v1alpha1

type APIServerCertificatesStatus struct {
	SecretName string      `json:"secretName,omitempty"`
	LastUpdate metav1.Time `json:"lastUpdate,omitempty"`
	Checksum   string      `json:"checksum,omitempty"`
}

type AdditionalMetadata struct {
	Labels      map[string]string `json:"labels,omitempty"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

type AdditionalPort struct {
	// The name of this port within the Service created by Steward.
	// This must be a DNS_LABEL, must have unique names, and cannot be `kube-apiserver`, or `konnectivity-server`.
	Name string `json:"name"`
	// The IP protocol for this port. Supports "TCP", "UDP", and "SCTP".
	//+kubebuilder:validation:Enum=TCP;UDP;SCTP
	//+kubebuilder:default=TCP
	Protocol corev1.Protocol `json:"protocol,omitempty"`
	// The application protocol for this port.
	// This is used as a hint for implementations to offer richer behavior for protocols that they understand.
	// This field follows standard Kubernetes label syntax.
	// Valid values are either:
	//
	// * Un-prefixed protocol names - reserved for IANA standard service names (as per
	// RFC-6335 and https://www.iana.org/assignments/service-names).
	AppProtocol *string `json:"appProtocol,omitempty"`
	// The port that will be exposed by this service.
	Port int32 `json:"port"`
	// Number or name of the port to access on the pods of the Tenant Control Plane.
	// Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
	// If this is a string, it will be looked up as a named port in the
	// target Pod's container ports. If this is not specified, the value
	// of the 'port' field is used (an identity map).
	TargetPort intstr.IntOrString `json:"targetPort"`
}

type AdditionalVolumeMounts struct {
	APIServer         []corev1.VolumeMount `json:"apiServer,omitempty"`
	ControllerManager []corev1.VolumeMount `json:"controllerManager,omitempty"`
	Scheduler         []corev1.VolumeMount `json:"scheduler,omitempty"`
}

type AddonSpec struct {
	ImageOverrideTrait `json:",inline"`
}

type AddonStatus struct {
	Enabled    bool        `json:"enabled"`
	LastUpdate metav1.Time `json:"lastUpdate,omitempty"`
}

type AddonsSpec struct {
	// Enables the DNS addon in the Tenant Cluster.
	// The registry and the tag are configurable, the image is hard-coded to `coredns`.
	CoreDNS *AddonSpec `json:"coreDNS,omitempty"`
	// Enables the Konnectivity addon in the Tenant Cluster, required if the worker nodes are in a different network.
	Konnectivity *KonnectivitySpec `json:"konnectivity,omitempty"`
	// Enables the kube-proxy addon in the Tenant Cluster.
	// The registry and the tag are configurable, the image is hard-coded to `kube-proxy`.
	KubeProxy *AddonSpec `json:"kubeProxy,omitempty"`
	// TCPProxy enables the tcp-proxy addon in the tenant cluster.
	// When enabled, tcp-proxy rewrites the default kubernetes EndpointSlice
	// to route API server traffic through a local proxy, eliminating SNI
	// rewriting requirements for Ingress and Gateway API network modes.
	// +optional
	TCPProxy *TCPProxySpec `json:"tcpProxy,omitempty"`
	// WorkerBootstrap configures immutable OS worker node bootstrap.
	// +optional
	WorkerBootstrap *WorkerBootstrapSpec `json:"workerBootstrap,omitempty"`
}

type AddonsStatus struct {
	CoreDNS         AddonStatus           `json:"coreDNS,omitempty"`
	KubeProxy       AddonStatus           `json:"kubeProxy,omitempty"`
	Konnectivity    KonnectivityStatus    `json:"konnectivity,omitempty"`
	TCPProxy        TCPProxyStatus        `json:"tcpProxy,omitempty"`
	WorkerBootstrap WorkerBootstrapStatus `json:"workerBootstrap,omitempty"`
}

type AdmissionController string

type AdmissionControllers []AdmissionController

type BasicAuth struct {
	Username ContentRef `json:"username"`
	Password ContentRef `json:"password"`
}

type CGroupDriver string

type CSRApprovalSpec struct {
	// AutoApprove enables automatic approval of kubelet-serving CSRs from workers.
	// +kubebuilder:default=true
	AutoApprove bool `json:"autoApprove"`
}

type CertKeyPair struct {
	Certificate ContentRef  `json:"certificate"`
	PrivateKey  *ContentRef `json:"privateKey,omitempty"`
}

type CertificatePrivateKeyPairStatus struct {
	SecretName string      `json:"secretName,omitempty"`
	LastUpdate metav1.Time `json:"lastUpdate,omitempty"`
	Checksum   string      `json:"checksum,omitempty"`
}

type CertificatesStatus struct {
	CA                     CertificatePrivateKeyPairStatus `json:"ca,omitempty"`
	APIServer              CertificatePrivateKeyPairStatus `json:"apiServer,omitempty"`
	APIServerKubeletClient CertificatePrivateKeyPairStatus `json:"apiServerKubeletClient,omitempty"`
	FrontProxyCA           CertificatePrivateKeyPairStatus `json:"frontProxyCA,omitempty"`
	FrontProxyClient       CertificatePrivateKeyPairStatus `json:"frontProxyClient,omitempty"`
	SA                     PublicKeyPrivateKeyPairStatus   `json:"sa,omitempty"`
	ETCD                   *ETCDCertificatesStatus         `json:"etcd,omitempty"`
}

