v1alpha1

type NginxAccessControlSpec struct {
	// Allow is a list of CIDR blocks to allow access.
	// +optional
	Allow []string `json:"allow,omitempty"`

	// Deny is a list of CIDR blocks to deny access.
	// +optional
	Deny []string `json:"deny,omitempty"`
}

type NginxAutoscalingSpec struct {
	// Enabled enables horizontal pod autoscaling.
	// +kubebuilder:default=false
	// +optional
	Enabled bool `json:"enabled,omitempty"`

	// MinReplicas is the minimum number of replicas.
	// +kubebuilder:default=2
	// +kubebuilder:validation:Minimum=1
	// +optional
	MinReplicas *int32 `json:"minReplicas,omitempty"`

	// MaxReplicas is the maximum number of replicas.
	// +kubebuilder:default=10
	// +kubebuilder:validation:Minimum=1
	// +optional
	MaxReplicas int32 `json:"maxReplicas,omitempty"`

	// TargetCPUUtilizationPercentage is the target average CPU utilization.
	// +kubebuilder:default=80
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:validation:Maximum=100
	// +optional
	TargetCPUUtilizationPercentage *int32 `json:"targetCPUUtilizationPercentage,omitempty"`

	// TargetMemoryUtilizationPercentage is the target average memory utilization.
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:validation:Maximum=100
	// +optional
	TargetMemoryUtilizationPercentage *int32 `json:"targetMemoryUtilizationPercentage,omitempty"`
}

type NginxBackendSpec struct {
	// Address is the backend server address (IP or hostname).
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MinLength=1
	Address string `json:"address"`

	// Port is the backend server port.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:validation:Maximum=65535
	Port int32 `json:"port"`

	// Weight sets the weight for weighted load balancing.
	// +kubebuilder:default=1
	// +kubebuilder:validation:Minimum=0
	// +kubebuilder:validation:Maximum=100
	// +optional
	Weight int32 `json:"weight,omitempty"`

	// MaxConnections limits the maximum number of simultaneous active connections.
	// +kubebuilder:default=0
	// +kubebuilder:validation:Minimum=0
	// +optional
	MaxConnections int32 `json:"maxConnections,omitempty"`

	// MaxFails sets the number of unsuccessful attempts before marking the server as unavailable.
	// +kubebuilder:default=3
	// +kubebuilder:validation:Minimum=0
	// +optional
	MaxFails int32 `json:"maxFails,omitempty"`

	// FailTimeout sets the time during which the specified number of unsuccessful attempts
	// should happen and the time the server is considered unavailable.
	// +kubebuilder:default="10s"
	// +optional
	FailTimeout string `json:"failTimeout,omitempty"`

	// Backup marks this server as a backup server.
	// It receives requests only when all primary servers are unavailable.
	// +kubebuilder:default=false
	// +optional
	Backup bool `json:"backup,omitempty"`

	// Down marks this server as permanently unavailable.
	// +kubebuilder:default=false
	// +optional
	Down bool `json:"down,omitempty"`
}

type NginxCORSSpec struct {
	// Enabled enables CORS handling.
	Enabled bool `json:"enabled"`

	// AllowOrigins defines allowed origins. Use "*" for any origin.
	// +optional
	AllowOrigins []string `json:"allowOrigins,omitempty"`

	// AllowMethods defines allowed HTTP methods.
	// +kubebuilder:default={"GET","POST","PUT","DELETE","OPTIONS"}
	// +optional
	AllowMethods []string `json:"allowMethods,omitempty"`

	// AllowHeaders defines allowed request headers.
	// +kubebuilder:default={"Content-Type","Authorization"}
	// +optional
	AllowHeaders []string `json:"allowHeaders,omitempty"`

	// ExposeHeaders defines response headers exposed to the browser.
	// +optional
	ExposeHeaders []string `json:"exposeHeaders,omitempty"`

	// MaxAge defines how long preflight results can be cached (in seconds).
	// +kubebuilder:default=86400
	// +optional
	MaxAge int32 `json:"maxAge,omitempty"`

