one for each additional replica requested. Using
+	// the ordinals field requires the StatefulSetStartOrdinal feature gate to be
+	// enabled, which is beta.
+	// +optional
+	ordinals?: null | #StatefulSetOrdinals @go(Ordinals,*StatefulSetOrdinals) @protobuf(11,bytes,opt)
+}
+
+// StatefulSetStatus represents the current state of a StatefulSet.
+#StatefulSetStatus: {
+	// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
+	// StatefulSet's generation, which is updated on mutation by the API Server.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// replicas is the number of Pods created by the StatefulSet controller.
+	replicas: int32 @go(Replicas) @protobuf(2,varint,opt)
+
+	// readyReplicas is the number of pods created for this StatefulSet with a Ready Condition.
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(3,varint,opt)
+
+	// currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by currentRevision.
+	currentReplicas?: int32 @go(CurrentReplicas) @protobuf(4,varint,opt)
+
+	// updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by updateRevision.
+	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(5,varint,opt)
+
+	// currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
+	// sequence [0,currentReplicas).
+	currentRevision?: string @go(CurrentRevision) @protobuf(6,bytes,opt)
+
+	// updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
+	// [replicas-updatedReplicas,replicas)
+	updateRevision?: string @go(UpdateRevision) @protobuf(7,bytes,opt)
+
+	// collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
+	// uses this field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ControllerRevision.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
+
+	// Represents the latest available observations of a statefulset's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#StatefulSetCondition] @go(Conditions,[]StatefulSetCondition) @protobuf(10,bytes,rep)
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset.
+	// +optional
+	availableReplicas: int32 @go(AvailableReplicas) @protobuf(11,varint,opt)
+}
+
+#StatefulSetConditionType: string
+
+// StatefulSetCondition describes the state of a statefulset at a certain point.
+#StatefulSetCondition: {
+	// Type of statefulset condition.
+	type: #StatefulSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// StatefulSetList is a collection of StatefulSets.
+#StatefulSetList: {
+	metav1.#TypeMeta
+
+	// Standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of stateful sets.
+	items: [...#StatefulSet] @go(Items,[]StatefulSet) @protobuf(2,bytes,rep)
+}
+
+// Deployment enables declarative updates for Pods and ReplicaSets.
+#Deployment: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of the Deployment.
+	// +optional
+	spec?: #DeploymentSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Most recently observed status of the Deployment.
+	// +optional
+	status?: #DeploymentStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
+#DeploymentSpec: {
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	// It must match the pod template's labels.
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// Template describes the pods that will be created.
+	// The only allowed template.spec.restartPolicy value is "Always".
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+
+	// The deployment strategy to use to replace existing pods with new ones.
+	// +optional
+	// +patchStrategy=retainKeys
+	strategy?: #DeploymentStrategy @go(Strategy) @protobuf(4,bytes,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(5,varint,opt)
+
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
+
+	// Indicates that the deployment is paused.
+	// +optional
+	paused?: bool @go(Paused) @protobuf(7,varint,opt)
+
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. Defaults to 600s.
+	progressDeadlineSeconds?: null | int32 @go(ProgressDeadlineSeconds,*int32) @protobuf(9,varint,opt)
+}
+
+// DefaultDeploymentUniqueLabelKey is the default key of the selector that is added
+// to existing ReplicaSets (and label key that is added to its pods) to prevent the existing ReplicaSets
+// to select new pods (and old pods being select by new ReplicaSet).
+#DefaultDeploymentUniqueLabelKey: "pod-template-hash"
+
+// DeploymentStrategy describes how to replace existing pods with new ones.
+#DeploymentStrategy: {
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	// +optional
+	type?: #DeploymentStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentStrategyType)
+
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
+	// +optional
+	rollingUpdate?: null | #RollingUpdateDeployment @go(RollingUpdate,*RollingUpdateDeployment) @protobuf(2,bytes,opt)
+}
+
+// +enum
+#DeploymentStrategyType: string // #enumDeploymentStrategyType
+
+#enumDeploymentStrategyType:
+	#RecreateDeploymentStrategyType |
+	#RollingUpdateDeploymentStrategyType
+
+// Kill all existing pods before creating new ones.
+#RecreateDeploymentStrategyType: #DeploymentStrategyType & "Recreate"
+
+// Replace the old ReplicaSets by new one using rolling update i.e gradually scale down the old ReplicaSets and scale up the new one.
+#RollingUpdateDeploymentStrategyType: #DeploymentStrategyType & "RollingUpdate"
+
+// Spec to control the desired behavior of rolling update.
+#RollingUpdateDeployment: {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+	// can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new ReplicaSet can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is at most 130% of desired pods.
+	// +optional
+	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
+}
+
+// DeploymentStatus is the most recently observed status of the Deployment.
+#DeploymentStatus: {
+	// The generation observed by the deployment controller.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+	// +optional
+	replicas?: int32 @go(Replicas) @protobuf(2,varint,opt)
+
+	// Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+	// +optional
+	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(3,varint,opt)
+
+	// readyReplicas is the number of pods targeted by this Deployment with a Ready Condition.
+	// +optional
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(7,varint,opt)
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(4,varint,opt)
+
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	// +optional
+	unavailableReplicas?: int32 @go(UnavailableReplicas) @protobuf(5,varint,opt)
+
+	// Represents the latest available observations of a deployment's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#DeploymentCondition] @go(Conditions,[]DeploymentCondition) @protobuf(6,bytes,rep)
+
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(8,varint,opt)
+}
+
+#DeploymentConditionType: string // #enumDeploymentConditionType
+
+#enumDeploymentConditionType:
+	#DeploymentAvailable |
+	#DeploymentProgressing |
+	#DeploymentReplicaFailure
+
+// Available means the deployment is available, ie. at least the minimum available
+// replicas required are up and running for at least minReadySeconds.
+#DeploymentAvailable: #DeploymentConditionType & "Available"
+
+// Progressing means the deployment is progressing. Progress for a deployment is
+// considered when a new replica set is created or adopted, and when new pods scale
+// up or old pods scale down. Progress is not estimated for paused deployments or
+// when progressDeadlineSeconds is not specified.
+#DeploymentProgressing: #DeploymentConditionType & "Progressing"
+
+// ReplicaFailure is added in a deployment when one of its pods fails to be created
+// or deleted.
+#DeploymentReplicaFailure: #DeploymentConditionType & "ReplicaFailure"
+
+// DeploymentCondition describes the state of a deployment at a certain point.
+#DeploymentCondition: {
+	// Type of deployment condition.
+	type: #DeploymentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// The last time this condition was updated.
+	lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(6,bytes,opt)
+
+	// Last time the condition transitioned from one status to another.
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(7,bytes,opt)
+
+	// The reason for the condition's last transition.
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// DeploymentList is a list of Deployments.
+#DeploymentList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of Deployments.
+	items: [...#Deployment] @go(Items,[]Deployment) @protobuf(2,bytes,rep)
+}
+
+// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
+#DaemonSetUpdateStrategy: {
+	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
+	// +optional
+	type?: #DaemonSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt)
+
+	// Rolling update config params. Present only if type = "RollingUpdate".
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be. Same as Deployment `strategy.rollingUpdate`.
+	// See https://github.com/kubernetes/kubernetes/issues/35345
+	// +optional
+	rollingUpdate?: null | #RollingUpdateDaemonSet @go(RollingUpdate,*RollingUpdateDaemonSet) @protobuf(2,bytes,opt)
+}
+
+// +enum
+#DaemonSetUpdateStrategyType: string // #enumDaemonSetUpdateStrategyType
+
+#enumDaemonSetUpdateStrategyType:
+	#RollingUpdateDaemonSetStrategyType |
+	#OnDeleteDaemonSetStrategyType
+
+// Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other.
+#RollingUpdateDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "RollingUpdate"
+
+// Replace the old daemons only when it's killed
+#OnDeleteDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "OnDelete"
+
+// Spec to control the desired behavior of daemon set rolling update.
+#RollingUpdateDaemonSet: {
+	// The maximum number of DaemonSet pods that can be unavailable during the
+	// update. Value can be an absolute number (ex: 5) or a percentage of total
+	// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding up.
+	// This cannot be 0 if MaxSurge is 0
+	// Default value is 1.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their pods stopped for an update at any given time. The update
+	// starts by stopping at most 30% of those DaemonSet pods and then brings
+	// up new DaemonSet pods in their place. Once the new pods are available,
+	// it then proceeds onto other DaemonSet pods, thus ensuring that at least
+	// 70% of original number of DaemonSet pods are available at all times during
+	// the update.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// The maximum number of nodes with an existing available DaemonSet pod that
+	// can have an updated DaemonSet pod during during an update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up to a minimum of 1.
+	// Default value is 0.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their a new pod created before the old pod is marked as deleted.
+	// The update starts by launching new pods on 30% of nodes. Once an updated
+	// pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+	// on that node is marked deleted. If the old pod becomes unavailable for any
+	// reason (Ready transitions to false, is evicted, or is drained) an updated
+	// pod is immediatedly created on that node without considering surge limits.
+	// Allowing surge implies the possibility that the resources consumed by the
+	// daemonset on any given node can double if the readiness check fails, and
+	// so resource intensive daemonsets should take into account that they may
+	// cause evictions during disruption.
+	// +optional
+	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
+}
+
+// DaemonSetSpec is the specification of a daemon set.
+#DaemonSetSpec: {
+	// A label query over pods that are managed by the daemon set.
+	// Must match in order to be controlled.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(1,bytes,opt)
+
+	// An object that describes the pod that will be created.
+	// The DaemonSet will create exactly one copy of this pod on every node
+	// that matches the template's node selector (or on every node if no node
+	// selector is specified).
+	// The only allowed template.spec.restartPolicy value is "Always".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(2,bytes,opt)
+
+	// An update strategy to replace existing DaemonSet pods with new pods.
+	// +optional
+	updateStrategy?: #DaemonSetUpdateStrategy @go(UpdateStrategy) @protobuf(3,bytes,opt)
+
+	// The minimum number of seconds for which a newly created DaemonSet pod should
+	// be ready without any of its container crashing, for it to be considered
+	// available. Defaults to 0 (pod will be considered available as soon as it
+	// is ready).
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
+
+	// The number of old history to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
+}
+
+// DaemonSetStatus represents the current status of a daemon set.
+#DaemonSetStatus: {
+	// The number of nodes that are running at least 1
+	// daemon pod and are supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	currentNumberScheduled: int32 @go(CurrentNumberScheduled) @protobuf(1,varint,opt)
+
+	// The number of nodes that are running the daemon pod, but are
+	// not supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	numberMisscheduled: int32 @go(NumberMisscheduled) @protobuf(2,varint,opt)
+
+	// The total number of nodes that should be running the daemon
+	// pod (including nodes correctly running the daemon pod).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	desiredNumberScheduled: int32 @go(DesiredNumberScheduled) @protobuf(3,varint,opt)
+
+	// numberReady is the number of nodes that should be running the daemon pod and have one
+	// or more of the daemon pod running with a Ready Condition.
+	numberReady: int32 @go(NumberReady) @protobuf(4,varint,opt)
+
+	// The most recent generation observed by the daemon set controller.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(5,varint,opt)
+
+	// The total number of nodes that are running updated daemon pod
+	// +optional
+	updatedNumberScheduled?: int32 @go(UpdatedNumberScheduled) @protobuf(6,varint,opt)
+
+	// The number of nodes that should be running the
+	// daemon pod and have one or more of the daemon pod running and
+	// available (ready for at least spec.minReadySeconds)
+	// +optional
+	numberAvailable?: int32 @go(NumberAvailable) @protobuf(7,varint,opt)
+
+	// The number of nodes that should be running the
+	// daemon pod and have none of the daemon pod running and available
+	// (ready for at least spec.minReadySeconds)
+	// +optional
+	numberUnavailable?: int32 @go(NumberUnavailable) @protobuf(8,varint,opt)
+
+	// Count of hash collisions for the DaemonSet. The DaemonSet controller
+	// uses this field as a collision avoidance mechanism when it needs to
+	// create the name for the newest ControllerRevision.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
+
+	// Represents the latest available observations of a DaemonSet's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#DaemonSetCondition] @go(Conditions,[]DaemonSetCondition) @protobuf(10,bytes,rep)
+}
+
+#DaemonSetConditionType: string
+
+// DaemonSetCondition describes the state of a DaemonSet at a certain point.
+#DaemonSetCondition: {
+	// Type of DaemonSet condition.
+	type: #DaemonSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DaemonSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// DaemonSet represents the configuration of a daemon set.
+#DaemonSet: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// The desired behavior of this daemon set.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #DaemonSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// The current status of this daemon set. This data may be
+	// out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #DaemonSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// DefaultDaemonSetUniqueLabelKey is the default label key that is added
+// to existing DaemonSet pods to distinguish between old and new
+// DaemonSet pods during DaemonSet template updates.
+#DefaultDaemonSetUniqueLabelKey: "controller-revision-hash"
+
+// DaemonSetList is a collection of daemon sets.
+#DaemonSetList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// A list of daemon sets.
+	items: [...#DaemonSet] @go(Items,[]DaemonSet) @protobuf(2,bytes,rep)
+}
+
+// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
+#ReplicaSet: {
+	metav1.#TypeMeta
+
+	// If the Labels of a ReplicaSet are empty, they are defaulted to
+	// be the same as the Pod(s) that the ReplicaSet manages.
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec defines the specification of the desired behavior of the ReplicaSet.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #ReplicaSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the most recently observed status of the ReplicaSet.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #ReplicaSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// ReplicaSetList is a collection of ReplicaSets.
+#ReplicaSetList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// List of ReplicaSets.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
+	items: [...#ReplicaSet] @go(Items,[]ReplicaSet) @protobuf(2,bytes,rep)
+}
+
+// ReplicaSetSpec is the specification of a ReplicaSet.
+#ReplicaSetSpec: {
+	// Replicas is the number of desired replicas.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
+
+	// Selector is a label query over pods that should match the replica count.
+	// Label keys and values that must match in order to be controlled by this replica set.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	// +optional
+	template?: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+}
+
+// ReplicaSetStatus represents the current status of a ReplicaSet.
+#ReplicaSetStatus: {
+	// Replicas is the most recently observed number of replicas.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	replicas: int32 @go(Replicas) @protobuf(1,varint,opt)
+
+	// The number of pods that have labels matching the labels of the pod template of the replicaset.
+	// +optional
+	fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt)
+
+	// readyReplicas is the number of pods targeted by this ReplicaSet with a Ready Condition.
+	// +optional
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt)
+
+	// The number of available replicas (ready for at least minReadySeconds) for this replica set.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt)
+
+	// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt)
+
+	// Represents the latest available observations of a replica set's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#ReplicaSetCondition] @go(Conditions,[]ReplicaSetCondition) @protobuf(6,bytes,rep)
+}
+
+#ReplicaSetConditionType: string // #enumReplicaSetConditionType
+
+#enumReplicaSetConditionType:
+	#ReplicaSetReplicaFailure
+
+// ReplicaSetReplicaFailure is added in a replica set when one of its pods fails to be created
+// due to insufficient quota, limit ranges, pod security policy, node selectors, etc. or deleted
+// due to kubelet being down or finalizers are failing.
+#ReplicaSetReplicaFailure: #ReplicaSetConditionType & "ReplicaFailure"
+
+// ReplicaSetCondition describes the state of a replica set at a certain point.
+#ReplicaSetCondition: {
+	// Type of replica set condition.
+	type: #ReplicaSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicaSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// The last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
+#ControllerRevision: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Data is the serialized representation of the state.
+	data?: runtime.#RawExtension @go(Data) @protobuf(2,bytes,opt)
+
+	// Revision indicates the revision of the state represented by Data.
+	revision: int64 @go(Revision) @protobuf(3,varint,opt)
+}
+
+// ControllerRevisionList is a resource containing a list of ControllerRevision objects.
+#ControllerRevisionList: {
+	metav1.#TypeMeta
+
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of ControllerRevisions
+	items: [...#ControllerRevision] @go(Items,[]ControllerRevision) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/authentication/v1
+
+package v1
+
+#GroupName: "authentication.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue

@@ -0,0 +1,206 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/authentication/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// ImpersonateUserHeader is used to impersonate a particular user during an API server request
+#ImpersonateUserHeader: "Impersonate-User"
+
+// ImpersonateGroupHeader is used to impersonate a particular group during an API server request.
+// It can be repeated multiplied times for multiple groups.
+#ImpersonateGroupHeader: "Impersonate-Group"
+
+// ImpersonateUIDHeader is used to impersonate a particular UID during an API server request
+#ImpersonateUIDHeader: "Impersonate-Uid"
+
+// ImpersonateUserExtraHeaderPrefix is a prefix for any header used to impersonate an entry in the
+// extra map[string][]string for user.Info.  The key will be every after the prefix.
+// It can be repeated multiplied times for multiple map keys and the same key can be repeated multiple
+// times to have multiple elements in the slice under a single key
+#ImpersonateUserExtraHeaderPrefix: "Impersonate-Extra-"
+
+// TokenReview attempts to authenticate a token to a known user.
+// Note: TokenReview requests may be cached by the webhook token authenticator
+// plugin in the kube-apiserver.
+#TokenReview: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec holds information about the request being evaluated
+	spec: #TokenReviewSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is filled in by the server and indicates whether the request can be authenticated.
+	// +optional
+	status?: #TokenReviewStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// TokenReviewSpec is a description of the token authentication request.
+#TokenReviewSpec: {
+	// Token is the opaque bearer token.
+	// +optional
+	token?: string @go(Token) @protobuf(1,bytes,opt)
+
+	// Audiences is a list of the identifiers that the resource server presented
+	// with the token identifies as. Audience-aware token authenticators will
+	// verify that the token was intended for at least one of the audiences in
+	// this list. If no audiences are provided, the audience will default to the
+	// audience of the Kubernetes apiserver.
+	// +optional
+	audiences?: [...string] @go(Audiences,[]string) @protobuf(2,bytes,rep)
+}
+
+// TokenReviewStatus is the result of the token authentication request.
+#TokenReviewStatus: {
+	// Authenticated indicates that the token was associated with a known user.
+	// +optional
+	authenticated?: bool @go(Authenticated) @protobuf(1,varint,opt)
+
+	// User is the UserInfo associated with the provided token.
+	// +optional
+	user?: #UserInfo @go(User) @protobuf(2,bytes,opt)
+
+	// Audiences are audience identifiers chosen by the authenticator that are
+	// compatible with both the TokenReview and token. An identifier is any
+	// identifier in the intersection of the TokenReviewSpec audiences and the
+	// token's audiences. A client of the TokenReview API that sets the
+	// spec.audiences field should validate that a compatible audience identifier
+	// is returned in the status.audiences field to ensure that the TokenReview
+	// server is audience aware. If a TokenReview returns an empty
+	// status.audience field where status.authenticated is "true", the token is
+	// valid against the audience of the Kubernetes API server.
+	// +optional
+	audiences?: [...string] @go(Audiences,[]string) @protobuf(4,bytes,rep)
+
+	// Error indicates that the token couldn't be checked
+	// +optional
+	error?: string @go(Error) @protobuf(3,bytes,opt)
+}
+
+// UserInfo holds the information about the user needed to implement the
+// user.Info interface.
+#UserInfo: {
+	// The name that uniquely identifies this user among all active users.
+	// +optional
+	username?: string @go(Username) @protobuf(1,bytes,opt)
+
+	// A unique value that identifies this user across time. If this user is
+	// deleted and another user by the same name is added, they will have
+	// different UIDs.
+	// +optional
+	uid?: string @go(UID) @protobuf(2,bytes,opt)
+
+	// The names of groups this user is a part of.
+	// +optional
+	groups?: [...string] @go(Groups,[]string) @protobuf(3,bytes,rep)
+
+	// Any additional information provided by the authenticator.
+	// +optional
+	extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(4,bytes,rep)
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#ExtraValue: [...string]
+
+// TokenRequest requests a token for a given service account.
+#TokenRequest: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec holds information about the request being evaluated
+	spec: #TokenRequestSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is filled in by the server and indicates whether the token can be authenticated.
+	// +optional
+	status?: #TokenRequestStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// TokenRequestSpec contains client provided parameters of a token request.
+#TokenRequestSpec: {
+	// Audiences are the intendend audiences of the token. A recipient of a
+	// token must identify themself with an identifier in the list of
+	// audiences of the token, and otherwise should reject the token. A
+	// token issued for multiple audiences may be used to authenticate
+	// against any of the audiences listed but implies a high degree of
+	// trust between the target audiences.
+	audiences: [...string] @go(Audiences,[]string) @protobuf(1,bytes,rep)
+
+	// ExpirationSeconds is the requested duration of validity of the request. The
+	// token issuer may return a token with a different validity duration so a
+	// client needs to check the 'expiration' field in a response.
+	// +optional
+	expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(4,varint,opt)
+
+	// BoundObjectRef is a reference to an object that the token will be bound to.
+	// The token will only be valid for as long as the bound object exists.
+	// NOTE: The API server's TokenReview endpoint will validate the
+	// BoundObjectRef, but other audiences may not. Keep ExpirationSeconds
+	// small if you want prompt revocation.
+	// +optional
+	boundObjectRef?: null | #BoundObjectReference @go(BoundObjectRef,*BoundObjectReference) @protobuf(3,bytes,opt)
+}
+
+// TokenRequestStatus is the result of a token request.
+#TokenRequestStatus: {
+	// Token is the opaque bearer token.
+	token: string @go(Token) @protobuf(1,bytes,opt)
+
+	// ExpirationTimestamp is the time of expiration of the returned token.
+	expirationTimestamp: metav1.#Time @go(ExpirationTimestamp) @protobuf(2,bytes,opt)
+}
+
+// BoundObjectReference is a reference to an object that a token is bound to.
+#BoundObjectReference: {
+	// Kind of the referent. Valid kinds are 'Pod' and 'Secret'.
+	// +optional
+	kind?: string @go(Kind) @protobuf(1,bytes,opt)
+
+	// API version of the referent.
+	// +optional
+	apiVersion?: string @go(APIVersion) @protobuf(2,bytes,opt)
+
+	// Name of the referent.
+	// +optional
+	name?: string @go(Name) @protobuf(3,bytes,opt)
+
+	// UID of the referent.
+	// +optional
+	uid?: types.#UID @go(UID) @protobuf(4,bytes,opt,name=uID,casttype=k8s.io/apimachinery/pkg/types.UID)
+}
+
+// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request.
+// When using impersonation, users will receive the user info of the user being impersonated.  If impersonation or
+// request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
+#SelfSubjectReview: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Status is filled in by the server with the user attributes.
+	status?: #SelfSubjectReviewStatus @go(Status) @protobuf(2,bytes,opt)
+}
+
+// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.
+#SelfSubjectReviewStatus: {
+	// User attributes of the user making this request.
+	// +optional
+	userInfo?: #UserInfo @go(UserInfo) @protobuf(1,bytes,opt)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/authorization/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/authorization/v1
+
+package v1
+
+#GroupName: "authorization.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/authorization/v1/types_go_gen.cue

@@ -0,0 +1,262 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/authorization/v1
+
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// SubjectAccessReview checks whether or not a user or group can perform an action.
+#SubjectAccessReview: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec holds information about the request being evaluated
+	spec: #SubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is filled in by the server and indicates whether the request is allowed or not
+	// +optional
+	status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a
+// spec.namespace means "in all namespaces".  Self is a special case, because users should always be able
+// to check whether they can perform an action
+#SelfSubjectAccessReview: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec holds information about the request being evaluated.  user and groups must be empty
+	spec: #SelfSubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is filled in by the server and indicates whether the request is allowed or not
+	// +optional
+	status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
+// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
+// checking.
+#LocalSubjectAccessReview: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace
+	// you made the request against.  If empty, it is defaulted.
+	spec: #SubjectAccessReviewSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is filled in by the server and indicates whether the request is allowed or not
+	// +optional
+	status?: #SubjectAccessReviewStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
+#ResourceAttributes: {
+	// Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces
+	// "" (empty) is defaulted for LocalSubjectAccessReviews
+	// "" (empty) is empty for cluster-scoped resources
+	// "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
+	// +optional
+	namespace?: string @go(Namespace) @protobuf(1,bytes,opt)
+
+	// Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  "*" means all.
+	// +optional
+	verb?: string @go(Verb) @protobuf(2,bytes,opt)
+
+	// Group is the API Group of the Resource.  "*" means all.
+	// +optional
+	group?: string @go(Group) @protobuf(3,bytes,opt)
+
+	// Version is the API Version of the Resource.  "*" means all.
+	// +optional
+	version?: string @go(Version) @protobuf(4,bytes,opt)
+
+	// Resource is one of the existing resource types.  "*" means all.
+	// +optional
+	resource?: string @go(Resource) @protobuf(5,bytes,opt)
+
+	// Subresource is one of the existing resource types.  "" means none.
+	// +optional
+	subresource?: string @go(Subresource) @protobuf(6,bytes,opt)
+
+	// Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
+	// +optional
+	name?: string @go(Name) @protobuf(7,bytes,opt)
+}
+
+// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
+#NonResourceAttributes: {
+	// Path is the URL path of the request
+	// +optional
+	path?: string @go(Path) @protobuf(1,bytes,opt)
+
+	// Verb is the standard HTTP verb
+	// +optional
+	verb?: string @go(Verb) @protobuf(2,bytes,opt)
+}
+
+// SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
+// and NonResourceAuthorizationAttributes must be set
+#SubjectAccessReviewSpec: {
+	// ResourceAuthorizationAttributes describes information for a resource access request
+	// +optional
+	resourceAttributes?: null | #ResourceAttributes @go(ResourceAttributes,*ResourceAttributes) @protobuf(1,bytes,opt)
+
+	// NonResourceAttributes describes information for a non-resource access request
+	// +optional
+	nonResourceAttributes?: null | #NonResourceAttributes @go(NonResourceAttributes,*NonResourceAttributes) @protobuf(2,bytes,opt)
+
+	// User is the user you're testing for.
+	// If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups
+	// +optional
+	user?: string @go(User) @protobuf(3,bytes,opt)
+
+	// Groups is the groups you're testing for.
+	// +optional
+	groups?: [...string] @go(Groups,[]string) @protobuf(4,bytes,rep)
+
+	// Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer
+	// it needs a reflection here.
+	// +optional
+	extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(5,bytes,rep)
+
+	// UID information about the requesting user.
+	// +optional
+	uid?: string @go(UID) @protobuf(6,bytes,opt)
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#ExtraValue: [...string]
+
+// SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
+// and NonResourceAuthorizationAttributes must be set
+#SelfSubjectAccessReviewSpec: {
+	// ResourceAuthorizationAttributes describes information for a resource access request
+	// +optional
+	resourceAttributes?: null | #ResourceAttributes @go(ResourceAttributes,*ResourceAttributes) @protobuf(1,bytes,opt)
+
+	// NonResourceAttributes describes information for a non-resource access request
+	// +optional
+	nonResourceAttributes?: null | #NonResourceAttributes @go(NonResourceAttributes,*NonResourceAttributes) @protobuf(2,bytes,opt)
+}
+
+// SubjectAccessReviewStatus
+#SubjectAccessReviewStatus: {
+	// Allowed is required. True if the action would be allowed, false otherwise.
+	allowed: bool @go(Allowed) @protobuf(1,varint,opt)
+
+	// Denied is optional. True if the action would be denied, otherwise
+	// false. If both allowed is false and denied is false, then the
+	// authorizer has no opinion on whether to authorize the action. Denied
+	// may not be true if Allowed is true.
+	// +optional
+	denied?: bool @go(Denied) @protobuf(4,varint,opt)
+
+	// Reason is optional.  It indicates why a request was allowed or denied.
+	// +optional
+	reason?: string @go(Reason) @protobuf(2,bytes,opt)
+
+	// EvaluationError is an indication that some error occurred during the authorization check.
+	// It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
+	// For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
+	// +optional
+	evaluationError?: string @go(EvaluationError) @protobuf(3,bytes,opt)
+}
+
+// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace.
+// The returned list of actions may be incomplete depending on the server's authorization mode,
+// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions,
+// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
+// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
+// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
+#SelfSubjectRulesReview: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec holds information about the request being evaluated.
+	spec: #SelfSubjectRulesReviewSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is filled in by the server and indicates the set of actions a user can perform.
+	// +optional
+	status?: #SubjectRulesReviewStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.
+#SelfSubjectRulesReviewSpec: {
+	// Namespace to evaluate rules for. Required.
+	namespace?: string @go(Namespace) @protobuf(1,bytes,opt)
+}
+
+// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
+// the set of authorizers the server is configured with and any errors experienced during evaluation.
+// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
+// even if that list is incomplete.
+#SubjectRulesReviewStatus: {
+	// ResourceRules is the list of actions the subject is allowed to perform on resources.
+	// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+	resourceRules: [...#ResourceRule] @go(ResourceRules,[]ResourceRule) @protobuf(1,bytes,rep)
+
+	// NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
+	// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+	nonResourceRules: [...#NonResourceRule] @go(NonResourceRules,[]NonResourceRule) @protobuf(2,bytes,rep)
+
+	// Incomplete is true when the rules returned by this call are incomplete. This is most commonly
+	// encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
+	incomplete: bool @go(Incomplete) @protobuf(3,bytes,rep)
+
+	// EvaluationError can appear in combination with Rules. It indicates an error occurred during
+	// rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
+	// ResourceRules and/or NonResourceRules may be incomplete.
+	// +optional
+	evaluationError?: string @go(EvaluationError) @protobuf(4,bytes,opt)
+}
+
+// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
+// may contain duplicates, and possibly be incomplete.
+#ResourceRule: {
+	// Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  "*" means all.
+	verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep)
+
+	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+	// the enumerated resources in any API group will be allowed.  "*" means all.
+	// +optional
+	apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep)
+
+	// Resources is a list of resources this rule applies to.  "*" means all in the specified apiGroups.
+	//  "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
+	// +optional
+	resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep)
+
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  "*" means all.
+	// +optional
+	resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep)
+}
+
+// NonResourceRule holds information that describes a rule for the non-resource
+#NonResourceRule: {
+	// Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  "*" means all.
+	verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep)
+
+	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full,
+	// final step in the path.  "*" means all.
+	// +optional
+	nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/autoscaling/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/autoscaling/v1
+
+package v1
+
+#GroupName: "autoscaling"