type ClientCertificate struct {
	Certificate ContentRef `json:"certificate"`
	PrivateKey  ContentRef `json:"privateKey"`
}

type CompoundValue struct {
	// StringValue is a static string value.
	StringValue string `json:"stringValue,omitempty"`
	// FromDefinition is used to generate a dynamic value,
	// it uses the dot notation to access fields from the referenced TenantControlPlane object:
	// e.g.: metadata.name
	FromDefinition string `json:"fromDefinition,omitempty"`
}

type ContentRef struct {
	// Bare content of the file, base64 encoded.
	// It has precedence over the SecretReference value.
	Content   []byte           `json:"content,omitempty"`
	SecretRef *SecretReference `json:"secretReference,omitempty"`
}

type ControlPlane struct {
	// Defining the options for the deployed Tenant Control Plane as Deployment resource.
	Deployment DeploymentSpec `json:"deployment,omitempty"`
	// Defining the options for the Tenant Control Plane Service resource.
	Service ServiceSpec `json:"service"`
	// Defining the options for an Optional Ingress which will expose API Server of the Tenant Control Plane
	Ingress *IngressSpec `json:"ingress,omitempty"`
	// Defining the options for an Optional Gateway which will expose API Server of the Tenant Control Plane
	Gateway *GatewaySpec `json:"gateway,omitempty"`
}

type ControlPlaneComponentsResources struct {
	APIServer         *corev1.ResourceRequirements `json:"apiServer,omitempty"`
	ControllerManager *corev1.ResourceRequirements `json:"controllerManager,omitempty"`
	Scheduler         *corev1.ResourceRequirements `json:"scheduler,omitempty"`
	// Define the kine container resources.
	// Available only if Steward is running using Kine as backing storage.
	Kine *corev1.ResourceRequirements `json:"kine,omitempty"`
}

type ControlPlaneExtraArgs struct {
	APIServer         []string `json:"apiServer,omitempty"`
	ControllerManager []string `json:"controllerManager,omitempty"`
	Scheduler         []string `json:"scheduler,omitempty"`
	// Available only if Steward is running using Kine as backing storage.
	Kine []string `json:"kine,omitempty"`
}

type DataStore struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   DataStoreSpec   `json:"spec,omitempty"`
	Status DataStoreStatus `json:"status,omitempty"`
}

type DataStoreCertificateStatus struct {
	SecretName string      `json:"secretName,omitempty"`
	Checksum   string      `json:"checksum,omitempty"`
	LastUpdate metav1.Time `json:"lastUpdate,omitempty"`
}

type DataStoreConfigStatus struct {
	SecretName string `json:"secretName,omitempty"`
	Checksum   string `json:"checksum,omitempty"`
}

type DataStoreList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []DataStore `json:"items"`
}

type DataStoreOverride struct {
	// Resource specifies which kubernetes resource to target.
	Resource string `json:"resource,omitempty"`
	// DataStore specifies the DataStore that should be used to store the Kubernetes data for the given Resource.
	DataStore string `json:"dataStore,omitempty"`
}

type DataStoreSetupStatus struct {
	Schema     string      `json:"schema,omitempty"`
	User       string      `json:"user,omitempty"`
	LastUpdate metav1.Time `json:"lastUpdate,omitempty"`
	Checksum   string      `json:"checksum,omitempty"`
}

type DataStoreSpec struct {
	// The driver to use to connect to the shared datastore.
	Driver Driver `json:"driver"`
	// List of the endpoints to connect to the shared datastore.
	// No need for protocol, just bare IP/FQDN and port.
	Endpoints Endpoints `json:"endpoints"`
	// In case of authentication enabled for the given data store, specifies the username and password pair.
	// This value is optional.
	BasicAuth *BasicAuth `json:"basicAuth,omitempty"`
	// Defines the TLS/SSL configuration required to connect to the data store in a secure way.
	// This value is optional.
	TLSConfig *TLSConfig `json:"tlsConfig,omitempty"`
}

type DataStoreStatus struct {
	// List of the Tenant Control Planes, namespaced named, using this data store.
	UsedBy []string `json:"usedBy,omitempty"`
}

