v1alpha1

type AuthSpec struct {
	// jwt enables NATS decentralized authentication. When set, the operator
	// renders the `operator:`, `system_account:`, `resolver:` and
	// `resolver_preload:` directives into nats.conf from the typed fields
	// below, so users do not have to hand-write them into a Secret and
	// reference them via Config.Includes.
	// +optional
	JWT *JWTAuthSpec `json:"jwt,omitempty"`
}

type ClusterConfig struct {
	// port is the cluster route listener port. Defaults to 6222.
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:default=6222
	// +optional
	Port int32 `json:"port,omitempty"`
	// noAdvertise hides cluster route addresses from clients. Defaults to true.
	// +kubebuilder:default=true
	// +optional
	NoAdvertise *bool `json:"noAdvertise,omitempty"`
	// +optional
	RouteURLs RouteURLsConfig `json:"routeURLs,omitzero"`
	// +optional
	TLS TLSBlock `json:"tls,omitzero"`
}

type ConfigInclude struct {
	// name is the include filename. Must be unique within the includes list
	// and is used both as the file name under /etc/nats-extra/ and as the
	// VolumeMount name. Conventionally ends in .conf.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Pattern=`^[a-zA-Z0-9._-]+$`
	Name string `json:"name"`

	// secret selects a key in a Secret in the same namespace.
	// +optional
	Secret *corev1.SecretKeySelector `json:"secret,omitempty"`

	// configMap selects a key in a ConfigMap in the same namespace.
	// +optional
	ConfigMap *corev1.ConfigMapKeySelector `json:"configMap,omitempty"`
}

type ConfigMapSpec struct {
	// existingName, when set, tells the operator to skip generating a config
	// ConfigMap and mount the named one instead. The operator still validates
	// that it exists in the same namespace.
	// +optional
	ExistingName string `json:"existingName,omitempty"`
	// annotations are added to the generated ConfigMap.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
	// labels are added to the generated ConfigMap.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
}

type ContainerSpec struct {
	// env is the list of environment variables for the nats container.
	// +optional
	Env []corev1.EnvVar `json:"env,omitempty"`
	// envFrom is the standard list of envFrom sources.
	// +optional
	EnvFrom []corev1.EnvFromSource `json:"envFrom,omitempty"`
	// resources sets the nats container resource requests/limits.
	// +optional
	Resources corev1.ResourceRequirements `json:"resources,omitzero"`
	// securityContext sets the nats container security context.
	// +optional
	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
	// livenessProbe overrides the default liveness probe.
	// +optional
	LivenessProbe *corev1.Probe `json:"livenessProbe,omitempty"`
	// readinessProbe overrides the default readiness probe.
	// +optional
	ReadinessProbe *corev1.Probe `json:"readinessProbe,omitempty"`
	// startupProbe overrides the default startup probe.
	// +optional
	StartupProbe *corev1.Probe `json:"startupProbe,omitempty"`
}

type FileStoreConfig struct {
	// enabled defaults to true when JetStream is enabled.
	// +optional
	Enabled *bool `json:"enabled,omitempty"`
	// pvc controls the JetStream volume claim template.
	// +optional
	PVC PVCConfig `json:"pvc,omitzero"`
	// maxSize bounds the file store. Defaults to the PVC size.
	// +optional
	MaxSize *resource.Quantity `json:"maxSize,omitempty"`
}

type GlobalSpec struct {
	// imagePullPolicy is the default image pull policy applied to every container.
	// +optional
	ImagePullPolicy corev1.PullPolicy `json:"imagePullPolicy,omitempty"`

	// imagePullSecrets are image pull secrets attached to every pod spec.
	// +optional
	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`

	// imageRegistry is the default registry prefix used for every image.
	// +optional
	ImageRegistry string `json:"imageRegistry,omitempty"`

	// labels are added to every managed resource.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
}

type HeadlessServiceSpec struct {
	// annotations are added to the generated headless Service.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
	// labels are added to the generated headless Service.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
}

type ImageSpec struct {
	// +optional
	Repository string `json:"repository,omitempty"`
	// +optional
	Tag string `json:"tag,omitempty"`
	// +optional
	PullPolicy corev1.PullPolicy `json:"pullPolicy,omitempty"`
}

type JWTAccount struct {
	// name is a human-readable handle for this account. Used as the NACK
	// Account CR name suffix (`<natscluster-name>-<name>`). Must be a
	// DNS label.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=63
	// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
	Name string `json:"name"`