timoni/podinfo/cue.mod/gen/k8s.io/api/autoscaling/v1/types_go_gen.cue

@@ -0,0 +1,542 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/autoscaling/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/api/core/v1"
+)
+
+// CrossVersionObjectReference contains enough information to let you identify the referred resource.
+// +structType=atomic
+#CrossVersionObjectReference: {
+	// kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: string @go(Kind) @protobuf(1,bytes,opt)
+
+	// name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	name: string @go(Name) @protobuf(2,bytes,opt)
+
+	// apiVersion is the API version of the referent
+	// +optional
+	apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt)
+}
+
+// specification of a horizontal pod autoscaler.
+#HorizontalPodAutoscalerSpec: {
+	// reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption
+	// and will set the desired number of pods by using its Scale subresource.
+	scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt)
+
+	// minReplicas is the lower limit for the number of replicas to which the autoscaler
+	// can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
+	// alpha feature gate HPAScaleToZero is enabled and at least one Object or External
+	// metric is configured.  Scaling is active as long as at least one metric value is
+	// available.
+	// +optional
+	minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt)
+
+	// maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.
+	maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt)
+
+	// targetCPUUtilizationPercentage is the target average CPU utilization (represented as a percentage of requested CPU) over all the pods;
+	// if not specified the default autoscaling policy will be used.
+	// +optional
+	targetCPUUtilizationPercentage?: null | int32 @go(TargetCPUUtilizationPercentage,*int32) @protobuf(4,varint,opt)
+}
+
+// current status of a horizontal pod autoscaler
+#HorizontalPodAutoscalerStatus: {
+	// observedGeneration is the most recent generation observed by this autoscaler.
+	// +optional
+	observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt)
+
+	// lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods;
+	// used by the autoscaler to control how often the number of pods is changed.
+	// +optional
+	lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt)
+
+	// currentReplicas is the current number of replicas of pods managed by this autoscaler.
+	currentReplicas: int32 @go(CurrentReplicas) @protobuf(3,varint,opt)
+
+	// desiredReplicas is the  desired number of replicas of pods managed by this autoscaler.
+	desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt)
+
+	// currentCPUUtilizationPercentage is the current average CPU utilization over all pods, represented as a percentage of requested CPU,
+	// e.g. 70 means that an average pod is using now 70% of its requested CPU.
+	// +optional
+	currentCPUUtilizationPercentage?: null | int32 @go(CurrentCPUUtilizationPercentage,*int32) @protobuf(5,varint,opt)
+}
+
+// configuration of a horizontal pod autoscaler.
+#HorizontalPodAutoscaler: {
+	metav1.#TypeMeta
+
+	// Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec defines the behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+	// +optional
+	spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status is the current information about the autoscaler.
+	// +optional
+	status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// list of horizontal pod autoscaler objects.
+#HorizontalPodAutoscalerList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of horizontal pod autoscaler objects.
+	items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep)
+}
+
+// Scale represents a scaling request for a resource.
+#Scale: {
+	metav1.#TypeMeta
+
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+	// +optional
+	spec?: #ScaleSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status is the current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.
+	// +optional
+	status?: #ScaleStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// ScaleSpec describes the attributes of a scale subresource.
+#ScaleSpec: {
+	// replicas is the desired number of instances for the scaled object.
+	// +optional
+	replicas?: int32 @go(Replicas) @protobuf(1,varint,opt)
+}
+
+// ScaleStatus represents the current status of a scale subresource.
+#ScaleStatus: {
+	// replicas is the actual number of observed instances of the scaled object.
+	replicas: int32 @go(Replicas) @protobuf(1,varint,opt)
+
+	// selector is the label query over pods that should match the replicas count. This is same
+	// as the label selector but in the string format to avoid introspection
+	// by clients. The string will be in the same format as the query-param syntax.
+	// More info about label selectors: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// +optional
+	selector?: string @go(Selector) @protobuf(2,bytes,opt)
+}
+
+// MetricSourceType indicates the type of metric.
+// +enum
+#MetricSourceType: string // #enumMetricSourceType
+
+#enumMetricSourceType:
+	#ObjectMetricSourceType |
+	#PodsMetricSourceType |
+	#ResourceMetricSourceType |
+	#ContainerResourceMetricSourceType |
+	#ExternalMetricSourceType
+
+// ObjectMetricSourceType is a metric describing a kubernetes object
+// (for example, hits-per-second on an Ingress object).
+#ObjectMetricSourceType: #MetricSourceType & "Object"
+
+// PodsMetricSourceType is a metric describing each pod in the current scale
+// target (for example, transactions-processed-per-second).  The values
+// will be averaged together before being compared to the target value.
+#PodsMetricSourceType: #MetricSourceType & "Pods"
+
+// ResourceMetricSourceType is a resource metric known to Kubernetes, as
+// specified in requests and limits, describing each pod in the current
+// scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available
+// to normal per-pod metrics (the "pods" source).
+#ResourceMetricSourceType: #MetricSourceType & "Resource"
+
+// ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as
+// specified in requests and limits, describing a single container in each pod in the current
+// scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available
+// to normal per-pod metrics (the "pods" source).
+#ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource"
+
+// ExternalMetricSourceType is a global metric that is not associated
+// with any Kubernetes object. It allows autoscaling based on information
+// coming from components running outside of cluster
+// (for example length of queue in cloud messaging service, or
+// QPS from loadbalancer running outside of cluster).
+#ExternalMetricSourceType: #MetricSourceType & "External"
+
+// MetricSpec specifies how to scale based on a single metric
+// (only `type` and one other matching field should be set at once).
+#MetricSpec: {
+	// type is the type of metric source.  It should be one of "ContainerResource",
+	// "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object.
+	// Note: "ContainerResource" type is available on when the feature-gate
+	// HPAContainerMetrics is enabled
+	type: #MetricSourceType @go(Type) @protobuf(1,bytes)
+
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	// +optional
+	object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt)
+
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	// +optional
+	pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt)
+
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt)
+
+	// containerResource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in each pod of the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
+	// +optional
+	containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt)
+
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	// +optional
+	external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt)
+}
+
+// ObjectMetricSource indicates how to scale on a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+#ObjectMetricSource: {
+	// target is the described Kubernetes object.
+	target: #CrossVersionObjectReference @go(Target) @protobuf(1,bytes)
+
+	// metricName is the name of the metric in question.
+	metricName: string @go(MetricName) @protobuf(2,bytes)
+
+	// targetValue is the target value of the metric (as a quantity).
+	targetValue: resource.#Quantity @go(TargetValue) @protobuf(3,bytes)
+
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric.
+	// When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping
+	// When unset, just the metricName will be used to gather metrics.
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes)
+
+	// averageValue is the target value of the average of the
+	// metric across all relevant pods (as a quantity)
+	// +optional
+	averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(5,bytes)
+}
+
+// PodsMetricSource indicates how to scale on a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+// The values will be averaged together before being compared to the target
+// value.
+#PodsMetricSource: {
+	// metricName is the name of the metric in question
+	metricName: string @go(MetricName) @protobuf(1,bytes)
+
+	// targetAverageValue is the target value of the average of the
+	// metric across all relevant pods (as a quantity)
+	targetAverageValue: resource.#Quantity @go(TargetAverageValue) @protobuf(2,bytes)
+
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping
+	// When unset, just the metricName will be used to gather metrics.
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(3,bytes)
+}
+
+// ResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
+#ResourceMetricSource: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// targetAverageUtilization is the target value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	// +optional
+	targetAverageUtilization?: null | int32 @go(TargetAverageUtilization,*int32) @protobuf(2,varint,opt)
+
+	// targetAverageValue is the target value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	// +optional
+	targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(3,bytes,opt)
+}
+
+// ContainerResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in the requests and limits, describing a single container in
+// each of the pods of the current scale target(e.g. CPU or memory). The values will be
+// averaged together before being compared to the target. Such metrics are built into
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source. Only one "target" type
+// should be set.
+#ContainerResourceMetricSource: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// targetAverageUtilization is the target value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	// +optional
+	targetAverageUtilization?: null | int32 @go(TargetAverageUtilization,*int32) @protobuf(2,varint,opt)
+
+	// targetAverageValue is the target value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	// +optional
+	targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(3,bytes,opt)
+
+	// container is the name of the container in the pods of the scaling target.
+	container: string @go(Container) @protobuf(5,bytes,opt)
+}
+
+// ExternalMetricSource indicates how to scale on a metric not associated with
+// any Kubernetes object (for example length of queue in cloud
+// messaging service, or QPS from loadbalancer running outside of cluster).
+#ExternalMetricSource: {
+	// metricName is the name of the metric in question.
+	metricName: string @go(MetricName) @protobuf(1,bytes)
+
+	// metricSelector is used to identify a specific time series
+	// within a given metric.
+	// +optional
+	metricSelector?: null | metav1.#LabelSelector @go(MetricSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// targetValue is the target value of the metric (as a quantity).
+	// Mutually exclusive with TargetAverageValue.
+	// +optional
+	targetValue?: null | resource.#Quantity @go(TargetValue,*resource.Quantity) @protobuf(3,bytes,opt)
+
+	// targetAverageValue is the target per-pod value of global metric (as a quantity).
+	// Mutually exclusive with TargetValue.
+	// +optional
+	targetAverageValue?: null | resource.#Quantity @go(TargetAverageValue,*resource.Quantity) @protobuf(4,bytes,opt)
+}
+
+// MetricStatus describes the last-read state of a single metric.
+#MetricStatus: {
+	// type is the type of metric source.  It will be one of "ContainerResource",
+	// "External", "Object", "Pods" or "Resource", each corresponds to a matching field in the object.
+	// Note: "ContainerResource" type is available on when the feature-gate
+	// HPAContainerMetrics is enabled
+	type: #MetricSourceType @go(Type) @protobuf(1,bytes)
+
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	// +optional
+	object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt)
+
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	// +optional
+	pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt)
+
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt)
+
+	// containerResource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt)
+
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	// +optional
+	external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt)
+}
+
+// HorizontalPodAutoscalerConditionType are the valid conditions of
+// a HorizontalPodAutoscaler.
+#HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType
+
+#enumHorizontalPodAutoscalerConditionType:
+	#ScalingActive |
+	#AbleToScale |
+	#ScalingLimited
+
+// ScalingActive indicates that the HPA controller is able to scale if necessary:
+// it's correctly configured, can fetch the desired metrics, and isn't disabled.
+#ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive"
+
+// AbleToScale indicates a lack of transient issues which prevent scaling from occurring,
+// such as being in a backoff window, or being unable to access/update the target scale.
+#AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale"
+
+// ScalingLimited indicates that the calculated scale based on metrics would be above or
+// below the range for the HPA, and has thus been capped.
+#ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited"
+
+// HorizontalPodAutoscalerCondition describes the state of
+// a HorizontalPodAutoscaler at a certain point.
+#HorizontalPodAutoscalerCondition: {
+	// type describes the current condition
+	type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes)
+
+	// status is the status of the condition (True, False, Unknown)
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes)
+
+	// lastTransitionTime is the last time the condition transitioned from
+	// one status to another
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// reason is the reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// message is a human-readable explanation containing details about
+	// the transition
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// ObjectMetricStatus indicates the current value of a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+#ObjectMetricStatus: {
+	// target is the described Kubernetes object.
+	target: #CrossVersionObjectReference @go(Target) @protobuf(1,bytes)
+
+	// metricName is the name of the metric in question.
+	metricName: string @go(MetricName) @protobuf(2,bytes)
+
+	// currentValue is the current value of the metric (as a quantity).
+	currentValue: resource.#Quantity @go(CurrentValue) @protobuf(3,bytes)
+
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+	// When unset, just the metricName will be used to gather metrics.
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes)
+
+	// averageValue is the current value of the average of the
+	// metric across all relevant pods (as a quantity)
+	// +optional
+	averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(5,bytes)
+}
+
+// PodsMetricStatus indicates the current value of a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+#PodsMetricStatus: {
+	// metricName is the name of the metric in question
+	metricName: string @go(MetricName) @protobuf(1,bytes)
+
+	// currentAverageValue is the current value of the average of the
+	// metric across all relevant pods (as a quantity)
+	currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(2,bytes)
+
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+	// When unset, just the metricName will be used to gather metrics.
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(3,bytes)
+}
+
+// ResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
+#ResourceMetricStatus: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// currentAverageUtilization is the current value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.  It will only be
+	// present if `targetAverageValue` was set in the corresponding metric
+	// specification.
+	// +optional
+	currentAverageUtilization?: null | int32 @go(CurrentAverageUtilization,*int32) @protobuf(2,bytes,opt)
+
+	// currentAverageValue is the current value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	// It will always be set, regardless of the corresponding metric specification.
+	currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(3,bytes)
+}
+
+// ContainerResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing a single container in each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
+#ContainerResourceMetricStatus: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// currentAverageUtilization is the current value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.  It will only be
+	// present if `targetAverageValue` was set in the corresponding metric
+	// specification.
+	// +optional
+	currentAverageUtilization?: null | int32 @go(CurrentAverageUtilization,*int32) @protobuf(2,bytes,opt)
+
+	// currentAverageValue is the current value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	// It will always be set, regardless of the corresponding metric specification.
+	currentAverageValue: resource.#Quantity @go(CurrentAverageValue) @protobuf(3,bytes)
+
+	// container is the name of the container in the pods of the scaling taget
+	container: string @go(Container) @protobuf(4,bytes,opt)
+}
+
+// ExternalMetricStatus indicates the current value of a global metric
+// not associated with any Kubernetes object.
+#ExternalMetricStatus: {
+	// metricName is the name of a metric used for autoscaling in
+	// metric system.
+	metricName: string @go(MetricName) @protobuf(1,bytes)
+
+	// metricSelector is used to identify a specific time series
+	// within a given metric.
+	// +optional
+	metricSelector?: null | metav1.#LabelSelector @go(MetricSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// currentValue is the current value of the metric (as a quantity)
+	currentValue: resource.#Quantity @go(CurrentValue) @protobuf(3,bytes)
+
+	// currentAverageValue is the current value of metric averaged over autoscaled pods.
+	// +optional
+	currentAverageValue?: null | resource.#Quantity @go(CurrentAverageValue,*resource.Quantity) @protobuf(4,bytes,opt)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/autoscaling/v2/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/autoscaling/v2
+
+package v2
+
+#GroupName: "autoscaling"

timoni/podinfo/cue.mod/gen/k8s.io/api/autoscaling/v2/types_go_gen.cue

@@ -0,0 +1,597 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/autoscaling/v2
+
+package v2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+)
+
+// HorizontalPodAutoscaler is the configuration for a horizontal pod
+// autoscaler, which automatically manages the replica count of any resource
+// implementing the scale subresource based on the metrics specified.
+#HorizontalPodAutoscaler: {
+	metav1.#TypeMeta
+
+	// metadata is the standard object metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec is the specification for the behaviour of the autoscaler.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+	// +optional
+	spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status is the current information about the autoscaler.
+	// +optional
+	status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.
+#HorizontalPodAutoscalerSpec: {
+	// scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics
+	// should be collected, as well as to actually change the replica count.
+	scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt)
+
+	// minReplicas is the lower limit for the number of replicas to which the autoscaler
+	// can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
+	// alpha feature gate HPAScaleToZero is enabled and at least one Object or External
+	// metric is configured.  Scaling is active as long as at least one metric value is
+	// available.
+	// +optional
+	minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt)
+
+	// maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
+	// It cannot be less that minReplicas.
+	maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt)
+
+	// metrics contains the specifications for which to use to calculate the
+	// desired replica count (the maximum replica count across all metrics will
+	// be used).  The desired replica count is calculated multiplying the
+	// ratio between the target value and the current value by the current
+	// number of pods.  Ergo, metrics used must decrease as the pod count is
+	// increased, and vice-versa.  See the individual metric source types for
+	// more information about how each type of metric must respond.
+	// If not set, the default metric will be set to 80% average CPU utilization.
+	// +listType=atomic
+	// +optional
+	metrics?: [...#MetricSpec] @go(Metrics,[]MetricSpec) @protobuf(4,bytes,rep)
+
+	// behavior configures the scaling behavior of the target
+	// in both Up and Down directions (scaleUp and scaleDown fields respectively).
+	// If not set, the default HPAScalingRules for scale up and scale down are used.
+	// +optional
+	behavior?: null | #HorizontalPodAutoscalerBehavior @go(Behavior,*HorizontalPodAutoscalerBehavior) @protobuf(5,bytes,opt)
+}
+
+// CrossVersionObjectReference contains enough information to let you identify the referred resource.
+#CrossVersionObjectReference: {
+	// kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: string @go(Kind) @protobuf(1,bytes,opt)
+
+	// name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	name: string @go(Name) @protobuf(2,bytes,opt)
+
+	// apiVersion is the API version of the referent
+	// +optional
+	apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt)
+}
+
+// MetricSpec specifies how to scale based on a single metric
+// (only `type` and one other matching field should be set at once).
+#MetricSpec: {
+	// type is the type of metric source.  It should be one of "ContainerResource", "External",
+	// "Object", "Pods" or "Resource", each mapping to a matching field in the object.
+	// Note: "ContainerResource" type is available on when the feature-gate
+	// HPAContainerMetrics is enabled
+	type: #MetricSourceType @go(Type) @protobuf(1,bytes)
+
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	// +optional
+	object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt)
+
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	// +optional
+	pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt)
+
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt)
+
+	// containerResource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in
+	// each pod of the current scale target (e.g. CPU or memory). Such metrics are
+	// built in to Kubernetes, and have special scaling options on top of those
+	// available to normal per-pod metrics using the "pods" source.
+	// This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
+	// +optional
+	containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt)
+
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	// +optional
+	external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt)
+}
+
+// HorizontalPodAutoscalerBehavior configures the scaling behavior of the target
+// in both Up and Down directions (scaleUp and scaleDown fields respectively).
+#HorizontalPodAutoscalerBehavior: {
+	// scaleUp is scaling policy for scaling Up.
+	// If not set, the default value is the higher of:
+	//   * increase no more than 4 pods per 60 seconds
+	//   * double the number of pods per 60 seconds
+	// No stabilization is used.
+	// +optional
+	scaleUp?: null | #HPAScalingRules @go(ScaleUp,*HPAScalingRules) @protobuf(1,bytes,opt)
+
+	// scaleDown is scaling policy for scaling Down.
+	// If not set, the default value is to allow to scale down to minReplicas pods, with a
+	// 300 second stabilization window (i.e., the highest recommendation for
+	// the last 300sec is used).
+	// +optional
+	scaleDown?: null | #HPAScalingRules @go(ScaleDown,*HPAScalingRules) @protobuf(2,bytes,opt)
+}
+
+// ScalingPolicySelect is used to specify which policy should be used while scaling in a certain direction
+#ScalingPolicySelect: string // #enumScalingPolicySelect
+
+#enumScalingPolicySelect:
+	#MaxChangePolicySelect |
+	#MinChangePolicySelect |
+	#DisabledPolicySelect
+
+// MaxChangePolicySelect  selects the policy with the highest possible change.
+#MaxChangePolicySelect: #ScalingPolicySelect & "Max"
+
+// MinChangePolicySelect selects the policy with the lowest possible change.
+#MinChangePolicySelect: #ScalingPolicySelect & "Min"
+
+// DisabledPolicySelect disables the scaling in this direction.
+#DisabledPolicySelect: #ScalingPolicySelect & "Disabled"
+
+// HPAScalingRules configures the scaling behavior for one direction.
+// These Rules are applied after calculating DesiredReplicas from metrics for the HPA.
+// They can limit the scaling velocity by specifying scaling policies.
+// They can prevent flapping by specifying the stabilization window, so that the
+// number of replicas is not set instantly, instead, the safest value from the stabilization
+// window is chosen.
+#HPAScalingRules: {
+	// stabilizationWindowSeconds is the number of seconds for which past recommendations should be
+	// considered while scaling up or scaling down.
+	// StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+	// If not set, use the default values:
+	// - For scale up: 0 (i.e. no stabilization is done).
+	// - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
+	// +optional
+	stabilizationWindowSeconds?: null | int32 @go(StabilizationWindowSeconds,*int32) @protobuf(3,varint,opt)
+
+	// selectPolicy is used to specify which policy should be used.
+	// If not set, the default value Max is used.
+	// +optional
+	selectPolicy?: null | #ScalingPolicySelect @go(SelectPolicy,*ScalingPolicySelect) @protobuf(1,bytes,opt)
+
+	// policies is a list of potential scaling polices which can be used during scaling.
+	// At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid
+	// +listType=atomic
+	// +optional
+	policies?: [...#HPAScalingPolicy] @go(Policies,[]HPAScalingPolicy) @protobuf(2,bytes,rep)
+}
+
+// HPAScalingPolicyType is the type of the policy which could be used while making scaling decisions.
+#HPAScalingPolicyType: string // #enumHPAScalingPolicyType
+
+#enumHPAScalingPolicyType:
+	#PodsScalingPolicy |
+	#PercentScalingPolicy
+
+// PodsScalingPolicy is a policy used to specify a change in absolute number of pods.
+#PodsScalingPolicy: #HPAScalingPolicyType & "Pods"
+
+// PercentScalingPolicy is a policy used to specify a relative amount of change with respect to
+// the current number of pods.
+#PercentScalingPolicy: #HPAScalingPolicyType & "Percent"
+
+// HPAScalingPolicy is a single policy which must hold true for a specified past interval.
+#HPAScalingPolicy: {
+	// type is used to specify the scaling policy.
+	type: #HPAScalingPolicyType @go(Type) @protobuf(1,bytes,opt,casttype=HPAScalingPolicyType)
+
+	// value contains the amount of change which is permitted by the policy.
+	// It must be greater than zero
+	value: int32 @go(Value) @protobuf(2,varint,opt)
+
+	// periodSeconds specifies the window of time for which the policy should hold true.
+	// PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
+	periodSeconds: int32 @go(PeriodSeconds) @protobuf(3,varint,opt)
+}
+
+// MetricSourceType indicates the type of metric.
+#MetricSourceType: string // #enumMetricSourceType
+
+#enumMetricSourceType:
+	#ObjectMetricSourceType |
+	#PodsMetricSourceType |
+	#ResourceMetricSourceType |
+	#ContainerResourceMetricSourceType |
+	#ExternalMetricSourceType
+
+// ObjectMetricSourceType is a metric describing a kubernetes object
+// (for example, hits-per-second on an Ingress object).
+#ObjectMetricSourceType: #MetricSourceType & "Object"
+
+// PodsMetricSourceType is a metric describing each pod in the current scale
+// target (for example, transactions-processed-per-second).  The values
+// will be averaged together before being compared to the target value.
+#PodsMetricSourceType: #MetricSourceType & "Pods"
+
+// ResourceMetricSourceType is a resource metric known to Kubernetes, as
+// specified in requests and limits, describing each pod in the current
+// scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available
+// to normal per-pod metrics (the "pods" source).
+#ResourceMetricSourceType: #MetricSourceType & "Resource"
+
+// ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as
+// specified in requests and limits, describing a single container in each pod in the current
+// scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available
+// to normal per-pod metrics (the "pods" source).
+#ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource"
+
+// ExternalMetricSourceType is a global metric that is not associated
+// with any Kubernetes object. It allows autoscaling based on information
+// coming from components running outside of cluster
+// (for example length of queue in cloud messaging service, or
+// QPS from loadbalancer running outside of cluster).
+#ExternalMetricSourceType: #MetricSourceType & "External"
+
+// ObjectMetricSource indicates how to scale on a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+#ObjectMetricSource: {
+	// describedObject specifies the descriptions of a object,such as kind,name apiVersion
+	describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(3,bytes)
+}
+
+// PodsMetricSource indicates how to scale on a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+// The values will be averaged together before being compared to the target
+// value.
+#PodsMetricSource: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+}
+
+// ResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
+#ResourceMetricSource: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+}
+
+// ContainerResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
+#ContainerResourceMetricSource: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+
+	// container is the name of the container in the pods of the scaling target
+	container: string @go(Container) @protobuf(3,bytes,opt)
+}
+
+// ExternalMetricSource indicates how to scale on a metric not associated with
+// any Kubernetes object (for example length of queue in cloud
+// messaging service, or QPS from loadbalancer running outside of cluster).
+#ExternalMetricSource: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+}
+
+// MetricIdentifier defines the name and optionally selector for a metric
+#MetricIdentifier: {
+	// name is the name of the given metric
+	name: string @go(Name) @protobuf(1,bytes)
+
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+	// When unset, just the metricName will be used to gather metrics.
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes)
+}
+
+// MetricTarget defines the target value, average value, or average utilization of a specific metric
+#MetricTarget: {
+	// type represents whether the metric type is Utilization, Value, or AverageValue
+	type: #MetricTargetType @go(Type) @protobuf(1,bytes)
+
+	// value is the target value of the metric (as a quantity).
+	// +optional
+	value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(2,bytes,opt)
+
+	// averageValue is the target value of the average of the
+	// metric across all relevant pods (as a quantity)
+	// +optional
+	averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(3,bytes,opt)
+
+	// averageUtilization is the target value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	// Currently only valid for Resource metric source type
+	// +optional
+	averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(4,bytes,opt)
+}
+
+// MetricTargetType specifies the type of metric being targeted, and should be either
+// "Value", "AverageValue", or "Utilization"
+#MetricTargetType: string // #enumMetricTargetType
+
+#enumMetricTargetType:
+	#UtilizationMetricType |
+	#ValueMetricType |
+	#AverageValueMetricType
+
+// UtilizationMetricType declares a MetricTarget is an AverageUtilization value
+#UtilizationMetricType: #MetricTargetType & "Utilization"
+
+// ValueMetricType declares a MetricTarget is a raw value
+#ValueMetricType: #MetricTargetType & "Value"
+
+// AverageValueMetricType declares a MetricTarget is an
+#AverageValueMetricType: #MetricTargetType & "AverageValue"
+
+// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.
+#HorizontalPodAutoscalerStatus: {
+	// observedGeneration is the most recent generation observed by this autoscaler.
+	// +optional
+	observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt)
+
+	// lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods,
+	// used by the autoscaler to control how often the number of pods is changed.
+	// +optional
+	lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt)
+
+	// currentReplicas is current number of replicas of pods managed by this autoscaler,
+	// as last seen by the autoscaler.
+	// +optional
+	currentReplicas?: int32 @go(CurrentReplicas) @protobuf(3,varint,opt)
+
+	// desiredReplicas is the desired number of replicas of pods managed by this autoscaler,
+	// as last calculated by the autoscaler.
+	desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt)
+
+	// currentMetrics is the last read state of the metrics used by this autoscaler.
+	// +listType=atomic
+	// +optional
+	currentMetrics: [...#MetricStatus] @go(CurrentMetrics,[]MetricStatus) @protobuf(5,bytes,rep)
+
+	// conditions is the set of conditions required for this autoscaler to scale its target,
+	// and indicates whether or not those conditions are met.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	conditions?: [...#HorizontalPodAutoscalerCondition] @go(Conditions,[]HorizontalPodAutoscalerCondition) @protobuf(6,bytes,rep)
+}
+
+// HorizontalPodAutoscalerConditionType are the valid conditions of
+// a HorizontalPodAutoscaler.
+#HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType
+
+#enumHorizontalPodAutoscalerConditionType:
+	#ScalingActive |
+	#AbleToScale |
+	#ScalingLimited
+
+// ScalingActive indicates that the HPA controller is able to scale if necessary:
+// it's correctly configured, can fetch the desired metrics, and isn't disabled.
+#ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive"
+
+// AbleToScale indicates a lack of transient issues which prevent scaling from occurring,
+// such as being in a backoff window, or being unable to access/update the target scale.
+#AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale"
+
+// ScalingLimited indicates that the calculated scale based on metrics would be above or
+// below the range for the HPA, and has thus been capped.
+#ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited"
+
+// HorizontalPodAutoscalerCondition describes the state of
+// a HorizontalPodAutoscaler at a certain point.
+#HorizontalPodAutoscalerCondition: {
+	// type describes the current condition
+	type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes)
+
+	// status is the status of the condition (True, False, Unknown)
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes)
+
+	// lastTransitionTime is the last time the condition transitioned from
+	// one status to another
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// reason is the reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// message is a human-readable explanation containing details about
+	// the transition
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// MetricStatus describes the last-read state of a single metric.
+#MetricStatus: {
+	// type is the type of metric source.  It will be one of "ContainerResource", "External",
+	// "Object", "Pods" or "Resource", each corresponds to a matching field in the object.
+	// Note: "ContainerResource" type is available on when the feature-gate
+	// HPAContainerMetrics is enabled
+	type: #MetricSourceType @go(Type) @protobuf(1,bytes)
+
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	// +optional
+	object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt)
+
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	// +optional
+	pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt)
+
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt)
+
+	// container resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt)
+
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	// +optional
+	external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt)
+}
+
+// ObjectMetricStatus indicates the current value of a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+#ObjectMetricStatus: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
+
+	// DescribedObject specifies the descriptions of a object,such as kind,name apiVersion
+	describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(3,bytes)
+}
+
+// PodsMetricStatus indicates the current value of a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+#PodsMetricStatus: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
+}
+
+// ResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
+#ResourceMetricStatus: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
+}
+
+// ContainerResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing a single container in each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
+#ContainerResourceMetricStatus: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
+
+	// container is the name of the container in the pods of the scaling target
+	container: string @go(Container) @protobuf(3,bytes,opt)
+}
+
+// ExternalMetricStatus indicates the current value of a global metric
+// not associated with any Kubernetes object.
+#ExternalMetricStatus: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
+}
+
+// MetricValueStatus holds the current value for a metric
+#MetricValueStatus: {
+	// value is the current value of the metric (as a quantity).
+	// +optional
+	value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(1,bytes,opt)
+
+	// averageValue is the current value of the average of the
+	// metric across all relevant pods (as a quantity)
+	// +optional
+	averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(2,bytes,opt)
+
+	// currentAverageUtilization is the current value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	// +optional
+	averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(3,bytes,opt)
+}
+
+// HorizontalPodAutoscalerList is a list of horizontal pod autoscaler objects.
+#HorizontalPodAutoscalerList: {
+	metav1.#TypeMeta
+
+	// metadata is the standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of horizontal pod autoscaler objects.
+	items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/batch/v1
+
+package v1
+
+#GroupName: "batch"