type DatastoreUsedSecret struct{}

type DeploymentSpec struct {
	// RegistrySettings allows to override the default images for the given Tenant Control Plane instance.
	// It could be used to point to a different container registry rather than the public one.
	//+kubebuilder:default={registry:"registry.k8s.io",apiServerImage:"kube-apiserver",controllerManagerImage:"kube-controller-manager",schedulerImage:"kube-scheduler"}
	RegistrySettings RegistrySettings `json:"registrySettings,omitempty"`
	//+kubebuilder:default=2
	Replicas *int32 `json:"replicas,omitempty"`
	// NodeSelector is a selector which must be true for the pod to fit on a node.
	// Selector which must match a node's labels for the pod to be scheduled on that node.
	// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
	// RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used
	// to run the Tenant Control Plane pod. If no RuntimeClass resource matches the named class, the pod will not be run.
	// If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an
	// empty definition that uses the default runtime handler.
	// More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class
	RuntimeClassName string `json:"runtimeClassName,omitempty"`
	// Strategy describes how to replace existing pods with new ones for the given Tenant Control Plane.
	// Default value is set to Rolling Update, with a blue/green strategy.
	//+kubebuilder:default={type:"RollingUpdate",rollingUpdate:{maxUnavailable:0,maxSurge:"100%"}}
	Strategy appsv1.DeploymentStrategy `json:"strategy,omitempty"`
	// If specified, the Tenant Control Plane pod's tolerations.
	// More info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
	// If specified, the Tenant Control Plane pod's scheduling constraints.
	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/
	Affinity *corev1.Affinity `json:"affinity,omitempty"`
	// TopologySpreadConstraints describes how the Tenant Control Plane pods ought to spread across topology
	// domains. Scheduler will schedule pods in a way which abides by the constraints.
	// In case of nil underlying LabelSelector, the Steward one for the given Tenant Control Plane will be used.
	// All topologySpreadConstraints are ANDed.
	TopologySpreadConstraints []corev1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
	// Resources defines the amount of memory and CPU to allocate to each component of the Control Plane
	// (kube-apiserver, controller-manager, and scheduler).
	Resources *ControlPlaneComponentsResources `json:"resources,omitempty"`
	// ExtraArgs allows adding additional arguments to the Control Plane components,
	// such as kube-apiserver, controller-manager, and scheduler. WARNING - This option
	// can override existing parameters and cause components to misbehave in unxpected ways.
	// Only modify if you know what you are doing.
	ExtraArgs             *ControlPlaneExtraArgs `json:"extraArgs,omitempty"`
	AdditionalMetadata    AdditionalMetadata     `json:"additionalMetadata,omitempty"`
	PodAdditionalMetadata AdditionalMetadata     `json:"podAdditionalMetadata,omitempty"`
	// AdditionalInitContainers allows adding additional init containers to the Control Plane deployment.
	AdditionalInitContainers []corev1.Container `json:"additionalInitContainers,omitempty"`
	// AdditionalContainers allows adding additional containers to the Control Plane deployment.
	AdditionalContainers []corev1.Container `json:"additionalContainers,omitempty"`
	// AdditionalVolumes allows to add additional volumes to the Control Plane deployment.
	AdditionalVolumes []corev1.Volume `json:"additionalVolumes,omitempty"`
	// AdditionalVolumeMounts allows to mount an additional volume into each component of the Control Plane
	// (kube-apiserver, controller-manager, and scheduler).
	AdditionalVolumeMounts *AdditionalVolumeMounts `json:"additionalVolumeMounts,omitempty"`
	//+kubebuilder:default="default"
	// ServiceAccountName allows to specify the service account to be mounted to the pods of the Control plane deployment
	ServiceAccountName string `json:"serviceAccountName,omitempty"`
}

type Driver string

type ETCDCertificateStatus struct {
	SecretName string      `json:"secretName,omitempty"`
	LastUpdate metav1.Time `json:"lastUpdate,omitempty"`
	Checksum   string      `json:"checksum,omitempty"`
}

type ETCDCertificatesStatus struct {
	APIServer APIServerCertificatesStatus `json:"apiServer,omitempty"`
	CA        ETCDCertificateStatus       `json:"ca,omitempty"`
}

type Endpoints []string

type ExternalKubernetesObjectStatus struct {
	Name      string `json:"name,omitempty"`
	Namespace string `json:"namespace,omitempty"`
	// Last time when k8s object was updated
	LastUpdate metav1.Time `json:"lastUpdate,omitempty"`
}

type ExtraArgs []string

type GatewayAccessPoint struct {
	Type  *gatewayv1.AddressType `json:"type"`
	Value string                 `json:"value"`
	Port  int32                  `json:"port"`
	URLs  []string               `json:"urls,omitempty"`
}

type GatewayListener struct{}

type GatewaySpec struct {
	// AdditionalMetadata to add Labels and Annotations support.
	AdditionalMetadata AdditionalMetadata `json:"additionalMetadata,omitempty"`
	// GatewayParentRefs is the class of the Gateway resource to use.
	GatewayParentRefs []gatewayv1.ParentReference `json:"parentRefs,omitempty"`
	// Hostname is an optional field which will be used as a route hostname.
	Hostname gatewayv1.Hostname `json:"hostname,omitempty"`
}

type ImageOverrideTrait struct {
	// ImageRepository sets the container registry to pull images from.
	// if not set, the default ImageRepository will be used instead.
	ImageRepository string `json:"imageRepository,omitempty"`
	// ImageTag allows to specify a tag for the image.
	// In case this value is set, kubeadm does not change automatically the version of the above components during upgrades.
	ImageTag string `json:"imageTag,omitempty"`
}

type IngressSpec struct {
	AdditionalMetadata AdditionalMetadata `json:"additionalMetadata,omitempty"`
	IngressClassName   string             `json:"ingressClassName,omitempty"`
	// Hostname is an optional field which will be used as Ingress's Host. If it is not defined,
	// Ingress's host will be "<tenant>.<namespace>.<domain>", where domain is specified under NetworkProfileSpec
	Hostname string `json:"hostname,omitempty"`
	// ControllerType specifies the ingress controller type for automatic TLS passthrough configuration.
	// Supported values: "haproxy", "nginx", "traefik", "generic"
	// - haproxy: Uses haproxy.org/ssl-passthrough annotation
	// - nginx: Uses nginx.ingress.kubernetes.io/ssl-passthrough annotation
	// - traefik: Creates IngressRouteTCP instead of standard Ingress (standard Ingress doesn't support TLS passthrough)
	// - generic: No automatic annotations, use additionalMetadata.annotations for custom configuration
	// If not specified, defaults to "generic".
	// +kubebuilder:validation:Enum=haproxy;nginx;traefik;generic
	// +optional
	ControllerType string `json:"controllerType,omitempty"`
}