	// publicKey is the account's public key (`nsc` account identifier).
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=64
	PublicKey string `json:"publicKey"`

	// jwt references a Secret key containing the account JWT signed by the
	// operator. Required.
	// +required
	JWT corev1.SecretKeySelector `json:"jwt"`

	// userCreds, when set, tells the operator to create a NACK
	// `jetstream.nats.io/v1beta2` Account CR for this account pointing at
	// the referenced user credentials Secret. That Account CR can then be
	// referenced by NACK Stream / Consumer / KV / ObjectStore CRs via
	// their `account: <natscluster-name>-<name>` field, so users do not
	// have to repeat URLs or credentials on every JetStream resource.
	//
	// The operator does not generate the user creds — they come from
	// `nsc generate creds` and live in a user-managed Secret.
	// +optional
	UserCreds *corev1.SecretKeySelector `json:"userCreds,omitempty"`
}

type JWTAuthSpec struct {
	// operator references a Secret key containing the operator JWT — the
	// root of trust for this cluster. Typically generated with `nsc` and
	// rotated out-of-band. Required.
	// +required
	Operator corev1.SecretKeySelector `json:"operator"`

	// systemAccount is the public key of the account with cluster-admin
	// privileges. Must match one of accounts[].publicKey. NATS account
	// public keys are 56-char base32 strings, so 64 is a comfortable cap
	// that also keeps the CEL cross-check rule's estimated cost bounded.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=64
	// +required
	SystemAccount string `json:"systemAccount"`

	// accounts is the set of preloaded accounts. Each entry supplies the
	// account's public key, a reference to a Secret containing the signed
	// account JWT, and (optionally) a reference to a user creds Secret
	// that the operator uses to create a NACK `jetstream.nats.io/v1beta2`
	// Account CR for this account.
	//
	// MaxItems caps the list at 64 because apiserver CEL rule cost is
	// estimated quadratically against unbounded lists and the
	// systemAccount cross-check rule below otherwise exceeds the budget.
	// 64 is well above any realistic number of preloaded accounts — the
	// full resolver mode is the right answer once you have more.
	// +listType=map
	// +listMapKey=name
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=64
	// +required
	Accounts []JWTAccount `json:"accounts"`

	// resolver configures how nats-server stores and looks up account JWTs
	// at runtime.
	// +optional
	Resolver JWTResolverSpec `json:"resolver,omitzero"`
}

type JWTResolverSpec struct {
	// type selects the resolver mode. Defaults to "memory".
	// +kubebuilder:default=memory
	// +optional
	Type JWTResolverType `json:"type,omitempty"`

	// storage is the PVC template used when type=full. The operator
	// mounts the volume at /data/resolver. Ignored for type=memory.
	// +optional
	Storage *corev1.PersistentVolumeClaimSpec `json:"storage,omitempty"`

	// allowDelete enables runtime account deletion via the system account.
	// Only honored when type=full. Defaults to false.
	// +optional
	AllowDelete *bool `json:"allowDelete,omitempty"`

	// interval is how often a `full` resolver checks for account updates.
	// Parseable by NATS server (e.g. "2m"). Only honored when type=full.
	// +optional
	Interval string `json:"interval,omitempty"`
}

type JWTResolverType string

type JetStreamConfig struct {
	// +optional
	Enabled bool `json:"enabled,omitempty"`
	// +optional
	FileStore FileStoreConfig `json:"fileStore,omitzero"`
	// +optional
	MemoryStore MemoryStoreConfig `json:"memoryStore,omitzero"`
}

type ListenerConfig struct {
	// +optional
	Enabled bool `json:"enabled,omitempty"`
	// +optional
	// +kubebuilder:validation:Minimum=1
	Port int32 `json:"port,omitempty"`
	// +optional
	TLS TLSBlock `json:"tls,omitzero"`
}

type MemoryStoreConfig struct {
	// +optional
	Enabled bool `json:"enabled,omitempty"`
	// maxSize must fit within the container memory limit.
	// +optional
	MaxSize *resource.Quantity `json:"maxSize,omitempty"`
}