	// AllowCredentials indicates whether credentials are supported.
	// +kubebuilder:default=false
	// +optional
	AllowCredentials bool `json:"allowCredentials,omitempty"`
}

type NginxGlobalConfig struct {
	// WorkerProcesses sets the number of NGINX worker processes.
	// Use "auto" to match CPU cores.
	// +kubebuilder:default="auto"
	// +optional
	WorkerProcesses string `json:"workerProcesses,omitempty"`

	// WorkerConnections sets the maximum number of simultaneous connections per worker.
	// +kubebuilder:default=1024
	// +kubebuilder:validation:Minimum=128
	// +kubebuilder:validation:Maximum=65535
	// +optional
	WorkerConnections int32 `json:"workerConnections,omitempty"`

	// KeepaliveTimeout defines the timeout for keep-alive connections.
	// +kubebuilder:default="65s"
	// +optional
	KeepaliveTimeout string `json:"keepaliveTimeout,omitempty"`

	// KeepaliveRequests sets the maximum number of requests per keep-alive connection.
	// +kubebuilder:default=100
	// +optional
	KeepaliveRequests int32 `json:"keepaliveRequests,omitempty"`

	// ClientMaxBodySize sets the maximum allowed size of the client request body.
	// +kubebuilder:default="1m"
	// +optional
	ClientMaxBodySize string `json:"clientMaxBodySize,omitempty"`

	// ServerTokens controls whether NGINX version is shown in error pages and headers.
	// +kubebuilder:default=false
	// +optional
	ServerTokens bool `json:"serverTokens,omitempty"`

	// ErrorLogLevel sets the error log verbosity level.
	// +kubebuilder:default="warn"
	// +kubebuilder:validation:Enum=debug;info;notice;warn;error;crit;alert;emerg
	// +optional
	ErrorLogLevel string `json:"errorLogLevel,omitempty"`

	// AccessLogFormat defines the format string for access logs.
	// Leave empty to use the default combined format.
	// +optional
	AccessLogFormat string `json:"accessLogFormat,omitempty"`

	// AccessLogEnabled controls whether access logging is enabled.
	// +kubebuilder:default=true
	// +optional
	AccessLogEnabled bool `json:"accessLogEnabled,omitempty"`

	// GzipEnabled enables gzip compression.
	// +kubebuilder:default=true
	// +optional
	GzipEnabled bool `json:"gzipEnabled,omitempty"`

	// GzipTypes defines MIME types to compress.
	// +kubebuilder:default={"text/plain","text/css","application/json","application/javascript","text/xml","application/xml","image/svg+xml"}
	// +optional
	GzipTypes []string `json:"gzipTypes,omitempty"`

	// GzipMinLength sets the minimum response length for gzip compression.
	// +kubebuilder:default=256
	// +optional
	GzipMinLength int32 `json:"gzipMinLength,omitempty"`

	// CustomMainSnippet allows injecting raw NGINX directives into the main context.
	// Use with caution — no validation is performed on custom snippets.
	// +optional
	CustomMainSnippet string `json:"customMainSnippet,omitempty"`

	// CustomHTTPSnippet allows injecting raw NGINX directives into the http context.
	// +optional
	CustomHTTPSnippet string `json:"customHTTPSnippet,omitempty"`
}

type NginxHeadersSpec struct {
	// Add defines headers to add to responses.
	// +optional
	Add map[string]string `json:"add,omitempty"`

	// Remove defines headers to remove from responses.
	// +optional
	Remove []string `json:"remove,omitempty"`

	// SecurityHeaders adds common security headers (X-Frame-Options, X-Content-Type-Options, etc.).
	// +kubebuilder:default=true
	// +optional
	SecurityHeaders bool `json:"securityHeaders,omitempty"`
}

type NginxHealthCheckSpec struct {
	// Enabled enables active health checking for upstream servers.
	// +kubebuilder:default=false
	// +optional
	Enabled bool `json:"enabled,omitempty"`

	// Path is the URI to request for health checks (HTTP only).
	// +kubebuilder:default="/"
	// +optional
	Path string `json:"path,omitempty"`