type JSONPatch struct {
	// Op is the RFC 6902 JSON Patch operation.
	//+kubebuilder:validation:Enum=add;remove;replace;move;copy;test
	Op string `json:"op"`
	// Path specifies the target location in the JSON document. Use "/" to separate keys; "-" for appending to arrays.
	Path string `json:"path"`
	// From specifies the source location for move or copy operations.
	From string `json:"from,omitempty"`
	// Value is the operation value to be used when Op is add, replace, test.
	Value *apiextensionsv1.JSON `json:"value,omitempty"`
}

type JSONPatches []JSONPatch

type KonnectivityAgentMode string

type KonnectivityAgentSpec struct {
	// AgentImage defines the container image for Konnectivity's agent.
	//+kubebuilder:default=registry.k8s.io/kas-network-proxy/proxy-agent
	Image string `json:"image,omitempty"`
	// Version for Konnectivity agent.
	// If left empty, Steward will automatically inflect the version from the deployed Tenant Control Plane.
	//
	// WARNING: for last cut-off releases, the container image could be not available.
	Version string `json:"version,omitempty"`
	// Tolerations for the deployed agent.
	// Can be customized to start the konnectivity-agent even if the nodes are not ready or tainted.
	//+kubebuilder:default={{key: "CriticalAddonsOnly", operator: "Exists"}}
	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
	ExtraArgs   ExtraArgs           `json:"extraArgs,omitempty"`
	// HostNetwork enables the konnectivity agent to use the Host network namespace.
	// By enabling this mode, the Agent doesn't need to wait for the CNI initialisation,
	// enabling a sort of out-of-band access to nodes for troubleshooting scenarios,
	// or when the agent needs direct access to the host network.
	//+kubebuilder:default=false
	HostNetwork bool `json:"hostNetwork,omitempty"`
	// Mode allows specifying the Agent deployment mode: Deployment, or DaemonSet (default).
	//+kubebuilder:default="DaemonSet"
	//+kubebuilder:validation:Enum=DaemonSet;Deployment
	Mode KonnectivityAgentMode `json:"mode,omitempty"`
	// Replicas defines the number of replicas when Mode is Deployment.
	// Must be 0 if Mode is DaemonSet.
	//+kubebuilder:validation:Optional
	Replicas *int32 `json:"replicas,omitempty"`
}

type KonnectivityAgentStatus struct {
	ExternalKubernetesObjectStatus `json:",inline"`

	Mode KonnectivityAgentMode `json:"mode,omitempty"`
}

type KonnectivityConfigMap struct {
	Name     string `json:"name,omitempty"`
	Checksum string `json:"checksum,omitempty"`
}

type KonnectivityServerSpec struct {
	// The port which Konnectivity server is listening to.
	Port int32 `json:"port"`
	// Container image version of the Konnectivity server.
	// If left empty, Steward will automatically inflect the version from the deployed Tenant Control Plane.
	//
	// WARNING: for last cut-off releases, the container image could be not available.
	Version string `json:"version,omitempty"`
	// Container image used by the Konnectivity server.
	//+kubebuilder:default=registry.k8s.io/kas-network-proxy/proxy-server
	Image string `json:"image,omitempty"`
	// Resources define the amount of CPU and memory to allocate to the Konnectivity server.
	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
	ExtraArgs ExtraArgs                    `json:"extraArgs,omitempty"`
}

type KonnectivitySpec struct {
	//+kubebuilder:default={image:"registry.k8s.io/kas-network-proxy/proxy-server",port:8132}
	KonnectivityServerSpec KonnectivityServerSpec `json:"server,omitempty"`
	//+kubebuilder:default={image:"registry.k8s.io/kas-network-proxy/proxy-agent",mode:"DaemonSet"}
	KonnectivityAgentSpec KonnectivityAgentSpec `json:"agent,omitempty"`
}

type KonnectivityStatus struct {
	Enabled            bool                            `json:"enabled"`
	ConfigMap          KonnectivityConfigMap           `json:"configMap,omitempty"`
	Certificate        CertificatePrivateKeyPairStatus `json:"certificate,omitempty"`
	Kubeconfig         KubeconfigStatus                `json:"kubeconfig,omitempty"`
	ServiceAccount     ExternalKubernetesObjectStatus  `json:"sa,omitempty"`
	ClusterRoleBinding ExternalKubernetesObjectStatus  `json:"clusterrolebinding,omitempty"`
	Agent              KonnectivityAgentStatus         `json:"agent,omitempty"`
	Service            KubernetesServiceStatus         `json:"service,omitempty"`
	Gateway            *KubernetesGatewayStatus        `json:"gateway,omitempty"`
}

type KubeadmConfigChecksumDependant interface {
	GetChecksum() string
	SetChecksum(checksum string)
}

type KubeadmConfigStatus struct {
	ConfigmapName string      `json:"configmapName,omitempty"`
	LastUpdate    metav1.Time `json:"lastUpdate,omitempty"`
	// Checksum of the kubeadm configuration to detect changes
	Checksum string `json:"checksum,omitempty"`
}

type KubeadmPhaseStatus struct {
	Checksum   string      `json:"checksum,omitempty"`
	LastUpdate metav1.Time `json:"lastUpdate,omitempty"`
}

type KubeadmPhasesStatus struct {
	BootstrapToken KubeadmPhaseStatus `json:"bootstrapToken"`
}