type MonitorConfig struct {
	// enabled defaults to true.
	// +kubebuilder:default=true
	// +optional
	Enabled *bool `json:"enabled,omitempty"`
	// port is the monitor listener port. Defaults to 8222.
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:default=8222
	// +optional
	Port int32 `json:"port,omitempty"`
	// tlsEnabled switches the monitor port to HTTPS using the nats listener TLS.
	// Requires Config.Nats.TLS.Enabled to be true. When set together with
	// PromExporter.Enabled, PromExporter.MonitorDomain must be set to a
	// CN/SAN of the nats TLS certificate.
	// +optional
	TLSEnabled bool `json:"tlsEnabled,omitempty"`
}

type NatsBox struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is a standard object metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitzero"`

	// spec defines the desired state of NatsBox
	// +required
	Spec NatsBoxSpec `json:"spec"`

	// status defines the observed state of NatsBox
	// +optional
	Status NatsBoxStatus `json:"status,omitzero"`
}

type NatsBoxContext struct {
	// url overrides the default URL. When omitted and the parent NatsBox has
	// clusterRef set, the URL is derived from the referenced cluster's
	// headless Service.
	// +optional
	URL string `json:"url,omitempty"`

	// description is a human-readable description forwarded into the
	// rendered context JSON.
	// +optional
	Description string `json:"description,omitempty"`

	// creds references a Secret key holding a NATS user credentials (JWT) file.
	// +optional
	Creds *corev1.SecretKeySelector `json:"creds,omitempty"`

	// nkey references a Secret key holding an NKey file.
	// +optional
	NKey *corev1.SecretKeySelector `json:"nkey,omitempty"`

	// tls references a kubernetes.io/tls Secret used for mutual TLS.
	// +optional
	TLS *corev1.LocalObjectReference `json:"tls,omitempty"`

	// ca references a Secret or ConfigMap key holding a CA bundle to verify
	// the nats server certificate against.
	// +optional
	CA *TLSCASpec `json:"ca,omitempty"`
}

type NatsBoxList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitzero"`
	Items           []NatsBox `json:"items"`
}

type NatsBoxSpec struct {
	// replicas is the number of nats-box pods. Defaults to 1.
	// +kubebuilder:validation:Minimum=0
	// +kubebuilder:default=1
	// +optional
	Replicas *int32 `json:"replicas,omitempty"`

	// image is the nats-box container image. Defaults to natsio/nats-box.
	// +optional
	Image ImageSpec `json:"image,omitzero"`

	// resources sets the nats-box container resource requests/limits.
	// +optional
	Resources corev1.ResourceRequirements `json:"resources,omitzero"`

	// clusterRef references a NatsCluster in the same namespace. When set,
	// the operator auto-generates a context named "default" with its URL
	// derived from the cluster's headless Service. Combine with `contexts`
	// to add credentials / TLS material.
	// +optional
	ClusterRef *corev1.LocalObjectReference `json:"clusterRef,omitempty"`

	// contexts is a map of nats CLI contexts the operator renders into the
	// nats-box pod. The map key is the context name (used as the file name
	// under /etc/nats-config/nats/context/<name>.json). When clusterRef is
	// set and "default" is not present in this map, the operator auto-fills
	// it from the referenced cluster.
	// +optional
	Contexts map[string]NatsBoxContext `json:"contexts,omitempty"`

	// defaultContextName selects which context the nats CLI uses by default.
	// Must match a key in `contexts` or be "default" when clusterRef is set.
	// Defaults to "default".
	// +optional
	DefaultContextName string `json:"defaultContextName,omitempty"`

	// serviceAccountName, when set, is used as the Deployment pods'
	// ServiceAccount. The operator does not create or manage the
	// ServiceAccount — users bring their own.
	// +optional
	ServiceAccountName string `json:"serviceAccountName,omitempty"`

	// podTemplate customizes the Deployment pod template.
	// +optional
	PodTemplate PodTemplateSpec `json:"podTemplate,omitzero"`
}

type NatsBoxStatus struct {
	// observedGeneration is the .metadata.generation last reconciled.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// replicas is the total number of nats-box pods.
	// +optional
	Replicas int32 `json:"replicas,omitempty"`