	// Interval defines how often health checks are performed.
	// +kubebuilder:default="30s"
	// +optional
	Interval string `json:"interval,omitempty"`

	// Timeout defines the health check request timeout.
	// +kubebuilder:default="5s"
	// +optional
	Timeout string `json:"timeout,omitempty"`

	// HealthyThreshold is the number of consecutive successes before marking healthy.
	// +kubebuilder:default=2
	// +kubebuilder:validation:Minimum=1
	// +optional
	HealthyThreshold int32 `json:"healthyThreshold,omitempty"`

	// UnhealthyThreshold is the number of consecutive failures before marking unhealthy.
	// +kubebuilder:default=3
	// +kubebuilder:validation:Minimum=1
	// +optional
	UnhealthyThreshold int32 `json:"unhealthyThreshold,omitempty"`

	// ExpectedStatus defines the expected HTTP status code range for a healthy response.
	// +kubebuilder:default=200
	// +optional
	ExpectedStatus int32 `json:"expectedStatus,omitempty"`
}

type NginxListenSpec struct {
	// Port is the port to listen on for HTTP traffic.
	// +kubebuilder:default=80
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:validation:Maximum=65535
	// +optional
	Port int32 `json:"port,omitempty"`

	// HTTPSPort is the port to listen on for HTTPS traffic (when TLS is enabled).
	// +kubebuilder:default=443
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:validation:Maximum=65535
	// +optional
	HTTPSPort int32 `json:"httpsPort,omitempty"`

	// ProxyProtocol enables PROXY protocol support on the listen directive.
	// +kubebuilder:default=false
	// +optional
	ProxyProtocol bool `json:"proxyProtocol,omitempty"`
}

type NginxLoadBalancingSpec struct {
	// Algorithm defines the load balancing method.
	// - round_robin: Default, distributes requests evenly.
	// - least_conn: Sends to the server with the fewest active connections.
	// - ip_hash: Ensures requests from the same IP go to the same server.
	// - random: Selects a random server (with optional two-choice algorithm).
	// +kubebuilder:default="round_robin"
	// +kubebuilder:validation:Enum=round_robin;least_conn;ip_hash;random
	// +optional
	Algorithm string `json:"algorithm,omitempty"`

	// RandomTwoChoices enables the "two choices" variant for the random algorithm.
	// When enabled, picks two servers randomly and selects one using least_conn.
	// Only applies when Algorithm is "random".
	// +kubebuilder:default=false
	// +optional
	RandomTwoChoices bool `json:"randomTwoChoices,omitempty"`
}

type NginxLocationSpec struct {
	// Path is the location path (e.g., "/", "/api", "~ \.php$").
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MinLength=1
	Path string `json:"path"`

	// UpstreamRef references an NginxUpstream resource by name for proxy_pass.
	// Mutually exclusive with StaticContent and Return.
	// +optional
	UpstreamRef string `json:"upstreamRef,omitempty"`

	// ProxyPass sets a direct proxy_pass URL (alternative to UpstreamRef).
	// Mutually exclusive with UpstreamRef, StaticContent, and Return.
	// +optional
	ProxyPass string `json:"proxyPass,omitempty"`

	// StaticContent serves static files from the specified root directory.
	// Mutually exclusive with UpstreamRef, ProxyPass, and Return.
	// +optional
	StaticContent *NginxStaticContentSpec `json:"staticContent,omitempty"`

	// Return sends a fixed response (e.g., redirect, error page).
	// Mutually exclusive with UpstreamRef, ProxyPass, and StaticContent.
	// +optional
	Return *NginxReturnSpec `json:"return,omitempty"`

	// ProxySettings defines proxy_* directives for this location.
	// Only applies when UpstreamRef or ProxyPass is set.
	// +optional
	ProxySettings *NginxProxySettingsSpec `json:"proxySettings,omitempty"`

	// RateLimit defines per-location rate limiting (overrides server-level).
	// +optional
	RateLimit *NginxRateLimitSpec `json:"rateLimit,omitempty"`