type KubeconfigGenerator struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KubeconfigGeneratorSpec   `json:"spec,omitempty"`
	Status KubeconfigGeneratorStatus `json:"status,omitempty"`
}

type KubeconfigGeneratorList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []KubeconfigGenerator `json:"items"`
}

type KubeconfigGeneratorSpec struct {
	// NamespaceSelector is used to filter Namespaces from which the generator should extract TenantControlPlane objects.
	NamespaceSelector metav1.LabelSelector `json:"namespaceSelector,omitempty"`
	// TenantControlPlaneSelector is used to filter the TenantControlPlane objects that should be address by the generator.
	TenantControlPlaneSelector metav1.LabelSelector `json:"tenantControlPlaneSelector,omitempty"`
	// Groups is resolved a set of strings used to assign the x509 organisations field.
	// It will be recognised by Kubernetes as user groups.
	Groups []CompoundValue `json:"groups,omitempty"`
	// User resolves to a string to identify the client, assigned to the x509 Common Name field.
	User CompoundValue `json:"user"`
	// ControlPlaneEndpointFrom is the key used to extract the Tenant Control Plane endpoint that must be used by the generator.
	// The targeted Secret is the `${TCP}-admin-kubeconfig` one, default to `admin.svc`.
	//+kubebuilder:default="admin.svc"
	ControlPlaneEndpointFrom string `json:"controlPlaneEndpointFrom,omitempty"`
}

type KubeconfigGeneratorStatus struct {
	// Resources is the sum of targeted TenantControlPlane objects.
	//+kubebuilder:default=0
	Resources int `json:"resources"`
	// AvailableResources is the sum of successfully generated resources.
	// In case of a different value compared to Resources, check the field errors.
	//+kubebuilder:default=0
	AvailableResources int `json:"availableResources"`
	// Errors is the list of failed kubeconfig generations.
	Errors []KubeconfigGeneratorStatusError `json:"errors,omitempty"`
}

type KubeconfigGeneratorStatusError struct {
	// Resource is the Namespaced name of the errored resource.
	//+kubebuilder:validation:Required
	Resource string `json:"resource"`
	// Message is the error message recorded upon the last generator run.
	//+kubebuilder:validation:Required
	Message string `json:"message"`
}

type KubeconfigStatus struct {
	SecretName string      `json:"secretName,omitempty"`
	LastUpdate metav1.Time `json:"lastUpdate,omitempty"`
	Checksum   string      `json:"checksum,omitempty"`
}

type KubeconfigsStatus struct {
	Admin             KubeconfigStatus `json:"admin,omitempty"`
	ControllerManager KubeconfigStatus `json:"controllerManager,omitempty"`
	Scheduler         KubeconfigStatus `json:"scheduler,omitempty"`
}

type KubeletPreferredAddressType string

type KubeletSpec struct {
	// ConfigurationJSONPatches contains the RFC 6902 JSON patches to customise the kubeadm generate configuration,
	// useful to customise and mangling the configuration according to your needs;
	// e.g.: configuring the cgroup driver used by Kubelet is possible via the following patch:
	//
	// [{"op": "replace", "path": "/cgroupDriver", "value": "systemd"}]
	ConfigurationJSONPatches JSONPatches `json:"configurationJSONPatches,omitempty"`
	// Ordered list of the preferred NodeAddressTypes to use for kubelet connections.
	// Default to InternalIP, ExternalIP, Hostname.
	//+kubebuilder:default={"InternalIP","ExternalIP","Hostname"}
	//+kubebuilder:validation:MinItems=1
	//+listType=set
	PreferredAddressTypes []KubeletPreferredAddressType `json:"preferredAddressTypes,omitempty"`
	// CGroupFS defines the cgroup driver for Kubelet
	// https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/
	//
	// Deprecated: use ConfigurationJSONPatches.
	CGroupFS CGroupDriver `json:"cgroupfs,omitempty"`
}

type KubernetesDeploymentStatus struct {
	appsv1.DeploymentStatus `json:",inline"`
	// Selector is the label selector used to group the Tenant Control Plane Pods used by the scale subresource.
	Selector string `json:"selector"`
	// The name of the Deployment for the given cluster.
	Name string `json:"name"`
	// The namespace which the Deployment for the given cluster is deployed.
	Namespace string `json:"namespace"`
	// Last time when deployment was updated
	LastUpdate metav1.Time `json:"lastUpdate,omitempty"`
}

type KubernetesGatewayStatus struct {
	// The TLSRoute status as resported by the gateway controllers.
	RouteStatus `json:",inline"`

	// Reference to the route created for this tenant.
	RouteRef corev1.LocalObjectReference `json:"routeRef,omitempty"`

	// A list of valid access points that the route exposes.
	AccessPoints []GatewayAccessPoint `json:"accessPoints,omitempty"`
}

type KubernetesIngressStatus struct {
	networkingv1.IngressStatus `json:",inline"`
	// The name of the Ingress for the given cluster.
	Name string `json:"name"`
	// The namespace which the Ingress for the given cluster is deployed.
	Namespace string `json:"namespace"`
}

type KubernetesServiceStatus struct {
	corev1.ServiceStatus `json:",inline"`
	// The name of the Service for the given cluster.
	Name string `json:"name"`
	// The namespace which the Service for the given cluster is deployed.
	Namespace string `json:"namespace"`
	// The port where the service is running
	Port int32 `json:"port"`
}

type KubernetesSpec struct {
	// Kubernetes Version for the tenant control plane
	Version string      `json:"version"`
	Kubelet KubeletSpec `json:"kubelet"`

