Skip to content


A Timoni module contains a set of CUE definitions and constraints organised into a CUE module with an opinionated file structure.

File Structure

A module consists of a collection of CUE files inside a directory with the following structure:

├── cue.mod
│   ├── gen # Kubernetes APIs and CRDs schemas   ├── pkg # Timoni APIs schemas   └── module.cue # Module metadata
├── templates
│   ├── config.cue # Config schema and default values   ├── deployment.cue # Kubernetes Deployment template   └── service.cue # Kubernetes Service template
├── timoni.cue # Timoni entry point
├── timoni.ignore # Timoni ignore rules
└── values.cue # Timoni values placeholder

To create a new module in the current directory:

timoni mod init myapp .

Entry point

The timoni.cue file contains the definition of how Timoni should validate, build and deploy a module instance.

This file is generated by timoni mod init with the following content:

// source: myapp/timoni.cue

package main

import (
    templates ""

// Define the schema for the user-supplied values.
// At runtime, Timoni injects the supplied values
// and validates them according to the Config schema.
values: templates.#Config

// Define how Timoni should build, validate and
// apply the Kubernetes resources.
timoni: {
    apiVersion: "v1alpha1"

    // Define the instance that generates the Kubernetes resources.
    // At runtime, Timoni builds the instance and validates
    // the resulting resources according to their Kubernetes schema.
    instance: templates.#Instance & {
        // The user-supplied values are merged with the
        // default values at runtime by Timoni.
        config: values
        // These values are injected at runtime by Timoni.
        config: {
            metadata: {
                name:      string @tag(name)
                namespace: string @tag(namespace)
            moduleVersion: string @tag(mv, var=moduleVersion)
            kubeVersion:   string @tag(kv, var=kubeVersion)

    // Enforce minimum Kubernetes version.
    kubeMinorVersion: int & >=20
    kubeMinorVersion: strconv.Atoi(strings.Split(instance.config.kubeVersion, ".")[1])

    // Pass the generated Kubernetes resources
    // to Timoni's multi-step apply.
    apply: all: [ for obj in instance.objects {obj}]

Kubernetes min version

At apply-time, Timoni injects the Kubernetes version from the live cluster. To enforce a minimum supported version for your module, set a constraint for the minor version e.g. kubeMinorVersion: int & >=20.

To test the constraint, you can use the TIMONI_KUBE_VERSION env var with timoni mod vet and timoni build.

$ TIMONI_KUBE_VERSION=1.19.0 timoni mod vet ./myapp
validation failed: timoni.kubeMinorVersion: invalid value 19 (out of bound >=20)


The timoni.ignore file contains rules in the .gitignore pattern format. The paths matching the defined rules are excluded when publishing the module to a container registry.

The recommended ignore patterns are:


# Go



The values.cue file holds the default values. Note that this file must have no imports and all values must be concrete.

// source: myapp/values.cue

values: {
    message: "Hello World"
    image: {
        repository: ""
        digest:     "sha256:d2b0e52d7c2e5dd9fe5266b163e14d41ed97fd380deb55a36ff17efd145549cd"
        tag:        "1.25.1"

The values schema is set in the timoni.cue file:

// source: myapp/timoni.cue

values: templates.#Config

Note that the file should contain the config values schema documentation.


The templates directory is where module authors define Kubernetes resources and their configuration schema.


The schema and defaults for the user-supplied values are defined in templates/config.cue.

Example of a minimal config for an app deployment:

// source: myapp/templates/config.cue

#Config: {
    moduleVersion!: string
    kubeVersion!:   string

    metadata: timoniv1.#Metadata & {#Version: moduleVersion}
    selector: timoniv1.#Selector & {#Name:}

    image:           timoniv1.#Image
    imagePullPolicy: *"IfNotPresent" | string

    replicas: *1 | int & >0
    service: port: *80 | int & >0 & <=65535
    resources?: corev1.#ResourceRequirements

The user-supplied values can:

  • add annotations and labels to metadata
  • change the service port to a different value
  • set resource requirements requests and/or limits
  • set the image repository, tag and digest
// source: myapp-values/values.cue

values: {
    metadata: {
        labels: "": "frontend"
        annontations: "":        "web-team"
    service: port: 8080
    resources: limits: memory: "1Gi"

When creating an instance, Timoni unifies the user-supplied values with the defaults and sets the metadata for all Kubernetes resources to:

  name: "<instance-name>"
  namespace: "<instance-namespace>"
  labels: "<instance-name>" "<module-name>" "frontend"
  annotations: "web-team"

Note that and labels are automatically generated by timoniv1.#Metadata.