	// readyReplicas is the number of nats-box pods reported ready.
	// +optional
	ReadyReplicas int32 `json:"readyReplicas,omitempty"`

	// conditions represent the current state of the NatsBox resource.
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type NatsCluster struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is a standard object metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitzero"`

	// spec defines the desired state of NatsCluster
	// +required
	Spec NatsClusterSpec `json:"spec"`

	// status defines the observed state of NatsCluster
	// +optional
	Status NatsClusterStatus `json:"status,omitzero"`
}

type NatsClusterEndpoints struct {
	// client is the URL of the client-facing Service.
	// +optional
	Client string `json:"client,omitempty"`
	// headless is the URL of the headless Service used for pod DNS / cluster
	// routing. Useful when callers need to bypass the client Service.
	// +optional
	Headless string `json:"headless,omitempty"`
}

type NatsClusterList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitzero"`
	Items           []NatsCluster `json:"items"`
}

type NatsClusterSpec struct {
	// replicas is the number of nats pods. The operator wires this through to
	// the StatefulSet replica count and, when greater than 1, automatically
	// renders a NATS cluster routing block — there is no separate "enable
	// clustering" toggle.
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:default=1
	// +optional
	Replicas *int32 `json:"replicas,omitempty"`

	// image is the nats server container image. The reloader and prometheus
	// exporter sidecars carry their own image fields under their respective
	// blocks since they ship from different repositories.
	// +optional
	Image ImageSpec `json:"image,omitzero"`

	// global applies cross-cutting image and label settings to every resource.
	// +optional
	Global GlobalSpec `json:"global,omitzero"`

	// tlsCA references a CA bundle that gets mounted into every TLS block.
	// +optional
	TLSCA TLSCASpec `json:"tlsCA,omitzero"`

	// config holds the NATS server configuration the operator renders into
	// nats.conf — listeners, jetstream, cluster routing, monitor, etc.
	// +optional
	Config NatsConfigSpec `json:"config,omitzero"`

	// container customizes per-container knobs (env, resources, probes,
	// security context) for the nats server container.
	// +optional
	Container ContainerSpec `json:"container,omitzero"`

	// reloader customizes the nats config reloader sidecar.
	// +optional
	Reloader ReloaderSpec `json:"reloader,omitzero"`

	// promExporter customizes the prometheus nats exporter sidecar.
	// +optional
	PromExporter PromExporterSpec `json:"promExporter,omitzero"`

	// service customizes the client-facing Service.
	// +optional
	Service ServiceSpec `json:"service,omitzero"`

	// statefulSet customizes the underlying StatefulSet.
	// +optional
	StatefulSet StatefulSetSpec `json:"statefulSet,omitzero"`

	// podTemplate customizes the StatefulSet pod template.
	// +optional
	PodTemplate PodTemplateSpec `json:"podTemplate,omitzero"`

	// headlessService customizes the headless Service used for pod DNS.
	// +optional
	HeadlessService HeadlessServiceSpec `json:"headlessService,omitzero"`

	// configMap customizes (or replaces) the generated nats config ConfigMap.
	// Set existingName to point at a ConfigMap you manage yourself; the operator
	// will mount it instead of generating one.
	// +optional
	ConfigMap ConfigMapSpec `json:"configMap,omitzero"`

	// podDisruptionBudget customizes the PDB.
	// +optional
	PodDisruptionBudget PodDisruptionBudgetSpec `json:"podDisruptionBudget,omitzero"`

	// serviceAccount customizes the ServiceAccount used by the StatefulSet pods.
	// +optional
	ServiceAccount ServiceAccountSpec `json:"serviceAccount,omitzero"`

	// auth configures the cluster's authentication. When unset, the cluster
	// runs without authentication (only suitable for fully-isolated workloads).
	// +optional
	Auth AuthSpec `json:"auth,omitzero"`
}

type NatsClusterStatus struct {
	// observedGeneration is the .metadata.generation last reconciled.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// replicas is the total number of nats pods belonging to the StatefulSet.
	// +optional
	Replicas int32 `json:"replicas,omitempty"`

	// readyReplicas is the number of nats pods reported ready by the StatefulSet.
	// +optional
	ReadyReplicas int32 `json:"readyReplicas,omitempty"`