	// List of enabled Admission Controllers for the Tenant cluster.
	// Full reference available here: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers
	//+kubebuilder:default=CertificateApproval;CertificateSigning;CertificateSubjectRestriction;DefaultIngressClass;DefaultStorageClass;DefaultTolerationSeconds;LimitRanger;MutatingAdmissionWebhook;NamespaceLifecycle;PersistentVolumeClaimResize;Priority;ResourceQuota;RuntimeClass;ServiceAccount;StorageObjectInUseProtection;TaintNodesByCondition;ValidatingAdmissionWebhook
	AdmissionControllers AdmissionControllers `json:"admissionControllers,omitempty"`
}

type KubernetesStatus struct {
	// KubernetesVersion contains the information regarding the running Kubernetes version, and its upgrade status.
	Version    KubernetesVersion          `json:"version,omitempty"`
	Deployment KubernetesDeploymentStatus `json:"deployment,omitempty"`
	Service    KubernetesServiceStatus    `json:"service,omitempty"`
	Ingress    *KubernetesIngressStatus   `json:"ingress,omitempty"`
	Gateway    *KubernetesGatewayStatus   `json:"gateway,omitempty"`
}

type KubernetesVersion struct {
	// Version is the running Kubernetes version of the Tenant Control Plane.
	Version string `json:"version,omitempty"`
	//+kubebuilder:default=Provisioning
	// Status returns the current status of the Kubernetes version, such as its provisioning state, or completed upgrade.
	Status *KubernetesVersionStatus `json:"status,omitempty"`
}

type KubernetesVersionStatus string

type NetworkProfileSpec struct {
	// LoadBalancerSourceRanges restricts the IP ranges that can access
	// the LoadBalancer type Service. This field defines a list of IP
	// address ranges (in CIDR format) that are allowed to access the service.
	// If left empty, the service will allow traffic from all IP ranges (0.0.0.0/0).
	// This feature is useful for restricting access to API servers or services
	// to specific networks for security purposes.
	// Example: {"192.168.1.0/24", "10.0.0.0/8"}
	LoadBalancerSourceRanges []string `json:"loadBalancerSourceRanges,omitempty"`
	// Specify the LoadBalancer class in case of multiple load balancer implementations.
	// Field supported only for Tenant Control Plane instances exposed using a LoadBalancer Service.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="LoadBalancerClass is immutable"
	LoadBalancerClass *string `json:"loadBalancerClass,omitempty"`
	// Address where API server of will be exposed.
	// In case of LoadBalancer Service, this can be empty in order to use the exposed IP provided by the cloud controller manager.
	Address string `json:"address,omitempty"`
	// The default domain name used for DNS resolution within the cluster.
	//+kubebuilder:default="cluster.local"
	//+kubebuilder:validation:XValidation:rule="self == oldSelf",message="changing the cluster domain is not supported"
	//+kubebuilder:validation:Pattern=.*\..*
	ClusterDomain string `json:"clusterDomain,omitempty"`
	// AllowAddressAsExternalIP will include tenantControlPlane.Spec.NetworkProfile.Address in the section of
	// ExternalIPs of the Kubernetes Service (only ClusterIP or NodePort)
	AllowAddressAsExternalIP bool `json:"allowAddressAsExternalIP,omitempty"`
	// Port where API server of will be exposed
	//+kubebuilder:default=6443
	Port int32 `json:"port,omitempty"`
	// CertSANs sets extra Subject Alternative Names (SANs) for the API Server signing certificate.
	// Use this field to add additional hostnames when exposing the Tenant Control Plane with third solutions.
	CertSANs []string `json:"certSANs,omitempty"`
	// CIDR for Kubernetes Services: if empty, defaulted to 10.96.0.0/16.
	//+kubebuilder:default="10.96.0.0/16"
	ServiceCIDR string `json:"serviceCidr,omitempty"`
	// CIDR for Kubernetes Pods: if empty, defaulted to 10.244.0.0/16.
	//+kubebuilder:default="10.244.0.0/16"
	PodCIDR string `json:"podCidr,omitempty"`
	// The DNS Service for internal resolution, it must match the Service CIDR.
	// In case of an empty value, it is automatically computed according to the Service CIDR, e.g.:
	// Service CIDR 10.96.0.0/16, the resulting DNS Service IP will be 10.96.0.10 for IPv4,
	// for IPv6 from the CIDR 2001:db8:abcd::/64 the resulting DNS Service IP will be 2001:db8:abcd::10.
	DNSServiceIPs []string `json:"dnsServiceIPs,omitempty"`
}

type Permissions struct {
	BlockCreate bool `json:"blockCreation,omitempty"`
	BlockUpdate bool `json:"blockUpdate,omitempty"`
	BlockDelete bool `json:"blockDeletion,omitempty"`
}

type PublicKeyPrivateKeyPairStatus struct {
	SecretName string      `json:"secretName,omitempty"`
	LastUpdate metav1.Time `json:"lastUpdate,omitempty"`
	Checksum   string      `json:"checksum,omitempty"`
}