Example of defining an instance containing a Kubernetes Service and Deployment:

// source: myapp/templates/config.cue

#Instance: {
    config: #Config

    objects: {
        svc:    #Service & {_config:        config}
        deploy: #Deployment & {_config:     config}

Kubernetes resources

Example of a Kubernetes Service template:

// source: myapp/templates/service.cue

package templates

import (
    corev1 ""

#Service: corev1.#Service & {
    _config:    #Config
    apiVersion: "v1"
    kind:       "Service"
    metadata:   _config.metadata
    spec:       corev1.#ServiceSpec & {
        type:     corev1.#ServiceTypeClusterIP
        selector: _config.selector.labels
        ports: [
                port:       _config.service.port
                protocol:   "TCP"
                name:       "http"
                targetPort: name

Note that the service pod selector is automatically set to <instance-name> by timoniv1.#Selector.

End-users can add their own custom labels to the selector e.g.:

// source: myapp-values/values.cue

values: {
    selector: labels: {
        "": "auth"
        "":   "frontend"

Timoni will add the custom labels to the Deployment selector, PodSpec labels and Service selector.

Controlling the apply behaviour

Timoni allows module authors to change the default apply behaviour of Kubernetes resources using the following annotations:

Annotation Values - enabled
- disabled - enabled
- disabled - enabled
- disabled

To recreate immutable resources such as Kubernetes Jobs, these resources can be annotated with "enabled".

To apply resources only if they don't exist on the cluster, these resources can be annotated with "enabled".

To prevent Timoni's garbage collector from deleting certain resources such as Kubernetes Persistent Volumes, these resources can be annotated with "disabled".

Running tests with Kubernetes Jobs

Module authors can write end-to-end tests that are run by Timoni, after the app workloads are deployed on a cluster. Tests are defined as Kubernetes Jobs that can be placed inside the templates directory.

Example of a test that verifies that an app is accessible from inside the cluster:

// source: myapp/templates/job.cue

#TestJob: batchv1.#Job & {
    _config:    #Config
    apiVersion: "batch/v1"
    kind:       "Job"
    metadata:   _config.metadata
    metadata: annotations: timoniv1.action.force
    spec: batchv1.#JobSpec & {
        template: corev1.#PodTemplateSpec & {
            metadata: labels: _config.metadata.labels
            let _checksum = uuid.SHA1(uuid.ns.DNS, yaml.Marshal(_config))
            metadata: annotations: "": "\(_checksum)"
            spec: {
                containers: [{
                    name:            "curl"
                    image:           _config.test.image.reference
                    imagePullPolicy: _config.imagePullPolicy
                    command: [
                restartPolicy: "Never"

After the app workloads are installed and become ready, Timoni will apply the Kubernetes Jobs and wait for the created pods to run to completion. On upgrades, Timoni will delete the previous test pods and will recreate the Jobs for the current module values and version.

Test runs are idempotent, if the values or the module version doesn't change, Timoni will not create new test pods, tests are run only when a drift is detected in desired state.

A complete example of defining end-to-end tests can be found in modules created with timoni mod init.

Kubernetes schemas

To ensure that the Kubernetes resources defined in a module are in conformance with their OpenAPI schema, Timoni offers commands for vendoring CUE definitions generated from the Kubernetes builtin APIs and CRDs.

Kubernetes builtin APIs

The cue.mod/gen/ directory contains the Kubernetes GA API types and their schema. These files are automatically generated by CUE from the Kubernetes API Go packages.

    ├── api
    │   ├── admission
    │   ├── admissionregistration
    │   ├── apps
    │   ├── authentication
    │   ├── authorization
    │   ├── autoscaling
    │   ├── batch
    │   ├── certificates
    │   ├── coordination
    │   ├── core
    │   ├── discovery
    │   ├── events
    │   ├── networking
    │   ├── node
    │   ├── policy
    │   ├── rbac
    │   ├── scheduling
    │   └── storage
    ├── apiextensions-apiserver
    └── apimachinery

To update the schemas to a specific Kubernetes version, run the following command from within the module root directory:

timoni mod vendor k8s -v 1.28

Kubernetes CRDs

To use 3rd-party Kubernetes APIs e.g. Prometheus Operator, you can point Timoni to a YAML file which contains the Kubernetes CRDs:

timoni mod vendor crds -f

Timoni generates the CUE schemas corresponding to the Kubernetes CRDs inside the cue.mod/gen directory:

    ├── alertmanager
    ├── alertmanagerconfig
    ├── podmonitor
    ├── probe
    ├── prometheus
    ├── prometheusagent
    ├── prometheusrule
    ├── scrapeconfig
    ├── servicemonitor
    └── thanosruler

Example of a ServiceMonitor custom resource:

// source: myapp/templates/servicemonitor.cue

package templates

import (
    promv1 ""

#ServiceMonitor: promv1.#ServiceMonitor & {
    _config:    #Config
    metadata:   _config.metadata
    spec: {
        endpoints: [{
            path:     "/metrics"
            port:     "http-metrics"
            interval: "\(_config.monitoring.interval)s"
        namespaceSelector: matchNames: [_config.metadata.namespace]
        selector: matchLabels: _config.selector.labels

Note that for Kubernetes custom resources, you don't need to specify the apiVersion and kind, these fields are set by Timoni in the generated schema.