	// configMapName is the ConfigMap currently mounted as /etc/nats-config.
	// +optional
	ConfigMapName string `json:"configMapName,omitempty"`

	// endpoints exposes the canonical connection URLs the operator generates
	// for this NatsCluster. NACK wrapper CRs and external clients use these
	// instead of guessing the Service name pattern.
	// +optional
	Endpoints NatsClusterEndpoints `json:"endpoints,omitzero"`

	// conditions represent the current state of the NatsCluster resource.
	//
	// Standard condition types include:
	// - "Available": the cluster is fully functional
	// - "Progressing": the cluster is being created or updated
	// - "Degraded": the cluster failed to reach or maintain its desired state
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type NatsConfigSpec struct {
	// +optional
	Cluster ClusterConfig `json:"cluster,omitzero"`
	// +optional
	JetStream JetStreamConfig `json:"jetstream,omitzero"`
	// +optional
	Nats NatsListenerConfig `json:"nats,omitzero"`
	// +optional
	LeafNodes ListenerConfig `json:"leafnodes,omitzero"`
	// +optional
	WebSocket WebSocketConfig `json:"websocket,omitzero"`
	// +optional
	MQTT ListenerConfig `json:"mqtt,omitzero"`
	// +optional
	Gateway ListenerConfig `json:"gateway,omitzero"`
	// +optional
	Monitor MonitorConfig `json:"monitor,omitzero"`
	// +optional
	Profiling SimpleListenerConfig `json:"profiling,omitzero"`

	// serverNamePrefix is prepended to each pod's server name. Helpful for
	// keeping server names unique across a super-cluster.
	// +optional
	ServerNamePrefix string `json:"serverNamePrefix,omitempty"`

	// includes references user-managed Secrets or ConfigMaps whose contents
	// are mounted into the nats container and pulled into nats.conf via the
	// native `include` directive. Use this for free-form server config the
	// typed spec does not (yet) cover — JWT operator/account/user blocks,
	// custom resolvers, complex permission trees, etc.
	//
	// Each entry produces a single included file. The mount path is fixed at
	// /etc/nats-extra/<name> and the rendered nats.conf gets a corresponding
	// `include "/etc/nats-extra/<name>";` line in slice order.
	// +optional
	// +listType=map
	// +listMapKey=name
	Includes []ConfigInclude `json:"includes,omitempty"`
}

type NatsListenerConfig struct {
	// port is the client listener port. Defaults to 4222.
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:default=4222
	// +optional
	Port int32 `json:"port,omitempty"`
	// +optional
	TLS TLSBlock `json:"tls,omitzero"`
}

type PVCConfig struct {
	// enabled, when explicitly set to false, falls back to an emptyDir volume.
	// Defaults to true.
	// +optional
	Enabled *bool `json:"enabled,omitempty"`
	// PersistentVolumeClaimSpec is the standard PVC spec. Use the resources,
	// storageClassName, accessModes, dataSource(Ref), volumeMode, etc. fields
	// just as you would on a free-standing PVC.
	// +optional
	corev1.PersistentVolumeClaimSpec `json:",inline"`
}

type PodDisruptionBudgetSpec struct {
	// enabled defaults to true.
	// +kubebuilder:default=true
	// +optional
	Enabled *bool `json:"enabled,omitempty"`
	// annotations are added to the generated PDB.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
	// labels are added to the generated PDB.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
	// PodDisruptionBudgetSpec is the standard policyv1 PDB spec. The selector
	// field is overwritten by the operator and any user-supplied value is ignored.
	// +optional
	policyv1.PodDisruptionBudgetSpec `json:",inline"`
}

type PodMonitorSpec struct {
	// +optional
	Enabled bool `json:"enabled,omitempty"`
	// labels are added to the generated PodMonitor.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
	// interval is the prometheus scrape interval.
	// +optional
	Interval string `json:"interval,omitempty"`
	// scrapeTimeout is the prometheus scrape timeout.
	// +optional
	ScrapeTimeout string `json:"scrapeTimeout,omitempty"`
}

type PodTemplateSpec struct {
	// configChecksumAnnotation rolls the StatefulSet on config changes by
	// stamping a hash on the pod spec instead of relying on the reloader.
	// +optional
	ConfigChecksumAnnotation bool `json:"configChecksumAnnotation,omitempty"`