timoni/podinfo/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue

@@ -0,0 +1,693 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/batch/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// All Kubernetes labels need to be prefixed with Kubernetes to distinguish them from end-user labels
+// More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#label-selector-and-annotation-conventions
+_#labelPrefix: "batch.kubernetes.io/"
+
+// CronJobScheduledTimestampAnnotation is the scheduled timestamp annotation for the Job.
+// It records the original/expected scheduled timestamp for the running job, represented in RFC3339.
+// The CronJob controller adds this annotation if the CronJobsScheduledAnnotation feature gate (beta in 1.28) is enabled.
+#CronJobScheduledTimestampAnnotation: "batch.kubernetes.io/cronjob-scheduled-timestamp"
+#JobCompletionIndexAnnotation:        "batch.kubernetes.io/job-completion-index"
+
+// JobTrackingFinalizer is a finalizer for Job's pods. It prevents them from
+// being deleted before being accounted in the Job status.
+//
+// Additionally, the apiserver and job controller use this string as a Job
+// annotation, to mark Jobs that are being tracked using pod finalizers.
+// However, this behavior is deprecated in kubernetes 1.26. This means that, in
+// 1.27+, one release after JobTrackingWithFinalizers graduates to GA, the
+// apiserver and job controller will ignore this annotation and they will
+// always track jobs using finalizers.
+#JobTrackingFinalizer: "batch.kubernetes.io/job-tracking"
+
+// The Job labels will use batch.kubernetes.io as a prefix for all labels
+// Historically the job controller uses unprefixed labels for job-name and controller-uid and
+// Kubernetes continutes to recognize those unprefixed labels for consistency.
+#JobNameLabel: "batch.kubernetes.io/job-name"
+
+// ControllerUid is used to programatically get pods corresponding to a Job.
+// There is a corresponding label without the batch.kubernetes.io that we support for legacy reasons.
+#ControllerUidLabel: "batch.kubernetes.io/controller-uid"
+
+// Annotation indicating the number of failures for the index corresponding
+// to the pod, which are counted towards the backoff limit.
+#JobIndexFailureCountAnnotation: "batch.kubernetes.io/job-index-failure-count"
+
+// Annotation indicating the number of failures for the index corresponding
+// to the pod, which don't count towards the backoff limit, according to the
+// pod failure policy. When the annotation is absent zero is implied.
+#JobIndexIgnoredFailureCountAnnotation: "batch.kubernetes.io/job-index-ignored-failure-count"
+
+// Job represents the configuration of a single job.
+#Job: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of a job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Current status of a job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #JobStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// JobList is a collection of jobs.
+#JobList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of Jobs.
+	items: [...#Job] @go(Items,[]Job) @protobuf(2,bytes,rep)
+}
+
+// CompletionMode specifies how Pod completions of a Job are tracked.
+// +enum
+#CompletionMode: string // #enumCompletionMode
+
+#enumCompletionMode:
+	#NonIndexedCompletion |
+	#IndexedCompletion
+
+// NonIndexedCompletion is a Job completion mode. In this mode, the Job is
+// considered complete when there have been .spec.completions
+// successfully completed Pods. Pod completions are homologous to each other.
+#NonIndexedCompletion: #CompletionMode & "NonIndexed"
+
+// IndexedCompletion is a Job completion mode. In this mode, the Pods of a
+// Job get an associated completion index from 0 to (.spec.completions - 1).
+// The Job is  considered complete when a Pod completes for each completion
+// index.
+#IndexedCompletion: #CompletionMode & "Indexed"
+
+// PodFailurePolicyAction specifies how a Pod failure is handled.
+// +enum
+#PodFailurePolicyAction: string // #enumPodFailurePolicyAction
+
+#enumPodFailurePolicyAction:
+	#PodFailurePolicyActionFailJob |
+	#PodFailurePolicyActionFailIndex |
+	#PodFailurePolicyActionIgnore |
+	#PodFailurePolicyActionCount
+
+// This is an action which might be taken on a pod failure - mark the
+// pod's job as Failed and terminate all running pods.
+#PodFailurePolicyActionFailJob: #PodFailurePolicyAction & "FailJob"
+
+// This is an action which might be taken on a pod failure - mark the
+// Job's index as failed to avoid restarts within this index. This action
+// can only be used when backoffLimitPerIndex is set.
+#PodFailurePolicyActionFailIndex: #PodFailurePolicyAction & "FailIndex"
+
+// This is an action which might be taken on a pod failure - the counter towards
+// .backoffLimit, represented by the job's .status.failed field, is not
+// incremented and a replacement pod is created.
+#PodFailurePolicyActionIgnore: #PodFailurePolicyAction & "Ignore"
+
+// This is an action which might be taken on a pod failure - the pod failure
+// is handled in the default way - the counter towards .backoffLimit,
+// represented by the job's .status.failed field, is incremented.
+#PodFailurePolicyActionCount: #PodFailurePolicyAction & "Count"
+
+// +enum
+#PodFailurePolicyOnExitCodesOperator: string // #enumPodFailurePolicyOnExitCodesOperator
+
+#enumPodFailurePolicyOnExitCodesOperator:
+	#PodFailurePolicyOnExitCodesOpIn |
+	#PodFailurePolicyOnExitCodesOpNotIn
+
+#PodFailurePolicyOnExitCodesOpIn:    #PodFailurePolicyOnExitCodesOperator & "In"
+#PodFailurePolicyOnExitCodesOpNotIn: #PodFailurePolicyOnExitCodesOperator & "NotIn"
+
+// PodReplacementPolicy specifies the policy for creating pod replacements.
+// +enum
+#PodReplacementPolicy: string // #enumPodReplacementPolicy
+
+#enumPodReplacementPolicy:
+	#TerminatingOrFailed |
+	#Failed
+
+// TerminatingOrFailed means that we recreate pods
+// when they are terminating (has a metadata.deletionTimestamp) or failed.
+#TerminatingOrFailed: #PodReplacementPolicy & "TerminatingOrFailed"
+
+// Failed means to wait until a previously created Pod is fully terminated (has phase
+// Failed or Succeeded) before creating a replacement Pod.
+#Failed: #PodReplacementPolicy & "Failed"
+
+// PodFailurePolicyOnExitCodesRequirement describes the requirement for handling
+// a failed pod based on its container exit codes. In particular, it lookups the
+// .state.terminated.exitCode for each app container and init container status,
+// represented by the .status.containerStatuses and .status.initContainerStatuses
+// fields in the Pod status, respectively. Containers completed with success
+// (exit code 0) are excluded from the requirement check.
+#PodFailurePolicyOnExitCodesRequirement: {
+	// Restricts the check for exit codes to the container with the
+	// specified name. When null, the rule applies to all containers.
+	// When specified, it should match one the container or initContainer
+	// names in the pod template.
+	// +optional
+	containerName?: null | string @go(ContainerName,*string) @protobuf(1,bytes,opt)
+
+	// Represents the relationship between the container exit code(s) and the
+	// specified values. Containers completed with success (exit code 0) are
+	// excluded from the requirement check. Possible values are:
+	//
+	// - In: the requirement is satisfied if at least one container exit code
+	//   (might be multiple if there are multiple containers not restricted
+	//   by the 'containerName' field) is in the set of specified values.
+	// - NotIn: the requirement is satisfied if at least one container exit code
+	//   (might be multiple if there are multiple containers not restricted
+	//   by the 'containerName' field) is not in the set of specified values.
+	// Additional values are considered to be added in the future. Clients should
+	// react to an unknown operator by assuming the requirement is not satisfied.
+	operator: #PodFailurePolicyOnExitCodesOperator @go(Operator) @protobuf(2,bytes,req)
+
+	// Specifies the set of values. Each returned container exit code (might be
+	// multiple in case of multiple containers) is checked against this set of
+	// values with respect to the operator. The list of values must be ordered
+	// and must not contain duplicates. Value '0' cannot be used for the In operator.
+	// At least one element is required. At most 255 elements are allowed.
+	// +listType=set
+	values: [...int32] @go(Values,[]int32) @protobuf(3,varint,rep)
+}
+
+// PodFailurePolicyOnPodConditionsPattern describes a pattern for matching
+// an actual pod condition type.
+#PodFailurePolicyOnPodConditionsPattern: {
+	// Specifies the required Pod condition type. To match a pod condition
+	// it is required that specified type equals the pod condition type.
+	type: corev1.#PodConditionType @go(Type) @protobuf(1,bytes,req)
+
+	// Specifies the required Pod condition status. To match a pod condition
+	// it is required that the specified status equals the pod condition status.
+	// Defaults to True.
+	status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,req)
+}
+
+// PodFailurePolicyRule describes how a pod failure is handled when the requirements are met.
+// One of onExitCodes and onPodConditions, but not both, can be used in each rule.
+#PodFailurePolicyRule: {
+	// Specifies the action taken on a pod failure when the requirements are satisfied.
+	// Possible values are:
+	//
+	// - FailJob: indicates that the pod's job is marked as Failed and all
+	//   running pods are terminated.
+	// - FailIndex: indicates that the pod's index is marked as Failed and will
+	//   not be restarted.
+	//   This value is alpha-level. It can be used when the
+	//   `JobBackoffLimitPerIndex` feature gate is enabled (disabled by default).
+	// - Ignore: indicates that the counter towards the .backoffLimit is not
+	//   incremented and a replacement pod is created.
+	// - Count: indicates that the pod is handled in the default way - the
+	//   counter towards the .backoffLimit is incremented.
+	// Additional values are considered to be added in the future. Clients should
+	// react to an unknown action by skipping the rule.
+	action: #PodFailurePolicyAction @go(Action) @protobuf(1,bytes,req)
+
+	// Represents the requirement on the container exit codes.
+	// +optional
+	onExitCodes?: null | #PodFailurePolicyOnExitCodesRequirement @go(OnExitCodes,*PodFailurePolicyOnExitCodesRequirement) @protobuf(2,bytes,opt)
+
+	// Represents the requirement on the pod conditions. The requirement is represented
+	// as a list of pod condition patterns. The requirement is satisfied if at
+	// least one pattern matches an actual pod condition. At most 20 elements are allowed.
+	// +listType=atomic
+	// +optional
+	onPodConditions: [...#PodFailurePolicyOnPodConditionsPattern] @go(OnPodConditions,[]PodFailurePolicyOnPodConditionsPattern) @protobuf(3,bytes,opt)
+}
+
+// PodFailurePolicy describes how failed pods influence the backoffLimit.
+#PodFailurePolicy: {
+	// A list of pod failure policy rules. The rules are evaluated in order.
+	// Once a rule matches a Pod failure, the remaining of the rules are ignored.
+	// When no rule matches the Pod failure, the default handling applies - the
+	// counter of pod failures is incremented and it is checked against
+	// the backoffLimit. At most 20 elements are allowed.
+	// +listType=atomic
+	rules: [...#PodFailurePolicyRule] @go(Rules,[]PodFailurePolicyRule) @protobuf(1,bytes,opt)
+}
+
+// JobSpec describes how the job execution will look like.
+#JobSpec: {
+	// Specifies the maximum desired number of pods the job should
+	// run at any given time. The actual number of pods running in steady state will
+	// be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism),
+	// i.e. when the work left to do is less than max parallelism.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	// +optional
+	parallelism?: null | int32 @go(Parallelism,*int32) @protobuf(1,varint,opt)
+
+	// Specifies the desired number of successfully finished pods the
+	// job should be run with.  Setting to null means that the success of any
+	// pod signals the success of all pods, and allows parallelism to have any positive
+	// value.  Setting to 1 means that parallelism is limited to 1 and the success of that
+	// pod signals the success of the job.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	// +optional
+	completions?: null | int32 @go(Completions,*int32) @protobuf(2,varint,opt)
+
+	// Specifies the duration in seconds relative to the startTime that the job
+	// may be continuously active before the system tries to terminate it; value
+	// must be positive integer. If a Job is suspended (at creation or through an
+	// update), this timer will effectively be stopped and reset when the Job is
+	// resumed again.
+	// +optional
+	activeDeadlineSeconds?: null | int64 @go(ActiveDeadlineSeconds,*int64) @protobuf(3,varint,opt)
+
+	// Specifies the policy of handling failed pods. In particular, it allows to
+	// specify the set of actions and conditions which need to be
+	// satisfied to take the associated action.
+	// If empty, the default behaviour applies - the counter of failed pods,
+	// represented by the jobs's .status.failed field, is incremented and it is
+	// checked against the backoffLimit. This field cannot be used in combination
+	// with restartPolicy=OnFailure.
+	//
+	// This field is beta-level. It can be used when the `JobPodFailurePolicy`
+	// feature gate is enabled (enabled by default).
+	// +optional
+	podFailurePolicy?: null | #PodFailurePolicy @go(PodFailurePolicy,*PodFailurePolicy) @protobuf(11,bytes,opt)
+
+	// Specifies the number of retries before marking this job failed.
+	// Defaults to 6
+	// +optional
+	backoffLimit?: null | int32 @go(BackoffLimit,*int32) @protobuf(7,varint,opt)
+
+	// Specifies the limit for the number of retries within an
+	// index before marking this index as failed. When enabled the number of
+	// failures per index is kept in the pod's
+	// batch.kubernetes.io/job-index-failure-count annotation. It can only
+	// be set when Job's completionMode=Indexed, and the Pod's restart
+	// policy is Never. The field is immutable.
+	// This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex`
+	// feature gate is enabled (disabled by default).
+	// +optional
+	backoffLimitPerIndex?: null | int32 @go(BackoffLimitPerIndex,*int32) @protobuf(12,varint,opt)
+
+	// Specifies the maximal number of failed indexes before marking the Job as
+	// failed, when backoffLimitPerIndex is set. Once the number of failed
+	// indexes exceeds this number the entire Job is marked as Failed and its
+	// execution is terminated. When left as null the job continues execution of
+	// all of its indexes and is marked with the `Complete` Job condition.
+	// It can only be specified when backoffLimitPerIndex is set.
+	// It can be null or up to completions. It is required and must be
+	// less than or equal to 10^4 when is completions greater than 10^5.
+	// This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex`
+	// feature gate is enabled (disabled by default).
+	// +optional
+	maxFailedIndexes?: null | int32 @go(MaxFailedIndexes,*int32) @protobuf(13,varint,opt)
+
+	// A label query over pods that should match the pod count.
+	// Normally, the system sets this field for you.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes,opt)
+
+	// manualSelector controls generation of pod labels and pod selectors.
+	// Leave `manualSelector` unset unless you are certain what you are doing.
+	// When false or unset, the system pick labels unique to this job
+	// and appends those labels to the pod template.  When true,
+	// the user is responsible for picking unique labels and specifying
+	// the selector.  Failure to pick a unique label may cause this
+	// and other jobs to not function correctly.  However, You may see
+	// `manualSelector=true` in jobs that were created with the old `extensions/v1beta1`
+	// API.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector
+	// +optional
+	manualSelector?: null | bool @go(ManualSelector,*bool) @protobuf(5,varint,opt)
+
+	// Describes the pod that will be created when executing a job.
+	// The only allowed template.spec.restartPolicy values are "Never" or "OnFailure".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	template: corev1.#PodTemplateSpec @go(Template) @protobuf(6,bytes,opt)
+
+	// ttlSecondsAfterFinished limits the lifetime of a Job that has finished
+	// execution (either Complete or Failed). If this field is set,
+	// ttlSecondsAfterFinished after the Job finishes, it is eligible to be
+	// automatically deleted. When the Job is being deleted, its lifecycle
+	// guarantees (e.g. finalizers) will be honored. If this field is unset,
+	// the Job won't be automatically deleted. If this field is set to zero,
+	// the Job becomes eligible to be deleted immediately after it finishes.
+	// +optional
+	ttlSecondsAfterFinished?: null | int32 @go(TTLSecondsAfterFinished,*int32) @protobuf(8,varint,opt)
+
+	// completionMode specifies how Pod completions are tracked. It can be
+	// `NonIndexed` (default) or `Indexed`.
+	//
+	// `NonIndexed` means that the Job is considered complete when there have
+	// been .spec.completions successfully completed Pods. Each Pod completion is
+	// homologous to each other.
+	//
+	// `Indexed` means that the Pods of a
+	// Job get an associated completion index from 0 to (.spec.completions - 1),
+	// available in the annotation batch.kubernetes.io/job-completion-index.
+	// The Job is considered complete when there is one successfully completed Pod
+	// for each index.
+	// When value is `Indexed`, .spec.completions must be specified and
+	// `.spec.parallelism` must be less than or equal to 10^5.
+	// In addition, The Pod name takes the form
+	// `$(job-name)-$(index)-$(random-string)`,
+	// the Pod hostname takes the form `$(job-name)-$(index)`.
+	//
+	// More completion modes can be added in the future.
+	// If the Job controller observes a mode that it doesn't recognize, which
+	// is possible during upgrades due to version skew, the controller
+	// skips updates for the Job.
+	// +optional
+	completionMode?: null | #CompletionMode @go(CompletionMode,*CompletionMode) @protobuf(9,bytes,opt,casttype=CompletionMode)
+
+	// suspend specifies whether the Job controller should create Pods or not. If
+	// a Job is created with suspend set to true, no Pods are created by the Job
+	// controller. If a Job is suspended after creation (i.e. the flag goes from
+	// false to true), the Job controller will delete all active Pods associated
+	// with this Job. Users must design their workload to gracefully handle this.
+	// Suspending a Job will reset the StartTime field of the Job, effectively
+	// resetting the ActiveDeadlineSeconds timer too. Defaults to false.
+	//
+	// +optional
+	suspend?: null | bool @go(Suspend,*bool) @protobuf(10,varint,opt)
+
+	// podReplacementPolicy specifies when to create replacement Pods.
+	// Possible values are:
+	// - TerminatingOrFailed means that we recreate pods
+	//   when they are terminating (has a metadata.deletionTimestamp) or failed.
+	// - Failed means to wait until a previously created Pod is fully terminated (has phase
+	//   Failed or Succeeded) before creating a replacement Pod.
+	//
+	// When using podFailurePolicy, Failed is the the only allowed value.
+	// TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use.
+	// This is an alpha field. Enable JobPodReplacementPolicy to be able to use this field.
+	// +optional
+	podReplacementPolicy?: null | #PodReplacementPolicy @go(PodReplacementPolicy,*PodReplacementPolicy) @protobuf(14,bytes,opt,casttype=podReplacementPolicy)
+}
+
+// JobStatus represents the current state of a Job.
+#JobStatus: {
+	// The latest available observations of an object's current state. When a Job
+	// fails, one of the conditions will have type "Failed" and status true. When
+	// a Job is suspended, one of the conditions will have type "Suspended" and
+	// status true; when the Job is resumed, the status of this condition will
+	// become false. When a Job is completed, one of the conditions will have
+	// type "Complete" and status true.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=atomic
+	conditions?: [...#JobCondition] @go(Conditions,[]JobCondition) @protobuf(1,bytes,rep)
+
+	// Represents time when the job controller started processing a job. When a
+	// Job is created in the suspended state, this field is not set until the
+	// first time it is resumed. This field is reset every time a Job is resumed
+	// from suspension. It is represented in RFC3339 form and is in UTC.
+	// +optional
+	startTime?: null | metav1.#Time @go(StartTime,*metav1.Time) @protobuf(2,bytes,opt)
+
+	// Represents time when the job was completed. It is not guaranteed to
+	// be set in happens-before order across separate operations.
+	// It is represented in RFC3339 form and is in UTC.
+	// The completion time is only set when the job finishes successfully.
+	// +optional
+	completionTime?: null | metav1.#Time @go(CompletionTime,*metav1.Time) @protobuf(3,bytes,opt)
+
+	// The number of pending and running pods.
+	// +optional
+	active?: int32 @go(Active) @protobuf(4,varint,opt)
+
+	// The number of pods which reached phase Succeeded.
+	// +optional
+	succeeded?: int32 @go(Succeeded) @protobuf(5,varint,opt)
+
+	// The number of pods which reached phase Failed.
+	// +optional
+	failed?: int32 @go(Failed) @protobuf(6,varint,opt)
+
+	// The number of pods which are terminating (in phase Pending or Running
+	// and have a deletionTimestamp).
+	//
+	// This field is alpha-level. The job controller populates the field when
+	// the feature gate JobPodReplacementPolicy is enabled (disabled by default).
+	// +optional
+	terminating?: null | int32 @go(Terminating,*int32) @protobuf(11,varint,opt)
+
+	// completedIndexes holds the completed indexes when .spec.completionMode =
+	// "Indexed" in a text format. The indexes are represented as decimal integers
+	// separated by commas. The numbers are listed in increasing order. Three or
+	// more consecutive numbers are compressed and represented by the first and
+	// last element of the series, separated by a hyphen.
+	// For example, if the completed indexes are 1, 3, 4, 5 and 7, they are
+	// represented as "1,3-5,7".
+	// +optional
+	completedIndexes?: string @go(CompletedIndexes) @protobuf(7,bytes,opt)
+
+	// FailedIndexes holds the failed indexes when backoffLimitPerIndex=true.
+	// The indexes are represented in the text format analogous as for the
+	// `completedIndexes` field, ie. they are kept as decimal integers
+	// separated by commas. The numbers are listed in increasing order. Three or
+	// more consecutive numbers are compressed and represented by the first and
+	// last element of the series, separated by a hyphen.
+	// For example, if the failed indexes are 1, 3, 4, 5 and 7, they are
+	// represented as "1,3-5,7".
+	// This field is alpha-level. It can be used when the `JobBackoffLimitPerIndex`
+	// feature gate is enabled (disabled by default).
+	// +optional
+	failedIndexes?: null | string @go(FailedIndexes,*string) @protobuf(10,bytes,opt)
+
+	// uncountedTerminatedPods holds the UIDs of Pods that have terminated but
+	// the job controller hasn't yet accounted for in the status counters.
+	//
+	// The job controller creates pods with a finalizer. When a pod terminates
+	// (succeeded or failed), the controller does three steps to account for it
+	// in the job status:
+	//
+	// 1. Add the pod UID to the arrays in this field.
+	// 2. Remove the pod finalizer.
+	// 3. Remove the pod UID from the arrays while increasing the corresponding
+	//     counter.
+	//
+	// Old jobs might not be tracked using this field, in which case the field
+	// remains null.
+	// +optional
+	uncountedTerminatedPods?: null | #UncountedTerminatedPods @go(UncountedTerminatedPods,*UncountedTerminatedPods) @protobuf(8,bytes,opt)
+
+	// The number of pods which have a Ready condition.
+	//
+	// This field is beta-level. The job controller populates the field when
+	// the feature gate JobReadyPods is enabled (enabled by default).
+	// +optional
+	ready?: null | int32 @go(Ready,*int32) @protobuf(9,varint,opt)
+}
+
+// UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't
+// been accounted in Job status counters.
+#UncountedTerminatedPods: {
+	// succeeded holds UIDs of succeeded Pods.
+	// +listType=set
+	// +optional
+	succeeded?: [...types.#UID] @go(Succeeded,[]types.UID) @protobuf(1,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID)
+
+	// failed holds UIDs of failed Pods.
+	// +listType=set
+	// +optional
+	failed?: [...types.#UID] @go(Failed,[]types.UID) @protobuf(2,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID)
+}
+
+#JobConditionType: string // #enumJobConditionType
+
+#enumJobConditionType:
+	#JobSuspended |
+	#JobComplete |
+	#JobFailed |
+	#JobFailureTarget
+
+// JobSuspended means the job has been suspended.
+#JobSuspended: #JobConditionType & "Suspended"
+
+// JobComplete means the job has completed its execution.
+#JobComplete: #JobConditionType & "Complete"
+
+// JobFailed means the job has failed its execution.
+#JobFailed: #JobConditionType & "Failed"
+
+// FailureTarget means the job is about to fail its execution.
+#JobFailureTarget: #JobConditionType & "FailureTarget"
+
+// JobCondition describes current state of a job.
+#JobCondition: {
+	// Type of job condition, Complete or Failed.
+	type: #JobConditionType @go(Type) @protobuf(1,bytes,opt,casttype=JobConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition was checked.
+	// +optional
+	lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt)
+
+	// Last time the condition transit from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt)
+
+	// (brief) reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(5,bytes,opt)
+
+	// Human readable message indicating details about last transition.
+	// +optional
+	message?: string @go(Message) @protobuf(6,bytes,opt)
+}
+
+// JobTemplateSpec describes the data a Job should have when created from a template
+#JobTemplateSpec: {
+	// Standard object's metadata of the jobs created from this template.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of the job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt)
+}
+
+// CronJob represents the configuration of a single cron job.
+#CronJob: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of a cron job, including the schedule.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #CronJobSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Current status of a cron job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #CronJobStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// CronJobList is a collection of cron jobs.
+#CronJobList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of CronJobs.
+	items: [...#CronJob] @go(Items,[]CronJob) @protobuf(2,bytes,rep)
+}
+
+// CronJobSpec describes how the job execution will look like and when it will actually run.
+#CronJobSpec: {
+	// The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
+	schedule: string @go(Schedule) @protobuf(1,bytes,opt)
+
+	// The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.
+	// If not specified, this will default to the time zone of the kube-controller-manager process.
+	// The set of valid time zone names and the time zone offset is loaded from the system-wide time zone
+	// database by the API server during CronJob validation and the controller manager during execution.
+	// If no system-wide time zone database can be found a bundled version of the database is used instead.
+	// If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host
+	// configuration, the controller will stop creating new new Jobs and will create a system event with the
+	// reason UnknownTimeZone.
+	// More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones
+	// +optional
+	timeZone?: null | string @go(TimeZone,*string) @protobuf(8,bytes,opt)
+
+	// Optional deadline in seconds for starting the job if it misses scheduled
+	// time for any reason.  Missed jobs executions will be counted as failed ones.
+	// +optional
+	startingDeadlineSeconds?: null | int64 @go(StartingDeadlineSeconds,*int64) @protobuf(2,varint,opt)
+
+	// Specifies how to treat concurrent executions of a Job.
+	// Valid values are:
+	//
+	// - "Allow" (default): allows CronJobs to run concurrently;
+	// - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet;
+	// - "Replace": cancels currently running job and replaces it with a new one
+	// +optional
+	concurrencyPolicy?: #ConcurrencyPolicy @go(ConcurrencyPolicy) @protobuf(3,bytes,opt,casttype=ConcurrencyPolicy)
+
+	// This flag tells the controller to suspend subsequent executions, it does
+	// not apply to already started executions.  Defaults to false.
+	// +optional
+	suspend?: null | bool @go(Suspend,*bool) @protobuf(4,varint,opt)
+
+	// Specifies the job that will be created when executing a CronJob.
+	jobTemplate: #JobTemplateSpec @go(JobTemplate) @protobuf(5,bytes,opt)
+
+	// The number of successful finished jobs to retain. Value must be non-negative integer.
+	// Defaults to 3.
+	// +optional
+	successfulJobsHistoryLimit?: null | int32 @go(SuccessfulJobsHistoryLimit,*int32) @protobuf(6,varint,opt)
+
+	// The number of failed finished jobs to retain. Value must be non-negative integer.
+	// Defaults to 1.
+	// +optional
+	failedJobsHistoryLimit?: null | int32 @go(FailedJobsHistoryLimit,*int32) @protobuf(7,varint,opt)
+}
+
+// ConcurrencyPolicy describes how the job will be handled.
+// Only one of the following concurrent policies may be specified.
+// If none of the following policies is specified, the default one
+// is AllowConcurrent.
+// +enum
+#ConcurrencyPolicy: string // #enumConcurrencyPolicy
+
+#enumConcurrencyPolicy:
+	#AllowConcurrent |
+	#ForbidConcurrent |
+	#ReplaceConcurrent
+
+// AllowConcurrent allows CronJobs to run concurrently.
+#AllowConcurrent: #ConcurrencyPolicy & "Allow"
+
+// ForbidConcurrent forbids concurrent runs, skipping next run if previous
+// hasn't finished yet.
+#ForbidConcurrent: #ConcurrencyPolicy & "Forbid"
+
+// ReplaceConcurrent cancels currently running job and replaces it with a new one.
+#ReplaceConcurrent: #ConcurrencyPolicy & "Replace"
+
+// CronJobStatus represents the current state of a cron job.
+#CronJobStatus: {
+	// A list of pointers to currently running jobs.
+	// +optional
+	// +listType=atomic
+	active?: [...corev1.#ObjectReference] @go(Active,[]corev1.ObjectReference) @protobuf(1,bytes,rep)
+
+	// Information when was the last time the job was successfully scheduled.
+	// +optional
+	lastScheduleTime?: null | metav1.#Time @go(LastScheduleTime,*metav1.Time) @protobuf(4,bytes,opt)
+
+	// Information when was the last time the job successfully completed.
+	// +optional
+	lastSuccessfulTime?: null | metav1.#Time @go(LastSuccessfulTime,*metav1.Time) @protobuf(5,bytes,opt)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/certificates/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/certificates/v1
+
+package v1
+
+#GroupName: "certificates.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/certificates/v1/types_go_gen.cue