	// Headers defines per-location custom headers.
	// +optional
	Headers *NginxHeadersSpec `json:"headers,omitempty"`

	// CustomLocationSnippet allows injecting raw NGINX directives into this location block.
	// +optional
	CustomLocationSnippet string `json:"customLocationSnippet,omitempty"`
}

type NginxMonitoringSpec struct {
	// Enabled enables the NGINX stub_status module and Prometheus metrics endpoint.
	// +kubebuilder:default=true
	// +optional
	Enabled bool `json:"enabled,omitempty"`

	// Port is the port for the metrics endpoint.
	// +kubebuilder:default=9113
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:validation:Maximum=65535
	// +optional
	Port int32 `json:"port,omitempty"`

	// Path is the HTTP path for the metrics endpoint.
	// +kubebuilder:default="/metrics"
	// +optional
	Path string `json:"path,omitempty"`

	// ServiceMonitor enables creating a Prometheus ServiceMonitor resource.
	// +kubebuilder:default=false
	// +optional
	ServiceMonitor bool `json:"serviceMonitor,omitempty"`
}

type NginxPDBSpec struct {
	// Enabled enables PodDisruptionBudget creation.
	// +kubebuilder:default=true
	// +optional
	Enabled bool `json:"enabled,omitempty"`

	// MinAvailable is the minimum number of pods that must be available.
	// Cannot be set together with MaxUnavailable.
	// +optional
	MinAvailable *int32 `json:"minAvailable,omitempty"`

	// MaxUnavailable is the maximum number of pods that can be unavailable.
	// Cannot be set together with MinAvailable.
	// +optional
	MaxUnavailable *int32 `json:"maxUnavailable,omitempty"`
}

type NginxProxySettingsSpec struct {
	// ConnectTimeout is the timeout for establishing a connection to the upstream.
	// +kubebuilder:default="60s"
	// +optional
	ConnectTimeout string `json:"connectTimeout,omitempty"`

	// SendTimeout is the timeout for transmitting a request to the upstream.
	// +kubebuilder:default="60s"
	// +optional
	SendTimeout string `json:"sendTimeout,omitempty"`

	// ReadTimeout is the timeout for reading a response from the upstream.
	// +kubebuilder:default="60s"
	// +optional
	ReadTimeout string `json:"readTimeout,omitempty"`

	// BufferSize sets the proxy_buffer_size directive.
	// +kubebuilder:default="4k"
	// +optional
	BufferSize string `json:"bufferSize,omitempty"`

	// Buffers sets the proxy_buffers directive (number and size).
	// +kubebuilder:default="8 4k"
	// +optional
	Buffers string `json:"buffers,omitempty"`

	// SetHeaders defines headers to pass to the upstream.
	// +optional
	SetHeaders map[string]string `json:"setHeaders,omitempty"`

	// WebSocket enables WebSocket proxying (adds Upgrade and Connection headers).
	// +kubebuilder:default=false
	// +optional
	WebSocket bool `json:"webSocket,omitempty"`

	// NextUpstream defines conditions under which the request is passed to the next upstream server.
	// +kubebuilder:default="error timeout"
	// +optional
	NextUpstream string `json:"nextUpstream,omitempty"`

	// NextUpstreamTries limits the number of possible tries for passing a request to the next server.
	// +kubebuilder:default=3
	// +optional
	NextUpstreamTries int32 `json:"nextUpstreamTries,omitempty"`
}

type NginxRateLimitSpec struct {
	// Enabled enables rate limiting.
	Enabled bool `json:"enabled"`

	// Zone defines the shared memory zone name and size (e.g., "10m").
	// +kubebuilder:default="10m"
	// +optional
	Zone string `json:"zone,omitempty"`

	// Rate defines the request rate limit (e.g., "10r/s", "100r/m").
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Pattern=`^\d+r/[sm]$`
	Rate string `json:"rate"`

	// Burst allows bursting above the rate limit up to this many requests.
	// +kubebuilder:default=20
	// +optional
	Burst int32 `json:"burst,omitempty"`