	// annotations are added to the rendered pod template.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
	// labels are added to the rendered pod template.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`

	// nodeSelector is the standard pod nodeSelector.
	// +optional
	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
	// tolerations is the standard pod tolerations list.
	// +optional
	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
	// affinity is the standard pod affinity rules.
	// +optional
	Affinity *corev1.Affinity `json:"affinity,omitempty"`

	// topologySpreadConstraints is the standard pod topologySpreadConstraints
	// list. The labelSelector field is overwritten by the operator at reconcile
	// time to match the StatefulSet pods, so any user-supplied selector is
	// ignored — set the rest of the constraint and leave labelSelector nil.
	// +optional
	TopologySpreadConstraints []corev1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`

	// priorityClassName is the standard pod priorityClassName.
	// +optional
	PriorityClassName string `json:"priorityClassName,omitempty"`
	// runtimeClassName is the standard pod runtimeClassName.
	// +optional
	RuntimeClassName *string `json:"runtimeClassName,omitempty"`
	// terminationGracePeriodSeconds overrides the default termination grace period.
	// +optional
	TerminationGracePeriodSeconds *int64 `json:"terminationGracePeriodSeconds,omitempty"`
	// dnsPolicy is the standard pod dnsPolicy.
	// +optional
	DNSPolicy corev1.DNSPolicy `json:"dnsPolicy,omitempty"`
	// dnsConfig is the standard pod dnsConfig.
	// +optional
	DNSConfig *corev1.PodDNSConfig `json:"dnsConfig,omitempty"`
	// hostAliases is the standard pod hostAliases list.
	// +optional
	HostAliases []corev1.HostAlias `json:"hostAliases,omitempty"`
	// securityContext sets the pod-level security context.
	// +optional
	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
	// imagePullSecrets is added on top of global.imagePullSecrets.
	// +optional
	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
}

type PromExporterSpec struct {
	// +optional
	Enabled bool `json:"enabled,omitempty"`
	// +optional
	Image ImageSpec `json:"image,omitzero"`
	// port is the exporter listener port. Defaults to 7777.
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:default=7777
	// +optional
	Port int32 `json:"port,omitempty"`
	// monitorDomain must match a CN/SAN on the nats TLS cert when monitor TLS
	// is enabled.
	// +optional
	MonitorDomain string `json:"monitorDomain,omitempty"`
	// +optional
	Env []corev1.EnvVar `json:"env,omitempty"`
	// resources sets the exporter container resource requests/limits.
	// +optional
	Resources corev1.ResourceRequirements `json:"resources,omitzero"`
	// securityContext sets the exporter container security context.
	// +optional
	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
	// +optional
	PodMonitor PodMonitorSpec `json:"podMonitor,omitzero"`
}

type ReloaderSpec struct {
	// enabled defaults to true.
	// +kubebuilder:default=true
	// +optional
	Enabled *bool `json:"enabled,omitempty"`
	// +optional
	Image ImageSpec `json:"image,omitzero"`
	// +optional
	Env []corev1.EnvVar `json:"env,omitempty"`
	// resources sets the reloader container resource requests/limits.
	// +optional
	Resources corev1.ResourceRequirements `json:"resources,omitzero"`
	// securityContext sets the reloader container security context.
	// +optional
	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
}

type RouteURLsConfig struct {
	// authSecretRef references a Secret holding the cluster route user/password.
	// The Secret must contain `user` and `password` keys. When set, the operator
	// adds the credentials to route URLs and the cluster authorization block.
	// +optional
	AuthSecretRef *corev1.LocalObjectReference `json:"authSecretRef,omitempty"`
	// k8sClusterDomain overrides the cluster DNS suffix appended to every
	// route URL. Defaults to cluster.local, which covers every stock
	// Kubernetes install — only change it when the cluster was brought up
	// with a custom --cluster-domain.
	// +kubebuilder:default=cluster.local
	// +optional
	K8sClusterDomain string `json:"k8sClusterDomain,omitempty"`
}

type ServiceAccountSpec struct {
	// enabled defaults to false. When false the StatefulSet uses the namespace
	// default ServiceAccount.
	// +optional
	Enabled *bool `json:"enabled,omitempty"`
	// annotations are added to the generated ServiceAccount.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
	// imagePullSecrets is the standard ServiceAccount imagePullSecrets list.
	// +optional
	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
}