type RegistrySettings struct {
	//+kubebuilder:default="registry.k8s.io"
	Registry string `json:"registry,omitempty"`
	// The tag to append to all the Control Plane container images.
	// Optional.
	TagSuffix string `json:"tagSuffix,omitempty"`
	//+kubebuilder:default="kube-apiserver"
	APIServerImage string `json:"apiServerImage,omitempty"`
	//+kubebuilder:default="kube-controller-manager"
	ControllerManagerImage string `json:"controllerManagerImage,omitempty"`
	//+kubebuilder:default="kube-scheduler"
	SchedulerImage string `json:"schedulerImage,omitempty"`
}

type RouteStatus = gatewayv1.RouteStatus

type SecretReference struct {
	corev1.SecretReference `json:",inline"`
	// Name of the key for the given Secret reference where the content is stored.
	// This value is mandatory.
	KeyPath secretReferKeyPath `json:"keyPath"`
}

type ServiceSpec struct {
	AdditionalMetadata AdditionalMetadata `json:"additionalMetadata,omitempty"`
	// AdditionalPorts allows adding additional ports to the Service generated Steward
	// which targets the Tenant Control Plane pods.
	AdditionalPorts []AdditionalPort `json:"additionalPorts,omitempty"`
	// ServiceType allows specifying how to expose the Tenant Control Plane.
	ServiceType ServiceType `json:"serviceType"`
}

type ServiceType corev1.ServiceType

type StorageStatus struct {
	Driver        string                     `json:"driver,omitempty"`
	DataStoreName string                     `json:"dataStoreName,omitempty"`
	Config        DataStoreConfigStatus      `json:"config,omitempty"`
	Setup         DataStoreSetupStatus       `json:"setup,omitempty"`
	Certificate   DataStoreCertificateStatus `json:"certificate,omitempty"`
}

type TCPProxyHostAlias struct {
	// IP address of the host entry.
	IP string `json:"ip"`
	// Hostnames for the IP address.
	Hostnames []string `json:"hostnames"`
}

type TCPProxySpec struct {
	// Image is the container image for the tcp-proxy.
	// Defaults to ghcr.io/butlerdotdev/steward-tcp-proxy:<steward-version>
	// +optional
	Image string `json:"image,omitempty"`

	// Resources defines the compute resources for the tcp-proxy container.
	// +optional
	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`

	// HostAliases provides hostname-to-IP mappings for /etc/hosts injection.
	// Required for Ingress/Gateway modes where the API server hostname must be
	// resolved before CoreDNS is available. The tcp-proxy uses hostNetwork,
	// so it needs these entries to connect to the upstream API server.
	// +optional
	HostAliases []TCPProxyHostAlias `json:"hostAliases,omitempty"`

	// InternalEndpoint is the direct endpoint for tcp-proxy to reach the API server.
	// For Ingress/Gateway modes, this should be a management cluster node IP that
	// is reachable from tenant worker nodes (e.g., "10.40.0.201"). The NodePort
	// is automatically appended by Steward based on the service configuration.
	// If not specified, Steward attempts to use the service's LoadBalancer IP.
	// +optional
	InternalEndpoint string `json:"internalEndpoint,omitempty"`
}

type TCPProxyStatus struct {
	// Enabled indicates whether the tcp-proxy addon is currently active.
	Enabled bool `json:"enabled"`

	// Deployment contains the status of the tcp-proxy Deployment in the tenant cluster.
	Deployment ExternalKubernetesObjectStatus `json:"deployment,omitempty"`

	// Service contains the status of the tcp-proxy Service in the tenant cluster.
	Service ExternalKubernetesObjectStatus `json:"service,omitempty"`

	// ServiceAccount contains the status of the tcp-proxy ServiceAccount.
	ServiceAccount ExternalKubernetesObjectStatus `json:"serviceAccount,omitempty"`

	// ClusterRole contains the status of the tcp-proxy ClusterRole.
	ClusterRole ExternalKubernetesObjectStatus `json:"clusterRole,omitempty"`

	// ClusterRoleBinding contains the status of the tcp-proxy ClusterRoleBinding.
	ClusterRoleBinding ExternalKubernetesObjectStatus `json:"clusterRoleBinding,omitempty"`
}

type TLSConfig struct {
	// Retrieve the Certificate Authority certificate and private key, such as bare content of the file, or a SecretReference.
	// The key reference is required since etcd authentication is based on certificates, and Steward is responsible in creating this.
	CertificateAuthority CertKeyPair `json:"certificateAuthority"`
	// Specifies the SSL/TLS key and private key pair used to connect to the data store.
	ClientCertificate *ClientCertificate `json:"clientCertificate,omitempty"`
}

type TalosBootstrapSpec struct {
	// Image is the container image for steward-trustd.
	// +kubebuilder:default="ghcr.io/butlerdotdev/steward-trustd"
	Image string `json:"image,omitempty"`

	// ImageTag is the image tag for steward-trustd.
	// +optional
	ImageTag string `json:"imageTag,omitempty"`

	// Port for the trustd gRPC service.
	// +kubebuilder:default=50001
	Port int32 `json:"port,omitempty"`

	// Resources for the trustd container.
	// +optional
	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`