	// NoDelay processes burst requests without delay.
	// +kubebuilder:default=true
	// +optional
	NoDelay bool `json:"noDelay,omitempty"`

	// Key defines what the rate limit is keyed on.
	// +kubebuilder:default="$binary_remote_addr"
	// +optional
	Key string `json:"key,omitempty"`
}

type NginxReturnSpec struct {
	// Code is the HTTP status code to return.
	// +kubebuilder:validation:Minimum=100
	// +kubebuilder:validation:Maximum=599
	Code int32 `json:"code"`

	// Body is the response body or redirect URL.
	// +optional
	Body string `json:"body,omitempty"`
}

type NginxRoute struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   NginxRouteSpec   `json:"spec,omitempty"`
	Status NginxRouteStatus `json:"status,omitempty"`
}

type NginxRouteList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []NginxRoute `json:"items"`
}

type NginxRouteSpec struct {
	// ServerRef is the name of the NginxServer resource this route belongs to.
	// The NginxServer must exist in the same namespace.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MinLength=1
	ServerRef string `json:"serverRef"`

	// ServerName defines the server_name directive (e.g., "example.com", "*.example.com").
	// Multiple hostnames can be specified as a space-separated string.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MinLength=1
	ServerName string `json:"serverName"`

	// Listen defines the listen directive configuration.
	// +optional
	Listen *NginxListenSpec `json:"listen,omitempty"`

	// TLS defines per-route TLS settings. Overrides the NginxServer global TLS if set.
	// +optional
	TLS *NginxRouteTLSSpec `json:"tls,omitempty"`

	// Locations defines the location blocks within this server block.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MinItems=1
	Locations []NginxLocationSpec `json:"locations"`

	// RateLimit defines rate limiting settings for this virtual host.
	// +optional
	RateLimit *NginxRateLimitSpec `json:"rateLimit,omitempty"`

	// AccessControl defines IP-based access control for this virtual host.
	// +optional
	AccessControl *NginxAccessControlSpec `json:"accessControl,omitempty"`

	// Headers defines custom HTTP headers to add or remove.
	// +optional
	Headers *NginxHeadersSpec `json:"headers,omitempty"`

	// CORS defines Cross-Origin Resource Sharing settings.
	// +optional
	CORS *NginxCORSSpec `json:"cors,omitempty"`

	// CustomServerSnippet allows injecting raw NGINX directives into the server block.
	// Use with caution — no validation is performed on custom snippets.
	// +optional
	CustomServerSnippet string `json:"customServerSnippet,omitempty"`

	// Priority determines the order of server blocks in the NGINX configuration.
	// Lower values are processed first. Default is 100.
	// +kubebuilder:default=100
	// +kubebuilder:validation:Minimum=0
	// +kubebuilder:validation:Maximum=9999
	// +optional
	Priority int32 `json:"priority,omitempty"`
}

type NginxRouteStatus struct {
	// Conditions represent the latest available observations of the NginxRoute's state.
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`

	// ConfigHash is the SHA-256 hash of the generated config for this route.
	// +optional
	ConfigHash string `json:"configHash,omitempty"`

	// LastAppliedTime is the timestamp when the config was last applied.
	// +optional
	LastAppliedTime *metav1.Time `json:"lastAppliedTime,omitempty"`

	// ObservedGeneration is the most recent generation observed by the controller.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}

type NginxRouteTLSSpec struct {
	// Enabled enables TLS for this route.
	Enabled bool `json:"enabled"`

	// SecretName references a Kubernetes TLS Secret for this route.
	// +optional
	SecretName string `json:"secretName,omitempty"`

	// RedirectHTTP automatically redirects HTTP to HTTPS when true.
	// +kubebuilder:default=true
	// +optional
	RedirectHTTP bool `json:"redirectHTTP,omitempty"`
}

type NginxServer struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   NginxServerSpec   `json:"spec,omitempty"`
	Status NginxServerStatus `json:"status,omitempty"`
}

type NginxServerList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []NginxServer `json:"items"`
}

type NginxServerSpec struct {
	// Replicas is the desired number of NGINX pod replicas.
	// Ignored when autoscaling is enabled.
	// +kubebuilder:default=1
	// +kubebuilder:validation:Minimum=0
	// +kubebuilder:validation:Maximum=100
	// +optional
	Replicas *int32 `json:"replicas,omitempty"`