@@ -0,0 +1,318 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/certificates/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/api/core/v1"
+)
+
+// CertificateSigningRequest objects provide a mechanism to obtain x509 certificates
+// by submitting a certificate signing request, and having it asynchronously approved and issued.
+//
+// Kubelets use this API to obtain:
+//  1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName).
+//  2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
+//
+// This API can be used to request client certificates to authenticate to kube-apiserver
+// (with the "kubernetes.io/kube-apiserver-client" signerName),
+// or to obtain certificates from custom non-Kubernetes signers.
+#CertificateSigningRequest: {
+	metav1.#TypeMeta
+
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec contains the certificate request, and is immutable after creation.
+	// Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
+	// Other fields are derived by Kubernetes and cannot be modified by users.
+	spec: #CertificateSigningRequestSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status contains information about whether the request is approved or denied,
+	// and the certificate issued by the signer, or the failure condition indicating signer failure.
+	// +optional
+	status?: #CertificateSigningRequestStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// CertificateSigningRequestSpec contains the certificate request.
+#CertificateSigningRequestSpec: {
+	// request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block.
+	// When serialized as JSON or YAML, the data is additionally base64-encoded.
+	// +listType=atomic
+	request: bytes @go(Request,[]byte) @protobuf(1,bytes,opt)
+
+	// signerName indicates the requested signer, and is a qualified name.
+	//
+	// List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector.
+	//
+	// Well-known Kubernetes signers are:
+	//  1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver.
+	//   Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager.
+	//  2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver.
+	//   Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
+	//  3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.
+	//   Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager.
+	//
+	// More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
+	//
+	// Custom signerNames can also be specified. The signer defines:
+	//  1. Trust distribution: how trust (CA bundles) are distributed.
+	//  2. Permitted subjects: and behavior when a disallowed subject is requested.
+	//  3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.
+	//  4. Required, permitted, or forbidden key usages / extended key usages.
+	//  5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
+	//  6. Whether or not requests for CA certificates are allowed.
+	signerName: string @go(SignerName) @protobuf(7,bytes,opt)
+
+	// expirationSeconds is the requested duration of validity of the issued
+	// certificate. The certificate signer may issue a certificate with a different
+	// validity duration so a client must check the delta between the notBefore and
+	// and notAfter fields in the issued certificate to determine the actual duration.
+	//
+	// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
+	// honor this field as long as the requested duration is not greater than the
+	// maximum duration they will honor per the --cluster-signing-duration CLI
+	// flag to the Kubernetes controller manager.
+	//
+	// Certificate signers may not honor this field for various reasons:
+	//
+	//   1. Old signer that is unaware of the field (such as the in-tree
+	//      implementations prior to v1.22)
+	//   2. Signer whose configured maximum is shorter than the requested duration
+	//   3. Signer whose configured minimum is longer than the requested duration
+	//
+	// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
+	//
+	// +optional
+	expirationSeconds?: null | int32 @go(ExpirationSeconds,*int32) @protobuf(8,varint,opt)
+
+	// usages specifies a set of key usages requested in the issued certificate.
+	//
+	// Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".
+	//
+	// Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth".
+	//
+	// Valid values are:
+	//  "signing", "digital signature", "content commitment",
+	//  "key encipherment", "key agreement", "data encipherment",
+	//  "cert sign", "crl sign", "encipher only", "decipher only", "any",
+	//  "server auth", "client auth",
+	//  "code signing", "email protection", "s/mime",
+	//  "ipsec end system", "ipsec tunnel", "ipsec user",
+	//  "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
+	// +listType=atomic
+	usages?: [...#KeyUsage] @go(Usages,[]KeyUsage) @protobuf(5,bytes,opt)
+
+	// username contains the name of the user that created the CertificateSigningRequest.
+	// Populated by the API server on creation and immutable.
+	// +optional
+	username?: string @go(Username) @protobuf(2,bytes,opt)
+
+	// uid contains the uid of the user that created the CertificateSigningRequest.
+	// Populated by the API server on creation and immutable.
+	// +optional
+	uid?: string @go(UID) @protobuf(3,bytes,opt)
+
+	// groups contains group membership of the user that created the CertificateSigningRequest.
+	// Populated by the API server on creation and immutable.
+	// +listType=atomic
+	// +optional
+	groups?: [...string] @go(Groups,[]string) @protobuf(4,bytes,rep)
+
+	// extra contains extra attributes of the user that created the CertificateSigningRequest.
+	// Populated by the API server on creation and immutable.
+	// +optional
+	extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(6,bytes,rep)
+}
+
+// "kubernetes.io/kube-apiserver-client" signer issues client certificates that can be used to authenticate to kube-apiserver.
+// Never auto-approved by kube-controller-manager.
+// Can be issued by the "csrsigning" controller in kube-controller-manager.
+#KubeAPIServerClientSignerName: "kubernetes.io/kube-apiserver-client"
+
+// "kubernetes.io/kube-apiserver-client-kubelet" issues client certificates that kubelets use to authenticate to kube-apiserver.
+// Can be auto-approved by the "csrapproving" controller in kube-controller-manager.
+// Can be issued by the "csrsigning" controller in kube-controller-manager.
+#KubeAPIServerClientKubeletSignerName: "kubernetes.io/kube-apiserver-client-kubelet"
+
+// "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints,
+// which kube-apiserver can connect to securely.
+// Never auto-approved by kube-controller-manager.
+// Can be issued by the "csrsigning" controller in kube-controller-manager.
+#KubeletServingSignerName: "kubernetes.io/kubelet-serving"
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#ExtraValue: [...string]
+
+// CertificateSigningRequestStatus contains conditions used to indicate
+// approved/denied/failed status of the request, and the issued certificate.
+#CertificateSigningRequestStatus: {
+	// conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed".
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	conditions?: [...#CertificateSigningRequestCondition] @go(Conditions,[]CertificateSigningRequestCondition) @protobuf(1,bytes,rep)
+
+	// certificate is populated with an issued certificate by the signer after an Approved condition is present.
+	// This field is set via the /status subresource. Once populated, this field is immutable.
+	//
+	// If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty.
+	// If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty.
+	//
+	// Validation requirements:
+	//  1. certificate must contain one or more PEM blocks.
+	//  2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data
+	//   must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.
+	//  3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated,
+	//   to allow for explanatory text as described in section 5.2 of RFC7468.
+	//
+	// If more than one PEM block is present, and the definition of the requested spec.signerName
+	// does not indicate otherwise, the first block is the issued certificate,
+	// and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.
+	//
+	// The certificate is encoded in PEM format.
+	//
+	// When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:
+	//
+	//     base64(
+	//     -----BEGIN CERTIFICATE-----
+	//     ...
+	//     -----END CERTIFICATE-----
+	//     )
+	//
+	// +listType=atomic
+	// +optional
+	certificate?: bytes @go(Certificate,[]byte) @protobuf(2,bytes,opt)
+}
+
+// RequestConditionType is the type of a CertificateSigningRequestCondition
+#RequestConditionType: string // #enumRequestConditionType
+
+#enumRequestConditionType:
+	#CertificateApproved |
+	#CertificateDenied |
+	#CertificateFailed
+
+// Approved indicates the request was approved and should be issued by the signer.
+#CertificateApproved: #RequestConditionType & "Approved"
+
+// Denied indicates the request was denied and should not be issued by the signer.
+#CertificateDenied: #RequestConditionType & "Denied"
+
+// Failed indicates the signer failed to issue the certificate.
+#CertificateFailed: #RequestConditionType & "Failed"
+
+// CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object
+#CertificateSigningRequestCondition: {
+	// type of the condition. Known conditions are "Approved", "Denied", and "Failed".
+	//
+	// An "Approved" condition is added via the /approval subresource,
+	// indicating the request was approved and should be issued by the signer.
+	//
+	// A "Denied" condition is added via the /approval subresource,
+	// indicating the request was denied and should not be issued by the signer.
+	//
+	// A "Failed" condition is added via the /status subresource,
+	// indicating the signer failed to issue the certificate.
+	//
+	// Approved and Denied conditions are mutually exclusive.
+	// Approved, Denied, and Failed conditions cannot be removed once added.
+	//
+	// Only one condition of a given type is allowed.
+	type: #RequestConditionType @go(Type) @protobuf(1,bytes,opt,casttype=RequestConditionType)
+
+	// status of the condition, one of True, False, Unknown.
+	// Approved, Denied, and Failed conditions may not be "False" or "Unknown".
+	status: v1.#ConditionStatus @go(Status) @protobuf(6,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// reason indicates a brief reason for the request state
+	// +optional
+	reason?: string @go(Reason) @protobuf(2,bytes,opt)
+
+	// message contains a human readable message with details about the request state
+	// +optional
+	message?: string @go(Message) @protobuf(3,bytes,opt)
+
+	// lastUpdateTime is the time of the last update to this condition
+	// +optional
+	lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(4,bytes,opt)
+
+	// lastTransitionTime is the time the condition last transitioned from one status to another.
+	// If unset, when a new condition type is added or an existing condition's status is changed,
+	// the server defaults this to the current time.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(5,bytes,opt)
+}
+
+// CertificateSigningRequestList is a collection of CertificateSigningRequest objects
+#CertificateSigningRequestList: {
+	metav1.#TypeMeta
+
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is a collection of CertificateSigningRequest objects
+	items: [...#CertificateSigningRequest] @go(Items,[]CertificateSigningRequest) @protobuf(2,bytes,rep)
+}
+
+// KeyUsage specifies valid usage contexts for keys.
+// See:
+//
+//	https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+//	https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+//
+// +enum
+#KeyUsage: string // #enumKeyUsage
+
+#enumKeyUsage:
+	#UsageSigning |
+	#UsageDigitalSignature |
+	#UsageContentCommitment |
+	#UsageKeyEncipherment |
+	#UsageKeyAgreement |
+	#UsageDataEncipherment |
+	#UsageCertSign |
+	#UsageCRLSign |
+	#UsageEncipherOnly |
+	#UsageDecipherOnly |
+	#UsageAny |
+	#UsageServerAuth |
+	#UsageClientAuth |
+	#UsageCodeSigning |
+	#UsageEmailProtection |
+	#UsageSMIME |
+	#UsageIPsecEndSystem |
+	#UsageIPsecTunnel |
+	#UsageIPsecUser |
+	#UsageTimestamping |
+	#UsageOCSPSigning |
+	#UsageMicrosoftSGC |
+	#UsageNetscapeSGC
+
+#UsageSigning:           #KeyUsage & "signing"
+#UsageDigitalSignature:  #KeyUsage & "digital signature"
+#UsageContentCommitment: #KeyUsage & "content commitment"
+#UsageKeyEncipherment:   #KeyUsage & "key encipherment"
+#UsageKeyAgreement:      #KeyUsage & "key agreement"
+#UsageDataEncipherment:  #KeyUsage & "data encipherment"
+#UsageCertSign:          #KeyUsage & "cert sign"
+#UsageCRLSign:           #KeyUsage & "crl sign"
+#UsageEncipherOnly:      #KeyUsage & "encipher only"
+#UsageDecipherOnly:      #KeyUsage & "decipher only"
+#UsageAny:               #KeyUsage & "any"
+#UsageServerAuth:        #KeyUsage & "server auth"
+#UsageClientAuth:        #KeyUsage & "client auth"
+#UsageCodeSigning:       #KeyUsage & "code signing"
+#UsageEmailProtection:   #KeyUsage & "email protection"
+#UsageSMIME:             #KeyUsage & "s/mime"
+#UsageIPsecEndSystem:    #KeyUsage & "ipsec end system"
+#UsageIPsecTunnel:       #KeyUsage & "ipsec tunnel"
+#UsageIPsecUser:         #KeyUsage & "ipsec user"
+#UsageTimestamping:      #KeyUsage & "timestamping"
+#UsageOCSPSigning:       #KeyUsage & "ocsp signing"
+#UsageMicrosoftSGC:      #KeyUsage & "microsoft sgc"
+#UsageNetscapeSGC:       #KeyUsage & "netscape sgc"

timoni/podinfo/cue.mod/gen/k8s.io/api/coordination/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/coordination/v1
+
+package v1
+
+#GroupName: "coordination.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/coordination/v1/types_go_gen.cue

@@ -0,0 +1,61 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/coordination/v1
+
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// Lease defines a lease concept.
+#Lease: {
+	metav1.#TypeMeta
+
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec contains the specification of the Lease.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #LeaseSpec @go(Spec) @protobuf(2,bytes,opt)
+}
+
+// LeaseSpec is a specification of a Lease.
+#LeaseSpec: {
+	// holderIdentity contains the identity of the holder of a current lease.
+	// +optional
+	holderIdentity?: null | string @go(HolderIdentity,*string) @protobuf(1,bytes,opt)
+
+	// leaseDurationSeconds is a duration that candidates for a lease need
+	// to wait to force acquire it. This is measure against time of last
+	// observed renewTime.
+	// +optional
+	leaseDurationSeconds?: null | int32 @go(LeaseDurationSeconds,*int32) @protobuf(2,varint,opt)
+
+	// acquireTime is a time when the current lease was acquired.
+	// +optional
+	acquireTime?: null | metav1.#MicroTime @go(AcquireTime,*metav1.MicroTime) @protobuf(3,bytes,opt)
+
+	// renewTime is a time when the current holder of a lease has last
+	// updated the lease.
+	// +optional
+	renewTime?: null | metav1.#MicroTime @go(RenewTime,*metav1.MicroTime) @protobuf(4,bytes,opt)
+
+	// leaseTransitions is the number of transitions of a lease between
+	// holders.
+	// +optional
+	leaseTransitions?: null | int32 @go(LeaseTransitions,*int32) @protobuf(5,varint,opt)
+}
+
+// LeaseList is a list of Lease objects.
+#LeaseList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is a list of schema objects.
+	items: [...#Lease] @go(Items,[]Lease) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue

@@ -0,0 +1,147 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+// webhook backend fails.
+#ImagePolicyFailedOpenKey: "alpha.image-policy.k8s.io/failed-open"
+
+// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
+#MirrorPodAnnotationKey: "kubernetes.io/config.mirror"
+
+// TolerationsAnnotationKey represents the key of tolerations data (json serialized)
+// in the Annotations of a Pod.
+#TolerationsAnnotationKey: "scheduler.alpha.kubernetes.io/tolerations"
+
+// TaintsAnnotationKey represents the key of taints data (json serialized)
+// in the Annotations of a Node.
+#TaintsAnnotationKey: "scheduler.alpha.kubernetes.io/taints"
+
+// SeccompPodAnnotationKey represents the key of a seccomp profile applied
+// to all containers of a pod.
+// Deprecated: set a pod security context `seccompProfile` field.
+#SeccompPodAnnotationKey: "seccomp.security.alpha.kubernetes.io/pod"
+
+// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
+// to one container of a pod.
+// Deprecated: set a container security context `seccompProfile` field.
+#SeccompContainerAnnotationKeyPrefix: "container.seccomp.security.alpha.kubernetes.io/"
+
+// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime.
+// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
+#SeccompProfileRuntimeDefault: "runtime/default"
+
+// SeccompProfileNameUnconfined is the unconfined seccomp profile.
+#SeccompProfileNameUnconfined: "unconfined"
+
+// SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk.
+#SeccompLocalhostProfileNamePrefix: "localhost/"
+
+// AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
+#AppArmorBetaContainerAnnotationKeyPrefix: "container.apparmor.security.beta.kubernetes.io/"
+
+// AppArmorBetaDefaultProfileAnnotationKey is the annotation key specifying the default AppArmor profile.
+#AppArmorBetaDefaultProfileAnnotationKey: "apparmor.security.beta.kubernetes.io/defaultProfileName"
+
+// AppArmorBetaAllowedProfilesAnnotationKey is the annotation key specifying the allowed AppArmor profiles.
+#AppArmorBetaAllowedProfilesAnnotationKey: "apparmor.security.beta.kubernetes.io/allowedProfileNames"
+
+// AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default.
+#AppArmorBetaProfileRuntimeDefault: "runtime/default"
+
+// AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node.
+#AppArmorBetaProfileNamePrefix: "localhost/"
+
+// AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile
+#AppArmorBetaProfileNameUnconfined: "unconfined"
+
+// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
+// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
+#DeprecatedSeccompProfileDockerDefault: "docker/default"
+
+// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
+// in the Annotations of a Node.
+#PreferAvoidPodsAnnotationKey: "scheduler.alpha.kubernetes.io/preferAvoidPods"
+
+// ObjectTTLAnnotationKey represents a suggestion for kubelet for how long it can cache
+// an object (e.g. secret, config map) before fetching it again from apiserver.
+// This annotation can be attached to node.
+#ObjectTTLAnnotationKey: "node.alpha.kubernetes.io/ttl"
+
+// annotation key prefix used to identify non-convertible json paths.
+#NonConvertibleAnnotationPrefix: "non-convertible.kubernetes.io"
+_#kubectlPrefix:                 "kubectl.kubernetes.io/"
+
+// LastAppliedConfigAnnotation is the annotation used to store the previous
+// configuration of a resource for use in a three way diff by UpdateApplyAnnotation.
+#LastAppliedConfigAnnotation: "kubectl.kubernetes.io/last-applied-configuration"
+
+// AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers
+//
+// It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to
+// allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow
+// access only from the CIDRs currently allocated to MIT & the USPS.
+//
+// Not all cloud providers support this annotation, though AWS & GCE do.
+#AnnotationLoadBalancerSourceRangesKey: "service.beta.kubernetes.io/load-balancer-source-ranges"
+
+// EndpointsLastChangeTriggerTime is the annotation key, set for endpoints objects, that
+// represents the timestamp (stored as RFC 3339 date-time string, e.g. '2018-10-22T19:32:52.1Z')
+// of the last change, of some Pod or Service object, that triggered the endpoints object change.
+// In other words, if a Pod / Service changed at time T0, that change was observed by endpoints
+// controller at T1, and the Endpoints object was changed at T2, the
+// EndpointsLastChangeTriggerTime would be set to T0.
+//
+// The "endpoints change trigger" here means any Pod or Service change that resulted in the
+// Endpoints object change.
+//
+// Given the definition of the "endpoints change trigger", please note that this annotation will
+// be set ONLY for endpoints object changes triggered by either Pod or Service change. If the
+// Endpoints object changes due to other reasons, this annotation won't be set (or updated if it's
+// already set).
+//
+// This annotation will be used to compute the in-cluster network programming latency SLI, see
+// https://github.com/kubernetes/community/blob/master/sig-scalability/slos/network_programming_latency.md
+#EndpointsLastChangeTriggerTime: "endpoints.kubernetes.io/last-change-trigger-time"
+
+// EndpointsOverCapacity will be set on an Endpoints resource when it
+// exceeds the maximum capacity of 1000 addresses. Initially the Endpoints
+// controller will set this annotation with a value of "warning". In a
+// future release, the controller may set this annotation with a value of
+// "truncated" to indicate that any addresses exceeding the limit of 1000
+// have been truncated from the Endpoints resource.
+#EndpointsOverCapacity: "endpoints.kubernetes.io/over-capacity"
+
+// MigratedPluginsAnnotationKey is the annotation key, set for CSINode objects, that is a comma-separated
+// list of in-tree plugins that will be serviced by the CSI backend on the Node represented by CSINode.
+// This annotation is used by the Attach Detach Controller to determine whether to use the in-tree or
+// CSI Backend for a volume plugin on a specific node.
+#MigratedPluginsAnnotationKey: "storage.alpha.kubernetes.io/migrated-plugins"
+
+// PodDeletionCost can be used to set to an int32 that represent the cost of deleting
+// a pod compared to other pods belonging to the same ReplicaSet. Pods with lower
+// deletion cost are preferred to be deleted before pods with higher deletion cost.
+// Note that this is honored on a best-effort basis, and so it does not offer guarantees on
+// pod deletion order.
+// The implicit deletion cost for pods that don't set the annotation is 0, negative values are permitted.
+//
+// This annotation is beta-level and is only honored when PodDeletionCost feature is enabled.
+#PodDeletionCost: "controller.kubernetes.io/pod-deletion-cost"
+
+// DeprecatedAnnotationTopologyAwareHints can be used to enable or disable
+// Topology Aware Hints for a Service. This may be set to "Auto" or
+// "Disabled". Any other value is treated as "Disabled". This annotation has
+// been deprecated in favor of the "service.kubernetes.io/topology-mode"
+// annotation.
+#DeprecatedAnnotationTopologyAwareHints: "service.kubernetes.io/topology-aware-hints"
+
+// AnnotationTopologyMode can be used to enable or disable Topology Aware
+// Routing for a Service. Well known values are "Auto" and "Disabled".
+// Implementations may choose to develop new topology approaches, exposing
+// them with domain-prefixed values. For example, "example.com/lowest-rtt"
+// could be a valid implementation-specific value for this annotation. These
+// heuristics will often populate topology hints on EndpointSlices, but that
+// is not a requirement.
+#AnnotationTopologyMode: "service.kubernetes.io/topology-mode"

timoni/podinfo/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+// Package v1 is the v1 version of the core API.
+package v1

timoni/podinfo/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+#GroupName: ""

timoni/podinfo/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue

@@ -0,0 +1,59 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+#LabelHostname: "kubernetes.io/hostname"
+
+// Label value is the network location of kube-apiserver stored as <ip:port>
+// Stored in APIServer Identity lease objects to view what address is used for peer proxy
+#AnnotationPeerAdvertiseAddress: "kubernetes.io/peer-advertise-address"
+#LabelTopologyZone:              "topology.kubernetes.io/zone"
+#LabelTopologyRegion:            "topology.kubernetes.io/region"
+
+// These label have been deprecated since 1.17, but will be supported for
+// the foreseeable future, to accommodate things like long-lived PVs that
+// use them.  New users should prefer the "topology.kubernetes.io/*"
+// equivalents.
+#LabelFailureDomainBetaZone:   "failure-domain.beta.kubernetes.io/zone"
+#LabelFailureDomainBetaRegion: "failure-domain.beta.kubernetes.io/region"
+
+// Retained for compat when vendored.  Do not use these consts in new code.
+#LabelZoneFailureDomain:       "failure-domain.beta.kubernetes.io/zone"
+#LabelZoneRegion:              "failure-domain.beta.kubernetes.io/region"
+#LabelZoneFailureDomainStable: "topology.kubernetes.io/zone"
+#LabelZoneRegionStable:        "topology.kubernetes.io/region"
+#LabelInstanceType:            "beta.kubernetes.io/instance-type"
+#LabelInstanceTypeStable:      "node.kubernetes.io/instance-type"
+#LabelOSStable:                "kubernetes.io/os"
+#LabelArchStable:              "kubernetes.io/arch"
+
+// LabelWindowsBuild is used on Windows nodes to specify the Windows build number starting with v1.17.0.
+// It's in the format MajorVersion.MinorVersion.BuildNumber (for ex: 10.0.17763)
+#LabelWindowsBuild: "node.kubernetes.io/windows-build"
+
+// LabelNamespaceSuffixKubelet is an allowed label namespace suffix kubelets can self-set ([*.]kubelet.kubernetes.io/*)
+#LabelNamespaceSuffixKubelet: "kubelet.kubernetes.io"
+
+// LabelNamespaceSuffixNode is an allowed label namespace suffix kubelets can self-set ([*.]node.kubernetes.io/*)
+#LabelNamespaceSuffixNode: "node.kubernetes.io"
+
+// LabelNamespaceNodeRestriction is a forbidden label namespace that kubelets may not self-set when the NodeRestriction admission plugin is enabled
+#LabelNamespaceNodeRestriction: "node-restriction.kubernetes.io"
+
+// IsHeadlessService is added by Controller to an Endpoint denoting if its parent
+// Service is Headless. The existence of this label can be used further by other
+// controllers and kube-proxy to check if the Endpoint objects should be replicated when
+// using Headless Services
+#IsHeadlessService: "service.kubernetes.io/headless"
+
+// LabelNodeExcludeBalancers specifies that the node should not be considered as a target
+// for external load-balancers which use nodes as a second hop (e.g. many cloud LBs which only
+// understand nodes). For services that use externalTrafficPolicy=Local, this may mean that
+// any backends on excluded nodes are not reachable by those external load-balancers.
+// Implementations of this exclusion may vary based on provider.
+#LabelNodeExcludeBalancers: "node.kubernetes.io/exclude-from-external-load-balancers"
+
+// LabelMetadataName is the label name which, in-tree, is used to automatically label namespaces, so they can be selected easily by tools which require definitive labels
+#LabelMetadataName: "kubernetes.io/metadata.name"

timoni/podinfo/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue

@@ -0,0 +1,38 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+// TaintNodeNotReady will be added when node is not ready
+// and removed when node becomes ready.
+#TaintNodeNotReady: "node.kubernetes.io/not-ready"
+
+// TaintNodeUnreachable will be added when node becomes unreachable
+// (corresponding to NodeReady status ConditionUnknown)
+// and removed when node becomes reachable (NodeReady status ConditionTrue).
+#TaintNodeUnreachable: "node.kubernetes.io/unreachable"
+
+// TaintNodeUnschedulable will be added when node becomes unschedulable
+// and removed when node becomes schedulable.
+#TaintNodeUnschedulable: "node.kubernetes.io/unschedulable"
+
+// TaintNodeMemoryPressure will be added when node has memory pressure
+// and removed when node has enough memory.
+#TaintNodeMemoryPressure: "node.kubernetes.io/memory-pressure"
+
+// TaintNodeDiskPressure will be added when node has disk pressure
+// and removed when node has enough disk.
+#TaintNodeDiskPressure: "node.kubernetes.io/disk-pressure"
+
+// TaintNodeNetworkUnavailable will be added when node's network is unavailable
+// and removed when network becomes ready.
+#TaintNodeNetworkUnavailable: "node.kubernetes.io/network-unavailable"
+
+// TaintNodePIDPressure will be added when node has pid pressure
+// and removed when node has enough pid.
+#TaintNodePIDPressure: "node.kubernetes.io/pid-pressure"
+
+// TaintNodeOutOfService can be added when node is out of service in case of
+// a non-graceful shutdown
+#TaintNodeOutOfService: "node.kubernetes.io/out-of-service"

timoni/podinfo/cue.mod/gen/k8s.io/api/discovery/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/discovery/v1
+
+package v1
+
+#GroupName: "discovery.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/discovery/v1/types_go_gen.cue