	// CertSANs adds extra Subject Alternative Names to the trustd server certificate.
	// +optional
	CertSANs []string `json:"certSANs,omitempty"`
}

type TenantControlPlane struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   TenantControlPlaneSpec   `json:"spec,omitempty"`
	Status TenantControlPlaneStatus `json:"status,omitempty"`
}

type TenantControlPlaneList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []TenantControlPlane `json:"items"`
}

type TenantControlPlaneSpec struct {
	// WritePermissions allows to select which operations (create, delete, update) must be blocked:
	// by default, all actions are allowed, and API Server can write to its Datastore.
	//
	// By blocking all actions, the Tenant Control Plane can enter in a Read Only mode:
	// this phase can be used to prevent Datastore quota exhaustion or for your own business logic
	// (e.g.: blocking creation and update, but allowing deletion to "clean up" space).
	WritePermissions Permissions `json:"writePermissions,omitempty"`
	// DataStore specifies the DataStore that should be used to store the Kubernetes data for the given Tenant Control Plane.
	// When Steward runs with the default DataStore flag, all empty values will inherit the default value.
	// By leaving it empty and running Steward with no default DataStore flag, it is possible to achieve automatic assignment to a specific DataStore object.
	//
	// Migration from one DataStore to another backed by the same Driver is possible. See: https://steward.butlerlabs.dev/guides/datastore-migration/
	// Migration from one DataStore to another backed by a different Driver is not supported.
	DataStore string `json:"dataStore,omitempty"`
	// DataStoreSchema allows to specify the name of the database (for relational DataStores) or the key prefix (for etcd). This
	// value is optional and immutable. Note that Steward currently doesn't ensure that DataStoreSchema values are unique. It's up
	// to the user to avoid clashes between different TenantControlPlanes. If not set upon creation, Steward will default the
	// DataStoreSchema by concatenating the namespace and name of the TenantControlPlane.
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="changing the dataStoreSchema is not supported"
	DataStoreSchema string `json:"dataStoreSchema,omitempty"`
	// DataStoreUsername allows to specify the username of the database (for relational DataStores). This
	// value is optional and immutable. Note that Steward currently doesn't ensure that DataStoreUsername values are unique. It's up
	// to the user to avoid clashes between different TenantControlPlanes. If not set upon creation, Steward will default the
	// DataStoreUsername by concatenating the namespace and name of the TenantControlPlane.
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="changing the dataStoreUsername is not supported"
	DataStoreUsername string `json:"dataStoreUsername,omitempty"`
	// DataStoreOverride defines which kubernetes resources will be stored in dedicated datastores.
	DataStoreOverrides []DataStoreOverride `json:"dataStoreOverrides,omitempty"`
	ControlPlane       ControlPlane        `json:"controlPlane"`
	// Kubernetes specification for tenant control plane
	Kubernetes KubernetesSpec `json:"kubernetes"`
	// NetworkProfile specifies how the network is
	NetworkProfile NetworkProfileSpec `json:"networkProfile,omitempty"`
	// Addons contain which addons are enabled
	Addons AddonsSpec `json:"addons,omitempty"`
}

type TenantControlPlaneStatus struct {
	// Storage Status contains information about Kubernetes storage system
	Storage StorageStatus `json:"storage,omitempty"`
	// Certificates contains information about the different certificates
	// that are necessary to run a kubernetes control plane
	Certificates CertificatesStatus `json:"certificates,omitempty"`
	// KubeConfig contains information about the kubenconfigs that control plane pieces need
	KubeConfig KubeconfigsStatus `json:"kubeconfig,omitempty"`
	// Kubernetes contains information about the reconciliation of the required Kubernetes resources deployed in the admin cluster
	Kubernetes KubernetesStatus `json:"kubernetesResources,omitempty"`
	// KubeadmConfig contains the status of the configuration required by kubeadm
	KubeadmConfig KubeadmConfigStatus `json:"kubeadmconfig,omitempty"`
	// KubeadmPhase contains the status of the kubeadm phases action
	KubeadmPhase KubeadmPhasesStatus `json:"kubeadmPhase,omitempty"`
	// ControlPlaneEndpoint contains the status of the kubernetes control plane
	ControlPlaneEndpoint string `json:"controlPlaneEndpoint,omitempty"`
	// Addons contains the status of the different Addons
	Addons AddonsStatus `json:"addons,omitempty"`
}

type TenantControlPlaneStatusDataStore struct{}

type WorkerBootstrapProvider string

type WorkerBootstrapSpec struct {
	// Provider specifies the immutable OS bootstrap provider.
	// +kubebuilder:validation:Enum=talos
	Provider WorkerBootstrapProvider `json:"provider"`

	// Talos-specific configuration. Required when provider is "talos".
	// +optional
	Talos *TalosBootstrapSpec `json:"talos,omitempty"`

	// CSRApproval configures automatic CSR approval for worker kubelet-serving certs.
	// +kubebuilder:default={autoApprove: true}
	CSRApproval CSRApprovalSpec `json:"csrApproval,omitempty"`

	// AllowedSubnets restricts which worker IP ranges are valid for CSR approval.
	// CIDR format (e.g., "10.40.0.0/22"). If empty, all IPs are allowed.
	// +optional
	AllowedSubnets []string `json:"allowedSubnets,omitempty"`
}

type WorkerBootstrapStatus struct {
	// Enabled indicates whether worker bootstrap is currently active.
	Enabled bool `json:"enabled"`

	// Provider is the active bootstrap provider.
	Provider WorkerBootstrapProvider `json:"provider,omitempty"`

	// Credentials tracks the OS credential Secret.
	Credentials CertificatePrivateKeyPairStatus `json:"credentials,omitempty"`

	// Endpoint is the trustd endpoint for worker nodes (ip:port or hostname:port).
	Endpoint string `json:"endpoint,omitempty"`

	// Service tracks the trustd port on the TCP Service.
	Service KubernetesServiceStatus `json:"service,omitempty"`
}