	// Image specifies the NGINX container image to use.
	// +kubebuilder:default="nginx:1.27-alpine"
	// +optional
	Image string `json:"image,omitempty"`

	// ImagePullPolicy defines the pull policy for the NGINX image.
	// +kubebuilder:default="IfNotPresent"
	// +kubebuilder:validation:Enum=Always;Never;IfNotPresent
	// +optional
	ImagePullPolicy corev1.PullPolicy `json:"imagePullPolicy,omitempty"`

	// ImagePullSecrets is a list of references to secrets for pulling the NGINX image.
	// +optional
	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`

	// Resources defines CPU/memory resource requests and limits for the NGINX container.
	// +optional
	Resources corev1.ResourceRequirements `json:"resources,omitempty"`

	// ReloaderResources defines CPU/memory resource requests and limits for the config reloader sidecar.
	// +optional
	ReloaderResources corev1.ResourceRequirements `json:"reloaderResources,omitempty"`

	// Service defines the Service configuration for exposing NGINX.
	// +optional
	Service *NginxServiceSpec `json:"service,omitempty"`

	// TLS defines global TLS settings for this NGINX instance.
	// +optional
	TLS *NginxTLSSpec `json:"tls,omitempty"`

	// GlobalConfig provides global NGINX directives applied to the main nginx.conf context.
	// +optional
	GlobalConfig *NginxGlobalConfig `json:"globalConfig,omitempty"`

	// Monitoring defines Prometheus metrics exposure settings.
	// +optional
	Monitoring *NginxMonitoringSpec `json:"monitoring,omitempty"`

	// Autoscaling defines HorizontalPodAutoscaler settings.
	// When enabled, the replicas field is ignored.
	// +optional
	Autoscaling *NginxAutoscalingSpec `json:"autoscaling,omitempty"`

	// PodDisruptionBudget defines PDB settings for high availability.
	// +optional
	PodDisruptionBudget *NginxPDBSpec `json:"podDisruptionBudget,omitempty"`

	// NodeSelector is a selector which must be true for the pod to fit on a node.
	// +optional
	NodeSelector map[string]string `json:"nodeSelector,omitempty"`

	// Tolerations are applied to the NGINX pods for scheduling.
	// +optional
	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`

	// Affinity defines scheduling affinity rules for the NGINX pods.
	// +optional
	Affinity *corev1.Affinity `json:"affinity,omitempty"`

	// TopologySpreadConstraints describes how pods should spread across topology domains.
	// +optional
	TopologySpreadConstraints []corev1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`

	// ExtraVolumes allows mounting additional volumes into the NGINX pods.
	// +optional
	ExtraVolumes []corev1.Volume `json:"extraVolumes,omitempty"`

	// ExtraVolumeMounts allows mounting additional volume mounts into the NGINX container.
	// +optional
	ExtraVolumeMounts []corev1.VolumeMount `json:"extraVolumeMounts,omitempty"`

	// ExtraEnvVars allows setting additional environment variables on the NGINX container.
	// +optional
	ExtraEnvVars []corev1.EnvVar `json:"extraEnvVars,omitempty"`

	// PodAnnotations are additional annotations to set on the NGINX pods.
	// +optional
	PodAnnotations map[string]string `json:"podAnnotations,omitempty"`

	// PodLabels are additional labels to set on the NGINX pods.
	// +optional
	PodLabels map[string]string `json:"podLabels,omitempty"`

	// SecurityContext defines the security context for the NGINX pods.
	// +optional
	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`

	// ContainerSecurityContext defines the security context for the NGINX container.
	// +optional
	ContainerSecurityContext *corev1.SecurityContext `json:"containerSecurityContext,omitempty"`
}

type NginxServerStatus struct {
	// Conditions represent the latest available observations of the NginxServer's state.
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`

