Package v1alpha1 (v0.1.0-beta)

Published: Mar 29, 2023 License: MPL-2.0 Imports: 6 Imported by: 0

Documentation
Overview

Package v1alpha1 contains API Schema definitions for the secrets v1alpha1 API group.

+kubebuilder:object:generate=true
+groupName=secrets.hashicorp.com

Constants

This section is empty.

Variables

var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "secrets.hashicorp.com", Version: "v1alpha1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

This section is empty.

Types

type Destination

type Destination struct {
	// Name of the Secret
	Name string `json:"name"`
	// Create the destination Secret.
	// If the Secret already exists this should be set to false.
	Create bool `json:"create,omitempty"`
	// Labels to apply to the Secret. Requires Create to be set to true.
	Labels map[string]string `json:"labels,omitempty"`
	// Annotations to apply to the Secret. Requires Create to be set to true.
	Annotations map[string]string `json:"annotations,omitempty"`
	// Type of Kubernetes Secret. Requires Create to be set to true.
	// Defaults to Opaque.
	Type v1.SecretType `json:"type,omitempty"`
}

Destination provides the configuration that will be applied to the destination Kubernetes Secret during a Vault Secret -> K8s Secret sync.

func (*Destination) DeepCopy

func (in *Destination) DeepCopy() *Destination

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Destination.

func (*Destination) DeepCopyInto

func (in *Destination) DeepCopyInto(out *Destination)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RolloutRestartTarget

type RolloutRestartTarget struct {
	// +kubebuilder:validation:Enum={Deployment,DaemonSet,StatefulSet}
	Kind string `json:"kind"`
	Name string `json:"name"`
}

RolloutRestartTarget provides the configuration required to perform a rollout-restart of the supported resources upon Vault Secret rotation. The rollout-restart is triggered by patching the target resource's 'spec.template.metadata.annotations' to include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z"

Supported resources: Deployment, DaemonSet, StatefulSet
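The passage above says how a rollout-restart is triggered: the Operator patches the target's spec.template.metadata.annotations with vso.secrets.hashicorp.com/restartedAt set to the trigger time. The following is an added example (not the Operator's own code) that builds such a patch for a RolloutRestartTarget, enforces the Kind enum from the type definition, and reads the annotation back out. The JSON merge-patch encoding, the local copy of the RolloutRestartTarget type and the function names are assumptions; the page only states which field is patched and with what value.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Annotation key the Operator writes to trigger a rollout-restart (from the page).
const restartedAtAnnotation = "vso.secrets.hashicorp.com/restartedAt"

// supportedKinds mirrors the +kubebuilder:validation:Enum on RolloutRestartTarget.Kind.
var supportedKinds = map[string]bool{"Deployment": true, "DaemonSet": true, "StatefulSet": true}

// RolloutRestartTarget is a local copy of the API type so this file runs stand-alone.
type RolloutRestartTarget struct {
	Kind string `json:"kind"`
	Name string `json:"name"`
}

// BuildRestartPatch returns a JSON merge-patch body that sets
// spec.template.metadata.annotations[restartedAtAnnotation] to the given time
// in RFC 3339 UTC, the format shown on the page. Using a merge patch is an
// assumption for this example.
func BuildRestartPatch(t RolloutRestartTarget, now time.Time) ([]byte, error) {
	if !supportedKinds[t.Kind] {
		return nil, fmt.Errorf("unsupported kind %q: want Deployment, DaemonSet or StatefulSet", t.Kind)
	}
	if t.Name == "" {
		return nil, fmt.Errorf("target name must not be empty")
	}
	patch := map[string]interface{}{
		"spec": map[string]interface{}{
			"template": map[string]interface{}{
				"metadata": map[string]interface{}{
					"annotations": map[string]string{
						restartedAtAnnotation: now.UTC().Format(time.RFC3339),
					},
				},
			},
		},
	}
	return json.Marshal(patch)
}

// RestartedAtFromPatch extracts the annotation value from a patch body; a
// reconciler would compare it with the value already on the resource to see
// whether a restart for this rotation has already been requested.
func RestartedAtFromPatch(patch []byte) (string, error) {
	var doc struct {
		Spec struct {
			Template struct {
				Metadata struct {
					Annotations map[string]string `json:"annotations"`
				} `json:"metadata"`
			} `json:"template"`
		} `json:"spec"`
	}
	if err := json.Unmarshal(patch, &doc); err != nil {
		return "", err
	}
	v, ok := doc.Spec.Template.Metadata.Annotations[restartedAtAnnotation]
	if !ok {
		return "", fmt.Errorf("annotation %s not present", restartedAtAnnotation)
	}
	return v, nil
}

func main() {
	// Constructed timestamp, matching the example value given on the page.
	ts := time.Date(2023, 3, 23, 13, 39, 31, 0, time.UTC)
	patch, err := BuildRestartPatch(RolloutRestartTarget{Kind: "Deployment", Name: "web"}, ts)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(patch))
}
```

The patch only touches the pod template's annotations, which is enough to make the workload controller roll new pods; rejecting kinds outside the enum keeps a mis-typed target from being patched at all.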

func (*RolloutRestartTarget) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolloutRestartTarget.

func (*RolloutRestartTarget) DeepCopyInto

func (in *RolloutRestartTarget) DeepCopyInto(out *RolloutRestartTarget)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type StorageEncryption

type StorageEncryption struct {
	// Mount path of the Transit engine in Vault.
	Mount string `json:"mount"`
	// KeyName to use for encrypt/decrypt operations via Vault Transit.
	KeyName string `json:"keyName"`
}

StorageEncryption provides the configuration needed to encrypt the storage cache entries using Vault's Transit engine. It only supports Kubernetes Auth for now.

func (*StorageEncryption) DeepCopy

func (in *StorageEncryption) DeepCopy() *StorageEncryption

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageEncryption.

func (*StorageEncryption) DeepCopyInto

func (in *StorageEncryption) DeepCopyInto(out *StorageEncryption)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAuth

type VaultAuth struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   VaultAuthSpec   `json:"spec,omitempty"`
	Status VaultAuthStatus `json:"status,omitempty"`
}

VaultAuth is the Schema for the vaultauths API

func (*VaultAuth) DeepCopy

func (in *VaultAuth) DeepCopy() *VaultAuth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.

func (*VaultAuth) DeepCopyInto

func (in *VaultAuth) DeepCopyInto(out *VaultAuth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultAuth) DeepCopyObject

func (in *VaultAuth) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultAuthConfigKubernetes

type VaultAuthConfigKubernetes struct {
	// Role to use for authenticating to Vault.
	Role string `json:"role"`
	// ServiceAccount to use when authenticating to Vault's kubernetes
	// authentication backend.
	ServiceAccount string `json:"serviceAccount"`
	// TokenAudiences to include in the ServiceAccount token.
	TokenAudiences []string `json:"audiences,omitempty"`
	// TokenExpirationSeconds to set the ServiceAccount token.
	// +kubebuilder:default=600
	// +kubebuilder:validation:Minimum=600
	TokenExpirationSeconds int64 `json:"tokenExpirationSeconds,omitempty"`
}

VaultAuthConfigKubernetes provides VaultAuth configuration options needed for authenticating to Vault.

func (*VaultAuthConfigKubernetes) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuthConfigKubernetes.

func (*VaultAuthConfigKubernetes) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAuthList

type VaultAuthList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []VaultAuth `json:"items"`
}

VaultAuthList contains a list of VaultAuth

func (*VaultAuthList) DeepCopy

func (in *VaultAuthList) DeepCopy() *VaultAuthList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuthList.

func (*VaultAuthList) DeepCopyInto

func (in *VaultAuthList) DeepCopyInto(out *VaultAuthList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultAuthList) DeepCopyObject

func (in *VaultAuthList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultAuthSpec

type VaultAuthSpec struct {
	// VaultConnectionRef of the corresponding VaultConnection CustomResource.
	// If no value is specified the Operator will default to the `default` VaultConnection,
	// configured in its own Kubernetes namespace.
	VaultConnectionRef string `json:"vaultConnectionRef,omitempty"`
	// Namespace to auth to in Vault
	Namespace string `json:"namespace,omitempty"`
	// Method to use when authenticating to Vault.
	// +kubebuilder:validation:Enum=kubernetes
	Method string `json:"method"`
	// Mount to use when authenticating to auth method.
	Mount string `json:"mount"`
	// Params to use when authenticating to Vault
	Params map[string]string `json:"params,omitempty"`
	// Headers to be included in all Vault requests.
	Headers map[string]string `json:"headers,omitempty"`
	// Kubernetes specific auth configuration, requires that the Method be set to kubernetes.
	Kubernetes *VaultAuthConfigKubernetes `json:"kubernetes,omitempty"`
	// StorageEncryption provides the necessary configuration to encrypt the client storage cache.
	// This should only be configured when client cache persistence with encryption is enabled.
	// That is done by setting the manager's command-line argument --client-cache-persistence-model=direct-encrypted.
	// Typically there should only ever be one VaultAuth configured with StorageEncryption in the Cluster, and it should have
	// the label: cacheStorageEncryption=true
	StorageEncryption *StorageEncryption `json:"storageEncryption,omitempty"`
}

VaultAuthSpec defines the desired state of VaultAuth

func (*VaultAuthSpec) DeepCopy

func (in *VaultAuthSpec) DeepCopy() *VaultAuthSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuthSpec.

func (*VaultAuthSpec) DeepCopyInto

func (in *VaultAuthSpec) DeepCopyInto(out *VaultAuthSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAuthStatus

type VaultAuthStatus struct {
	// Valid auth mechanism.
	Valid bool   `json:"valid"`
	Error string `json:"error"`
}

VaultAuthStatus defines the observed state of VaultAuth

func (*VaultAuthStatus) DeepCopy

func (in *VaultAuthStatus) DeepCopy() *VaultAuthStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuthStatus.

func (*VaultAuthStatus) DeepCopyInto

func (in *VaultAuthStatus) DeepCopyInto(out *VaultAuthStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultConnection

type VaultConnection struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   VaultConnectionSpec   `json:"spec,omitempty"`
	Status VaultConnectionStatus `json:"status,omitempty"`
}

VaultConnection is the Schema for the vaultconnections API

func (*VaultConnection) DeepCopy

func (in *VaultConnection) DeepCopy() *VaultConnection

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultConnection.

func (*VaultConnection) DeepCopyInto

func (in *VaultConnection) DeepCopyInto(out *VaultConnection)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultConnection) DeepCopyObject

func (in *VaultConnection) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultConnectionList

type VaultConnectionList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []VaultConnection `json:"items"`
}

VaultConnectionList contains a list of VaultConnection

func (*VaultConnectionList) DeepCopy

func (in *VaultConnectionList) DeepCopy() *VaultConnectionList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultConnectionList.

func (*VaultConnectionList) DeepCopyInto

func (in *VaultConnectionList) DeepCopyInto(out *VaultConnectionList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultConnectionList) DeepCopyObject

func (in *VaultConnectionList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultConnectionSpec

type VaultConnectionSpec struct {
	// Address of the Vault server
	Address string `json:"address"`
	// Headers to be included in all Vault requests.
	Headers map[string]string `json:"headers,omitempty"`
	// TLSServerName to use as the SNI host for TLS connections.
	TLSServerName string `json:"tlsServerName,omitempty"`
	// CACertSecretRef containing the trusted PEM encoded CA certificate chain.
	CACertSecretRef string `json:"caCertSecretRef,omitempty"`
	// SkipTLSVerify for TLS connections.
	SkipTLSVerify bool `json:"skipTLSVerify,omitempty"`
}

VaultConnectionSpec defines the desired state of VaultConnection

func (*VaultConnectionSpec) DeepCopy

func (in *VaultConnectionSpec) DeepCopy() *VaultConnectionSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultConnectionSpec.

func (*VaultConnectionSpec) DeepCopyInto

func (in *VaultConnectionSpec) DeepCopyInto(out *VaultConnectionSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultConnectionStatus

type VaultConnectionStatus struct {
	// Valid auth mechanism.
	Valid bool `json:"valid"`
}

VaultConnectionStatus defines the observed state of VaultConnection

func (*VaultConnectionStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultConnectionStatus.

func (*VaultConnectionStatus) DeepCopyInto

func (in *VaultConnectionStatus) DeepCopyInto(out *VaultConnectionStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultDynamicSecret

type VaultDynamicSecret struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   VaultDynamicSecretSpec   `json:"spec,omitempty"`
	Status VaultDynamicSecretStatus `json:"status,omitempty"`
}

VaultDynamicSecret is the Schema for the vaultdynamicsecrets API

func (*VaultDynamicSecret) DeepCopy

func (in *VaultDynamicSecret) DeepCopy() *VaultDynamicSecret

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultDynamicSecret.

func (*VaultDynamicSecret) DeepCopyInto

func (in *VaultDynamicSecret) DeepCopyInto(out *VaultDynamicSecret)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultDynamicSecret) DeepCopyObject

func (in *VaultDynamicSecret) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultDynamicSecretList

type VaultDynamicSecretList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []VaultDynamicSecret `json:"items"`
}

VaultDynamicSecretList contains a list of VaultDynamicSecret

func (*VaultDynamicSecretList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultDynamicSecretList.

func (*VaultDynamicSecretList) DeepCopyInto

func (in *VaultDynamicSecretList) DeepCopyInto(out *VaultDynamicSecretList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultDynamicSecretList) DeepCopyObject

func (in *VaultDynamicSecretList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultDynamicSecretSpec

type VaultDynamicSecretSpec struct {
	// VaultAuthRef to the VaultAuth resource
	// If no value is specified the Operator will default to the `default` VaultAuth,
	// configured in its own Kubernetes namespace.
	VaultAuthRef string `json:"vaultAuthRef,omitempty"`
	// Namespace where the secrets engine is mounted in Vault.
	Namespace string `json:"namespace,omitempty"`
	// Mount path of the secrets engine in Vault.
	Mount string `json:"mount"`
	// Role in Vault to get the credentials for.
	Role string `json:"role"`
	// RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret do
	// not support dynamically reloading a rotated secret.
	// In that case one or more RolloutRestartTargets can be configured here. The Operator will
	// trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
	// See RolloutRestartTarget for more details.
	RolloutRestartTargets []RolloutRestartTarget `json:"rolloutRestartTargets,omitempty"`
	// Destination provides configuration necessary for syncing the Vault secret to Kubernetes.
	Destination Destination `json:"destination"`
}

VaultDynamicSecretSpec defines the desired state of VaultDynamicSecret

func (*VaultDynamicSecretSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultDynamicSecretSpec.

func (*VaultDynamicSecretSpec) DeepCopyInto

func (in *VaultDynamicSecretSpec) DeepCopyInto(out *VaultDynamicSecretSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultDynamicSecretStatus

type VaultDynamicSecretStatus struct {
	// LastRenewalTime of the last successful secret lease renewal.
	LastRenewalTime int64 `json:"lastRenewalTime"`
	// SecretLease for the Vault secret.
	SecretLease VaultSecretLease `json:"secretLease"`
	// LastRuntimePodUID used for tracking the transition from one Pod to the next.
	// It is used to mitigate the effects of a Vault lease renewal storm.
	LastRuntimePodUID types.UID `json:"lastRuntimePodUID,omitempty"`
}

VaultDynamicSecretStatus defines the observed state of VaultDynamicSecret

func (*VaultDynamicSecretStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultDynamicSecretStatus.

func (*VaultDynamicSecretStatus) DeepCopyInto

func (in *VaultDynamicSecretStatus) DeepCopyInto(out *VaultDynamicSecretStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultPKISecret

type VaultPKISecret struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   VaultPKISecretSpec   `json:"spec,omitempty"`
	Status VaultPKISecretStatus `json:"status,omitempty"`
}

VaultPKISecret is the Schema for the vaultpkisecrets API

func (*VaultPKISecret) DeepCopy

func (in *VaultPKISecret) DeepCopy() *VaultPKISecret

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultPKISecret.

func (*VaultPKISecret) DeepCopyInto

func (in *VaultPKISecret) DeepCopyInto(out *VaultPKISecret)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultPKISecret) DeepCopyObject

func (in *VaultPKISecret) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*VaultPKISecret) GetIssuerAPIData

func (v *VaultPKISecret) GetIssuerAPIData() map[string]interface{}

type VaultPKISecretList

type VaultPKISecretList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []VaultPKISecret `json:"items"`
}

VaultPKISecretList contains a list of VaultPKISecret

func (*VaultPKISecretList) DeepCopy

func (in *VaultPKISecretList) DeepCopy() *VaultPKISecretList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultPKISecretList.

func (*VaultPKISecretList) DeepCopyInto

func (in *VaultPKISecretList) DeepCopyInto(out *VaultPKISecretList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultPKISecretList) DeepCopyObject

func (in *VaultPKISecretList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultPKISecretSpec

type VaultPKISecretSpec struct {
	// VaultAuthRef of the VaultAuth resource
	// If no value is specified the Operator will default to the `default` VaultAuth,
	// configured in its own Kubernetes namespace.
	VaultAuthRef string `json:"vaultAuthRef,omitempty"`

	// Namespace to get the secret from in Vault
	Namespace string `json:"namespace,omitempty"`

	// Mount for the secret in Vault
	Mount string `json:"mount"`

	// Name of the secret in Vault
	Name string `json:"name"`

	// Revoke the certificate when the resource is deleted.
	Revoke bool `json:"revoke,omitempty"`

	// Clear the Kubernetes secret when the resource is deleted.
	Clear bool `json:"clear,omitempty"`

	// ExpiryOffset to use for computing when the certificate should be renewed.
	// The rotation time will be the difference between the expiration and the offset.
	// Should be in duration notation e.g. 30s, 120s, etc.
	// Set to empty string "" to prevent certificate rotation.
	ExpiryOffset string `json:"expiryOffset,omitempty"`

	// IssuerRef reference to an existing PKI issuer, either by Vault-generated
	// identifier, the literal string default to refer to the currently
	// configured default issuer, or the name assigned to an issuer.
	// This parameter is part of the request URL.
	IssuerRef string `json:"issuerRef,omitempty"`

	// RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret do
	// not support dynamically reloading a rotated secret.
	// In that case one or more RolloutRestartTargets can be configured here. The Operator will
	// trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
	// See RolloutRestartTarget for more details.
	RolloutRestartTargets []RolloutRestartTarget `json:"rolloutRestartTargets,omitempty"`

	// Destination provides configuration necessary for syncing the Vault secret
	// to Kubernetes. If the type is set to "kubernetes.io/tls", the Vault
	// response fields "certificate" and "private_key" will be copied to fields
	// "tls.crt" and "tls.key", respectively, in the Kubernetes secret.
	Destination Destination `json:"destination"`

	// CommonName to include in the request.
	CommonName string `json:"commonName"`

	// AltNames to include in the request
	// May contain both DNS names and email addresses.
	AltNames []string `json:"altNames,omitempty"`

	// IPSans to include in the request.
	IPSans []string `json:"ipSans,omitempty"`

	// The requested URI SANs.
	URISans []string `json:"uriSans,omitempty"`

	// Requested other SANs, in an array with the format
	// oid;type:value for each entry.
	OtherSans string `json:"otherSans,omitempty"`

	// TTL for the certificate; sets the expiration date.
	// If not specified the Vault role's default,
	// backend default, or system default TTL is used, in that order.
	// Cannot be larger than the mount's max TTL.
	// Note: this only has an effect when generating a CA cert or signing a CA cert,
	// not when generating a CSR for an intermediate CA.
	// Should be in duration notation e.g. 120s, 2h, etc.
	TTL string `json:"ttl,omitempty"`

	// Format for the certificate. Choices: "pem", "der", "pem_bundle".
	// If "pem_bundle",
	// any private key and issuing cert will be appended to the certificate pem.
	// If "der", the value will be base64 encoded.
	// Default: pem
	Format string `json:"format,omitempty"`

	// PrivateKeyFormat, generally the default will be controlled by the Format
	// parameter as either base64-encoded DER or PEM-encoded DER.
	// However, this can be set to "pkcs8" to have the returned
	// private key contain base64-encoded pkcs8 or PEM-encoded
	// pkcs8 instead.
	// Default: der
	PrivateKeyFormat string `json:"privateKeyFormat,omitempty"`

	// NotAfter field of the certificate with specified date value.
	// The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"notAfter,omitempty"`

	// ExcludeCNFromSans from DNS or Email Subject Alternate Names.
	// Default: false
	ExcludeCNFromSans bool `json:"excludeCNFromSans,omitempty"`
}

VaultPKISecretSpec defines the desired state of VaultPKISecret
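Two rules in VaultPKISecretSpec are easy to get wrong when reimplemented: the ExpiryOffset rule (rotate at expiration minus offset, empty string disables rotation) and the Destination rule for type "kubernetes.io/tls" (copy the Vault response fields "certificate" and "private_key" to "tls.crt" and "tls.key"). The following is an added example, not the Operator's own code, that applies both rules to a constructed Vault response. The function names, the decision to keep the original Vault field names alongside the tls.* keys, and the rejection of non-string response fields are assumptions; the Status.Expiration value is treated as a Unix timestamp, which is how the int64 field is used here.

```go
package main

import (
	"fmt"
	"time"
)

// Vault PKI response fields the page says are mapped, and the
// kubernetes.io/tls keys they are copied to.
const (
	vaultCertField = "certificate"
	vaultKeyField  = "private_key"
	tlsCertKey     = "tls.crt"
	tlsKeyKey      = "tls.key"
	secretTypeTLS  = "kubernetes.io/tls" // string value of corev1.SecretTypeTLS
)

// RenewalTime applies the ExpiryOffset rule: rotate at expiration minus offset.
// expiration is the Unix timestamp kept in VaultPKISecretStatus.Expiration.
// An empty offset disables rotation, reported as ok=false with no error.
func RenewalTime(expiration int64, expiryOffset string) (time.Time, bool, error) {
	if expiryOffset == "" {
		return time.Time{}, false, nil
	}
	off, err := time.ParseDuration(expiryOffset)
	if err != nil {
		return time.Time{}, false, fmt.Errorf("invalid expiryOffset %q: %w", expiryOffset, err)
	}
	if off < 0 {
		return time.Time{}, false, fmt.Errorf("expiryOffset must not be negative")
	}
	return time.Unix(expiration, 0).UTC().Add(-off), true, nil
}

// DestinationData builds Kubernetes Secret data from a Vault PKI response.
// For kubernetes.io/tls the certificate and private_key fields are also written
// under tls.crt and tls.key; every string field is copied under its Vault name.
// Non-string fields are rejected (assumption for this example).
func DestinationData(secretType string, vaultData map[string]interface{}) (map[string][]byte, error) {
	out := make(map[string][]byte, len(vaultData)+2)
	for k, v := range vaultData {
		s, ok := v.(string)
		if !ok {
			return nil, fmt.Errorf("field %q is %T, want string", k, v)
		}
		out[k] = []byte(s)
	}
	if secretType == secretTypeTLS {
		cert, okC := out[vaultCertField]
		key, okK := out[vaultKeyField]
		if !okC || !okK {
			return nil, fmt.Errorf("%s requires both %q and %q in the Vault response",
				secretTypeTLS, vaultCertField, vaultKeyField)
		}
		out[tlsCertKey] = cert
		out[tlsKeyKey] = key
	}
	return out, nil
}

func main() {
	// Constructed values; a real response would come from Vault's pki/issue endpoint.
	exp := time.Date(2023, 3, 29, 12, 0, 0, 0, time.UTC).Unix()
	at, ok, err := RenewalTime(exp, "120s")
	fmt.Println(at, ok, err)

	resp := map[string]interface{}{
		"certificate":   "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n",
		"private_key":   "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n",
		"serial_number": "00:11:22",
	}
	data, err := DestinationData(secretTypeTLS, resp)
	fmt.Println(len(data), err)
}
```

Treating the empty offset as "never rotate" rather than as a zero duration matters: a zero duration would schedule renewal exactly at expiry, which the page explicitly distinguishes from disabling rotation.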

func (*VaultPKISecretSpec) DeepCopy

func (in *VaultPKISecretSpec) DeepCopy() *VaultPKISecretSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultPKISecretSpec.

func (*VaultPKISecretSpec) DeepCopyInto

func (in *VaultPKISecretSpec) DeepCopyInto(out *VaultPKISecretSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultPKISecretStatus

type VaultPKISecretStatus struct {
	SerialNumber string `json:"serialNumber,omitempty"`
	Expiration   int64  `json:"expiration,omitempty"`
	Valid        bool   `json:"valid"`
	Error        string `json:"error"`
}

VaultPKISecretStatus defines the observed state of VaultPKISecret

func (*VaultPKISecretStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultPKISecretStatus.

func (*VaultPKISecretStatus) DeepCopyInto

func (in *VaultPKISecretStatus) DeepCopyInto(out *VaultPKISecretStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultSecretLease

type VaultSecretLease struct {
	// ID of the Vault secret.
	ID string `json:"id"`
	// LeaseDuration of the Vault secret.
	LeaseDuration int `json:"duration"`
	// Renewable Vault secret lease
	Renewable bool `json:"renewable"`
	// RequestID of the Vault secret request.
	RequestID string `json:"requestID"`
}

func (*VaultSecretLease) DeepCopy

func (in *VaultSecretLease) DeepCopy() *VaultSecretLease

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultSecretLease.

func (*VaultSecretLease) DeepCopyInto

func (in *VaultSecretLease) DeepCopyInto(out *VaultSecretLease)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultStaticSecret

type VaultStaticSecret struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   VaultStaticSecretSpec   `json:"spec,omitempty"`
	Status VaultStaticSecretStatus `json:"status,omitempty"`
}

VaultStaticSecret is the Schema for the vaultstaticsecrets API

func (*VaultStaticSecret) DeepCopy

func (in *VaultStaticSecret) DeepCopy() *VaultStaticSecret

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultStaticSecret.

func (*VaultStaticSecret) DeepCopyInto

func (in *VaultStaticSecret) DeepCopyInto(out *VaultStaticSecret)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultStaticSecret) DeepCopyObject

func (in *VaultStaticSecret) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultStaticSecretList

type VaultStaticSecretList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []VaultStaticSecret `json:"items"`
}

VaultStaticSecretList contains a list of VaultStaticSecret

func (*VaultStaticSecretList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultStaticSecretList.

func (*VaultStaticSecretList) DeepCopyInto

func (in *VaultStaticSecretList) DeepCopyInto(out *VaultStaticSecretList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultStaticSecretList) DeepCopyObject

func (in *VaultStaticSecretList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultStaticSecretSpec

type VaultStaticSecretSpec struct {
	// VaultAuthRef of the VaultAuth resource
	// If no value is specified the Operator will default to the `default` VaultAuth,
	// configured in its own Kubernetes namespace.
	VaultAuthRef string `json:"vaultAuthRef,omitempty"`
	// Namespace to get the secret from in Vault
	Namespace string `json:"namespace,omitempty"`
	// Mount for the secret in Vault
	Mount string `json:"mount"`
	// Name of the secret in Vault
	Name string `json:"name"`
	// Type of the Vault static secret
	// +kubebuilder:validation:Enum={kv-v1,kv-v2}
	Type string `json:"type"`
	// RefreshAfter a period of time, in duration notation
	RefreshAfter string `json:"refreshAfter,omitempty"`
	// HMACSecretData determines whether the Operator computes the
	// HMAC of the Secret's data. The MAC value will be stored in
	// the resource's Status.SecretMac field, and will be used for drift detection
	// and during incoming Vault secret comparison.
	// Enabling this feature is recommended to ensure that Secret's data stays consistent with Vault.
	// +kubebuilder:default=true
	HMACSecretData bool `json:"hmacSecretData,omitempty"`
	// RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret do
	// not support dynamically reloading a rotated secret.
	// In that case one or more RolloutRestartTargets can be configured here. The Operator will
	// trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
	// All configured targets will be ignored if HMACSecretData is set to false.
	// See RolloutRestartTarget for more details.
	RolloutRestartTargets []RolloutRestartTarget `json:"rolloutRestartTargets,omitempty"`
	// Destination provides configuration necessary for syncing the Vault secret to Kubernetes.
	Destination Destination `json:"destination"`
}

VaultStaticSecretSpec defines the desired state of VaultStaticSecret

func (*VaultStaticSecretSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultStaticSecretSpec.

func (*VaultStaticSecretSpec) DeepCopyInto

func (in *VaultStaticSecretSpec) DeepCopyInto(out *VaultStaticSecretSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultStaticSecretStatus

type VaultStaticSecretStatus struct {
	// SecretMAC used when deciding whether new Vault secret data should be synced.
	//
	// The controller will compare the "new" Vault secret data to this value using HMAC,
	// if they are different, then the data will be synced to the Destination.
	//
	// The SecretMac is also used to detect drift in the Destination Secret's Data.
	// If drift is detected the data will be synced to the Destination.
	SecretMAC string `json:"secretMAC,omitempty"`
}

VaultStaticSecretStatus defines the observed state of VaultStaticSecret
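HMACSecretData (in VaultStaticSecretSpec) and SecretMAC (above) describe one mechanism: the Operator keeps a MAC of the last synced data in the resource status, and uses it both to decide whether freshly read Vault data must be synced and to detect drift in the destination Secret, without storing the secret material itself in the status. The following is an added example, not the Operator's own code, that implements that comparison logic for both uses. HMAC-SHA256, the length-prefixed sorted-key encoding, the origin of the MAC key and all function names are assumptions; the page only states that an HMAC of the Secret's data is stored in Status.SecretMAC and compared.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"io"
	"sort"
)

// SecretData mirrors the data map of a Kubernetes Secret (key -> raw bytes).
type SecretData map[string][]byte

// writeField writes a length prefix followed by the bytes, so that
// {"a":"bc"} and {"ab":"c"} cannot produce the same MAC input.
func writeField(w io.Writer, b []byte) {
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(b)))
	_, _ = w.Write(n[:])
	_, _ = w.Write(b)
}

// MACSecretData computes HMAC-SHA256 over the data under a key held only by
// the Operator. Keys are visited in sorted order so the result does not depend
// on Go's randomized map iteration. Algorithm and encoding are assumptions.
func MACSecretData(key []byte, data SecretData) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	mac := hmac.New(sha256.New, key)
	for _, k := range keys {
		writeField(mac, []byte(k))
		writeField(mac, data[k])
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// SyncDecision is what a reconciler learns from comparing against Status.SecretMAC.
type SyncDecision struct {
	NewMAC        string // MAC of the Vault data just read; becomes the new Status.SecretMAC after a sync
	SyncNeeded    bool   // Vault data differs from what was last synced
	DriftDetected bool   // destination Secret no longer matches what was last synced
}

// Decide compares the stored MAC against the MAC of the freshly read Vault data
// and of the data currently in the destination Secret.
func Decide(key []byte, storedMAC string, vaultData, destData SecretData) SyncDecision {
	newMAC := MACSecretData(key, vaultData)
	destMAC := MACSecretData(key, destData)
	// hmac.Equal is constant-time; a plain == on the strings would not be.
	unchanged := hmac.Equal([]byte(newMAC), []byte(storedMAC))
	drift := !hmac.Equal([]byte(destMAC), []byte(storedMAC))
	return SyncDecision{NewMAC: newMAC, SyncNeeded: !unchanged, DriftDetected: drift}
}

func main() {
	// Constructed key and data; a real key would be loaded from the Operator's own Secret.
	key := []byte("constructed-operator-hmac-key")
	last := SecretData{"username": []byte("app"), "password": []byte("s3cret")}
	stored := MACSecretData(key, last)
	rotated := SecretData{"username": []byte("app"), "password": []byte("r0tated")}
	fmt.Printf("%+v\n", Decide(key, stored, rotated, last))
}
```

Because only the MAC is persisted, an attacker who can read the VaultStaticSecret status learns nothing about the secret values, and because a keyed MAC is used rather than a plain hash, the status cannot be used to confirm guesses of the secret data either.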

func (*VaultStaticSecretStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultStaticSecretStatus.

func (*VaultStaticSecretStatus) DeepCopyInto

func (in *VaultStaticSecretStatus) DeepCopyInto(out *VaultStaticSecretStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