@@ -0,0 +1,206 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/discovery/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/api/core/v1"
+)
+
+// EndpointSlice represents a subset of the endpoints that implement a service.
+// For a given service there may be multiple EndpointSlice objects, selected by
+// labels, which must be joined to produce the full set of endpoints.
+#EndpointSlice: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// addressType specifies the type of address carried by this EndpointSlice.
+	// All addresses in this slice must be the same type. This field is
+	// immutable after creation. The following address types are currently
+	// supported:
+	// * IPv4: Represents an IPv4 Address.
+	// * IPv6: Represents an IPv6 Address.
+	// * FQDN: Represents a Fully Qualified Domain Name.
+	addressType: #AddressType @go(AddressType) @protobuf(4,bytes,rep)
+
+	// endpoints is a list of unique endpoints in this slice. Each slice may
+	// include a maximum of 1000 endpoints.
+	// +listType=atomic
+	endpoints: [...#Endpoint] @go(Endpoints,[]Endpoint) @protobuf(2,bytes,rep)
+
+	// ports specifies the list of network ports exposed by each endpoint in
+	// this slice. Each port must have a unique name. When ports is empty, it
+	// indicates that there are no defined ports. When a port is defined with a
+	// nil port value, it indicates "all ports". Each slice may include a
+	// maximum of 100 ports.
+	// +optional
+	// +listType=atomic
+	ports: [...#EndpointPort] @go(Ports,[]EndpointPort) @protobuf(3,bytes,rep)
+}
+
+// AddressType represents the type of address referred to by an endpoint.
+// +enum
+#AddressType: string // #enumAddressType
+
+#enumAddressType:
+	#AddressTypeIPv4 |
+	#AddressTypeIPv6 |
+	#AddressTypeFQDN
+
+// AddressTypeIPv4 represents an IPv4 Address.
+#AddressTypeIPv4: #AddressType & "IPv4"
+
+// AddressTypeIPv6 represents an IPv6 Address.
+#AddressTypeIPv6: #AddressType & "IPv6"
+
+// AddressTypeFQDN represents a FQDN.
+#AddressTypeFQDN: #AddressType & "FQDN"
+
+// Endpoint represents a single logical "backend" implementing a service.
+#Endpoint: {
+	// addresses of this endpoint. The contents of this field are interpreted
+	// according to the corresponding EndpointSlice addressType field. Consumers
+	// must handle different types of addresses in the context of their own
+	// capabilities. This must contain at least one address but no more than
+	// 100. These are all assumed to be fungible and clients may choose to only
+	// use the first element. Refer to: https://issue.k8s.io/106267
+	// +listType=set
+	addresses: [...string] @go(Addresses,[]string) @protobuf(1,bytes,rep)
+
+	// conditions contains information about the current status of the endpoint.
+	conditions?: #EndpointConditions @go(Conditions) @protobuf(2,bytes,opt)
+
+	// hostname of this endpoint. This field may be used by consumers of
+	// endpoints to distinguish endpoints from each other (e.g. in DNS names).
+	// Multiple endpoints which use the same hostname should be considered
+	// fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS
+	// Label (RFC 1123) validation.
+	// +optional
+	hostname?: null | string @go(Hostname,*string) @protobuf(3,bytes,opt)
+
+	// targetRef is a reference to a Kubernetes object that represents this
+	// endpoint.
+	// +optional
+	targetRef?: null | v1.#ObjectReference @go(TargetRef,*v1.ObjectReference) @protobuf(4,bytes,opt)
+
+	// deprecatedTopology contains topology information part of the v1beta1
+	// API. This field is deprecated, and will be removed when the v1beta1
+	// API is removed (no sooner than kubernetes v1.24).  While this field can
+	// hold values, it is not writable through the v1 API, and any attempts to
+	// write to it will be silently ignored. Topology information can be found
+	// in the zone and nodeName fields instead.
+	// +optional
+	deprecatedTopology?: {[string]: string} @go(DeprecatedTopology,map[string]string) @protobuf(5,bytes,opt)
+
+	// nodeName represents the name of the Node hosting this endpoint. This can
+	// be used to determine endpoints local to a Node.
+	// +optional
+	nodeName?: null | string @go(NodeName,*string) @protobuf(6,bytes,opt)
+
+	// zone is the name of the Zone this endpoint exists in.
+	// +optional
+	zone?: null | string @go(Zone,*string) @protobuf(7,bytes,opt)
+
+	// hints contains information associated with how an endpoint should be
+	// consumed.
+	// +optional
+	hints?: null | #EndpointHints @go(Hints,*EndpointHints) @protobuf(8,bytes,opt)
+}
+
+// EndpointConditions represents the current condition of an endpoint.
+#EndpointConditions: {
+	// ready indicates that this endpoint is prepared to receive traffic,
+	// according to whatever system is managing the endpoint. A nil value
+	// indicates an unknown state. In most cases consumers should interpret this
+	// unknown state as ready. For compatibility reasons, ready should never be
+	// "true" for terminating endpoints, except when the normal readiness
+	// behavior is being explicitly overridden, for example when the associated
+	// Service has set the publishNotReadyAddresses flag.
+	// +optional
+	ready?: null | bool @go(Ready,*bool) @protobuf(1,bytes)
+
+	// serving is identical to ready except that it is set regardless of the
+	// terminating state of endpoints. This condition should be set to true for
+	// a ready endpoint that is terminating. If nil, consumers should defer to
+	// the ready condition.
+	// +optional
+	serving?: null | bool @go(Serving,*bool) @protobuf(2,bytes)
+
+	// terminating indicates that this endpoint is terminating. A nil value
+	// indicates an unknown state. Consumers should interpret this unknown state
+	// to mean that the endpoint is not terminating.
+	// +optional
+	terminating?: null | bool @go(Terminating,*bool) @protobuf(3,bytes)
+}
+
+// EndpointHints provides hints describing how an endpoint should be consumed.
+#EndpointHints: {
+	// forZones indicates the zone(s) this endpoint should be consumed by to
+	// enable topology aware routing.
+	// +listType=atomic
+	forZones?: [...#ForZone] @go(ForZones,[]ForZone) @protobuf(1,bytes)
+}
+
+// ForZone provides information about which zones should consume this endpoint.
+#ForZone: {
+	// name represents the name of the zone.
+	name: string @go(Name) @protobuf(1,bytes)
+}
+
+// EndpointPort represents a Port used by an EndpointSlice
+// +structType=atomic
+#EndpointPort: {
+	// name represents the name of this port. All ports in an EndpointSlice must have a unique name.
+	// If the EndpointSlice is dervied from a Kubernetes service, this corresponds to the Service.ports[].name.
+	// Name must either be an empty string or pass DNS_LABEL validation:
+	// * must be no more than 63 characters long.
+	// * must consist of lower case alphanumeric characters or '-'.
+	// * must start and end with an alphanumeric character.
+	// Default is empty string.
+	name?: null | string @go(Name,*string) @protobuf(1,bytes)
+
+	// protocol represents the IP protocol for this port.
+	// Must be UDP, TCP, or SCTP.
+	// Default is TCP.
+	protocol?: null | v1.#Protocol @go(Protocol,*v1.Protocol) @protobuf(2,bytes)
+
+	// port represents the port number of the endpoint.
+	// If this is not specified, ports are not restricted and must be
+	// interpreted in the context of the specific consumer.
+	port?: null | int32 @go(Port,*int32) @protobuf(3,bytes,opt)
+
+	// The application protocol for this port.
+	// This is used as a hint for implementations to offer richer behavior for protocols that they understand.
+	// This field follows standard Kubernetes label syntax.
+	// Valid values are either:
+	//
+	// * Un-prefixed protocol names - reserved for IANA standard service names (as per
+	// RFC-6335 and https://www.iana.org/assignments/service-names).
+	//
+	// * Kubernetes-defined prefixed names:
+	//   * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540
+	//   * 'kubernetes.io/ws'  - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455
+	//   * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455
+	//
+	// * Other protocols should use implementation-defined prefixed names such as
+	// mycompany.com/my-custom-protocol.
+	// +optional
+	appProtocol?: null | string @go(AppProtocol,*string) @protobuf(4,bytes)
+}
+
+// EndpointSliceList represents a list of endpoint slices
+#EndpointSliceList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of endpoint slices
+	items: [...#EndpointSlice] @go(Items,[]EndpointSlice) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/discovery/v1/well_known_labels_go_gen.cue

@@ -0,0 +1,20 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/discovery/v1
+
+package v1
+
+// LabelServiceName is used to indicate the name of a Kubernetes service.
+#LabelServiceName: "kubernetes.io/service-name"
+
+// LabelManagedBy is used to indicate the controller or entity that manages
+// an EndpointSlice. This label aims to enable different EndpointSlice
+// objects to be managed by different controllers or entities within the
+// same cluster. It is highly recommended to configure this label for all
+// EndpointSlices.
+#LabelManagedBy: "endpointslice.kubernetes.io/managed-by"
+
+// LabelSkipMirror can be set to true on an Endpoints resource to indicate
+// that the EndpointSliceMirroring controller should not mirror this
+// resource with EndpointSlices.
+#LabelSkipMirror: "endpointslice.kubernetes.io/skip-mirror"

timoni/podinfo/cue.mod/gen/k8s.io/api/events/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/events/v1
+
+package v1
+
+#GroupName: "events.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/events/v1/types_go_gen.cue

@@ -0,0 +1,111 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/events/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+// Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system.
+// Events have a limited retention time and triggers and messages may evolve
+// with time.  Event consumers should not rely on the timing of an event
+// with a given Reason reflecting a consistent underlying trigger, or the
+// continued existence of events with that Reason.  Events should be
+// treated as informative, best-effort, supplemental data.
+#Event: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// eventTime is the time when this Event was first observed. It is required.
+	eventTime: metav1.#MicroTime @go(EventTime) @protobuf(2,bytes,opt)
+
+	// series is data about the Event series this event represents or nil if it's a singleton Event.
+	// +optional
+	series?: null | #EventSeries @go(Series,*EventSeries) @protobuf(3,bytes,opt)
+
+	// reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`.
+	// This field cannot be empty for new Events.
+	reportingController?: string @go(ReportingController) @protobuf(4,bytes,opt)
+
+	// reportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`.
+	// This field cannot be empty for new Events and it can have at most 128 characters.
+	reportingInstance?: string @go(ReportingInstance) @protobuf(5,bytes,opt)
+
+	// action is what action was taken/failed regarding to the regarding object. It is machine-readable.
+	// This field cannot be empty for new Events and it can have at most 128 characters.
+	action?: string @go(Action) @protobuf(6,bytes)
+
+	// reason is why the action was taken. It is human-readable.
+	// This field cannot be empty for new Events and it can have at most 128 characters.
+	reason?: string @go(Reason) @protobuf(7,bytes)
+
+	// regarding contains the object this Event is about. In most cases it's an Object reporting controller
+	// implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because
+	// it acts on some changes in a ReplicaSet object.
+	// +optional
+	regarding?: corev1.#ObjectReference @go(Regarding) @protobuf(8,bytes,opt)
+
+	// related is the optional secondary object for more complex actions. E.g. when regarding object triggers
+	// a creation or deletion of related object.
+	// +optional
+	related?: null | corev1.#ObjectReference @go(Related,*corev1.ObjectReference) @protobuf(9,bytes,opt)
+
+	// note is a human-readable description of the status of this operation.
+	// Maximal length of the note is 1kB, but libraries should be prepared to
+	// handle values up to 64kB.
+	// +optional
+	note?: string @go(Note) @protobuf(10,bytes,opt)
+
+	// type is the type of this event (Normal, Warning), new types could be added in the future.
+	// It is machine-readable.
+	// This field cannot be empty for new Events.
+	type?: string @go(Type) @protobuf(11,bytes,opt)
+
+	// deprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type.
+	// +optional
+	deprecatedSource?: corev1.#EventSource @go(DeprecatedSource) @protobuf(12,bytes,opt)
+
+	// deprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
+	// +optional
+	deprecatedFirstTimestamp?: metav1.#Time @go(DeprecatedFirstTimestamp) @protobuf(13,bytes,opt)
+
+	// deprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.
+	// +optional
+	deprecatedLastTimestamp?: metav1.#Time @go(DeprecatedLastTimestamp) @protobuf(14,bytes,opt)
+
+	// deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type.
+	// +optional
+	deprecatedCount?: int32 @go(DeprecatedCount) @protobuf(15,varint,opt)
+}
+
+// EventSeries contain information on series of events, i.e. thing that was/is happening
+// continuously for some time. How often to update the EventSeries is up to the event reporters.
+// The default event reporter in "k8s.io/client-go/tools/events/event_broadcaster.go" shows
+// how this struct is updated on heartbeats and can guide customized reporter implementations.
+#EventSeries: {
+	// count is the number of occurrences in this series up to the last heartbeat time.
+	count: int32 @go(Count) @protobuf(1,varint,opt)
+
+	// lastObservedTime is the time when last Event from the series was seen before last heartbeat.
+	lastObservedTime: metav1.#MicroTime @go(LastObservedTime) @protobuf(2,bytes,opt)
+}
+
+// EventList is a list of Event objects.
+#EventList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is a list of schema objects.
+	items: [...#Event] @go(Items,[]Event) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/networking/v1
+
+package v1
+
+#GroupName: "networking.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue

@@ -0,0 +1,588 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/networking/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// NetworkPolicy describes what network traffic is allowed for a set of Pods
+#NetworkPolicy: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec represents the specification of the desired behavior for this NetworkPolicy.
+	// +optional
+	spec?: #NetworkPolicySpec @go(Spec) @protobuf(2,bytes,opt)
+}
+
+// PolicyType string describes the NetworkPolicy type
+// This type is beta-level in 1.8
+// +enum
+#PolicyType: string // #enumPolicyType
+
+#enumPolicyType:
+	#PolicyTypeIngress |
+	#PolicyTypeEgress
+
+// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods
+#PolicyTypeIngress: #PolicyType & "Ingress"
+
+// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods
+#PolicyTypeEgress: #PolicyType & "Egress"
+
+// NetworkPolicySpec provides the specification of a NetworkPolicy
+#NetworkPolicySpec: {
+	// podSelector selects the pods to which this NetworkPolicy object applies.
+	// The array of ingress rules is applied to any pods selected by this field.
+	// Multiple network policies can select the same set of pods. In this case,
+	// the ingress rules for each are combined additively.
+	// This field is NOT optional and follows standard label selector semantics.
+	// An empty podSelector matches all pods in this namespace.
+	podSelector: metav1.#LabelSelector @go(PodSelector) @protobuf(1,bytes,opt)
+
+	// ingress is a list of ingress rules to be applied to the selected pods.
+	// Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod
+	// (and cluster policy otherwise allows the traffic), OR if the traffic source is
+	// the pod's local node, OR if the traffic matches at least one ingress rule
+	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy does not allow any traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default)
+	// +optional
+	ingress?: [...#NetworkPolicyIngressRule] @go(Ingress,[]NetworkPolicyIngressRule) @protobuf(2,bytes,rep)
+
+	// egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
+	// is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
+	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default).
+	// This field is beta-level in 1.8
+	// +optional
+	egress?: [...#NetworkPolicyEgressRule] @go(Egress,[]NetworkPolicyEgressRule) @protobuf(3,bytes,rep)
+
+	// policyTypes is a list of rule types that the NetworkPolicy relates to.
+	// Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"].
+	// If this field is not specified, it will default based on the existence of ingress or egress rules;
+	// policies that contain an egress section are assumed to affect egress, and all policies
+	// (whether or not they contain an ingress section) are assumed to affect ingress.
+	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
+	// Likewise, if you want to write a policy that specifies that no egress is allowed,
+	// you must specify a policyTypes value that include "Egress" (since such a policy would not include
+	// an egress section and would otherwise default to just [ "Ingress" ]).
+	// This field is beta-level in 1.8
+	// +optional
+	policyTypes?: [...#PolicyType] @go(PolicyTypes,[]PolicyType) @protobuf(4,bytes,rep,casttype=PolicyType)
+}
+
+// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+#NetworkPolicyIngressRule: {
+	// ports is a list of ports which should be made accessible on the pods selected for
+	// this rule. Each item in this list is combined using a logical OR. If this field is
+	// empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows
+	// traffic only if the traffic matches at least one port in the list.
+	// +optional
+	ports?: [...#NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep)
+
+	// from is a list of sources which should be able to access the pods selected for this rule.
+	// Items in this list are combined using a logical OR operation. If this field is
+	// empty or missing, this rule matches all sources (traffic not restricted by
+	// source). If this field is present and contains at least one item, this rule
+	// allows traffic only if the traffic matches at least one item in the from list.
+	// +optional
+	from?: [...#NetworkPolicyPeer] @go(From,[]NetworkPolicyPeer) @protobuf(2,bytes,rep)
+}
+
+// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+// This type is beta-level in 1.8
+#NetworkPolicyEgressRule: {
+	// ports is a list of destination ports for outgoing traffic.
+	// Each item in this list is combined using a logical OR. If this field is
+	// empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows
+	// traffic only if the traffic matches at least one port in the list.
+	// +optional
+	ports?: [...#NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep)
+
+	// to is a list of destinations for outgoing traffic of pods selected for this rule.
+	// Items in this list are combined using a logical OR operation. If this field is
+	// empty or missing, this rule matches all destinations (traffic not restricted by
+	// destination). If this field is present and contains at least one item, this rule
+	// allows traffic only if the traffic matches at least one item in the to list.
+	// +optional
+	to?: [...#NetworkPolicyPeer] @go(To,[]NetworkPolicyPeer) @protobuf(2,bytes,rep)
+}
+
+// NetworkPolicyPort describes a port to allow traffic on
+#NetworkPolicyPort: {
+	// protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+	// If not specified, this field defaults to TCP.
+	// +optional
+	protocol?: null | v1.#Protocol @go(Protocol,*v1.Protocol) @protobuf(1,bytes,opt,casttype=k8s.io/api/core/v1.Protocol)
+
+	// port represents the port on the given protocol. This can either be a numerical or named
+	// port on a pod. If this field is not provided, this matches all port names and
+	// numbers.
+	// If present, only traffic on the specified protocol AND port will be matched.
+	// +optional
+	port?: null | intstr.#IntOrString @go(Port,*intstr.IntOrString) @protobuf(2,bytes,opt)
+
+	// endPort indicates that the range of ports from port to endPort if set, inclusive,
+	// should be allowed by the policy. This field cannot be defined if the port field
+	// is not defined or if the port field is defined as a named (string) port.
+	// The endPort must be equal or greater than port.
+	// +optional
+	endPort?: null | int32 @go(EndPort,*int32) @protobuf(3,bytes,opt)
+}
+
+// IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed
+// to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
+// that should not be included within this rule.
+#IPBlock: {
+	// cidr is a string representing the IPBlock
+	// Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+	cidr: string @go(CIDR) @protobuf(1,bytes)
+
+	// except is a slice of CIDRs that should not be included within an IPBlock
+	// Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+	// Except values will be rejected if they are outside the cidr range
+	// +optional
+	except?: [...string] @go(Except,[]string) @protobuf(2,bytes,rep)
+}
+
+// NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+// fields are allowed
+#NetworkPolicyPeer: {
+	// podSelector is a label selector which selects pods. This field follows standard label
+	// selector semantics; if present but empty, it selects all pods.
+	//
+	// If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+	// the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+	// Otherwise it selects the pods matching podSelector in the policy's own namespace.
+	// +optional
+	podSelector?: null | metav1.#LabelSelector @go(PodSelector,*metav1.LabelSelector) @protobuf(1,bytes,opt)
+
+	// namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+	// standard label selector semantics; if present but empty, it selects all namespaces.
+	//
+	// If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+	// the pods matching podSelector in the namespaces selected by namespaceSelector.
+	// Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+	// +optional
+	namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// ipBlock defines policy on a particular IPBlock. If this field is set then
+	// neither of the other fields can be.
+	// +optional
+	ipBlock?: null | #IPBlock @go(IPBlock,*IPBlock) @protobuf(3,bytes,rep)
+}
+
+// NetworkPolicyList is a list of NetworkPolicy objects.
+#NetworkPolicyList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is a list of schema objects.
+	items: [...#NetworkPolicy] @go(Items,[]NetworkPolicy) @protobuf(2,bytes,rep)
+}
+
+// Ingress is a collection of rules that allow inbound connections to reach the
+// endpoints defined by a backend. An Ingress can be configured to give services
+// externally-reachable urls, load balance traffic, terminate SSL, offer name
+// based virtual hosting etc.
+#Ingress: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec is the desired state of the Ingress.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #IngressSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status is the current state of the Ingress.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #IngressStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// IngressList is a collection of Ingress.
+#IngressList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of Ingress.
+	items: [...#Ingress] @go(Items,[]Ingress) @protobuf(2,bytes,rep)
+}
+
+// IngressSpec describes the Ingress the user wishes to exist.
+#IngressSpec: {
+	// ingressClassName is the name of an IngressClass cluster resource. Ingress
+	// controller implementations use this field to know whether they should be
+	// serving this Ingress resource, by a transitive connection
+	// (controller -> IngressClass -> Ingress resource). Although the
+	// `kubernetes.io/ingress.class` annotation (simple constant name) was never
+	// formally defined, it was widely supported by Ingress controllers to create
+	// a direct binding between Ingress controller and Ingress resources. Newly
+	// created Ingress resources should prefer using the field. However, even
+	// though the annotation is officially deprecated, for backwards compatibility
+	// reasons, ingress controllers should still honor that annotation if present.
+	// +optional
+	ingressClassName?: null | string @go(IngressClassName,*string) @protobuf(4,bytes,opt)
+
+	// defaultBackend is the backend that should handle requests that don't
+	// match any rule. If Rules are not specified, DefaultBackend must be specified.
+	// If DefaultBackend is not set, the handling of requests that do not match any
+	// of the rules will be up to the Ingress controller.
+	// +optional
+	defaultBackend?: null | #IngressBackend @go(DefaultBackend,*IngressBackend) @protobuf(1,bytes,opt)
+
+	// tls represents the TLS configuration. Currently the Ingress only supports a
+	// single TLS port, 443. If multiple members of this list specify different hosts,
+	// they will be multiplexed on the same port according to the hostname specified
+	// through the SNI TLS extension, if the ingress controller fulfilling the
+	// ingress supports SNI.
+	// +listType=atomic
+	// +optional
+	tls?: [...#IngressTLS] @go(TLS,[]IngressTLS) @protobuf(2,bytes,rep)
+
+	// rules is a list of host rules used to configure the Ingress. If unspecified,
+	// or no rule matches, all traffic is sent to the default backend.
+	// +listType=atomic
+	// +optional
+	rules?: [...#IngressRule] @go(Rules,[]IngressRule) @protobuf(3,bytes,rep)
+}
+
+// IngressTLS describes the transport layer security associated with an ingress.
+#IngressTLS: {
+	// hosts is a list of hosts included in the TLS certificate. The values in
+	// this list must match the name/s used in the tlsSecret. Defaults to the
+	// wildcard host setting for the loadbalancer controller fulfilling this
+	// Ingress, if left unspecified.
+	// +listType=atomic
+	// +optional
+	hosts?: [...string] @go(Hosts,[]string) @protobuf(1,bytes,rep)
+
+	// secretName is the name of the secret used to terminate TLS traffic on
+	// port 443. Field is left optional to allow TLS routing based on SNI
+	// hostname alone. If the SNI host in a listener conflicts with the "Host"
+	// header field used by an IngressRule, the SNI host is used for termination
+	// and value of the "Host" header is used for routing.
+	// +optional
+	secretName?: string @go(SecretName) @protobuf(2,bytes,opt)
+}
+
+// IngressStatus describe the current state of the Ingress.
+#IngressStatus: {
+	// loadBalancer contains the current status of the load-balancer.
+	// +optional
+	loadBalancer?: #IngressLoadBalancerStatus @go(LoadBalancer) @protobuf(1,bytes,opt)
+}
+
+// IngressLoadBalancerStatus represents the status of a load-balancer.
+#IngressLoadBalancerStatus: {
+	// ingress is a list containing ingress points for the load-balancer.
+	// +optional
+	ingress?: [...#IngressLoadBalancerIngress] @go(Ingress,[]IngressLoadBalancerIngress) @protobuf(1,bytes,rep)
+}
+
+// IngressLoadBalancerIngress represents the status of a load-balancer ingress point.
+#IngressLoadBalancerIngress: {
+	// ip is set for load-balancer ingress points that are IP based.
+	// +optional
+	ip?: string @go(IP) @protobuf(1,bytes,opt)
+
+	// hostname is set for load-balancer ingress points that are DNS based.
+	// +optional
+	hostname?: string @go(Hostname) @protobuf(2,bytes,opt)
+
+	// ports provides information about the ports exposed by this LoadBalancer.
+	// +listType=atomic
+	// +optional
+	ports?: [...#IngressPortStatus] @go(Ports,[]IngressPortStatus) @protobuf(4,bytes,rep)
+}
+
+// IngressPortStatus represents the error condition of a service port
+#IngressPortStatus: {
+	// port is the port number of the ingress port.
+	port: int32 @go(Port) @protobuf(1,varint,opt)
+
+	// protocol is the protocol of the ingress port.
+	// The supported values are: "TCP", "UDP", "SCTP"
+	protocol: v1.#Protocol @go(Protocol) @protobuf(2,bytes,opt,casttype=Protocol)
+
+	// error is to record the problem with the service port
+	// The format of the error shall comply with the following rules:
+	// - built-in error values shall be specified in this file and those shall use
+	//   CamelCase names
+	// - cloud provider specific error values must have names that comply with the
+	//   format foo.example.com/CamelCase.
+	// ---
+	// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+	// +optional
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
+	// +kubebuilder:validation:MaxLength=316
+	error?: null | string @go(Error,*string) @protobuf(3,bytes,opt)
+}
+
+// IngressRule represents the rules mapping the paths under a specified host to
+// the related backend services. Incoming requests are first evaluated for a host
+// match, then routed to the backend associated with the matching IngressRuleValue.
+#IngressRule: {
+	// host is the fully qualified domain name of a network host, as defined by RFC 3986.
+	// Note the following deviations from the "host" part of the
+	// URI as defined in RFC 3986:
+	// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
+	//    the IP in the Spec of the parent Ingress.
+	// 2. The `:` delimiter is not respected because ports are not allowed.
+	//	  Currently the port of an Ingress is implicitly :80 for http and
+	//	  :443 for https.
+	// Both these may change in the future.
+	// Incoming requests are matched against the host before the
+	// IngressRuleValue. If the host is unspecified, the Ingress routes all
+	// traffic based on the specified IngressRuleValue.
+	//
+	// host can be "precise" which is a domain name without the terminating dot of
+	// a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
+	// prefixed with a single wildcard label (e.g. "*.foo.com").
+	// The wildcard character '*' must appear by itself as the first DNS label and
+	// matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
+	// Requests will be matched against the Host field in the following way:
+	// 1. If host is precise, the request matches this rule if the http host header is equal to Host.
+	// 2. If host is a wildcard, then the request matches this rule if the http host header
+	// is to equal to the suffix (removing the first label) of the wildcard rule.
+	// +optional
+	host?: string @go(Host) @protobuf(1,bytes,opt)
+
+	#IngressRuleValue
+}
+
+// IngressRuleValue represents a rule to apply against incoming requests. If the
+// rule is satisfied, the request is routed to the specified backend. Currently
+// mixing different types of rules in a single Ingress is disallowed, so exactly
+// one of the following must be set.
+#IngressRuleValue: {
+	// +optional
+	http?: null | #HTTPIngressRuleValue @go(HTTP,*HTTPIngressRuleValue) @protobuf(1,bytes,opt)
+}
+
+// HTTPIngressRuleValue is a list of http selectors pointing to backends.
+// In the example: http://<host>/<path>?<searchpart> -> backend where
+// where parts of the url correspond to RFC 3986, this resource will be used
+// to match against everything after the last '/' and before the first '?'
+// or '#'.
+#HTTPIngressRuleValue: {
+	// paths is a collection of paths that map requests to backends.
+	// +listType=atomic
+	paths: [...#HTTPIngressPath] @go(Paths,[]HTTPIngressPath) @protobuf(1,bytes,rep)
+}
+
+// PathType represents the type of path referred to by a HTTPIngressPath.
+// +enum
+#PathType: string // #enumPathType
+
+#enumPathType:
+	#PathTypeExact |
+	#PathTypePrefix |
+	#PathTypeImplementationSpecific
+
+// PathTypeExact matches the URL path exactly and with case sensitivity.
+#PathTypeExact: #PathType & "Exact"
+
+// PathTypePrefix matches based on a URL path prefix split by '/'. Matching
+// is case sensitive and done on a path element by element basis. A path
+// element refers to the list of labels in the path split by the '/'
+// separator. A request is a match for path p if every p is an element-wise
+// prefix of p of the request path. Note that if the last element of the
+// path is a substring of the last element in request path, it is not a
+// match (e.g. /foo/bar matches /foo/bar/baz, but does not match
+// /foo/barbaz). If multiple matching paths exist in an Ingress spec, the
+// longest matching path is given priority.
+// Examples:
+// - /foo/bar does not match requests to /foo/barbaz
+// - /foo/bar matches request to /foo/bar and /foo/bar/baz
+// - /foo and /foo/ both match requests to /foo and /foo/. If both paths are
+//   present in an Ingress spec, the longest matching path (/foo/) is given
+//   priority.
+#PathTypePrefix: #PathType & "Prefix"
+
+// PathTypeImplementationSpecific matching is up to the IngressClass.
+// Implementations can treat this as a separate PathType or treat it
+// identically to Prefix or Exact path types.
+#PathTypeImplementationSpecific: #PathType & "ImplementationSpecific"
+
+// HTTPIngressPath associates a path with a backend. Incoming urls matching the
+// path are forwarded to the backend.
+#HTTPIngressPath: {
+	// path is matched against the path of an incoming request. Currently it can
+	// contain characters disallowed from the conventional "path" part of a URL
+	// as defined by RFC 3986. Paths must begin with a '/' and must be present
+	// when using PathType with value "Exact" or "Prefix".
+	// +optional
+	path?: string @go(Path) @protobuf(1,bytes,opt)
+
+	// pathType determines the interpretation of the path matching. PathType can
+	// be one of the following values:
+	// * Exact: Matches the URL path exactly.
+	// * Prefix: Matches based on a URL path prefix split by '/'. Matching is
+	//   done on a path element by element basis. A path element refers is the
+	//   list of labels in the path split by the '/' separator. A request is a
+	//   match for path p if every p is an element-wise prefix of p of the
+	//   request path. Note that if the last element of the path is a substring
+	//   of the last element in request path, it is not a match (e.g. /foo/bar
+	//   matches /foo/bar/baz, but does not match /foo/barbaz).
+	// * ImplementationSpecific: Interpretation of the Path matching is up to
+	//   the IngressClass. Implementations can treat this as a separate PathType
+	//   or treat it identically to Prefix or Exact path types.
+	// Implementations are required to support all path types.
+	pathType?: null | #PathType @go(PathType,*PathType) @protobuf(3,bytes,opt)
+
+	// backend defines the referenced service endpoint to which the traffic
+	// will be forwarded to.
+	backend: #IngressBackend @go(Backend) @protobuf(2,bytes,opt)
+}
+
+// IngressBackend describes all endpoints for a given service and port.
+#IngressBackend: {
+	// service references a service as a backend.
+	// This is a mutually exclusive setting with "Resource".
+	// +optional
+	service?: null | #IngressServiceBackend @go(Service,*IngressServiceBackend) @protobuf(4,bytes,opt)
+
+	// resource is an ObjectRef to another Kubernetes resource in the namespace
+	// of the Ingress object. If resource is specified, a service.Name and
+	// service.Port must not be specified.
+	// This is a mutually exclusive setting with "Service".
+	// +optional
+	resource?: null | v1.#TypedLocalObjectReference @go(Resource,*v1.TypedLocalObjectReference) @protobuf(3,bytes,opt)
+}
+
+// IngressServiceBackend references a Kubernetes Service as a Backend.
+#IngressServiceBackend: {
+	// name is the referenced service. The service must exist in
+	// the same namespace as the Ingress object.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// port of the referenced service. A port name or port number
+	// is required for a IngressServiceBackend.
+	port?: #ServiceBackendPort @go(Port) @protobuf(2,bytes,opt)
+}
+
+// ServiceBackendPort is the service port being referenced.
+#ServiceBackendPort: {
+	// name is the name of the port on the Service.
+	// This is a mutually exclusive setting with "Number".
+	// +optional
+	name?: string @go(Name) @protobuf(1,bytes,opt)
+
+	// number is the numerical port number (e.g. 80) on the Service.
+	// This is a mutually exclusive setting with "Name".
+	// +optional
+	number?: int32 @go(Number) @protobuf(2,bytes,opt)
+}
+
+// IngressClass represents the class of the Ingress, referenced by the Ingress
+// Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be
+// used to indicate that an IngressClass should be considered default. When a
+// single IngressClass resource has this annotation set to true, new Ingress
+// resources without a class specified will be assigned this default class.
+#IngressClass: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec is the desired state of the IngressClass.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #IngressClassSpec @go(Spec) @protobuf(2,bytes,opt)
+}
+
+// IngressClassSpec provides information about the class of an Ingress.
+#IngressClassSpec: {
+	// controller refers to the name of the controller that should handle this
+	// class. This allows for different "flavors" that are controlled by the
+	// same controller. For example, you may have different parameters for the
+	// same implementing controller. This should be specified as a
+	// domain-prefixed path no more than 250 characters in length, e.g.
+	// "acme.io/ingress-controller". This field is immutable.
+	controller?: string @go(Controller) @protobuf(1,bytes,opt)
+
+	// parameters is a link to a custom resource containing additional
+	// configuration for the controller. This is optional if the controller does
+	// not require extra parameters.
+	// +optional
+	parameters?: null | #IngressClassParametersReference @go(Parameters,*IngressClassParametersReference) @protobuf(2,bytes,opt)
+}
+
+// IngressClassParametersReferenceScopeNamespace indicates that the
+// referenced Parameters resource is namespace-scoped.
+#IngressClassParametersReferenceScopeNamespace: "Namespace"
+
+// IngressClassParametersReferenceScopeCluster indicates that the
+// referenced Parameters resource is cluster-scoped.
+#IngressClassParametersReferenceScopeCluster: "Cluster"
+
+// IngressClassParametersReference identifies an API object. This can be used
+// to specify a cluster or namespace-scoped resource.
+#IngressClassParametersReference: {
+	// apiGroup is the group for the resource being referenced. If APIGroup is
+	// not specified, the specified Kind must be in the core API group. For any
+	// other third-party types, APIGroup is required.
+	// +optional
+	apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt,name=aPIGroup)
+
+	// kind is the type of resource being referenced.
+	kind: string @go(Kind) @protobuf(2,bytes,opt)
+
+	// name is the name of resource being referenced.
+	name: string @go(Name) @protobuf(3,bytes,opt)
+
+	// scope represents if this refers to a cluster or namespace scoped resource.
+	// This may be set to "Cluster" (default) or "Namespace".
+	// +optional
+	scope?: null | string @go(Scope,*string) @protobuf(4,bytes,opt)
+
+	// namespace is the namespace of the resource being referenced. This field is
+	// required when scope is set to "Namespace" and must be unset when scope is set to
+	// "Cluster".
+	// +optional
+	namespace?: null | string @go(Namespace,*string) @protobuf(5,bytes,opt)
+}
+
+// IngressClassList is a collection of IngressClasses.
+#IngressClassList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of IngressClasses.
+	items: [...#IngressClass] @go(Items,[]IngressClass) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue

