core

type BootstrapClusterArgs struct {
	*CreateDevEnvArgs
	SkipClusterctlMove bool
}

type CreateDevEnvArgs struct {
	ManagementClusterName string

	SkipMonitoringSetup,
	SkipPRWorkflow,

	IsPartOfDisasterRecovery bool
}

type ProvisionAndSetupMainClusterArgs struct {
	*BootstrapClusterArgs
	GitAuthMethod transport.AuthMethod
}

type SetupClusterArgs struct {
	*CreateDevEnvArgs

	ClusterType   string
	ClusterClient client.Client

	GitAuthMethod transport.AuthMethod
}

type SetupKubeAidConfigArgs struct {
	*CreateDevEnvArgs
	GitAuthMethod transport.AuthMethod
}

type TemplateValues struct {
	GeneralConfigFileContents string

	config.GitConfig
	config.ForksConfig

	config.ClusterConfig
	*config.KubePrometheusConfig
	CAPIClusterNamespace string

	AWSConfig      *config.AWSConfig
	AWSCredentials *config.AWSCredentials
	AWSB64EncodedCredentials,
	AWSAccountID string

	AzureConfig      *config.AzureConfig
	AzureCredentials *config.AzureCredentials
	CAPIUAMIClientID,
	VeleroUAMIClientID,
	AzureStorageAccountAccessKey,
	ServiceAccountIssuerURL string

	HetznerConfig      *config.HetznerConfig
	HetznerCredentials *config.HetznerCredentials

	BareMetalConfig *config.BareMetalConfig

	/*
		There are scenarios when we know the control-plane endpoint before the cluster is provisioned :

		  (1) When provisioning an HCloud / Hetzner hybrid cluster, and we have a VPN cluster.

		  (2) When provisioning a Bare Metal / Hetzner Bare Metal cluster; the user specifies it.

		For Hetzner HCloud / hybrid VPN clusters, the endpoint is either the pre-provisioned
		LB private IP, or a configured hostname. When a hostname is configured, kubeaid-cli
		renders the hostname and manages bootstrap/private DNS mapping separately.

		Otherwise, we need to wait until the cluster has been provisioned. Once the cluster is
		provisioned, we get the control-plane endpoint from the Cluster resource. And then it's
		specified to Cilium.

		NOTE : Initially Cilium is installed using the postKubeadm hook in the KubeadmControlPlane
		       resource. The control-plane endpoint is determined from the kubeconfig file in the node.
	*/
	ControlPlaneEndpoint string

	// ControlPlaneLBPrivateIP and ControlPlaneLBBootstrapPublicIP
	// are the HCloud load-balancer's private (steady-state) and
	// bootstrap-only public IPs. Populated only on HCloud-VPN
	// clusters where a control-plane endpoint FQDN is configured;
	// the CoreDNS ConfigMap renders both as A records for the
	// endpoint so resolution works during the bootstrap window
	// (public IP) and after NetBird is up (private IP through the
	// mesh).
	ControlPlaneLBPrivateIP         string
	ControlPlaneLBBootstrapPublicIP string

	// ControlPlaneExtraCertSANs are extra DNS names rendered into
	// the chart's values so kubeadm includes them in the apiserver
	// TLS cert SAN list (alongside the primary endpoint). Used for
	// mesh-side hostnames like a NetBird-form name.
	ControlPlaneExtraCertSANs []string

	ExtraKnownHosts []string

	*config.DisasterRecoveryConfig

	*config.ObmondoConfig
	*config.ObmondoCredentials

	// Subject CN of the Obmondo-issued mTLS cert (ObmondoConfig.CertPath),
	// populated when Obmondo.Monitoring is true. Used in
	// cluster-vars.jsonnet.tmpl as the required `certname` field.
	ObmondoCertCN string

	// Raw file contents of ObmondoConfig.CertPath / KeyPath, populated when
	// Obmondo.Monitoring is true. Base64-encoded into the obmondo-clientcert
	// sealed-secret templates (one per consuming namespace). Stored as strings
	// because go-sprout's base64Encode takes a string, not []byte.
	ObmondoCertFileContents string
	ObmondoKeyFileContents  string

	// KeycloakAdminPassword is the plaintext password templated into
	// the keycloak-admin SealedSecret. Populated only when
	// managedKeycloakEnabled.
	KeycloakAdminPassword string

	// NetBirdBackendClientSecret is the pre-generated OIDC client
	// secret for the `netbird-backend` confidential client. The
	// same value is templated into the netbird SealedSecret AND
	// passed through to ReconcileClient as spec.Secret so Keycloak
	// stores what NetBird's chart already expects in the cluster
	// Secret — single git push, single sync.
	NetBirdBackendClientSecret string

	// Random keys read-or-generated for the netbird Secret on
	// managed-Keycloak VPN clusters. Each is persisted in the
	// in-cluster Secret so re-runs converge to the same value.
	//   DatastoreKey  base64(32 bytes) -> NetBird Mgmt's AES key
	//   RelayPassword alphanumeric     -> Relay shared secret
	//   TurnPassword  alphanumeric     -> matches TURN auth on
	//                                     both Mgmt and Coturn
	NetBirdDatastoreKey  string
	NetBirdRelayPassword string
	NetBirdTurnPassword  string

	// Constant client IDs the gocloak reconciler creates in the
	// realm. Surfaced to templates so the netbird Secret renders
	// the same identifiers without hardcoding strings in YAML.
	NetBirdClientID        string
	NetBirdBackendClientID string

	// NetBirdPostgresDSN is the libpq URI Mgmt uses to connect to
	// the CNPG-managed Postgres. Empty on the very first render
	// (CNPG hasn't generated the password yet); patched into the
	// in-cluster Secret post-sync, then read-back here on
	// subsequent runs so the SealedSecret in git stays correct.
	NetBirdPostgresDSN string
}

type UpgradeClusterArgs struct {
	NewKubernetesVersion string
	CloudSpecificUpdates any

	SkipPRWorkflow bool
}