	// ReadyReplicas is the number of NGINX pods that are ready.
	// +optional
	ReadyReplicas int32 `json:"readyReplicas,omitempty"`

	// AvailableReplicas is the number of available NGINX pods.
	// +optional
	AvailableReplicas int32 `json:"availableReplicas,omitempty"`

	// ConfigHash is the SHA-256 hash of the current applied NGINX configuration.
	// +optional
	ConfigHash string `json:"configHash,omitempty"`

	// LastReloadTime is the timestamp of the last successful NGINX configuration reload.
	// +optional
	LastReloadTime *metav1.Time `json:"lastReloadTime,omitempty"`

	// ObservedGeneration is the most recent generation observed by the controller.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// RouteCount is the number of NginxRoute resources associated with this server.
	// +optional
	RouteCount int32 `json:"routeCount,omitempty"`

	// UpstreamCount is the number of NginxUpstream resources associated with this server.
	// +optional
	UpstreamCount int32 `json:"upstreamCount,omitempty"`
}

type NginxServiceDiscoverySpec struct {
	// Enabled enables service discovery.
	Enabled bool `json:"enabled"`

	// ServiceName is the name of the Kubernetes Service to discover endpoints from.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MinLength=1
	ServiceName string `json:"serviceName"`

	// ServicePort is the port on the Service to use for upstream backends.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:validation:Maximum=65535
	ServicePort int32 `json:"servicePort"`

	// Namespace is the namespace of the Service. Defaults to the NginxUpstream's namespace.
	// +optional
	Namespace string `json:"namespace,omitempty"`
}

type NginxServicePort struct {
	// Name is the name of the port.
	Name string `json:"name"`

	// Port is the port number exposed by the Service.
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:validation:Maximum=65535
	Port int32 `json:"port"`

	// TargetPort is the port on the NGINX container to route traffic to.
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:validation:Maximum=65535
	// +optional
	TargetPort int32 `json:"targetPort,omitempty"`

	// Protocol is the protocol for this port (TCP or UDP).
	// +kubebuilder:default="TCP"
	// +kubebuilder:validation:Enum=TCP;UDP
	// +optional
	Protocol corev1.Protocol `json:"protocol,omitempty"`
}

type NginxServiceSpec struct {
	// Type is the Kubernetes Service type.
	// +kubebuilder:default="ClusterIP"
	// +kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer
	// +optional
	Type corev1.ServiceType `json:"type,omitempty"`

	// Ports defines the ports exposed by the Service.
	// +optional
	Ports []NginxServicePort `json:"ports,omitempty"`

	// Annotations are additional annotations for the Service.
	// Useful for cloud provider load balancer configuration.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`

	// LoadBalancerIP specifies a fixed IP for LoadBalancer-type services.
	// +optional
	LoadBalancerIP string `json:"loadBalancerIP,omitempty"`

	// ExternalTrafficPolicy specifies whether to route external traffic to node-local or cluster-wide endpoints.
	// +kubebuilder:validation:Enum=Cluster;Local
	// +optional
	ExternalTrafficPolicy corev1.ServiceExternalTrafficPolicy `json:"externalTrafficPolicy,omitempty"`
}

type NginxStaticContentSpec struct {
	// Root is the root directory for serving static files.
	// +kubebuilder:validation:Required
	Root string `json:"root"`

	// Index defines index file names.
	// +kubebuilder:default={"index.html"}
	// +optional
	Index []string `json:"index,omitempty"`

	// TryFiles defines the try_files directive.
	// +optional
	TryFiles string `json:"tryFiles,omitempty"`

	// Autoindex enables directory listing.
	// +kubebuilder:default=false
	// +optional
	Autoindex bool `json:"autoindex,omitempty"`
}

type NginxTLSSpec struct {
	// Enabled enables TLS on the NGINX instance.
	// +kubebuilder:default=false
	// +optional
	Enabled bool `json:"enabled,omitempty"`

	// SecretName references a Kubernetes Secret containing the TLS certificate and key.
	// The secret must contain tls.crt and tls.key entries.
	// +optional
	SecretName string `json:"secretName,omitempty"`