@@ -0,0 +1,11 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/networking/v1
+
+package v1
+
+// AnnotationIsDefaultIngressClass can be used to indicate that an
+// IngressClass should be considered default. When a single IngressClass
+// resource has this annotation set to true, new Ingress resources without a
+// class specified will be assigned this default class.
+#AnnotationIsDefaultIngressClass: "ingressclass.kubernetes.io/is-default-class"

timoni/podinfo/cue.mod/gen/k8s.io/api/node/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/node/v1
+
+package v1
+
+#GroupName: "node.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/node/v1/types_go_gen.cue

@@ -0,0 +1,90 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/node/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+// RuntimeClass defines a class of container runtime supported in the cluster.
+// The RuntimeClass is used to determine which container runtime is used to run
+// all containers in a pod. RuntimeClasses are manually defined by a
+// user or cluster provisioner, and referenced in the PodSpec. The Kubelet is
+// responsible for resolving the RuntimeClassName reference before running the
+// pod.  For more details, see
+// https://kubernetes.io/docs/concepts/containers/runtime-class/
+#RuntimeClass: {
+	metav1.#TypeMeta
+
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// handler specifies the underlying runtime and configuration that the CRI
+	// implementation will use to handle pods of this class. The possible values
+	// are specific to the node & CRI configuration.  It is assumed that all
+	// handlers are available on every node, and handlers of the same name are
+	// equivalent on every node.
+	// For example, a handler called "runc" might specify that the runc OCI
+	// runtime (using native Linux containers) will be used to run the containers
+	// in a pod.
+	// The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements,
+	// and is immutable.
+	handler: string @go(Handler) @protobuf(2,bytes,opt)
+
+	// overhead represents the resource overhead associated with running a pod for a
+	// given RuntimeClass. For more details, see
+	//  https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/
+	// +optional
+	overhead?: null | #Overhead @go(Overhead,*Overhead) @protobuf(3,bytes,opt)
+
+	// scheduling holds the scheduling constraints to ensure that pods running
+	// with this RuntimeClass are scheduled to nodes that support it.
+	// If scheduling is nil, this RuntimeClass is assumed to be supported by all
+	// nodes.
+	// +optional
+	scheduling?: null | #Scheduling @go(Scheduling,*Scheduling) @protobuf(4,bytes,opt)
+}
+
+// Overhead structure represents the resource overhead associated with running a pod.
+#Overhead: {
+	// podFixed represents the fixed resource overhead associated with running a pod.
+	// +optional
+	podFixed?: corev1.#ResourceList @go(PodFixed) @protobuf(1,bytes,opt,casttype=k8s.io/api/core/v1.ResourceList,castkey=k8s.io/api/core/v1.ResourceName,castvalue=k8s.io/apimachinery/pkg/api/resource.Quantity)
+}
+
+// Scheduling specifies the scheduling constraints for nodes supporting a
+// RuntimeClass.
+#Scheduling: {
+	// nodeSelector lists labels that must be present on nodes that support this
+	// RuntimeClass. Pods using this RuntimeClass can only be scheduled to a
+	// node matched by this selector. The RuntimeClass nodeSelector is merged
+	// with a pod's existing nodeSelector. Any conflicts will cause the pod to
+	// be rejected in admission.
+	// +optional
+	// +mapType=atomic
+	nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string) @protobuf(1,bytes,opt)
+
+	// tolerations are appended (excluding duplicates) to pods running with this
+	// RuntimeClass during admission, effectively unioning the set of nodes
+	// tolerated by the pod and the RuntimeClass.
+	// +optional
+	// +listType=atomic
+	tolerations?: [...corev1.#Toleration] @go(Tolerations,[]corev1.Toleration) @protobuf(2,bytes,rep)
+}
+
+// RuntimeClassList is a list of RuntimeClass objects.
+#RuntimeClassList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is a list of schema objects.
+	items: [...#RuntimeClass] @go(Items,[]RuntimeClass) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/policy/v1/doc_go_gen.cue

@@ -0,0 +1,8 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/policy/v1
+
+// Package policy is for any kind of policy object.  Suitable examples, even if
+// they aren't all here, are PodDisruptionBudget, PodSecurityPolicy,
+// NetworkPolicy, etc.
+package v1

timoni/podinfo/cue.mod/gen/k8s.io/api/policy/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/policy/v1
+
+package v1
+
+#GroupName: "policy"

timoni/podinfo/cue.mod/gen/k8s.io/api/policy/v1/types_go_gen.cue

@@ -0,0 +1,204 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/policy/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+#DisruptionBudgetCause: metav1.#CauseType & "DisruptionBudget"
+
+// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
+#PodDisruptionBudgetSpec: {
+	// An eviction is allowed if at least "minAvailable" pods selected by
+	// "selector" will still be available after the eviction, i.e. even in the
+	// absence of the evicted pod.  So for example you can prevent all voluntary
+	// evictions by specifying "100%".
+	// +optional
+	minAvailable?: null | intstr.#IntOrString @go(MinAvailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// Label query over pods whose evictions are managed by the disruption
+	// budget.
+	// A null selector will match no pods, while an empty ({}) selector will select
+	// all pods within the namespace.
+	// +patchStrategy=replace
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// An eviction is allowed if at most "maxUnavailable" pods selected by
+	// "selector" are unavailable after the eviction, i.e. even in absence of
+	// the evicted pod. For example, one can prevent all voluntary evictions
+	// by specifying 0. This is a mutually exclusive setting with "minAvailable".
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(3,bytes,opt)
+
+	// UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods
+	// should be considered for eviction. Current implementation considers healthy pods,
+	// as pods that have status.conditions item with type="Ready",status="True".
+	//
+	// Valid policies are IfHealthyBudget and AlwaysAllow.
+	// If no policy is specified, the default behavior will be used,
+	// which corresponds to the IfHealthyBudget policy.
+	//
+	// IfHealthyBudget policy means that running pods (status.phase="Running"),
+	// but not yet healthy can be evicted only if the guarded application is not
+	// disrupted (status.currentHealthy is at least equal to status.desiredHealthy).
+	// Healthy pods will be subject to the PDB for eviction.
+	//
+	// AlwaysAllow policy means that all running pods (status.phase="Running"),
+	// but not yet healthy are considered disrupted and can be evicted regardless
+	// of whether the criteria in a PDB is met. This means perspective running
+	// pods of a disrupted application might not get a chance to become healthy.
+	// Healthy pods will be subject to the PDB for eviction.
+	//
+	// Additional policies may be added in the future.
+	// Clients making eviction decisions should disallow eviction of unhealthy pods
+	// if they encounter an unrecognized policy in this field.
+	//
+	// This field is beta-level. The eviction API uses this field when
+	// the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).
+	// +optional
+	unhealthyPodEvictionPolicy?: null | #UnhealthyPodEvictionPolicyType @go(UnhealthyPodEvictionPolicy,*UnhealthyPodEvictionPolicyType) @protobuf(4,bytes,opt)
+}
+
+// UnhealthyPodEvictionPolicyType defines the criteria for when unhealthy pods
+// should be considered for eviction.
+// +enum
+#UnhealthyPodEvictionPolicyType: string // #enumUnhealthyPodEvictionPolicyType
+
+#enumUnhealthyPodEvictionPolicyType:
+	#IfHealthyBudget |
+	#AlwaysAllow
+
+// IfHealthyBudget policy means that running pods (status.phase="Running"),
+// but not yet healthy can be evicted only if the guarded application is not
+// disrupted (status.currentHealthy is at least equal to status.desiredHealthy).
+// Healthy pods will be subject to the PDB for eviction.
+#IfHealthyBudget: #UnhealthyPodEvictionPolicyType & "IfHealthyBudget"
+
+// AlwaysAllow policy means that all running pods (status.phase="Running"),
+// but not yet healthy are considered disrupted and can be evicted regardless
+// of whether the criteria in a PDB is met. This means perspective running
+// pods of a disrupted application might not get a chance to become healthy.
+// Healthy pods will be subject to the PDB for eviction.
+#AlwaysAllow: #UnhealthyPodEvictionPolicyType & "AlwaysAllow"
+
+// PodDisruptionBudgetStatus represents information about the status of a
+// PodDisruptionBudget. Status may trail the actual state of a system.
+#PodDisruptionBudgetStatus: {
+	// Most recent generation observed when updating this PDB status. DisruptionsAllowed and other
+	// status information is valid only if observedGeneration equals to PDB's object generation.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// DisruptedPods contains information about pods whose eviction was
+	// processed by the API server eviction subresource handler but has not
+	// yet been observed by the PodDisruptionBudget controller.
+	// A pod will be in this map from the time when the API server processed the
+	// eviction request to the time when the pod is seen by PDB controller
+	// as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
+	// and the value is the time when the API server processed the eviction request. If
+	// the deletion didn't occur and a pod is still there it will be removed from
+	// the list automatically by PodDisruptionBudget controller after some time.
+	// If everything goes smooth this map should be empty for the most of the time.
+	// Large number of entries in the map may indicate problems with pod deletions.
+	// +optional
+	disruptedPods?: {[string]: metav1.#Time} @go(DisruptedPods,map[string]metav1.Time) @protobuf(2,bytes,rep)
+
+	// Number of pod disruptions that are currently allowed.
+	disruptionsAllowed: int32 @go(DisruptionsAllowed) @protobuf(3,varint,opt)
+
+	// current number of healthy pods
+	currentHealthy: int32 @go(CurrentHealthy) @protobuf(4,varint,opt)
+
+	// minimum desired number of healthy pods
+	desiredHealthy: int32 @go(DesiredHealthy) @protobuf(5,varint,opt)
+
+	// total number of pods counted by this disruption budget
+	expectedPods: int32 @go(ExpectedPods) @protobuf(6,varint,opt)
+
+	// Conditions contain conditions for PDB. The disruption controller sets the
+	// DisruptionAllowed condition. The following are known values for the reason field
+	// (additional reasons could be added in the future):
+	// - SyncFailed: The controller encountered an error and wasn't able to compute
+	//               the number of allowed disruptions. Therefore no disruptions are
+	//               allowed and the status of the condition will be False.
+	// - InsufficientPods: The number of pods are either at or below the number
+	//                     required by the PodDisruptionBudget. No disruptions are
+	//                     allowed and the status of the condition will be False.
+	// - SufficientPods: There are more pods than required by the PodDisruptionBudget.
+	//                   The condition will be True, and the number of allowed
+	//                   disruptions are provided by the disruptionsAllowed property.
+	//
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	conditions?: [...metav1.#Condition] @go(Conditions,[]metav1.Condition) @protobuf(7,bytes,rep)
+}
+
+// DisruptionAllowedCondition is a condition set by the disruption controller
+// that signal whether any of the pods covered by the PDB can be disrupted.
+#DisruptionAllowedCondition: "DisruptionAllowed"
+
+// SyncFailedReason is set on the DisruptionAllowed condition if reconcile
+// of the PDB failed and therefore disruption of pods are not allowed.
+#SyncFailedReason: "SyncFailed"
+
+// SufficientPodsReason is set on the DisruptionAllowed condition if there are
+// more pods covered by the PDB than required and at least one can be disrupted.
+#SufficientPodsReason: "SufficientPods"
+
+// InsufficientPodsReason is set on the DisruptionAllowed condition if the number
+// of pods are equal to or fewer than required by the PDB.
+#InsufficientPodsReason: "InsufficientPods"
+
+// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
+#PodDisruptionBudget: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of the PodDisruptionBudget.
+	// +optional
+	spec?: #PodDisruptionBudgetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Most recently observed status of the PodDisruptionBudget.
+	// +optional
+	status?: #PodDisruptionBudgetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// PodDisruptionBudgetList is a collection of PodDisruptionBudgets.
+#PodDisruptionBudgetList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is a list of PodDisruptionBudgets
+	items: [...#PodDisruptionBudget] @go(Items,[]PodDisruptionBudget) @protobuf(2,bytes,rep)
+}
+
+// Eviction evicts a pod from its node subject to certain policies and safety constraints.
+// This is a subresource of Pod.  A request to cause such an eviction is
+// created by POSTing to .../pods/<pod name>/evictions.
+#Eviction: {
+	metav1.#TypeMeta
+
+	// ObjectMeta describes the pod that is being evicted.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// DeleteOptions may be provided
+	// +optional
+	deleteOptions?: null | metav1.#DeleteOptions @go(DeleteOptions,*metav1.DeleteOptions) @protobuf(2,bytes,opt)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/rbac/v1
+
+package v1
+
+#GroupName: "rbac.authorization.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue

@@ -0,0 +1,207 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/rbac/v1
+
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+#APIGroupAll:        "*"
+#ResourceAll:        "*"
+#VerbAll:            "*"
+#NonResourceAll:     "*"
+#GroupKind:          "Group"
+#ServiceAccountKind: "ServiceAccount"
+#UserKind:           "User"
+
+// AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false"
+#AutoUpdateAnnotationKey: "rbac.authorization.kubernetes.io/autoupdate"
+
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
+#PolicyRule: {
+	// Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
+	verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep)
+
+	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+	// the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
+	// +optional
+	apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep)
+
+	// Resources is a list of resources this rule applies to. '*' represents all resources.
+	// +optional
+	resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep)
+
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	// +optional
+	resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep)
+
+	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+	// +optional
+	nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(5,bytes,rep)
+}
+
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
+// +structType=atomic
+#Subject: {
+	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+	kind: string @go(Kind) @protobuf(1,bytes,opt)
+
+	// APIGroup holds the API group of the referenced subject.
+	// Defaults to "" for ServiceAccount subjects.
+	// Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+	// +optional
+	apiGroup?: string @go(APIGroup) @protobuf(2,bytes,opt.name=apiGroup)
+
+	// Name of the object being referenced.
+	name: string @go(Name) @protobuf(3,bytes,opt)
+
+	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+	// the Authorizer should report an error.
+	// +optional
+	namespace?: string @go(Namespace) @protobuf(4,bytes,opt)
+}
+
+// RoleRef contains information that points to the role being used
+// +structType=atomic
+#RoleRef: {
+	// APIGroup is the group for the resource being referenced
+	apiGroup: string @go(APIGroup) @protobuf(1,bytes,opt)
+
+	// Kind is the type of resource being referenced
+	kind: string @go(Kind) @protobuf(2,bytes,opt)
+
+	// Name is the name of resource being referenced
+	name: string @go(Name) @protobuf(3,bytes,opt)
+}
+
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+#Role: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Rules holds all the PolicyRules for this Role
+	// +optional
+	rules: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep)
+}
+
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
+#RoleBinding: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Subjects holds references to the objects the role applies to.
+	// +optional
+	subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep)
+
+	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	// This field is immutable.
+	roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt)
+}
+
+// RoleBindingList is a collection of RoleBindings
+#RoleBindingList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is a list of RoleBindings
+	items: [...#RoleBinding] @go(Items,[]RoleBinding) @protobuf(2,bytes,rep)
+}
+
+// RoleList is a collection of Roles
+#RoleList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is a list of Roles
+	items: [...#Role] @go(Items,[]Role) @protobuf(2,bytes,rep)
+}
+
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+#ClusterRole: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Rules holds all the PolicyRules for this ClusterRole
+	// +optional
+	rules: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep)
+
+	// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
+	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
+	// stomped by the controller.
+	// +optional
+	aggregationRule?: null | #AggregationRule @go(AggregationRule,*AggregationRule) @protobuf(3,bytes,opt)
+}
+
+// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole
+#AggregationRule: {
+	// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
+	// If any of the selectors match, then the ClusterRole's permissions will be added
+	// +optional
+	clusterRoleSelectors?: [...metav1.#LabelSelector] @go(ClusterRoleSelectors,[]metav1.LabelSelector) @protobuf(1,bytes,rep)
+}
+
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
+#ClusterRoleBinding: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Subjects holds references to the objects the role applies to.
+	// +optional
+	subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep)
+
+	// RoleRef can only reference a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	// This field is immutable.
+	roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt)
+}
+
+// ClusterRoleBindingList is a collection of ClusterRoleBindings
+#ClusterRoleBindingList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is a list of ClusterRoleBindings
+	items: [...#ClusterRoleBinding] @go(Items,[]ClusterRoleBinding) @protobuf(2,bytes,rep)
+}
+
+// ClusterRoleList is a collection of ClusterRoles
+#ClusterRoleList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is a list of ClusterRoles
+	items: [...#ClusterRole] @go(Items,[]ClusterRole) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/scheduling/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/scheduling/v1
+
+package v1
+
+#GroupName: "scheduling.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/scheduling/v1/types_go_gen.cue

@@ -0,0 +1,57 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/scheduling/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	apiv1 "k8s.io/api/core/v1"
+)
+
+// PriorityClass defines mapping from a priority class name to the priority
+// integer value. The value can be any valid integer.
+#PriorityClass: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// value represents the integer value of this priority class. This is the actual priority that pods
+	// receive when they have the name of this class in their pod spec.
+	value: int32 @go(Value) @protobuf(2,bytes,opt)
+
+	// globalDefault specifies whether this PriorityClass should be considered as
+	// the default priority for pods that do not have any priority class.
+	// Only one PriorityClass can be marked as `globalDefault`. However, if more than
+	// one PriorityClasses exists with their `globalDefault` field set to true,
+	// the smallest value of such global default PriorityClasses will be used as the default priority.
+	// +optional
+	globalDefault?: bool @go(GlobalDefault) @protobuf(3,bytes,opt)
+
+	// description is an arbitrary string that usually provides guidelines on
+	// when this priority class should be used.
+	// +optional
+	description?: string @go(Description) @protobuf(4,bytes,opt)
+
+	// preemptionPolicy is the Policy for preempting pods with lower priority.
+	// One of Never, PreemptLowerPriority.
+	// Defaults to PreemptLowerPriority if unset.
+	// +optional
+	preemptionPolicy?: null | apiv1.#PreemptionPolicy @go(PreemptionPolicy,*apiv1.PreemptionPolicy) @protobuf(5,bytes,opt)
+}
+
+// PriorityClassList is a collection of priority classes.
+#PriorityClassList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of PriorityClasses
+	items: [...#PriorityClass] @go(Items,[]PriorityClass) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/api/storage/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/storage/v1
+
+package v1
+
+#GroupName: "storage.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/api/storage/v1/types_go_gen.cue