type ServiceSpec struct {
	// enabled defaults to true.
	// +kubebuilder:default=true
	// +optional
	Enabled *bool `json:"enabled,omitempty"`
	// nodePorts assigns a stable NodePort number to a listener, keyed by
	// listener name (nats, leafnodes, websocket, mqtt, gateway). Only
	// meaningful when Type is NodePort or LoadBalancer. Listeners not present
	// in this map get a NodePort allocated by the apiserver.
	// +optional
	NodePorts map[string]int32 `json:"nodePorts,omitempty"`
	// type is the Service type. Defaults to ClusterIP.
	// +optional
	Type corev1.ServiceType `json:"type,omitempty"`
	// loadBalancerClass is the LoadBalancer class for type=LoadBalancer.
	// +optional
	LoadBalancerClass *string `json:"loadBalancerClass,omitempty"`
	// externalTrafficPolicy is the externalTrafficPolicy for type=LoadBalancer/NodePort.
	// +optional
	ExternalTrafficPolicy corev1.ServiceExternalTrafficPolicy `json:"externalTrafficPolicy,omitempty"`
	// annotations are added to the generated Service.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
	// labels are added to the generated Service.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
}

type SimpleListenerConfig struct {
	// +optional
	Enabled bool `json:"enabled,omitempty"`
	// +optional
	// +kubebuilder:validation:Minimum=1
	Port int32 `json:"port,omitempty"`
}

type StatefulSetSpec struct {
	// annotations are added to the generated StatefulSet.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
	// labels are added to the generated StatefulSet.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
	// podManagementPolicy overrides the default Parallel pod management policy.
	// +optional
	PodManagementPolicy appsv1.PodManagementPolicyType `json:"podManagementPolicy,omitempty"`
	// minReadySeconds is the standard StatefulSet minReadySeconds field.
	// +optional
	MinReadySeconds *int32 `json:"minReadySeconds,omitempty"`
}

type TLSBlock struct {
	// +optional
	Enabled bool `json:"enabled,omitempty"`
	// secretName mounts an existing TLS secret.
	// +optional
	SecretName string `json:"secretName,omitempty"`
	// cert is the certificate file name within the secret. Defaults to tls.crt.
	// +kubebuilder:default=tls.crt
	// +optional
	Cert string `json:"cert,omitempty"`
	// key is the private key file name within the secret. Defaults to tls.key.
	// +kubebuilder:default=tls.key
	// +optional
	Key string `json:"key,omitempty"`
	// verify enables mutual TLS — clients must present a certificate.
	// +optional
	Verify *bool `json:"verify,omitempty"`
	// timeout is the TLS handshake timeout in seconds.
	// +optional
	Timeout *int32 `json:"timeout,omitempty"`
}

type TLSCASpec struct {
	// configMap selects a key in a ConfigMap holding the CA bundle.
	// +optional
	ConfigMap *corev1.ConfigMapKeySelector `json:"configMap,omitempty"`
	// secret selects a key in a Secret holding the CA bundle.
	// +optional
	Secret *corev1.SecretKeySelector `json:"secret,omitempty"`
}

type WebSocketConfig struct {
	// +optional
	Enabled bool `json:"enabled,omitempty"`
	// port is the websocket listener port. Defaults to 8080.
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:default=8080
	// +optional
	Port int32 `json:"port,omitempty"`
	// +optional
	TLS TLSBlock `json:"tls,omitzero"`
	// +optional
	Ingress WebSocketIngress `json:"ingress,omitzero"`
}

type WebSocketIngress struct {
	// +optional
	Enabled bool `json:"enabled,omitempty"`
	// hosts must contain at least one entry to actually create the Ingress.
	// +optional
	Hosts []string `json:"hosts,omitempty"`
	// +optional
	Path string `json:"path,omitempty"`
	// +optional
	PathType string `json:"pathType,omitempty"`
	// +optional
	ClassName string `json:"className,omitempty"`
	// tlsSecretName enables TLS for every host on the Ingress.
	// +optional
	TLSSecretName string `json:"tlsSecretName,omitempty"`
	// annotations are added to the generated Ingress.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
}