	// Protocols defines allowed TLS protocols.
	// +kubebuilder:default={"TLSv1.2","TLSv1.3"}
	// +optional
	Protocols []string `json:"protocols,omitempty"`

	// Ciphers defines the allowed TLS cipher suites.
	// +optional
	Ciphers string `json:"ciphers,omitempty"`

	// PreferServerCiphers enables server cipher preference.
	// +kubebuilder:default=true
	// +optional
	PreferServerCiphers bool `json:"preferServerCiphers,omitempty"`

	// SessionCache configures TLS session caching.
	// +kubebuilder:default="shared:SSL:10m"
	// +optional
	SessionCache string `json:"sessionCache,omitempty"`

	// SessionTimeout defines TLS session timeout.
	// +kubebuilder:default="1d"
	// +optional
	SessionTimeout string `json:"sessionTimeout,omitempty"`
}

type NginxUpstream struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   NginxUpstreamSpec   `json:"spec,omitempty"`
	Status NginxUpstreamStatus `json:"status,omitempty"`
}

type NginxUpstreamList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []NginxUpstream `json:"items"`
}

type NginxUpstreamSpec struct {
	// ServerRef is the name of the NginxServer resource this upstream belongs to.
	// The NginxServer must exist in the same namespace.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MinLength=1
	ServerRef string `json:"serverRef"`

	// Backends defines the list of upstream backend servers.
	// At least one backend must be specified.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:MinItems=1
	Backends []NginxBackendSpec `json:"backends"`

	// LoadBalancing defines the load balancing algorithm.
	// +optional
	LoadBalancing *NginxLoadBalancingSpec `json:"loadBalancing,omitempty"`

	// HealthCheck defines active health checking for upstream servers.
	// +optional
	HealthCheck *NginxHealthCheckSpec `json:"healthCheck,omitempty"`

	// Keepalive sets the maximum number of idle keepalive connections to upstream servers.
	// +kubebuilder:default=32
	// +kubebuilder:validation:Minimum=0
	// +optional
	Keepalive int32 `json:"keepalive,omitempty"`

	// KeepaliveTimeout is the timeout during which an idle keepalive connection will stay open.
	// +kubebuilder:default="60s"
	// +optional
	KeepaliveTimeout string `json:"keepaliveTimeout,omitempty"`

	// KeepaliveRequests sets the maximum number of requests through one keepalive connection.
	// +kubebuilder:default=100
	// +optional
	KeepaliveRequests int32 `json:"keepaliveRequests,omitempty"`

	// ServiceDiscovery enables automatic backend discovery from a Kubernetes Service.
	// When enabled, Backends field is ignored and endpoints are auto-populated.
	// +optional
	ServiceDiscovery *NginxServiceDiscoverySpec `json:"serviceDiscovery,omitempty"`

	// CustomUpstreamSnippet allows injecting raw NGINX directives into the upstream block.
	// +optional
	CustomUpstreamSnippet string `json:"customUpstreamSnippet,omitempty"`
}

type NginxUpstreamStatus struct {
	// Conditions represent the latest available observations of the NginxUpstream's state.
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`

	// ActiveBackends is the number of backends currently active (not down or failed).
	// +optional
	ActiveBackends int32 `json:"activeBackends,omitempty"`

	// TotalBackends is the total number of configured backends.
	// +optional
	TotalBackends int32 `json:"totalBackends,omitempty"`

	// ConfigHash is the SHA-256 hash of the generated upstream config.
	// +optional
	ConfigHash string `json:"configHash,omitempty"`

	// LastAppliedTime is the timestamp when the config was last applied.
	// +optional
	LastAppliedTime *metav1.Time `json:"lastAppliedTime,omitempty"`

	// ObservedGeneration is the most recent generation observed by the controller.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// DiscoveredEndpoints lists the endpoints discovered via service discovery.
	// Only populated when ServiceDiscovery is enabled.
	// +optional
	DiscoveredEndpoints []string `json:"discoveredEndpoints,omitempty"`
}