@@ -0,0 +1,652 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/storage/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+)
+
+// StorageClass describes the parameters for a class of storage for
+// which PersistentVolumes can be dynamically provisioned.
+//
+// StorageClasses are non-namespaced; the name of the storage class
+// according to etcd is in ObjectMeta.Name.
+#StorageClass: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// provisioner indicates the type of the provisioner.
+	provisioner: string @go(Provisioner) @protobuf(2,bytes,opt)
+
+	// parameters holds the parameters for the provisioner that should
+	// create volumes of this storage class.
+	// +optional
+	parameters?: {[string]: string} @go(Parameters,map[string]string) @protobuf(3,bytes,rep)
+
+	// reclaimPolicy controls the reclaimPolicy for dynamically provisioned PersistentVolumes of this storage class.
+	// Defaults to Delete.
+	// +optional
+	reclaimPolicy?: null | v1.#PersistentVolumeReclaimPolicy @go(ReclaimPolicy,*v1.PersistentVolumeReclaimPolicy) @protobuf(4,bytes,opt,casttype=k8s.io/api/core/v1.PersistentVolumeReclaimPolicy)
+
+	// mountOptions controls the mountOptions for dynamically provisioned PersistentVolumes of this storage class.
+	// e.g. ["ro", "soft"]. Not validated -
+	// mount of the PVs will simply fail if one is invalid.
+	// +optional
+	mountOptions?: [...string] @go(MountOptions,[]string) @protobuf(5,bytes,opt)
+
+	// allowVolumeExpansion shows whether the storage class allow volume expand.
+	// +optional
+	allowVolumeExpansion?: null | bool @go(AllowVolumeExpansion,*bool) @protobuf(6,varint,opt)
+
+	// volumeBindingMode indicates how PersistentVolumeClaims should be
+	// provisioned and bound.  When unset, VolumeBindingImmediate is used.
+	// This field is only honored by servers that enable the VolumeScheduling feature.
+	// +optional
+	volumeBindingMode?: null | #VolumeBindingMode @go(VolumeBindingMode,*VolumeBindingMode) @protobuf(7,bytes,opt)
+
+	// allowedTopologies restrict the node topologies where volumes can be dynamically provisioned.
+	// Each volume plugin defines its own supported topology specifications.
+	// An empty TopologySelectorTerm list means there is no topology restriction.
+	// This field is only honored by servers that enable the VolumeScheduling feature.
+	// +optional
+	// +listType=atomic
+	allowedTopologies?: [...v1.#TopologySelectorTerm] @go(AllowedTopologies,[]v1.TopologySelectorTerm) @protobuf(8,bytes,rep)
+}
+
+// StorageClassList is a collection of storage classes.
+#StorageClassList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of StorageClasses
+	items: [...#StorageClass] @go(Items,[]StorageClass) @protobuf(2,bytes,rep)
+}
+
+// VolumeBindingMode indicates how PersistentVolumeClaims should be bound.
+// +enum
+#VolumeBindingMode: string // #enumVolumeBindingMode
+
+#enumVolumeBindingMode:
+	#VolumeBindingImmediate |
+	#VolumeBindingWaitForFirstConsumer
+
+// VolumeBindingImmediate indicates that PersistentVolumeClaims should be
+// immediately provisioned and bound.  This is the default mode.
+#VolumeBindingImmediate: #VolumeBindingMode & "Immediate"
+
+// VolumeBindingWaitForFirstConsumer indicates that PersistentVolumeClaims
+// should not be provisioned and bound until the first Pod is created that
+// references the PeristentVolumeClaim.  The volume provisioning and
+// binding will occur during Pod scheduing.
+#VolumeBindingWaitForFirstConsumer: #VolumeBindingMode & "WaitForFirstConsumer"
+
+// VolumeAttachment captures the intent to attach or detach the specified volume
+// to/from the specified node.
+//
+// VolumeAttachment objects are non-namespaced.
+#VolumeAttachment: {
+	metav1.#TypeMeta
+
+	// Standard object metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec represents specification of the desired attach/detach volume behavior.
+	// Populated by the Kubernetes system.
+	spec: #VolumeAttachmentSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status represents status of the VolumeAttachment request.
+	// Populated by the entity completing the attach or detach
+	// operation, i.e. the external-attacher.
+	// +optional
+	status?: #VolumeAttachmentStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// VolumeAttachmentList is a collection of VolumeAttachment objects.
+#VolumeAttachmentList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of VolumeAttachments
+	items: [...#VolumeAttachment] @go(Items,[]VolumeAttachment) @protobuf(2,bytes,rep)
+}
+
+// VolumeAttachmentSpec is the specification of a VolumeAttachment request.
+#VolumeAttachmentSpec: {
+	// attacher indicates the name of the volume driver that MUST handle this
+	// request. This is the name returned by GetPluginName().
+	attacher: string @go(Attacher) @protobuf(1,bytes,opt)
+
+	// source represents the volume that should be attached.
+	source: #VolumeAttachmentSource @go(Source) @protobuf(2,bytes,opt)
+
+	// nodeName represents the node that the volume should be attached to.
+	nodeName: string @go(NodeName) @protobuf(3,bytes,opt)
+}
+
+// VolumeAttachmentSource represents a volume that should be attached.
+// Right now only PersistenVolumes can be attached via external attacher,
+// in future we may allow also inline volumes in pods.
+// Exactly one member can be set.
+#VolumeAttachmentSource: {
+	// persistentVolumeName represents the name of the persistent volume to attach.
+	// +optional
+	persistentVolumeName?: null | string @go(PersistentVolumeName,*string) @protobuf(1,bytes,opt)
+
+	// inlineVolumeSpec contains all the information necessary to attach
+	// a persistent volume defined by a pod's inline VolumeSource. This field
+	// is populated only for the CSIMigration feature. It contains
+	// translated fields from a pod's inline VolumeSource to a
+	// PersistentVolumeSpec. This field is beta-level and is only
+	// honored by servers that enabled the CSIMigration feature.
+	// +optional
+	inlineVolumeSpec?: null | v1.#PersistentVolumeSpec @go(InlineVolumeSpec,*v1.PersistentVolumeSpec) @protobuf(2,bytes,opt)
+}
+
+// VolumeAttachmentStatus is the status of a VolumeAttachment request.
+#VolumeAttachmentStatus: {
+	// attached indicates the volume is successfully attached.
+	// This field must only be set by the entity completing the attach
+	// operation, i.e. the external-attacher.
+	attached: bool @go(Attached) @protobuf(1,varint,opt)
+
+	// attachmentMetadata is populated with any
+	// information returned by the attach operation, upon successful attach, that must be passed
+	// into subsequent WaitForAttach or Mount calls.
+	// This field must only be set by the entity completing the attach
+	// operation, i.e. the external-attacher.
+	// +optional
+	attachmentMetadata?: {[string]: string} @go(AttachmentMetadata,map[string]string) @protobuf(2,bytes,rep)
+
+	// attachError represents the last error encountered during attach operation, if any.
+	// This field must only be set by the entity completing the attach
+	// operation, i.e. the external-attacher.
+	// +optional
+	attachError?: null | #VolumeError @go(AttachError,*VolumeError) @protobuf(3,bytes,opt,casttype=VolumeError)
+
+	// detachError represents the last error encountered during detach operation, if any.
+	// This field must only be set by the entity completing the detach
+	// operation, i.e. the external-attacher.
+	// +optional
+	detachError?: null | #VolumeError @go(DetachError,*VolumeError) @protobuf(4,bytes,opt,casttype=VolumeError)
+}
+
+// VolumeError captures an error encountered during a volume operation.
+#VolumeError: {
+	// time represents the time the error was encountered.
+	// +optional
+	time?: metav1.#Time @go(Time) @protobuf(1,bytes,opt)
+
+	// message represents the error encountered during Attach or Detach operation.
+	// This string may be logged, so it should not contain sensitive
+	// information.
+	// +optional
+	message?: string @go(Message) @protobuf(2,bytes,opt)
+}
+
+// CSIDriver captures information about a Container Storage Interface (CSI)
+// volume driver deployed on the cluster.
+// Kubernetes attach detach controller uses this object to determine whether attach is required.
+// Kubelet uses this object to determine whether pod information needs to be passed on mount.
+// CSIDriver objects are non-namespaced.
+#CSIDriver: {
+	metav1.#TypeMeta
+
+	// Standard object metadata.
+	// metadata.Name indicates the name of the CSI driver that this object
+	// refers to; it MUST be the same name returned by the CSI GetPluginName()
+	// call for that driver.
+	// The driver name must be 63 characters or less, beginning and ending with
+	// an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and
+	// alphanumerics between.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec represents the specification of the CSI Driver.
+	spec: #CSIDriverSpec @go(Spec) @protobuf(2,bytes,opt)
+}
+
+// CSIDriverList is a collection of CSIDriver objects.
+#CSIDriverList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of CSIDriver
+	items: [...#CSIDriver] @go(Items,[]CSIDriver) @protobuf(2,bytes,rep)
+}
+
+// CSIDriverSpec is the specification of a CSIDriver.
+#CSIDriverSpec: {
+	// attachRequired indicates this CSI volume driver requires an attach
+	// operation (because it implements the CSI ControllerPublishVolume()
+	// method), and that the Kubernetes attach detach controller should call
+	// the attach volume interface which checks the volumeattachment status
+	// and waits until the volume is attached before proceeding to mounting.
+	// The CSI external-attacher coordinates with CSI volume driver and updates
+	// the volumeattachment status when the attach operation is complete.
+	// If the CSIDriverRegistry feature gate is enabled and the value is
+	// specified to false, the attach operation will be skipped.
+	// Otherwise the attach operation will be called.
+	//
+	// This field is immutable.
+	//
+	// +optional
+	attachRequired?: null | bool @go(AttachRequired,*bool) @protobuf(1,varint,opt)
+
+	// podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.)
+	// during mount operations, if set to true.
+	// If set to false, pod information will not be passed on mount.
+	// Default is false.
+	//
+	// The CSI driver specifies podInfoOnMount as part of driver deployment.
+	// If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls.
+	// The CSI driver is responsible for parsing and validating the information passed in as VolumeContext.
+	//
+	// The following VolumeConext will be passed if podInfoOnMount is set to true.
+	// This list might grow, but the prefix will be used.
+	// "csi.storage.k8s.io/pod.name": pod.Name
+	// "csi.storage.k8s.io/pod.namespace": pod.Namespace
+	// "csi.storage.k8s.io/pod.uid": string(pod.UID)
+	// "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume
+	//                                 defined by a CSIVolumeSource, otherwise "false"
+	//
+	// "csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only
+	// required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode.
+	// Other drivers can leave pod info disabled and/or ignore this field.
+	// As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when
+	// deployed on such a cluster and the deployment determines which mode that is, for example
+	// via a command line parameter of the driver.
+	//
+	// This field is immutable.
+	//
+	// +optional
+	podInfoOnMount?: null | bool @go(PodInfoOnMount,*bool) @protobuf(2,bytes,opt)
+
+	// volumeLifecycleModes defines what kind of volumes this CSI volume driver supports.
+	// The default if the list is empty is "Persistent", which is the usage defined by the
+	// CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism.
+	//
+	// The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec
+	// with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod.
+	// A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume.
+	//
+	// For more information about implementing this mode, see
+	// https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html
+	// A driver can support one or more of these modes and more modes may be added in the future.
+	//
+	// This field is beta.
+	// This field is immutable.
+	//
+	// +optional
+	// +listType=set
+	volumeLifecycleModes?: [...#VolumeLifecycleMode] @go(VolumeLifecycleModes,[]VolumeLifecycleMode) @protobuf(3,bytes,opt)
+
+	// storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage
+	// capacity that the driver deployment will report by creating
+	// CSIStorageCapacity objects with capacity information, if set to true.
+	//
+	// The check can be enabled immediately when deploying a driver.
+	// In that case, provisioning new volumes with late binding
+	// will pause until the driver deployment has published
+	// some suitable CSIStorageCapacity object.
+	//
+	// Alternatively, the driver can be deployed with the field
+	// unset or false and it can be flipped later when storage
+	// capacity information has been published.
+	//
+	// This field was immutable in Kubernetes <= 1.22 and now is mutable.
+	//
+	// +optional
+	// +featureGate=CSIStorageCapacity
+	storageCapacity?: null | bool @go(StorageCapacity,*bool) @protobuf(4,bytes,opt)
+
+	// fsGroupPolicy defines if the underlying volume supports changing ownership and
+	// permission of the volume before being mounted.
+	// Refer to the specific FSGroupPolicy values for additional details.
+	//
+	// This field is immutable.
+	//
+	// Defaults to ReadWriteOnceWithFSType, which will examine each volume
+	// to determine if Kubernetes should modify ownership and permissions of the volume.
+	// With the default policy the defined fsGroup will only be applied
+	// if a fstype is defined and the volume's access mode contains ReadWriteOnce.
+	//
+	// +optional
+	fsGroupPolicy?: null | #FSGroupPolicy @go(FSGroupPolicy,*FSGroupPolicy) @protobuf(5,bytes,opt)
+
+	// tokenRequests indicates the CSI driver needs pods' service account
+	// tokens it is mounting volume for to do necessary authentication. Kubelet
+	// will pass the tokens in VolumeContext in the CSI NodePublishVolume calls.
+	// The CSI driver should parse and validate the following VolumeContext:
+	// "csi.storage.k8s.io/serviceAccount.tokens": {
+	//   "<audience>": {
+	//     "token": <token>,
+	//     "expirationTimestamp": <expiration timestamp in RFC3339>,
+	//   },
+	//   ...
+	// }
+	//
+	// Note: Audience in each TokenRequest should be different and at
+	// most one token is empty string. To receive a new token after expiry,
+	// RequiresRepublish can be used to trigger NodePublishVolume periodically.
+	//
+	// +optional
+	// +listType=atomic
+	tokenRequests?: [...#TokenRequest] @go(TokenRequests,[]TokenRequest) @protobuf(6,bytes,opt)
+
+	// requiresRepublish indicates the CSI driver wants `NodePublishVolume`
+	// being periodically called to reflect any possible change in the mounted
+	// volume. This field defaults to false.
+	//
+	// Note: After a successful initial NodePublishVolume call, subsequent calls
+	// to NodePublishVolume should only update the contents of the volume. New
+	// mount points will not be seen by a running container.
+	//
+	// +optional
+	requiresRepublish?: null | bool @go(RequiresRepublish,*bool) @protobuf(7,varint,opt)
+
+	// seLinuxMount specifies if the CSI driver supports "-o context"
+	// mount option.
+	//
+	// When "true", the CSI driver must ensure that all volumes provided by this CSI
+	// driver can be mounted separately with different `-o context` options. This is
+	// typical for storage backends that provide volumes as filesystems on block
+	// devices or as independent shared volumes.
+	// Kubernetes will call NodeStage / NodePublish with "-o context=xyz" mount
+	// option when mounting a ReadWriteOncePod volume used in Pod that has
+	// explicitly set SELinux context. In the future, it may be expanded to other
+	// volume AccessModes. In any case, Kubernetes will ensure that the volume is
+	// mounted only with a single SELinux context.
+	//
+	// When "false", Kubernetes won't pass any special SELinux mount options to the driver.
+	// This is typical for volumes that represent subdirectories of a bigger shared filesystem.
+	//
+	// Default is "false".
+	//
+	// +featureGate=SELinuxMountReadWriteOncePod
+	// +optional
+	seLinuxMount?: null | bool @go(SELinuxMount,*bool) @protobuf(8,varint,opt)
+}
+
+// FSGroupPolicy specifies if a CSI Driver supports modifying
+// volume ownership and permissions of the volume to be mounted.
+// More modes may be added in the future.
+#FSGroupPolicy: string // #enumFSGroupPolicy
+
+#enumFSGroupPolicy:
+	#ReadWriteOnceWithFSTypeFSGroupPolicy |
+	#FileFSGroupPolicy |
+	#NoneFSGroupPolicy
+
+// ReadWriteOnceWithFSTypeFSGroupPolicy indicates that each volume will be examined
+// to determine if the volume ownership and permissions
+// should be modified. If a fstype is defined and the volume's access mode
+// contains ReadWriteOnce, then the defined fsGroup will be applied.
+// This mode should be defined if it's expected that the
+// fsGroup may need to be modified depending on the pod's SecurityPolicy.
+// This is the default behavior if no other FSGroupPolicy is defined.
+#ReadWriteOnceWithFSTypeFSGroupPolicy: #FSGroupPolicy & "ReadWriteOnceWithFSType"
+
+// FileFSGroupPolicy indicates that CSI driver supports volume ownership
+// and permission change via fsGroup, and Kubernetes will change the permissions
+// and ownership of every file in the volume to match the user requested fsGroup in
+// the pod's SecurityPolicy regardless of fstype or access mode.
+// Use this mode if Kubernetes should modify the permissions and ownership
+// of the volume.
+#FileFSGroupPolicy: #FSGroupPolicy & "File"
+
+// NoneFSGroupPolicy indicates that volumes will be mounted without performing
+// any ownership or permission modifications, as the CSIDriver does not support
+// these operations.
+// This mode should be selected if the CSIDriver does not support fsGroup modifications,
+// for example when Kubernetes cannot change ownership and permissions on a volume due
+// to root-squash settings on a NFS volume.
+#NoneFSGroupPolicy: #FSGroupPolicy & "None"
+
+// VolumeLifecycleMode is an enumeration of possible usage modes for a volume
+// provided by a CSI driver. More modes may be added in the future.
+#VolumeLifecycleMode: string // #enumVolumeLifecycleMode
+
+#enumVolumeLifecycleMode:
+	#VolumeLifecyclePersistent |
+	#VolumeLifecycleEphemeral
+
+// TokenRequest contains parameters of a service account token.
+#TokenRequest: {
+	// audience is the intended audience of the token in "TokenRequestSpec".
+	// It will default to the audiences of kube apiserver.
+	audience: string @go(Audience) @protobuf(1,bytes,opt)
+
+	// expirationSeconds is the duration of validity of the token in "TokenRequestSpec".
+	// It has the same default value of "ExpirationSeconds" in "TokenRequestSpec".
+	//
+	// +optional
+	expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(2,varint,opt)
+}
+
+// VolumeLifecyclePersistent explicitly confirms that the driver implements
+// the full CSI spec. It is the default when CSIDriverSpec.VolumeLifecycleModes is not
+// set. Such volumes are managed in Kubernetes via the persistent volume
+// claim mechanism and have a lifecycle that is independent of the pods which
+// use them.
+#VolumeLifecyclePersistent: #VolumeLifecycleMode & "Persistent"
+
+// VolumeLifecycleEphemeral indicates that the driver can be used for
+// ephemeral inline volumes. Such volumes are specified inside the pod
+// spec with a CSIVolumeSource and, as far as Kubernetes is concerned, have
+// a lifecycle that is tied to the lifecycle of the pod. For example, such
+// a volume might contain data that gets created specifically for that pod,
+// like secrets.
+// But how the volume actually gets created and managed is entirely up to
+// the driver. It might also use reference counting to share the same volume
+// instance among different pods if the CSIVolumeSource of those pods is
+// identical.
+#VolumeLifecycleEphemeral: #VolumeLifecycleMode & "Ephemeral"
+
+// CSINode holds information about all CSI drivers installed on a node.
+// CSI drivers do not need to create the CSINode object directly. As long as
+// they use the node-driver-registrar sidecar container, the kubelet will
+// automatically populate the CSINode object for the CSI driver as part of
+// kubelet plugin registration.
+// CSINode has the same name as a node. If the object is missing, it means either
+// there are no CSI Drivers available on the node, or the Kubelet version is low
+// enough that it doesn't create this object.
+// CSINode has an OwnerReference that points to the corresponding node object.
+#CSINode: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// metadata.name must be the Kubernetes node name.
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec is the specification of CSINode
+	spec: #CSINodeSpec @go(Spec) @protobuf(2,bytes,opt)
+}
+
+// CSINodeSpec holds information about the specification of all CSI drivers installed on a node
+#CSINodeSpec: {
+	// drivers is a list of information of all CSI Drivers existing on a node.
+	// If all drivers in the list are uninstalled, this can become empty.
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	drivers: [...#CSINodeDriver] @go(Drivers,[]CSINodeDriver) @protobuf(1,bytes,rep)
+}
+
+// CSINodeDriver holds information about the specification of one CSI driver installed on a node
+#CSINodeDriver: {
+	// name represents the name of the CSI driver that this object refers to.
+	// This MUST be the same name returned by the CSI GetPluginName() call for
+	// that driver.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// nodeID of the node from the driver point of view.
+	// This field enables Kubernetes to communicate with storage systems that do
+	// not share the same nomenclature for nodes. For example, Kubernetes may
+	// refer to a given node as "node1", but the storage system may refer to
+	// the same node as "nodeA". When Kubernetes issues a command to the storage
+	// system to attach a volume to a specific node, it can use this field to
+	// refer to the node name using the ID that the storage system will
+	// understand, e.g. "nodeA" instead of "node1". This field is required.
+	nodeID: string @go(NodeID) @protobuf(2,bytes,opt)
+
+	// topologyKeys is the list of keys supported by the driver.
+	// When a driver is initialized on a cluster, it provides a set of topology
+	// keys that it understands (e.g. "company.com/zone", "company.com/region").
+	// When a driver is initialized on a node, it provides the same topology keys
+	// along with values. Kubelet will expose these topology keys as labels
+	// on its own node object.
+	// When Kubernetes does topology aware provisioning, it can use this list to
+	// determine which labels it should retrieve from the node object and pass
+	// back to the driver.
+	// It is possible for different nodes to use different topology keys.
+	// This can be empty if driver does not support topology.
+	// +optional
+	topologyKeys: [...string] @go(TopologyKeys,[]string) @protobuf(3,bytes,rep)
+
+	// allocatable represents the volume resources of a node that are available for scheduling.
+	// This field is beta.
+	// +optional
+	allocatable?: null | #VolumeNodeResources @go(Allocatable,*VolumeNodeResources) @protobuf(4,bytes,opt)
+}
+
+// VolumeNodeResources is a set of resource limits for scheduling of volumes.
+#VolumeNodeResources: {
+	// count indicates the maximum number of unique volumes managed by the CSI driver that can be used on a node.
+	// A volume that is both attached and mounted on a node is considered to be used once, not twice.
+	// The same rule applies for a unique volume that is shared among multiple pods on the same node.
+	// If this field is not specified, then the supported number of volumes on this node is unbounded.
+	// +optional
+	count?: null | int32 @go(Count,*int32) @protobuf(1,varint,opt)
+}
+
+// CSINodeList is a collection of CSINode objects.
+#CSINodeList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of CSINode
+	items: [...#CSINode] @go(Items,[]CSINode) @protobuf(2,bytes,rep)
+}
+
+// CSIStorageCapacity stores the result of one CSI GetCapacity call.
+// For a given StorageClass, this describes the available capacity in a
+// particular topology segment.  This can be used when considering where to
+// instantiate new PersistentVolumes.
+//
+// For example this can express things like:
+// - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1"
+// - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123"
+//
+// The following three cases all imply that no capacity is available for
+// a certain combination:
+// - no object exists with suitable topology and storage class name
+// - such an object exists, but the capacity is unset
+// - such an object exists, but the capacity is zero
+//
+// The producer of these objects can decide which approach is more suitable.
+//
+// They are consumed by the kube-scheduler when a CSI driver opts into
+// capacity-aware scheduling with CSIDriverSpec.StorageCapacity. The scheduler
+// compares the MaximumVolumeSize against the requested size of pending volumes
+// to filter out unsuitable nodes. If MaximumVolumeSize is unset, it falls back
+// to a comparison against the less precise Capacity. If that is also unset,
+// the scheduler assumes that capacity is insufficient and tries some other
+// node.
+#CSIStorageCapacity: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// The name has no particular meaning. It must be a DNS subdomain (dots allowed, 253 characters).
+	// To ensure that there are no conflicts with other CSI drivers on the cluster,
+	// the recommendation is to use csisc-<uuid>, a generated name, or a reverse-domain name
+	// which ends with the unique CSI driver name.
+	//
+	// Objects are namespaced.
+	//
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// nodeTopology defines which nodes have access to the storage
+	// for which capacity was reported. If not set, the storage is
+	// not accessible from any node in the cluster. If empty, the
+	// storage is accessible from all nodes. This field is
+	// immutable.
+	//
+	// +optional
+	nodeTopology?: null | metav1.#LabelSelector @go(NodeTopology,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// storageClassName represents the name of the StorageClass that the reported capacity applies to.
+	// It must meet the same requirements as the name of a StorageClass
+	// object (non-empty, DNS subdomain). If that object no longer exists,
+	// the CSIStorageCapacity object is obsolete and should be removed by its
+	// creator.
+	// This field is immutable.
+	storageClassName: string @go(StorageClassName) @protobuf(3,bytes)
+
+	// capacity is the value reported by the CSI driver in its GetCapacityResponse
+	// for a GetCapacityRequest with topology and parameters that match the
+	// previous fields.
+	//
+	// The semantic is currently (CSI spec 1.2) defined as:
+	// The available capacity, in bytes, of the storage that can be used
+	// to provision volumes. If not set, that information is currently
+	// unavailable.
+	//
+	// +optional
+	capacity?: null | resource.#Quantity @go(Capacity,*resource.Quantity) @protobuf(4,bytes,opt)
+
+	// maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse
+	// for a GetCapacityRequest with topology and parameters that match the
+	// previous fields.
+	//
+	// This is defined since CSI spec 1.4.0 as the largest size
+	// that may be used in a
+	// CreateVolumeRequest.capacity_range.required_bytes field to
+	// create a volume with the same parameters as those in
+	// GetCapacityRequest. The corresponding value in the Kubernetes
+	// API is ResourceRequirements.Requests in a volume claim.
+	//
+	// +optional
+	maximumVolumeSize?: null | resource.#Quantity @go(MaximumVolumeSize,*resource.Quantity) @protobuf(5,bytes,opt)
+}
+
+// CSIStorageCapacityList is a collection of CSIStorageCapacity objects.
+#CSIStorageCapacityList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of CSIStorageCapacity objects.
+	// +listType=map
+	// +listMapKey=name
+	items: [...#CSIStorageCapacity] @go(Items,[]CSIStorageCapacity) @protobuf(2,bytes,rep)
+}

timoni/podinfo/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+// Package v1 is the v1 version of the API.
+package v1

timoni/podinfo/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+#GroupName: "apiextensions.k8s.io"

timoni/podinfo/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue

@@ -0,0 +1,513 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// ConversionStrategyType describes different conversion types.
+#ConversionStrategyType: string // #enumConversionStrategyType
+
+#enumConversionStrategyType:
+	#NoneConverter |
+	#WebhookConverter
+
+// KubeAPIApprovedAnnotation is an annotation that must be set to create a CRD for the k8s.io, *.k8s.io, kubernetes.io, or *.kubernetes.io namespaces.
+// The value should be a link to a URL where the current spec was approved, so updates to the spec should also update the URL.
+// If the API is unapproved, you may set the annotation to a string starting with `"unapproved"`.  For instance, `"unapproved, temporarily squatting"` or `"unapproved, experimental-only"`.  This is discouraged.
+#KubeAPIApprovedAnnotation: "api-approved.kubernetes.io"
+
+// NoneConverter is a converter that only sets apiversion of the CR and leave everything else unchanged.
+#NoneConverter: #ConversionStrategyType & "None"
+
+// WebhookConverter is a converter that calls to an external webhook to convert the CR.
+#WebhookConverter: #ConversionStrategyType & "Webhook"
+
+// CustomResourceDefinitionSpec describes how a user wants their resource to appear
+#CustomResourceDefinitionSpec: {
+	// group is the API group of the defined custom resource.
+	// The custom resources are served under `/apis/<group>/...`.
+	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+	group: string @go(Group) @protobuf(1,bytes,opt)
+
+	// names specify the resource and kind names for the custom resource.
+	names: #CustomResourceDefinitionNames @go(Names) @protobuf(3,bytes,opt)
+
+	// scope indicates whether the defined custom resource is cluster- or namespace-scoped.
+	// Allowed values are `Cluster` and `Namespaced`.
+	scope: #ResourceScope @go(Scope) @protobuf(4,bytes,opt,casttype=ResourceScope)
+
+	// versions is the list of all API versions of the defined custom resource.
+	// Version names are used to compute the order in which served versions are listed in API discovery.
+	// If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered
+	// lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version),
+	// then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first
+	// by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing
+	// major version, then minor version. An example sorted list of versions:
+	// v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.
+	versions: [...#CustomResourceDefinitionVersion] @go(Versions,[]CustomResourceDefinitionVersion) @protobuf(7,bytes,rep)
+
+	// conversion defines conversion settings for the CRD.
+	// +optional
+	conversion?: null | #CustomResourceConversion @go(Conversion,*CustomResourceConversion) @protobuf(9,bytes,opt)
+
+	// preserveUnknownFields indicates that object fields which are not specified
+	// in the OpenAPI schema should be preserved when persisting to storage.
+	// apiVersion, kind, metadata and known fields inside metadata are always preserved.
+	// This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`.
+	// See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details.
+	// +optional
+	preserveUnknownFields?: bool @go(PreserveUnknownFields) @protobuf(10,varint,opt)
+}
+
+// CustomResourceConversion describes how to convert different versions of a CR.
+#CustomResourceConversion: {
+	// strategy specifies how custom resources are converted between versions. Allowed values are:
+	// - `"None"`: The converter only change the apiVersion and would not touch any other field in the custom resource.
+	// - `"Webhook"`: API Server will call to an external webhook to do the conversion. Additional information
+	//   is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.
+	strategy: #ConversionStrategyType @go(Strategy) @protobuf(1,bytes)
+
+	// webhook describes how to call the conversion webhook. Required when `strategy` is set to `"Webhook"`.
+	// +optional
+	webhook?: null | #WebhookConversion @go(Webhook,*WebhookConversion) @protobuf(2,bytes,opt)
+}
+
+// WebhookConversion describes how to call a conversion webhook
+#WebhookConversion: {
+	// clientConfig is the instructions for how to call the webhook if strategy is `Webhook`.
+	// +optional
+	clientConfig?: null | #WebhookClientConfig @go(ClientConfig,*WebhookClientConfig) @protobuf(2,bytes)
+
+	// conversionReviewVersions is an ordered list of preferred `ConversionReview`
+	// versions the Webhook expects. The API server will use the first version in
+	// the list which it supports. If none of the versions specified in this list
+	// are supported by API server, conversion will fail for the custom resource.
+	// If a persisted Webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail.
+	conversionReviewVersions: [...string] @go(ConversionReviewVersions,[]string) @protobuf(3,bytes,rep)
+}
+
+// WebhookClientConfig contains the information to make a TLS connection with the webhook.
+#WebhookClientConfig: {
+	// url gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	//
+	// +optional
+	url?: null | string @go(URL,*string) @protobuf(3,bytes,opt)
+
+	// service is a reference to the service for this webhook. Either
+	// service or url must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	//
+	// +optional
+	service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt)
+
+	// caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	// +optional
+	caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt)
+}
+
+// ServiceReference holds a reference to Service.legacy.k8s.io
+#ServiceReference: {
+	// namespace is the namespace of the service.
+	// Required
+	namespace: string @go(Namespace) @protobuf(1,bytes,opt)
+
+	// name is the name of the service.
+	// Required
+	name: string @go(Name) @protobuf(2,bytes,opt)
+
+	// path is an optional URL path at which the webhook will be contacted.
+	// +optional
+	path?: null | string @go(Path,*string) @protobuf(3,bytes,opt)
+
+	// port is an optional service port at which the webhook will be contacted.
+	// `port` should be a valid port number (1-65535, inclusive).
+	// Defaults to 443 for backward compatibility.
+	// +optional
+	port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt)
+}
+
+// CustomResourceDefinitionVersion describes a version for CRD.
+#CustomResourceDefinitionVersion: {
+	// name is the version name, e.g. “v1”, “v2beta1”, etc.
+	// The custom resources are served under this version at `/apis/<group>/<version>/...` if `served` is true.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// served is a flag enabling/disabling this version from being served via REST APIs
+	served: bool @go(Served) @protobuf(2,varint,opt)
+
+	// storage indicates this version should be used when persisting custom resources to storage.
+	// There must be exactly one version with storage=true.
+	storage: bool @go(Storage) @protobuf(3,varint,opt)
+
+	// deprecated indicates this version of the custom resource API is deprecated.
+	// When set to true, API requests to this version receive a warning header in the server response.
+	// Defaults to false.
+	// +optional
+	deprecated?: bool @go(Deprecated) @protobuf(7,varint,opt)
+
+	// deprecationWarning overrides the default warning returned to API clients.
+	// May only be set when `deprecated` is true.
+	// The default warning indicates this version is deprecated and recommends use
+	// of the newest served version of equal or greater stability, if one exists.
+	// +optional
+	deprecationWarning?: null | string @go(DeprecationWarning,*string) @protobuf(8,bytes,opt)
+
+	// schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource.
+	// +optional
+	schema?: null | #CustomResourceValidation @go(Schema,*CustomResourceValidation) @protobuf(4,bytes,opt)
+
+	// subresources specify what subresources this version of the defined custom resource have.
+	// +optional
+	subresources?: null | #CustomResourceSubresources @go(Subresources,*CustomResourceSubresources) @protobuf(5,bytes,opt)
+
+	// additionalPrinterColumns specifies additional columns returned in Table output.
+	// See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details.
+	// If no columns are specified, a single column displaying the age of the custom resource is used.
+	// +optional
+	additionalPrinterColumns?: [...#CustomResourceColumnDefinition] @go(AdditionalPrinterColumns,[]CustomResourceColumnDefinition) @protobuf(6,bytes,rep)
+}
+
+// CustomResourceColumnDefinition specifies a column for server side printing.
+#CustomResourceColumnDefinition: {
+	// name is a human readable name for the column.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// type is an OpenAPI type definition for this column.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+	type: string @go(Type) @protobuf(2,bytes,opt)
+
+	// format is an optional OpenAPI type definition for this column. The 'name' format is applied
+	// to the primary identifier column to assist in clients identifying column is the resource name.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+	// +optional
+	format?: string @go(Format) @protobuf(3,bytes,opt)
+
+	// description is a human readable description of this column.
+	// +optional
+	description?: string @go(Description) @protobuf(4,bytes,opt)
+
+	// priority is an integer defining the relative importance of this column compared to others. Lower
+	// numbers are considered higher priority. Columns that may be omitted in limited space scenarios
+	// should be given a priority greater than 0.
+	// +optional
+	priority?: int32 @go(Priority) @protobuf(5,bytes,opt)
+
+	// jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against
+	// each custom resource to produce the value for this column.
+	jsonPath: string @go(JSONPath) @protobuf(6,bytes,opt)
+}
+
+// CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition
+#CustomResourceDefinitionNames: {
+	// plural is the plural name of the resource to serve.
+	// The custom resources are served under `/apis/<group>/<version>/.../<plural>`.
+	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+	// Must be all lowercase.
+	plural: string @go(Plural) @protobuf(1,bytes,opt)
+
+	// singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`.
+	// +optional
+	singular?: string @go(Singular) @protobuf(2,bytes,opt)
+
+	// shortNames are short names for the resource, exposed in API discovery documents,
+	// and used by clients to support invocations like `kubectl get <shortname>`.
+	// It must be all lowercase.
+	// +optional
+	shortNames?: [...string] @go(ShortNames,[]string) @protobuf(3,bytes,opt)
+
+	// kind is the serialized kind of the resource. It is normally CamelCase and singular.
+	// Custom resource instances will use this value as the `kind` attribute in API calls.
+	kind: string @go(Kind) @protobuf(4,bytes,opt)
+
+	// listKind is the serialized kind of the list for this resource. Defaults to "`kind`List".
+	// +optional
+	listKind?: string @go(ListKind) @protobuf(5,bytes,opt)
+
+	// categories is a list of grouped resources this custom resource belongs to (e.g. 'all').
+	// This is published in API discovery documents, and used by clients to support invocations like
+	// `kubectl get all`.
+	// +optional
+	categories?: [...string] @go(Categories,[]string) @protobuf(6,bytes,rep)
+}
+
+// ResourceScope is an enum defining the different scopes available to a custom resource
+#ResourceScope: string // #enumResourceScope
+
+#enumResourceScope:
+	#ClusterScoped |
+	#NamespaceScoped
+
+#ClusterScoped:   #ResourceScope & "Cluster"
+#NamespaceScoped: #ResourceScope & "Namespaced"
+
+#ConditionStatus: string // #enumConditionStatus
+
+#enumConditionStatus:
+	#ConditionTrue |
+	#ConditionFalse |
+	#ConditionUnknown
+
+#ConditionTrue:    #ConditionStatus & "True"
+#ConditionFalse:   #ConditionStatus & "False"
+#ConditionUnknown: #ConditionStatus & "Unknown"
+
+// CustomResourceDefinitionConditionType is a valid value for CustomResourceDefinitionCondition.Type
+#CustomResourceDefinitionConditionType: string // #enumCustomResourceDefinitionConditionType
+
+#enumCustomResourceDefinitionConditionType:
+	#Established |
+	#NamesAccepted |
+	#NonStructuralSchema |
+	#Terminating |
+	#KubernetesAPIApprovalPolicyConformant
+
+// Established means that the resource has become active. A resource is established when all names are
+// accepted without a conflict for the first time. A resource stays established until deleted, even during
+// a later NamesAccepted due to changed names. Note that not all names can be changed.
+#Established: #CustomResourceDefinitionConditionType & "Established"
+
+// NamesAccepted means the names chosen for this CustomResourceDefinition do not conflict with others in
+// the group and are therefore accepted.
+#NamesAccepted: #CustomResourceDefinitionConditionType & "NamesAccepted"
+
+// NonStructuralSchema means that one or more OpenAPI schema is not structural.
+//
+// A schema is structural if it specifies types for all values, with the only exceptions of those with
+// - x-kubernetes-int-or-string: true — for fields which can be integer or string
+// - x-kubernetes-preserve-unknown-fields: true — for raw, unspecified JSON values
+// and there is no type, additionalProperties, default, nullable or x-kubernetes-* vendor extenions
+// specified under allOf, anyOf, oneOf or not.
+//
+// Non-structural schemas will not be allowed anymore in v1 API groups. Moreover, new features will not be
+// available for non-structural CRDs:
+// - pruning
+// - defaulting
+// - read-only
+// - OpenAPI publishing
+// - webhook conversion
+#NonStructuralSchema: #CustomResourceDefinitionConditionType & "NonStructuralSchema"
+
+// Terminating means that the CustomResourceDefinition has been deleted and is cleaning up.
+#Terminating: #CustomResourceDefinitionConditionType & "Terminating"
+
+// KubernetesAPIApprovalPolicyConformant indicates that an API in *.k8s.io or *.kubernetes.io is or is not approved.  For CRDs
+// outside those groups, this condition will not be set.  For CRDs inside those groups, the condition will
+// be true if .metadata.annotations["api-approved.kubernetes.io"] is set to a URL, otherwise it will be false.
+// See https://github.com/kubernetes/enhancements/pull/1111 for more details.
+#KubernetesAPIApprovalPolicyConformant: #CustomResourceDefinitionConditionType & "KubernetesAPIApprovalPolicyConformant"
+
+// CustomResourceDefinitionCondition contains details for the current condition of this pod.
+#CustomResourceDefinitionCondition: {
+	// type is the type of the condition. Types include Established, NamesAccepted and Terminating.
+	type: #CustomResourceDefinitionConditionType @go(Type) @protobuf(1,bytes,opt,casttype=CustomResourceDefinitionConditionType)
+
+	// status is the status of the condition.
+	// Can be True, False, Unknown.
+	status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus)
+
+	// lastTransitionTime last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// reason is a unique, one-word, CamelCase reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// message is a human-readable message indicating details about last transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition
+#CustomResourceDefinitionStatus: {
+	// conditions indicate state for particular aspects of a CustomResourceDefinition
+	// +optional
+	// +listType=map
+	// +listMapKey=type
+	conditions: [...#CustomResourceDefinitionCondition] @go(Conditions,[]CustomResourceDefinitionCondition) @protobuf(1,bytes,opt)
+
+	// acceptedNames are the names that are actually being used to serve discovery.
+	// They may be different than the names in spec.
+	// +optional
+	acceptedNames: #CustomResourceDefinitionNames @go(AcceptedNames) @protobuf(2,bytes,opt)
+
+	// storedVersions lists all versions of CustomResources that were ever persisted. Tracking these
+	// versions allows a migration path for stored versions in etcd. The field is mutable
+	// so a migration controller can finish a migration to another version (ensuring
+	// no old objects are left in storage), and then remove the rest of the
+	// versions from this list.
+	// Versions may not be removed from `spec.versions` while they exist in this list.
+	// +optional
+	storedVersions: [...string] @go(StoredVersions,[]string) @protobuf(3,bytes,rep)
+}
+
+#CustomResourceCleanupFinalizer: "customresourcecleanup.apiextensions.k8s.io"
+
+// CustomResourceDefinition represents a resource that should be exposed on the API server.  Its name MUST be in the format
+// <.spec.name>.<.spec.group>.
+#CustomResourceDefinition: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec describes how the user wants the resources to appear
+	spec: #CustomResourceDefinitionSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status indicates the actual state of the CustomResourceDefinition
+	// +optional
+	status?: #CustomResourceDefinitionStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// CustomResourceDefinitionList is a list of CustomResourceDefinition objects.
+#CustomResourceDefinitionList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items list individual CustomResourceDefinition objects
+	items: [...#CustomResourceDefinition] @go(Items,[]CustomResourceDefinition) @protobuf(2,bytes,rep)
+}
+
+// CustomResourceValidation is a list of validation methods for CustomResources.
+#CustomResourceValidation: {
+	// openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.
+	// +optional
+	openAPIV3Schema?: null | #JSONSchemaProps @go(OpenAPIV3Schema,*JSONSchemaProps) @protobuf(1,bytes,opt)
+}
+
+// CustomResourceSubresources defines the status and scale subresources for CustomResources.
+#CustomResourceSubresources: {
+	// status indicates the custom resource should serve a `/status` subresource.
+	// When enabled:
+	// 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object.
+	// 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.
+	// +optional
+	status?: null | #CustomResourceSubresourceStatus @go(Status,*CustomResourceSubresourceStatus) @protobuf(1,bytes,opt)
+
+	// scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.
+	// +optional
+	scale?: null | #CustomResourceSubresourceScale @go(Scale,*CustomResourceSubresourceScale) @protobuf(2,bytes,opt)
+}
+
+// CustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources.
+// Status is represented by the `.status` JSON path inside of a CustomResource. When set,
+// * exposes a /status subresource for the custom resource
+// * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza
+// * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza
+#CustomResourceSubresourceStatus: {
+}
+
+// CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.
+#CustomResourceSubresourceScale: {
+	// specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.spec`.
+	// If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.
+	specReplicasPath: string @go(SpecReplicasPath) @protobuf(1,bytes)
+
+	// statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.status`.
+	// If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource
+	// will default to 0.
+	statusReplicasPath: string @go(StatusReplicasPath) @protobuf(2,bytes,opt)
+
+	// labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.status` or `.spec`.
+	// Must be set to work with HorizontalPodAutoscaler.
+	// The field pointed by this JSON path must be a string field (not a complex selector struct)
+	// which contains a serialized label selector in string form.
+	// More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource
+	// If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale`
+	// subresource will default to the empty string.
+	// +optional
+	labelSelectorPath?: null | string @go(LabelSelectorPath,*string) @protobuf(3,bytes,opt)
+}
+
+// ConversionReview describes a conversion request/response.
+#ConversionReview: {
+	metav1.#TypeMeta
+
+	// request describes the attributes for the conversion request.
+	// +optional
+	request?: null | #ConversionRequest @go(Request,*ConversionRequest) @protobuf(1,bytes,opt)
+
+	// response describes the attributes for the conversion response.
+	// +optional
+	response?: null | #ConversionResponse @go(Response,*ConversionResponse) @protobuf(2,bytes,opt)
+}
+
+// ConversionRequest describes the conversion request parameters.
+#ConversionRequest: {
+	// uid is an identifier for the individual request/response. It allows distinguishing instances of requests which are
+	// otherwise identical (parallel requests, etc).
+	// The UID is meant to track the round trip (request/response) between the Kubernetes API server and the webhook, not the user request.
+	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+	uid: types.#UID @go(UID) @protobuf(1,bytes)
+
+	// desiredAPIVersion is the version to convert given objects to. e.g. "myapi.example.com/v1"
+	desiredAPIVersion: string @go(DesiredAPIVersion) @protobuf(2,bytes)
+
+	// objects is the list of custom resource objects to be converted.
+	objects: [...runtime.#RawExtension] @go(Objects,[]runtime.RawExtension) @protobuf(3,bytes,rep)
+}
+
+// ConversionResponse describes a conversion response.
+#ConversionResponse: {
+	// uid is an identifier for the individual request/response.
+	// This should be copied over from the corresponding `request.uid`.
+	uid: types.#UID @go(UID) @protobuf(1,bytes)
+
+	// convertedObjects is the list of converted version of `request.objects` if the `result` is successful, otherwise empty.
+	// The webhook is expected to set `apiVersion` of these objects to the `request.desiredAPIVersion`. The list
+	// must also have the same size as the input list with the same objects in the same order (equal kind, metadata.uid, metadata.name and metadata.namespace).
+	// The webhook is allowed to mutate labels and annotations. Any other change to the metadata is silently ignored.
+	convertedObjects: [...runtime.#RawExtension] @go(ConvertedObjects,[]runtime.RawExtension) @protobuf(2,bytes,rep)
+
+	// result contains the result of conversion with extra details if the conversion failed. `result.status` determines if
+	// the conversion failed or succeeded. The `result.status` field is required and represents the success or failure of the
+	// conversion. A successful conversion must set `result.status` to `Success`. A failed conversion must set
+	// `result.status` to `Failure` and provide more details in `result.message` and return http status 200. The `result.message`
+	// will be used to construct an error message for the end user.
+	result: metav1.#Status @go(Result) @protobuf(3,bytes)
+}

timoni/podinfo/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue

@@ -0,0 +1,317 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+// FieldValueErrorReason is a machine-readable value providing more detail about why a field failed the validation.
+// +enum
+#FieldValueErrorReason: string // #enumFieldValueErrorReason
+
+#enumFieldValueErrorReason:
+	#FieldValueRequired |
+	#FieldValueDuplicate |
+	#FieldValueInvalid |
+	#FieldValueForbidden
+
+// FieldValueRequired is used to report required values that are not
+// provided (e.g. empty strings, null values, or empty arrays).
+#FieldValueRequired: #FieldValueErrorReason & "FieldValueRequired"
+
+// FieldValueDuplicate is used to report collisions of values that must be
+// unique (e.g. unique IDs).
+#FieldValueDuplicate: #FieldValueErrorReason & "FieldValueDuplicate"
+
+// FieldValueInvalid is used to report malformed values (e.g. failed regex
+// match, too long, out of bounds).
+#FieldValueInvalid: #FieldValueErrorReason & "FieldValueInvalid"
+
+// FieldValueForbidden is used to report valid (as per formatting rules)
+// values which would be accepted under some conditions, but which are not
+// permitted by the current conditions (such as security policy).
+#FieldValueForbidden: #FieldValueErrorReason & "FieldValueForbidden"
+
+// JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/).
+#JSONSchemaProps: {
+	id?:          string         @go(ID) @protobuf(1,bytes,opt)
+	$schema?:     #JSONSchemaURL @go(Schema) @protobuf(2,bytes,opt,name=schema)
+	$ref?:        null | string  @go(Ref,*string) @protobuf(3,bytes,opt,name=ref)
+	description?: string         @go(Description) @protobuf(4,bytes,opt)
+	type?:        string         @go(Type) @protobuf(5,bytes,opt)
+
+	// format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated:
+	//
+	// - bsonobjectid: a bson object ID, i.e. a 24 characters hex string
+	// - uri: an URI as parsed by Golang net/url.ParseRequestURI
+	// - email: an email address as parsed by Golang net/mail.ParseAddress
+	// - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034].
+	// - ipv4: an IPv4 IP as parsed by Golang net.ParseIP
+	// - ipv6: an IPv6 IP as parsed by Golang net.ParseIP
+	// - cidr: a CIDR as parsed by Golang net.ParseCIDR
+	// - mac: a MAC address as parsed by Golang net.ParseMAC
+	// - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$
+	// - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$
+	// - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
+	// - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
+	// - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041"
+	// - isbn10: an ISBN10 number string like "0321751043"
+	// - isbn13: an ISBN13 number string like "978-0321751041"
+	// - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})$ with any non digit characters mixed in
+	// - ssn: a U.S. social security number following the regex ^\\d{3}[- ]?\\d{2}[- ]?\\d{4}$
+	// - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$
+	// - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559"
+	// - byte: base64 encoded binary data
+	// - password: any kind of string
+	// - date: a date string like "2006-01-02" as defined by full-date in RFC3339
+	// - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format
+	// - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.
+	format?: string @go(Format) @protobuf(6,bytes,opt)
+	title?:  string @go(Title) @protobuf(7,bytes,opt)
+
+	// default is a default value for undefined object fields.
+	// Defaulting is a beta feature under the CustomResourceDefaulting feature gate.
+	// Defaulting requires spec.preserveUnknownFields to be false.
+	default?:          null | #JSON   @go(Default,*JSON) @protobuf(8,bytes,opt)
+	maximum?:          null | float64 @go(Maximum,*float64) @protobuf(9,bytes,opt)
+	exclusiveMaximum?: bool           @go(ExclusiveMaximum) @protobuf(10,bytes,opt)
+	minimum?:          null | float64 @go(Minimum,*float64) @protobuf(11,bytes,opt)
+	exclusiveMinimum?: bool           @go(ExclusiveMinimum) @protobuf(12,bytes,opt)
+	maxLength?:        null | int64   @go(MaxLength,*int64) @protobuf(13,bytes,opt)
+	minLength?:        null | int64   @go(MinLength,*int64) @protobuf(14,bytes,opt)
+	pattern?:          string         @go(Pattern) @protobuf(15,bytes,opt)
+	maxItems?:         null | int64   @go(MaxItems,*int64) @protobuf(16,bytes,opt)
+	minItems?:         null | int64   @go(MinItems,*int64) @protobuf(17,bytes,opt)
+	uniqueItems?:      bool           @go(UniqueItems) @protobuf(18,bytes,opt)
+	multipleOf?:       null | float64 @go(MultipleOf,*float64) @protobuf(19,bytes,opt)
+	enum?: [...#JSON] @go(Enum,[]JSON) @protobuf(20,bytes,rep)
+	maxProperties?: null | int64 @go(MaxProperties,*int64) @protobuf(21,bytes,opt)
+	minProperties?: null | int64 @go(MinProperties,*int64) @protobuf(22,bytes,opt)
+	required?: [...string] @go(Required,[]string) @protobuf(23,bytes,rep)
+	items?: null | #JSONSchemaPropsOrArray @go(Items,*JSONSchemaPropsOrArray) @protobuf(24,bytes,opt)
+	allOf?: [...#JSONSchemaProps] @go(AllOf,[]JSONSchemaProps) @protobuf(25,bytes,rep)
+	oneOf?: [...#JSONSchemaProps] @go(OneOf,[]JSONSchemaProps) @protobuf(26,bytes,rep)
+	anyOf?: [...#JSONSchemaProps] @go(AnyOf,[]JSONSchemaProps) @protobuf(27,bytes,rep)
+	not?: null | #JSONSchemaProps @go(Not,*JSONSchemaProps) @protobuf(28,bytes,opt)
+	properties?: {[string]: #JSONSchemaProps} @go(Properties,map[string]JSONSchemaProps) @protobuf(29,bytes,rep)
+	additionalProperties?: null | #JSONSchemaPropsOrBool @go(AdditionalProperties,*JSONSchemaPropsOrBool) @protobuf(30,bytes,opt)
+	patternProperties?: {[string]: #JSONSchemaProps} @go(PatternProperties,map[string]JSONSchemaProps) @protobuf(31,bytes,rep)
+	dependencies?:    #JSONSchemaDependencies       @go(Dependencies) @protobuf(32,bytes,opt)
+	additionalItems?: null | #JSONSchemaPropsOrBool @go(AdditionalItems,*JSONSchemaPropsOrBool) @protobuf(33,bytes,opt)
+	definitions?:     #JSONSchemaDefinitions        @go(Definitions) @protobuf(34,bytes,opt)
+	externalDocs?:    null | #ExternalDocumentation @go(ExternalDocs,*ExternalDocumentation) @protobuf(35,bytes,opt)
+	example?:         null | #JSON                  @go(Example,*JSON) @protobuf(36,bytes,opt)
+	nullable?:        bool                          @go(Nullable) @protobuf(37,bytes,opt)
+
+	// x-kubernetes-preserve-unknown-fields stops the API server
+	// decoding step from pruning fields which are not specified
+	// in the validation schema. This affects fields recursively,
+	// but switches back to normal pruning behaviour if nested
+	// properties or additionalProperties are specified in the schema.
+	// This can either be true or undefined. False is forbidden.
+	"x-kubernetes-preserve-unknown-fields"?: null | bool @go(XPreserveUnknownFields,*bool) @protobuf(38,bytes,opt,name=xKubernetesPreserveUnknownFields)
+
+	// x-kubernetes-embedded-resource defines that the value is an
+	// embedded Kubernetes runtime.Object, with TypeMeta and
+	// ObjectMeta. The type must be object. It is allowed to further
+	// restrict the embedded object. kind, apiVersion and metadata
+	// are validated automatically. x-kubernetes-preserve-unknown-fields
+	// is allowed to be true, but does not have to be if the object
+	// is fully specified (up to kind, apiVersion, metadata).
+	"x-kubernetes-embedded-resource"?: bool @go(XEmbeddedResource) @protobuf(39,bytes,opt,name=xKubernetesEmbeddedResource)
+
+	// x-kubernetes-int-or-string specifies that this value is
+	// either an integer or a string. If this is true, an empty
+	// type is allowed and type as child of anyOf is permitted
+	// if following one of the following patterns:
+	//
+	// 1) anyOf:
+	//    - type: integer
+	//    - type: string
+	// 2) allOf:
+	//    - anyOf:
+	//      - type: integer
+	//      - type: string
+	//    - ... zero or more
+	"x-kubernetes-int-or-string"?: bool @go(XIntOrString) @protobuf(40,bytes,opt,name=xKubernetesIntOrString)
+
+	// x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used
+	// as the index of the map.
+	//
+	// This tag MUST only be used on lists that have the "x-kubernetes-list-type"
+	// extension set to "map". Also, the values specified for this attribute must
+	// be a scalar typed field of the child structure (no nesting is supported).
+	//
+	// The properties specified must either be required or have a default value,
+	// to ensure those properties are present for all list items.
+	//
+	// +optional
+	"x-kubernetes-list-map-keys"?: [...string] @go(XListMapKeys,[]string) @protobuf(41,bytes,rep,name=xKubernetesListMapKeys)
+
+	// x-kubernetes-list-type annotates an array to further describe its topology.
+	// This extension must only be used on lists and may have 3 possible values:
+	//
+	// 1) `atomic`: the list is treated as a single entity, like a scalar.
+	//      Atomic lists will be entirely replaced when updated. This extension
+	//      may be used on any type of list (struct, scalar, ...).
+	// 2) `set`:
+	//      Sets are lists that must not have multiple items with the same value. Each
+	//      value must be a scalar, an object with x-kubernetes-map-type `atomic` or an
+	//      array with x-kubernetes-list-type `atomic`.
+	// 3) `map`:
+	//      These lists are like maps in that their elements have a non-index key
+	//      used to identify them. Order is preserved upon merge. The map tag
+	//      must only be used on a list with elements of type object.
+	// Defaults to atomic for arrays.
+	// +optional
+	"x-kubernetes-list-type"?: null | string @go(XListType,*string) @protobuf(42,bytes,opt,name=xKubernetesListType)
+
+	// x-kubernetes-map-type annotates an object to further describe its topology.
+	// This extension must only be used when type is object and may have 2 possible values:
+	//
+	// 1) `granular`:
+	//      These maps are actual maps (key-value pairs) and each fields are independent
+	//      from each other (they can each be manipulated by separate actors). This is
+	//      the default behaviour for all maps.
+	// 2) `atomic`: the list is treated as a single entity, like a scalar.
+	//      Atomic maps will be entirely replaced when updated.
+	// +optional
+	"x-kubernetes-map-type"?: null | string @go(XMapType,*string) @protobuf(43,bytes,opt,name=xKubernetesMapType)
+
+	// x-kubernetes-validations describes a list of validation rules written in the CEL expression language.
+	// This field is an alpha-level. Using this field requires the feature gate `CustomResourceValidationExpressions` to be enabled.
+	// +patchMergeKey=rule
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=rule
+	"x-kubernetes-validations"?: #ValidationRules @go(XValidations) @protobuf(44,bytes,rep,name=xKubernetesValidations)
+}
+
+// ValidationRules describes a list of validation rules written in the CEL expression language.
+#ValidationRules: [...#ValidationRule]
+
+// ValidationRule describes a validation rule written in the CEL expression language.
+#ValidationRule: {
+	// Rule represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// The Rule is scoped to the location of the x-kubernetes-validations extension in the schema.
+	// The `self` variable in the CEL expression is bound to the scoped value.
+	// Example:
+	// - Rule scoped to the root of a resource with a status subresource: {"rule": "self.status.actual <= self.spec.maxDesired"}
+	//
+	// If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable
+	// via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as
+	// absent fields in CEL expressions.
+	// If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map
+	// are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map
+	// are accessible via CEL macros and functions such as `self.all(...)`.
+	// If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and
+	// functions.
+	// If the Rule is scoped to a scalar, `self` is bound to the scalar value.
+	// Examples:
+	// - Rule scoped to a map of objects: {"rule": "self.components['Widget'].priority < 10"}
+	// - Rule scoped to a list of integers: {"rule": "self.values.all(value, value >= 0 && value < 100)"}
+	// - Rule scoped to a string value: {"rule": "self.startsWith('kube')"}
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible.
+	//
+	// Unknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL
+	// expressions. This includes:
+	// - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields.
+	// - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as:
+	//   - A schema with no type and x-kubernetes-preserve-unknown-fields set to true
+	//   - An array where the items schema is of an "unknown type"
+	//   - An object where the additionalProperties schema is of an "unknown type"
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	//	  "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	//	  "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	//   - Rule accessing a property named "namespace": {"rule": "self.__namespace__ > 0"}
+	//   - Rule accessing a property named "x-prop": {"rule": "self.x__dash__prop > 0"}
+	//   - Rule accessing a property named "redact__d": {"rule": "self.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	//   - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	//     non-intersecting elements in `Y` are appended, retaining their partial order.
+	//   - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	//     are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	//     non-intersecting keys are appended, retaining their partial order.
+	rule: string @go(Rule) @protobuf(1,bytes,opt)
+
+	// Message represents the message displayed when validation fails. The message is required if the Rule contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	message?: string @go(Message) @protobuf(2,bytes,opt)
+
+	// MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a rule, then messageExpression will be used if validation
+	// fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the rule; the only difference is the return type.
+	// Example:
+	// "x must be less than max ("+string(self.max)+")"
+	// +optional
+	messageExpression?: string @go(MessageExpression) @protobuf(3,bytes,opt)
+
+	// reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule.
+	// The HTTP status code returned to the caller will match the reason of the reason of the first failed validation rule.
+	// The currently supported reasons are: "FieldValueInvalid", "FieldValueForbidden", "FieldValueRequired", "FieldValueDuplicate".
+	// If not set, default to use "FieldValueInvalid".
+	// All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid.
+	// +optional
+	reason?: null | #FieldValueErrorReason @go(Reason,*FieldValueErrorReason) @protobuf(4,bytes,opt)
+
+	// fieldPath represents the field path returned when the validation fails.
+	// It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field.
+	// e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo`
+	// If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList`
+	// It does not support list numeric index.
+	// It supports child operation to refer to an existing field currently. Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info.
+	// Numeric index of array is not supported.
+	// For field name which contains special characters, use `['specialName']` to refer the field name.
+	// e.g. for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']`
+	// +optional
+	fieldPath?: string @go(FieldPath) @protobuf(5,bytes,opt)
+}
+
+// JSON represents any valid JSON value.
+// These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.
+#JSON: _
+
+// JSONSchemaURL represents a schema url.
+#JSONSchemaURL: string
+
+// JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps
+// or an array of JSONSchemaProps. Mainly here for serialization purposes.
+#JSONSchemaPropsOrArray: _
+
+// JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value.
+// Defaults to true for the boolean property.
+#JSONSchemaPropsOrBool: _
+
+// JSONSchemaDependencies represent a dependencies property.
+#JSONSchemaDependencies: {[string]: #JSONSchemaPropsOrStringArray}
+
+// JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array.
+#JSONSchemaPropsOrStringArray: _
+
+// JSONSchemaDefinitions contains the models explicitly defined in this spec.
+#JSONSchemaDefinitions: {[string]: #JSONSchemaProps}
+
+// ExternalDocumentation allows referencing an external resource for extended documentation.
+#ExternalDocumentation: {
+	description?: string @go(Description) @protobuf(1,bytes,opt)
+	url?:         string @go(URL) @protobuf(2,bytes,opt)
+}

timoni/podinfo/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue

@@ -0,0 +1,47 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// Scale is used for getting and setting the base-10 scaled value.
+// Base-2 scales are omitted for mathematical simplicity.
+// See Quantity.ScaledValue for more details.
+#Scale: int32 // #enumScale
+
+#enumScale:
+	#Nano |
+	#Micro |
+	#Milli |
+	#Kilo |
+	#Mega |
+	#Giga |
+	#Tera |
+	#Peta |
+	#Exa
+
+#values_Scale: {
+	Nano:  #Nano
+	Micro: #Micro
+	Milli: #Milli
+	Kilo:  #Kilo
+	Mega:  #Mega
+	Giga:  #Giga
+	Tera:  #Tera
+	Peta:  #Peta
+	Exa:   #Exa
+}
+
+#Nano:  #Scale & -9
+#Micro: #Scale & -6
+#Milli: #Scale & -3
+#Kilo:  #Scale & 3
+#Mega:  #Scale & 6
+#Giga:  #Scale & 9
+#Tera:  #Scale & 12
+#Peta:  #Scale & 15
+#Exa:   #Scale & 18
+
+// infDecAmount implements common operations over an inf.Dec that are specific to the quantity
+// representation.
+_#infDecAmount: string

timoni/podinfo/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue

@@ -0,0 +1,13 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// maxInt64Factors is the highest value that will be checked when removing factors of 10 from an int64.
+// It is also the maximum decimal digits that can be represented with an int64.
+_#maxInt64Factors: 18
+
+_#mostNegative: -9223372036854775808
+
+_#mostPositive: 9223372036854775807

timoni/podinfo/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// Quantity is a fixed-point representation of a number.
+// It provides convenient marshaling/unmarshaling in JSON and YAML,
+// in addition to String() and AsInt64() accessors.
+//
+// The serialization format is:
+//
+// ```
+// <quantity>        ::= <signedNumber><suffix>
+//
+//	(Note that <suffix> may be empty, from the "" case in <decimalSI>.)
+//
+// <digit>           ::= 0 | 1 | ... | 9
+// <digits>          ::= <digit> | <digit><digits>
+// <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits>
+// <sign>            ::= "+" | "-"
+// <signedNumber>    ::= <number> | <sign><number>
+// <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI>
+// <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei
+//
+//	(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)
+//
+// <decimalSI>       ::= m | "" | k | M | G | T | P | E
+//
+//	(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)
+//
+// <decimalExponent> ::= "e" <signedNumber> | "E" <signedNumber>
+// ```
+//
+// No matter which of the three exponent forms is used, no quantity may represent
+// a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal
+// places. Numbers larger or more precise will be capped or rounded up.
+// (E.g.: 0.1m will rounded up to 1m.)
+// This may be extended in the future if we require larger or smaller quantities.
+//
+// When a Quantity is parsed from a string, it will remember the type of suffix
+// it had, and will use the same type again when it is serialized.
+//
+// Before serializing, Quantity will be put in "canonical form".
+// This means that Exponent/suffix will be adjusted up or down (with a
+// corresponding increase or decrease in Mantissa) such that:
+//
+// - No precision is lost
+// - No fractional digits will be emitted
+// - The exponent (or suffix) is as large as possible.
+//
+// The sign will be omitted unless the number is negative.
+//
+// Examples:
+//
+// - 1.5 will be serialized as "1500m"
+// - 1.5Gi will be serialized as "1536Mi"
+//
+// Note that the quantity will NEVER be internally represented by a
+// floating point number. That is the whole point of this exercise.
+//
+// Non-canonical values will still parse as long as they are well formed,
+// but will be re-emitted in their canonical form. (So always use canonical
+// form, or don't diff.)
+//
+// This format is intended to make it difficult to use these numbers without
+// writing some sort of special handling code in the hopes that that will
+// cause implementors to also use a fixed point implementation.
+//
+// +protobuf=true
+// +protobuf.embed=string
+// +protobuf.options.marshal=false
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:deepcopy-gen=true
+// +k8s:openapi-gen=true
+#Quantity: _
+
+// CanonicalValue allows a quantity amount to be converted to a string.
+#CanonicalValue: _
+
+// Format lists the three possible formattings of a quantity.
+#Format: string // #enumFormat
+
+#enumFormat:
+	#DecimalExponent |
+	#BinarySI |
+	#DecimalSI
+
+#DecimalExponent: #Format & "DecimalExponent"
+#BinarySI:        #Format & "BinarySI"
+#DecimalSI:       #Format & "DecimalSI"
+
+// splitREString is used to separate a number from its suffix; as such,
+// this is overly permissive, but that's OK-- it will be checked later.
+_#splitREString: "^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
+
+_#int64QuantityExpectedBytes: 18
+
+// QuantityValue makes it possible to use a Quantity as value for a command
+// line parameter.
+//
+// +protobuf=true
+// +protobuf.embed=string
+// +protobuf.options.marshal=false
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:deepcopy-gen=true
+#QuantityValue: _

timoni/podinfo/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+_#suffix: string
+
+// suffixer can interpret and construct suffixes.
+_#suffixer: _