v1beta1

package
v0.1.0
Published: Jun 12, 2023 License: MPL-2.0 Imports: 7 Imported by: 1

Documentation

Overview

Package v1beta1 contains API Schema definitions for the secrets v1beta1 API group

+kubebuilder:object:generate=true
+groupName=secrets.hashicorp.com

Index

Constants

This section is empty.

Variables

var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "secrets.hashicorp.com", Version: "v1beta1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

This section is empty.

Types

type Destination

type Destination struct {
	// Name of the Secret
	Name string `json:"name"`
	// Create the destination Secret.
	// If the Secret already exists this should be set to false.
	Create bool `json:"create,omitempty"`
	// Labels to apply to the Secret. Requires Create to be set to true.
	Labels map[string]string `json:"labels,omitempty"`
	// Annotations to apply to the Secret. Requires Create to be set to true.
	Annotations map[string]string `json:"annotations,omitempty"`
	// Type of Kubernetes Secret. Requires Create to be set to true.
	// Defaults to Opaque.
	Type v1.SecretType `json:"type,omitempty"`
}

Destination provides the configuration that will be applied to the destination Kubernetes Secret during a Vault Secret -> K8s Secret sync.

func (*Destination) DeepCopy

func (in *Destination) DeepCopy() *Destination

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Destination.

func (*Destination) DeepCopyInto

func (in *Destination) DeepCopyInto(out *Destination)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RolloutRestartTarget

type RolloutRestartTarget struct {
	// +kubebuilder:validation:Enum={Deployment,DaemonSet,StatefulSet}
	Kind string `json:"kind"`
	Name string `json:"name"`
}

RolloutRestartTarget provides the configuration required to perform a rollout-restart of the supported resources upon Vault Secret rotation. The rollout-restart is triggered by patching the target resource's 'spec.template.metadata.annotations' to include 'vso.secrets.hashicorp.com/restartedAt' with a timestamp value of when the trigger was executed. E.g. vso.secrets.hashicorp.com/restartedAt: "2023-03-23T13:39:31Z"

Supported resources: Deployment, DaemonSet, StatefulSet
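The rollout-restart mechanism described above, as an added example (not the operator's own code): it builds the merge patch that sets the restartedAt annotation on the target's pod template, rejects kinds outside the Enum, and reads the annotation back so an auditor can see when the operator last forced a restart.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// restartedAtAnnotation is the annotation the operator patches into the pod template.
const restartedAtAnnotation = "vso.secrets.hashicorp.com/restartedAt"

// RolloutRestartTarget mirrors the API type above (kubebuilder marker omitted).
type RolloutRestartTarget struct {
	Kind string `json:"kind"`
	Name string `json:"name"`
}

// supportedKinds is the Enum from the validation marker on Kind.
var supportedKinds = map[string]bool{"Deployment": true, "DaemonSet": true, "StatefulSet": true}

// RolloutRestartPatch builds the merge patch body that adds the restartedAt annotation
// under spec.template.metadata.annotations. Changing the pod template is what makes
// the workload controller roll its pods. ts is rendered as RFC3339 in UTC, matching
// the "2023-03-23T13:39:31Z" form shown above. Kinds outside the Enum are rejected so
// a mistyped target never turns into a patch against some other resource type.
func RolloutRestartPatch(t RolloutRestartTarget, ts time.Time) ([]byte, error) {
	if !supportedKinds[t.Kind] {
		return nil, fmt.Errorf("unsupported kind %q: must be Deployment, DaemonSet or StatefulSet", t.Kind)
	}
	if t.Name == "" {
		return nil, fmt.Errorf("target name is required")
	}
	patch := map[string]any{
		"spec": map[string]any{
			"template": map[string]any{
				"metadata": map[string]any{
					"annotations": map[string]string{
						restartedAtAnnotation: ts.UTC().Format(time.RFC3339),
					},
				},
			},
		},
	}
	return json.Marshal(patch)
}

// LastRestartedAt reads the annotation back from a workload's pod-template annotations.
// ok is false when the annotation is absent; a present but unparsable value is an error.
func LastRestartedAt(annotations map[string]string) (ts time.Time, ok bool, err error) {
	v, present := annotations[restartedAtAnnotation]
	if !present {
		return time.Time{}, false, nil
	}
	ts, err = time.Parse(time.RFC3339, v)
	if err != nil {
		return time.Time{}, false, fmt.Errorf("%s: %w", restartedAtAnnotation, err)
	}
	return ts, true, nil
}

func main() {
	ts := time.Date(2023, 3, 23, 13, 39, 31, 0, time.UTC)
	b, err := RolloutRestartPatch(RolloutRestartTarget{Kind: "Deployment", Name: "web"}, ts)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(b))
}
```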

func (*RolloutRestartTarget) DeepCopy

func (in *RolloutRestartTarget) DeepCopy() *RolloutRestartTarget

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolloutRestartTarget.

func (*RolloutRestartTarget) DeepCopyInto

func (in *RolloutRestartTarget) DeepCopyInto(out *RolloutRestartTarget)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type StorageEncryption

type StorageEncryption struct {
	// Mount path of the Transit engine in Vault.
	Mount string `json:"mount"`
	// KeyName to use for encrypt/decrypt operations via Vault Transit.
	KeyName string `json:"keyName"`
}

StorageEncryption provides the configuration needed to encrypt the storage cache entries using Vault's Transit engine. It only supports Kubernetes Auth for now.

func (*StorageEncryption) DeepCopy

func (in *StorageEncryption) DeepCopy() *StorageEncryption

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageEncryption.

func (*StorageEncryption) DeepCopyInto

func (in *StorageEncryption) DeepCopyInto(out *StorageEncryption)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAuth

type VaultAuth struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   VaultAuthSpec   `json:"spec,omitempty"`
	Status VaultAuthStatus `json:"status,omitempty"`
}

VaultAuth is the Schema for the vaultauths API

func (*VaultAuth) DeepCopy

func (in *VaultAuth) DeepCopy() *VaultAuth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.

func (*VaultAuth) DeepCopyInto

func (in *VaultAuth) DeepCopyInto(out *VaultAuth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultAuth) DeepCopyObject

func (in *VaultAuth) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultAuthConfigAWS

type VaultAuthConfigAWS struct {
	// Vault role to use for authenticating
	Role string `json:"role"`
	// AWS Region to use for signing the authentication request
	Region string `json:"region,omitempty"`
	// The Vault header value to include in the STS signing request
	HeaderValue string `json:"headerValue,omitempty"`

	// The role session name to use when creating a webidentity provider
	SessionName string `json:"sessionName,omitempty"`

	// The STS endpoint to use; if not set will use the default
	STSEndpoint string `json:"stsEndpoint,omitempty"`

	// The IAM endpoint to use; if not set will use the default
	IAMEndpoint string `json:"iamEndpoint,omitempty"`

	// SecretRef is the name of a Kubernetes Secret which holds credentials for
	// AWS. Expected keys include `access_key_id`, `secret_access_key`,
	// `session_token`
	SecretRef string `json:"secretRef,omitempty"`

	// IRSAServiceAccount name to use with IAM Roles for Service Accounts
	// (IRSA), and should be annotated with "eks.amazonaws.com/role-arn". This
	// ServiceAccount will be checked for other EKS annotations:
	// eks.amazonaws.com/audience and eks.amazonaws.com/token-expiration
	IRSAServiceAccount string `json:"irsaServiceAccount,omitempty"`
}

VaultAuthConfigAWS provides VaultAuth configuration options needed for authenticating to Vault via an AWS AuthMethod. Will use creds from `SecretRef` or `IRSAServiceAccount` if provided, in that order. If neither is provided, the underlying node role or instance profile will be used to authenticate to Vault.

func (*VaultAuthConfigAWS) DeepCopy

func (in *VaultAuthConfigAWS) DeepCopy() *VaultAuthConfigAWS

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuthConfigAWS.

func (*VaultAuthConfigAWS) DeepCopyInto

func (in *VaultAuthConfigAWS) DeepCopyInto(out *VaultAuthConfigAWS)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAuthConfigAppRole

type VaultAuthConfigAppRole struct {
	// RoleID of the AppRole Role to use for authenticating to Vault.
	RoleID string `json:"roleId"`

	// SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which
	// provides the AppRole Role's SecretID. The secret must have a key named `id` which holds the
	// AppRole Role's secretID.
	SecretRef string `json:"secretRef"`
}

VaultAuthConfigAppRole provides VaultAuth configuration options needed for authenticating to Vault via an AppRole AuthMethod.

func (*VaultAuthConfigAppRole) DeepCopy

func (in *VaultAuthConfigAppRole) DeepCopy() *VaultAuthConfigAppRole

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuthConfigAppRole.

func (*VaultAuthConfigAppRole) DeepCopyInto

func (in *VaultAuthConfigAppRole) DeepCopyInto(out *VaultAuthConfigAppRole)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAuthConfigJWT

type VaultAuthConfigJWT struct {
	// Role to use for authenticating to Vault.
	Role string `json:"role"`
	// SecretRef is the name of a Kubernetes secret in the consumer's (VDS/VSS/PKI) namespace which
	// provides the JWT token to authenticate to Vault's JWT authentication backend. The secret must
	// have a key named `jwt` which holds the JWT token.
	SecretRef string `json:"secretRef,omitempty"`
	// ServiceAccount to use when creating a ServiceAccount token to authenticate to Vault's
	// JWT authentication backend.
	ServiceAccount string `json:"serviceAccount,omitempty"`
	// TokenAudiences to include in the ServiceAccount token.
	TokenAudiences []string `json:"audiences,omitempty"`
	// TokenExpirationSeconds to set the ServiceAccount token.
	// +kubebuilder:default=600
	// +kubebuilder:validation:Minimum=600
	TokenExpirationSeconds int64 `json:"tokenExpirationSeconds,omitempty"`
}

VaultAuthConfigJWT provides VaultAuth configuration options needed for authenticating to Vault.

func (*VaultAuthConfigJWT) DeepCopy

func (in *VaultAuthConfigJWT) DeepCopy() *VaultAuthConfigJWT

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuthConfigJWT.

func (*VaultAuthConfigJWT) DeepCopyInto

func (in *VaultAuthConfigJWT) DeepCopyInto(out *VaultAuthConfigJWT)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAuthConfigKubernetes

type VaultAuthConfigKubernetes struct {
	// Role to use for authenticating to Vault.
	Role string `json:"role"`
	// ServiceAccount to use when authenticating to Vault's kubernetes
	// authentication backend.
	ServiceAccount string `json:"serviceAccount"`
	// TokenAudiences to include in the ServiceAccount token.
	TokenAudiences []string `json:"audiences,omitempty"`
	// TokenExpirationSeconds to set the ServiceAccount token.
	// +kubebuilder:default=600
	// +kubebuilder:validation:Minimum=600
	TokenExpirationSeconds int64 `json:"tokenExpirationSeconds,omitempty"`
}

VaultAuthConfigKubernetes provides VaultAuth configuration options needed for authenticating to Vault.

func (*VaultAuthConfigKubernetes) DeepCopy

func (in *VaultAuthConfigKubernetes) DeepCopy() *VaultAuthConfigKubernetes

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuthConfigKubernetes.

func (*VaultAuthConfigKubernetes) DeepCopyInto

func (in *VaultAuthConfigKubernetes) DeepCopyInto(out *VaultAuthConfigKubernetes)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAuthList

type VaultAuthList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []VaultAuth `json:"items"`
}

VaultAuthList contains a list of VaultAuth

func (*VaultAuthList) DeepCopy

func (in *VaultAuthList) DeepCopy() *VaultAuthList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuthList.

func (*VaultAuthList) DeepCopyInto

func (in *VaultAuthList) DeepCopyInto(out *VaultAuthList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultAuthList) DeepCopyObject

func (in *VaultAuthList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultAuthSpec

type VaultAuthSpec struct {
	// VaultConnectionRef of the corresponding VaultConnection CustomResource.
	// If no value is specified the Operator will default to the `default` VaultConnection,
	// configured in its own Kubernetes namespace.
	VaultConnectionRef string `json:"vaultConnectionRef,omitempty"`
	// Namespace to auth to in Vault
	Namespace string `json:"namespace,omitempty"`
	// Method to use when authenticating to Vault.
	// +kubebuilder:validation:Enum=kubernetes;jwt;appRole;aws
	Method string `json:"method"`
	// Mount to use when authenticating to auth method.
	Mount string `json:"mount"`
	// Params to use when authenticating to Vault
	Params map[string]string `json:"params,omitempty"`
	// Headers to be included in all Vault requests.
	Headers map[string]string `json:"headers,omitempty"`
	// Kubernetes specific auth configuration, requires that the Method be set to `kubernetes`.
	Kubernetes *VaultAuthConfigKubernetes `json:"kubernetes,omitempty"`
	// AppRole specific auth configuration, requires that the Method be set to `appRole`.
	AppRole *VaultAuthConfigAppRole `json:"appRole,omitempty"`
	// JWT specific auth configuration, requires that the Method be set to `jwt`.
	JWT *VaultAuthConfigJWT `json:"jwt,omitempty"`
	// AWS specific auth configuration, requires that Method be set to `aws`.
	AWS *VaultAuthConfigAWS `json:"aws,omitempty"`
	// StorageEncryption provides the necessary configuration to encrypt the client storage cache.
	// This should only be configured when client cache persistence with encryption is enabled.
	// This is done by setting the manager's command-line argument
	// --client-cache-persistence-model=direct-encrypted. Typically there should only ever
	// be one VaultAuth configured with StorageEncryption in the Cluster, and it should have
	// the label: cacheStorageEncryption=true
	StorageEncryption *StorageEncryption `json:"storageEncryption,omitempty"`
}

VaultAuthSpec defines the desired state of VaultAuth
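Added example, not the operator's own validation: a checker that applies the constraints the VaultAuthSpec field comments state (Method enum, required Mount, the config block matching Method with its required fields, TokenExpirationSeconds at least 600). Treating a config block for a different method as an error, and requiring either secretRef or serviceAccount for jwt, are this example's assumptions.

```go
package main

import "fmt"

// Minimal copies of the VaultAuth types above (JSON tags, audiences and markers dropped).
type VaultAuthConfigKubernetes struct {
	Role, ServiceAccount   string
	TokenExpirationSeconds int64
}
type VaultAuthConfigJWT struct {
	Role, SecretRef, ServiceAccount string
	TokenExpirationSeconds          int64
}
type VaultAuthConfigAppRole struct{ RoleID, SecretRef string }
type VaultAuthConfigAWS struct{ Role, SecretRef, IRSAServiceAccount string }
type VaultAuthSpec struct {
	Method, Mount string
	Kubernetes    *VaultAuthConfigKubernetes
	AppRole       *VaultAuthConfigAppRole
	JWT           *VaultAuthConfigJWT
	AWS           *VaultAuthConfigAWS
}

const minTokenExpirationSeconds = 600 // +kubebuilder:validation:Minimum=600

// ValidateVaultAuthSpec lists the violations of the constraints stated in the field
// comments: Method must be an enum value, Mount is required, the config block for the
// chosen Method must be present with its required fields, and no other method's block may
// be set. Rejecting a stray block rather than ignoring it is this example's choice.
func ValidateVaultAuthSpec(s VaultAuthSpec) []string {
	var problems []string
	if s.Mount == "" {
		problems = append(problems, "mount is required")
	}
	blocks := []struct {
		method  string
		present bool
	}{
		{"kubernetes", s.Kubernetes != nil},
		{"jwt", s.JWT != nil},
		{"appRole", s.AppRole != nil},
		{"aws", s.AWS != nil},
	}
	known, chosen := false, false
	for _, b := range blocks {
		if b.method == s.Method {
			known, chosen = true, b.present
		} else if b.present {
			problems = append(problems, fmt.Sprintf("%s config is set but method is %q", b.method, s.Method))
		}
	}
	if !known {
		return append(problems, fmt.Sprintf("method %q is not one of kubernetes;jwt;appRole;aws", s.Method))
	}
	if !chosen {
		return append(problems, fmt.Sprintf("method %q requires the %s config block", s.Method, s.Method))
	}
	switch s.Method {
	case "kubernetes":
		if s.Kubernetes.Role == "" || s.Kubernetes.ServiceAccount == "" {
			problems = append(problems, "kubernetes.role and kubernetes.serviceAccount are required")
		}
		problems = appendTokenExpiration(problems, s.Kubernetes.TokenExpirationSeconds)
	case "jwt":
		if s.JWT.Role == "" {
			problems = append(problems, "jwt.role is required")
		}
		// Assumption from the two field comments: the JWT comes from a Secret or a ServiceAccount.
		if s.JWT.SecretRef == "" && s.JWT.ServiceAccount == "" {
			problems = append(problems, "jwt.secretRef or jwt.serviceAccount is required")
		}
		problems = appendTokenExpiration(problems, s.JWT.TokenExpirationSeconds)
	case "appRole":
		if s.AppRole.RoleID == "" || s.AppRole.SecretRef == "" {
			problems = append(problems, "appRole.roleId and appRole.secretRef are required")
		}
	case "aws":
		if s.AWS.Role == "" {
			problems = append(problems, "aws.role is required")
		}
	}
	return problems
}

// appendTokenExpiration enforces the Minimum=600 marker; zero means "use the default of 600".
func appendTokenExpiration(problems []string, secs int64) []string {
	if secs != 0 && secs < minTokenExpirationSeconds {
		problems = append(problems, fmt.Sprintf("tokenExpirationSeconds %d is below the minimum of %d", secs, minTokenExpirationSeconds))
	}
	return problems
}

func main() {
	spec := VaultAuthSpec{Method: "aws", Mount: "aws", Kubernetes: &VaultAuthConfigKubernetes{Role: "app", ServiceAccount: "default"}}
	fmt.Println(ValidateVaultAuthSpec(spec))
}
```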

func (*VaultAuthSpec) DeepCopy

func (in *VaultAuthSpec) DeepCopy() *VaultAuthSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuthSpec.

func (*VaultAuthSpec) DeepCopyInto

func (in *VaultAuthSpec) DeepCopyInto(out *VaultAuthSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultAuthStatus

type VaultAuthStatus struct {
	// Valid auth mechanism.
	Valid bool   `json:"valid"`
	Error string `json:"error"`
}

VaultAuthStatus defines the observed state of VaultAuth

func (*VaultAuthStatus) DeepCopy

func (in *VaultAuthStatus) DeepCopy() *VaultAuthStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuthStatus.

func (*VaultAuthStatus) DeepCopyInto

func (in *VaultAuthStatus) DeepCopyInto(out *VaultAuthStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultConnection

type VaultConnection struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   VaultConnectionSpec   `json:"spec,omitempty"`
	Status VaultConnectionStatus `json:"status,omitempty"`
}

VaultConnection is the Schema for the vaultconnections API

func (*VaultConnection) DeepCopy

func (in *VaultConnection) DeepCopy() *VaultConnection

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultConnection.

func (*VaultConnection) DeepCopyInto

func (in *VaultConnection) DeepCopyInto(out *VaultConnection)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultConnection) DeepCopyObject

func (in *VaultConnection) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultConnectionList

type VaultConnectionList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []VaultConnection `json:"items"`
}

VaultConnectionList contains a list of VaultConnection

func (*VaultConnectionList) DeepCopy

func (in *VaultConnectionList) DeepCopy() *VaultConnectionList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultConnectionList.

func (*VaultConnectionList) DeepCopyInto

func (in *VaultConnectionList) DeepCopyInto(out *VaultConnectionList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultConnectionList) DeepCopyObject

func (in *VaultConnectionList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultConnectionSpec

type VaultConnectionSpec struct {
	// Address of the Vault server
	Address string `json:"address"`
	// Headers to be included in all Vault requests.
	Headers map[string]string `json:"headers,omitempty"`
	// TLSServerName to use as the SNI host for TLS connections.
	TLSServerName string `json:"tlsServerName,omitempty"`
	// CACertSecretRef is the name of a Kubernetes secret containing the trusted PEM encoded CA certificate chain as `ca.crt`.
	CACertSecretRef string `json:"caCertSecretRef,omitempty"`
	// SkipTLSVerify for TLS connections.
	SkipTLSVerify bool `json:"skipTLSVerify,omitempty"`
}

VaultConnectionSpec defines the desired state of VaultConnection

func (*VaultConnectionSpec) DeepCopy

func (in *VaultConnectionSpec) DeepCopy() *VaultConnectionSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultConnectionSpec.

func (*VaultConnectionSpec) DeepCopyInto

func (in *VaultConnectionSpec) DeepCopyInto(out *VaultConnectionSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultConnectionStatus

type VaultConnectionStatus struct {
	// Valid auth mechanism.
	Valid bool `json:"valid"`
}

VaultConnectionStatus defines the observed state of VaultConnection

func (*VaultConnectionStatus) DeepCopy

func (in *VaultConnectionStatus) DeepCopy() *VaultConnectionStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultConnectionStatus.

func (*VaultConnectionStatus) DeepCopyInto

func (in *VaultConnectionStatus) DeepCopyInto(out *VaultConnectionStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultDynamicSecret

type VaultDynamicSecret struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   VaultDynamicSecretSpec   `json:"spec,omitempty"`
	Status VaultDynamicSecretStatus `json:"status,omitempty"`
}

VaultDynamicSecret is the Schema for the vaultdynamicsecrets API

func (*VaultDynamicSecret) DeepCopy

func (in *VaultDynamicSecret) DeepCopy() *VaultDynamicSecret

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultDynamicSecret.

func (*VaultDynamicSecret) DeepCopyInto

func (in *VaultDynamicSecret) DeepCopyInto(out *VaultDynamicSecret)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultDynamicSecret) DeepCopyObject

func (in *VaultDynamicSecret) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultDynamicSecretList

type VaultDynamicSecretList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []VaultDynamicSecret `json:"items"`
}

VaultDynamicSecretList contains a list of VaultDynamicSecret

func (*VaultDynamicSecretList) DeepCopy

func (in *VaultDynamicSecretList) DeepCopy() *VaultDynamicSecretList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultDynamicSecretList.

func (*VaultDynamicSecretList) DeepCopyInto

func (in *VaultDynamicSecretList) DeepCopyInto(out *VaultDynamicSecretList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultDynamicSecretList) DeepCopyObject

func (in *VaultDynamicSecretList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultDynamicSecretSpec

type VaultDynamicSecretSpec struct {
	// VaultAuthRef to the VaultAuth resource
	// If no value is specified the Operator will default to the `default` VaultAuth,
	// configured in its own Kubernetes namespace.
	VaultAuthRef string `json:"vaultAuthRef,omitempty"`
	// Namespace where the secrets engine is mounted in Vault.
	Namespace string `json:"namespace,omitempty"`
	// Mount path of the secrets engine in Vault.
	Mount string `json:"mount"`
	// RequestHTTPMethod to use when syncing Secrets from Vault.
	// Setting a value here is not typically required.
	// If left unset the Operator will make requests using the GET method.
	// In the case where Params are specified the Operator will use the PUT method.
	// Please consult https://developer.hashicorp.com/vault/docs/secrets if you are
	// uncertain about what method to use.
	// Of note, the Vault client treats PUT and POST as being equivalent.
	// The underlying Vault client implementation will always use the PUT method.
	// +kubebuilder:validation:Enum={GET,POST,PUT}
	RequestHTTPMethod string `json:"requestHTTPMethod,omitempty"`
	// Path in Vault to get the credentials for, and is relative to Mount.
	// Please consult https://developer.hashicorp.com/vault/docs/secrets if you are
	// uncertain about what 'path' should be set to.
	Path string `json:"path"`
	// Params that can be passed when requesting credentials/secrets.
	// When Params is set the configured RequestHTTPMethod will be
	// ignored. See RequestHTTPMethod for more details.
	// Please consult https://developer.hashicorp.com/vault/docs/secrets if you are
	// uncertain about what 'params' should/can be set to.
	Params map[string]string `json:"params,omitempty"`
	// RenewalPercent is the percent out of 100 of the lease duration when the
	// lease is renewed. Defaults to 67 percent plus jitter.
	// +kubebuilder:default=67
	// +kubebuilder:validation:Minimum=0
	// +kubebuilder:validation:Maximum=90
	RenewalPercent int `json:"renewalPercent,omitempty"`
	// Revoke the existing lease on VDS resource deletion.
	Revoke bool `json:"revoke,omitempty"`
	// AllowStaticCreds should be set when syncing credentials that are periodically
	// rotated by the Vault server, rather than created upon request. These secrets
	// are sometimes referred to as "static roles", or "static credentials", with a
	// request path that contains "static-creds".
	AllowStaticCreds bool `json:"allowStaticCreds,omitempty"`
	// RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret do
	// not support dynamically reloading a rotated secret.
	// In that case, one or more RolloutRestartTargets can be configured here. The Operator will
	// trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
	// See RolloutRestartTarget for more details.
	RolloutRestartTargets []RolloutRestartTarget `json:"rolloutRestartTargets,omitempty"`
	// Destination provides configuration necessary for syncing the Vault secret to Kubernetes.
	Destination Destination `json:"destination"`
}

VaultDynamicSecretSpec defines the desired state of VaultDynamicSecret

func (*VaultDynamicSecretSpec) DeepCopy

func (in *VaultDynamicSecretSpec) DeepCopy() *VaultDynamicSecretSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultDynamicSecretSpec.

func (*VaultDynamicSecretSpec) DeepCopyInto

func (in *VaultDynamicSecretSpec) DeepCopyInto(out *VaultDynamicSecretSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultDynamicSecretStatus

type VaultDynamicSecretStatus struct {
	// LastRenewalTime of the last successful secret lease renewal.
	LastRenewalTime int64 `json:"lastRenewalTime"`
	// LastGeneration is the Generation of the last reconciled resource.
	LastGeneration int64 `json:"lastGeneration"`
	// SecretLease for the Vault secret.
	SecretLease VaultSecretLease `json:"secretLease"`
	// StaticCredsMetaData contains the static creds response meta-data
	StaticCredsMetaData VaultStaticCredsMetaData `json:"staticCredsMetaData,omitempty"`
	// LastRuntimePodUID used for tracking the transition from one Pod to the next.
	// It is used to mitigate the effects of a Vault lease renewal storm.
	LastRuntimePodUID types.UID `json:"lastRuntimePodUID,omitempty"`
	// SecretMAC used when deciding whether new Vault secret data should be synced.
	//
	// The controller will compare the "new" Vault secret data to this value using HMAC,
	// if they are different, then the data will be synced to the Destination.
	//
	// The SecretMac is also used to detect drift in the Destination Secret's Data.
	// If drift is detected the data will be synced to the Destination.
	// SecretMAC will only be stored when VaultDynamicSecretSpec.AllowStaticCreds is true.
	SecretMAC string `json:"secretMAC,omitempty"`
}

VaultDynamicSecretStatus defines the observed state of VaultDynamicSecret
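The SecretMAC logic from the status comment above, as an added example (not the operator's implementation): the stored value is an HMAC over the synced data, so the status reveals nothing about the secret to anyone without the key, while the controller can still tell fresh Vault data from already-synced data and detect drift in the Destination Secret. The HMAC key source and the "always sync when AllowStaticCreds is false" branch are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// SecretData is the key/value payload being compared: the Vault response data or the
// Destination Secret's Data.
type SecretData map[string][]byte

// SecretMAC returns the hex HMAC-SHA256 of d under key, the kind of value kept in
// VaultDynamicSecretStatus.SecretMAC. encoding/json writes map keys in sorted order, so
// the input is canonical regardless of insertion order. The key is an operator-held
// secret (assumed here; the page does not say where it comes from). That is why a MAC,
// rather than the data or a plain hash of it, is safe to leave in the CR status: without
// the key, being able to read the status does not let anyone confirm a guessed value.
func SecretMAC(key []byte, d SecretData) string {
	b, err := json.Marshal(d)
	if err != nil {
		panic(err) // map[string][]byte always marshals
	}
	m := hmac.New(sha256.New, key)
	m.Write(b)
	return hex.EncodeToString(m.Sum(nil))
}

// Decision is the outcome of one reconciliation of a VaultDynamicSecret.
type Decision struct {
	Sync   bool
	Reason string
	NewMAC string // value to persist in Status.SecretMAC; "" when nothing is stored
}

// Reconcile applies the rules from the SecretMAC comment: with AllowStaticCreds the fresh
// Vault data is synced only if its MAC differs from the stored one, and the Destination is
// re-synced if its data has drifted from that MAC. Without AllowStaticCreds no MAC is
// stored; this example then syncs unconditionally (assumption).
func Reconcile(key []byte, allowStaticCreds bool, storedMAC string, fresh, destination SecretData) Decision {
	if !allowStaticCreds {
		return Decision{Sync: true, Reason: "allowStaticCreds=false: no MAC kept, sync unconditionally"}
	}
	freshMAC := SecretMAC(key, fresh)
	switch {
	case storedMAC == "":
		return Decision{Sync: true, Reason: "no MAC stored yet", NewMAC: freshMAC}
	case !hmac.Equal([]byte(freshMAC), []byte(storedMAC)):
		return Decision{Sync: true, Reason: "vault data changed", NewMAC: freshMAC}
	case !hmac.Equal([]byte(SecretMAC(key, destination)), []byte(storedMAC)):
		// Something other than the operator edited the Destination Secret.
		return Decision{Sync: true, Reason: "destination drift", NewMAC: freshMAC}
	default:
		return Decision{Sync: false, Reason: "unchanged", NewMAC: storedMAC}
	}
}

func main() {
	key := []byte("constructed-demo-key") // constructed; use a randomly generated key in practice
	vault := SecretData{"username": []byte("app"), "password": []byte("s3cret")}
	mac := SecretMAC(key, vault)
	tampered := SecretData{"username": []byte("app"), "password": []byte("changed-by-hand")}
	fmt.Println(Reconcile(key, true, mac, vault, vault).Reason)    // unchanged
	fmt.Println(Reconcile(key, true, mac, vault, tampered).Reason) // destination drift
}
```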

func (*VaultDynamicSecretStatus) DeepCopy

func (in *VaultDynamicSecretStatus) DeepCopy() *VaultDynamicSecretStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultDynamicSecretStatus.

func (*VaultDynamicSecretStatus) DeepCopyInto

func (in *VaultDynamicSecretStatus) DeepCopyInto(out *VaultDynamicSecretStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultPKISecret

type VaultPKISecret struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   VaultPKISecretSpec   `json:"spec,omitempty"`
	Status VaultPKISecretStatus `json:"status,omitempty"`
}

VaultPKISecret is the Schema for the vaultpkisecrets API

func (*VaultPKISecret) DeepCopy

func (in *VaultPKISecret) DeepCopy() *VaultPKISecret

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultPKISecret.

func (*VaultPKISecret) DeepCopyInto

func (in *VaultPKISecret) DeepCopyInto(out *VaultPKISecret)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultPKISecret) DeepCopyObject

func (in *VaultPKISecret) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*VaultPKISecret) GetIssuerAPIData

func (v *VaultPKISecret) GetIssuerAPIData() map[string]interface{}

type VaultPKISecretList

type VaultPKISecretList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []VaultPKISecret `json:"items"`
}

VaultPKISecretList contains a list of VaultPKISecret

func (*VaultPKISecretList) DeepCopy

func (in *VaultPKISecretList) DeepCopy() *VaultPKISecretList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultPKISecretList.

func (*VaultPKISecretList) DeepCopyInto

func (in *VaultPKISecretList) DeepCopyInto(out *VaultPKISecretList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultPKISecretList) DeepCopyObject

func (in *VaultPKISecretList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultPKISecretSpec

type VaultPKISecretSpec struct {
	// VaultAuthRef of the VaultAuth resource
	// If no value is specified the Operator will default to the `default` VaultAuth,
	// configured in its own Kubernetes namespace.
	VaultAuthRef string `json:"vaultAuthRef,omitempty"`

	// Namespace to get the secret from in Vault
	Namespace string `json:"namespace,omitempty"`

	// Mount for the secret in Vault
	Mount string `json:"mount"`

	// Role in Vault to use when issuing TLS certificates.
	Role string `json:"role"`

	// Revoke the certificate when the resource is deleted.
	Revoke bool `json:"revoke,omitempty"`

	// Clear the Kubernetes secret when the resource is deleted.
	Clear bool `json:"clear,omitempty"`

	// ExpiryOffset to use for computing when the certificate should be renewed.
	// The rotation time will be the difference between the expiration and the offset.
	// Should be in duration notation e.g. 30s, 120s, etc.
	// Set to empty string "" to prevent certificate rotation.
	ExpiryOffset string `json:"expiryOffset,omitempty"`

	// IssuerRef reference to an existing PKI issuer, either by Vault-generated
	// identifier, the literal string default to refer to the currently
	// configured default issuer, or the name assigned to an issuer.
	// This parameter is part of the request URL.
	IssuerRef string `json:"issuerRef,omitempty"`

	// RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret do
	// not support dynamically reloading a rotated secret.
	// In that case, one or more RolloutRestartTargets can be configured here. The Operator will
	// trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
	// See RolloutRestartTarget for more details.
	RolloutRestartTargets []RolloutRestartTarget `json:"rolloutRestartTargets,omitempty"`

	// Destination provides configuration necessary for syncing the Vault secret
	// to Kubernetes. If the type is set to "kubernetes.io/tls", the Vault
	// response fields "certificate" and "private_key" will be copied to fields
	// "tls.crt" and "tls.key", respectively, in the Kubernetes secret.
	Destination Destination `json:"destination"`

	// CommonName to include in the request.
	CommonName string `json:"commonName,omitempty"`

	// AltNames to include in the request
	// May contain both DNS names and email addresses.
	AltNames []string `json:"altNames,omitempty"`

	// IPSans to include in the request.
	IPSans []string `json:"ipSans,omitempty"`

	// The requested URI SANs.
	URISans []string `json:"uriSans,omitempty"`

	// Requested other SANs, in an array with the format
	// oid;type:value for each entry.
	OtherSans []string `json:"otherSans,omitempty"`

	// TTL for the certificate; sets the expiration date.
	// If not specified the Vault role's default,
	// backend default, or system default TTL is used, in that order.
	// Cannot be larger than the mount's max TTL.
	// Note: this only has an effect when generating a CA cert or signing a CA cert,
	// not when generating a CSR for an intermediate CA.
	// Should be in duration notation e.g. 120s, 2h, etc.
	TTL string `json:"ttl,omitempty"`

	// Format for the certificate. Choices: "pem", "der", "pem_bundle".
	// If "pem_bundle",
	// any private key and issuing cert will be appended to the certificate pem.
	// If "der", the value will be base64 encoded.
	// Default: pem
	Format string `json:"format,omitempty"`

	// PrivateKeyFormat, generally the default will be controlled by the Format
	// parameter as either base64-encoded DER or PEM-encoded DER.
	// However, this can be set to "pkcs8" to have the returned
	// private key contain base64-encoded pkcs8 or PEM-encoded
	// pkcs8 instead.
	// Default: der
	PrivateKeyFormat string `json:"privateKeyFormat,omitempty"`

	// NotAfter field of the certificate with specified date value.
	// The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ
	NotAfter string `json:"notAfter,omitempty"`

	// ExcludeCNFromSans from DNS or Email Subject Alternate Names.
	// Default: false
	ExcludeCNFromSans bool `json:"excludeCNFromSans,omitempty"`
}

VaultPKISecretSpec defines the desired state of VaultPKISecret
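Added example, not the operator's code, of how the Destination rules combine with the PKI mapping described for VaultPKISecretSpec.Destination: Type defaults to Opaque, Labels/Annotations/Type apply only when the operator creates the Secret, and a kubernetes.io/tls Destination gets the Vault "certificate" and "private_key" fields copied to "tls.crt" and "tls.key". The stdlib-only DesiredSecret type stands in for corev1.Secret, and keeping the remaining Vault fields under their own names is an assumption.

```go
package main

import "fmt"

const (
	secretTypeOpaque = "Opaque"            // the Destination.Type default
	secretTypeTLS    = "kubernetes.io/tls" // triggers the tls.crt/tls.key mapping
)

// Destination mirrors the type above, with Type as a plain string rather than v1.SecretType.
type Destination struct {
	Name        string
	Create      bool
	Labels      map[string]string
	Annotations map[string]string
	Type        string
}

// DesiredSecret is a stdlib-only stand-in for the corev1.Secret the operator would write.
type DesiredSecret struct {
	Name        string
	Type        string // "" means "keep the existing Secret's type" when Create is false
	Labels      map[string]string
	Annotations map[string]string
	Data        map[string][]byte
}

// BuildPKISecret maps a Vault PKI issue response (its data fields, e.g. "certificate",
// "private_key", "issuing_ca", "serial_number") onto the Destination Secret. Per the
// VaultPKISecretSpec.Destination comment, a kubernetes.io/tls Destination gets
// "certificate" and "private_key" copied to "tls.crt" and "tls.key"; keeping the other
// fields under their Vault names is this example's assumption. exists says whether the
// named Secret is already present, so the Create rule from Destination can be checked.
func BuildPKISecret(d Destination, vaultData map[string]string, exists bool) (DesiredSecret, error) {
	if d.Name == "" {
		return DesiredSecret{}, fmt.Errorf("destination.name is required")
	}
	if d.Create && exists {
		return DesiredSecret{}, fmt.Errorf("secret %q already exists; destination.create must be false", d.Name)
	}
	if !d.Create && !exists {
		return DesiredSecret{}, fmt.Errorf("secret %q does not exist and destination.create is false", d.Name)
	}
	out := DesiredSecret{Name: d.Name, Data: make(map[string][]byte, len(vaultData)+2)}
	if d.Create {
		// Labels, Annotations and Type only take effect when the operator creates the Secret.
		out.Type, out.Labels, out.Annotations = d.Type, d.Labels, d.Annotations
		if out.Type == "" {
			out.Type = secretTypeOpaque
		}
	}
	for k, v := range vaultData {
		out.Data[k] = []byte(v)
	}
	if d.Type == secretTypeTLS {
		cert, okCert := vaultData["certificate"]
		key, okKey := vaultData["private_key"]
		if !okCert || !okKey {
			return DesiredSecret{}, fmt.Errorf("%s needs certificate and private_key in the Vault response", secretTypeTLS)
		}
		out.Data["tls.crt"] = []byte(cert)
		out.Data["tls.key"] = []byte(key)
	}
	return out, nil
}

func main() {
	// Constructed placeholder PEM bodies, not a real certificate or key.
	resp := map[string]string{
		"certificate":   "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----",
		"private_key":   "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----",
		"serial_number": "00:11:22",
	}
	s, err := BuildPKISecret(Destination{Name: "web-tls", Create: true, Type: secretTypeTLS}, resp, false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s %s keys=%d\n", s.Name, s.Type, len(s.Data))
}
```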

func (*VaultPKISecretSpec) DeepCopy

func (in *VaultPKISecretSpec) DeepCopy() *VaultPKISecretSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultPKISecretSpec.

func (*VaultPKISecretSpec) DeepCopyInto

func (in *VaultPKISecretSpec) DeepCopyInto(out *VaultPKISecretSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultPKISecretStatus

type VaultPKISecretStatus struct {
	SerialNumber string `json:"serialNumber,omitempty"`
	Expiration   int64  `json:"expiration,omitempty"`
	Valid        bool   `json:"valid"`
	Error        string `json:"error"`
}

VaultPKISecretStatus defines the observed state of VaultPKISecret

func (*VaultPKISecretStatus) DeepCopy

func (in *VaultPKISecretStatus) DeepCopy() *VaultPKISecretStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultPKISecretStatus.

func (*VaultPKISecretStatus) DeepCopyInto

func (in *VaultPKISecretStatus) DeepCopyInto(out *VaultPKISecretStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultSecretLease

type VaultSecretLease struct {
	// ID of the Vault secret lease.
	ID string `json:"id"`
	// LeaseDuration of the Vault secret, in seconds.
	LeaseDuration int `json:"duration"`
	// Renewable reports whether the Vault secret lease can be renewed.
	Renewable bool `json:"renewable"`
	// RequestID of the Vault request that produced the secret.
	RequestID string `json:"requestID"`
}

func (*VaultSecretLease) DeepCopy

func (in *VaultSecretLease) DeepCopy() *VaultSecretLease

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultSecretLease.

func (*VaultSecretLease) DeepCopyInto

func (in *VaultSecretLease) DeepCopyInto(out *VaultSecretLease)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultStaticCredsMetaData

type VaultStaticCredsMetaData struct {
	// LastVaultRotation is the last time Vault rotated the password.
	LastVaultRotation int64 `json:"lastVaultRotation"`
	// RotationPeriod is the number of seconds between rotations, effectively a
	// "time to live". It is compared against LastVaultRotation to
	// determine whether the password needs to be rotated.
	RotationPeriod int64 `json:"rotationPeriod"`
	// TTL is the number of seconds remaining before the next rotation.
	TTL int64 `json:"ttl"`
}

func (*VaultStaticCredsMetaData) DeepCopy

func (in *VaultStaticCredsMetaData) DeepCopy() *VaultStaticCredsMetaData

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultStaticCredsMetaData.

func (*VaultStaticCredsMetaData) DeepCopyInto

func (in *VaultStaticCredsMetaData) DeepCopyInto(out *VaultStaticCredsMetaData)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultStaticSecret

type VaultStaticSecret struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   VaultStaticSecretSpec   `json:"spec,omitempty"`
	Status VaultStaticSecretStatus `json:"status,omitempty"`
}

VaultStaticSecret is the Schema for the vaultstaticsecrets API

func (*VaultStaticSecret) DeepCopy

func (in *VaultStaticSecret) DeepCopy() *VaultStaticSecret

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultStaticSecret.

func (*VaultStaticSecret) DeepCopyInto

func (in *VaultStaticSecret) DeepCopyInto(out *VaultStaticSecret)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultStaticSecret) DeepCopyObject

func (in *VaultStaticSecret) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultStaticSecretList

type VaultStaticSecretList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []VaultStaticSecret `json:"items"`
}

VaultStaticSecretList contains a list of VaultStaticSecret

func (*VaultStaticSecretList) DeepCopy

func (in *VaultStaticSecretList) DeepCopy() *VaultStaticSecretList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultStaticSecretList.

func (*VaultStaticSecretList) DeepCopyInto

func (in *VaultStaticSecretList) DeepCopyInto(out *VaultStaticSecretList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*VaultStaticSecretList) DeepCopyObject

func (in *VaultStaticSecretList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type VaultStaticSecretSpec

type VaultStaticSecretSpec struct {
	// VaultAuthRef of the VaultAuth resource
	// If no value is specified the Operator will default to the `default` VaultAuth,
	// configured in its own Kubernetes namespace.
	VaultAuthRef string `json:"vaultAuthRef,omitempty"`
	// Namespace to get the secret from in Vault
	Namespace string `json:"namespace,omitempty"`
	// Mount for the secret in Vault
	Mount string `json:"mount"`
	// Path of the secret in Vault. Corresponds to the `path` parameter of
	// kv-v1: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v1#read-secret
	// kv-v2: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-version
	Path string `json:"path"`
	// Version of the secret to fetch. Only valid for type kv-v2. Corresponds to version query parameter:
	// https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#version
	// +kubebuilder:validation:Minimum=0
	Version int `json:"version,omitempty"`
	// Type of the Vault static secret
	// +kubebuilder:validation:Enum={kv-v1,kv-v2}
	Type string `json:"type"`
	// RefreshAfter is the period between re-reads of the secret from Vault, in duration notation (e.g. 30s, 5m).
	RefreshAfter string `json:"refreshAfter,omitempty"`
	// HMACSecretData determines whether the Operator computes the
	// HMAC of the Secret's data. The MAC value will be stored in
	// the resource's Status.SecretMac field, and will be used for drift detection
	// and during incoming Vault secret comparison.
	// Enabling this feature is recommended to ensure that Secret's data stays consistent with Vault.
	// +kubebuilder:default=true
	HMACSecretData bool `json:"hmacSecretData,omitempty"`
	// RolloutRestartTargets should be configured whenever the application(s) consuming the Vault secret do
	// not support dynamically reloading a rotated secret.
	// In that case one or more RolloutRestartTarget(s) can be configured here. The Operator will
	// trigger a "rollout-restart" for each target whenever the Vault secret changes between reconciliation events.
	// All configured targets will be ignored if HMACSecretData is set to false, because without
	// the MAC the Operator cannot tell that the secret has changed.
	// See RolloutRestartTarget for more details.
	RolloutRestartTargets []RolloutRestartTarget `json:"rolloutRestartTargets,omitempty"`
	// Destination provides configuration necessary for syncing the Vault secret to Kubernetes.
	Destination Destination `json:"destination"`
}

VaultStaticSecretSpec defines the desired state of VaultStaticSecret

func (*VaultStaticSecretSpec) DeepCopy

func (in *VaultStaticSecretSpec) DeepCopy() *VaultStaticSecretSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultStaticSecretSpec.

func (*VaultStaticSecretSpec) DeepCopyInto

func (in *VaultStaticSecretSpec) DeepCopyInto(out *VaultStaticSecretSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VaultStaticSecretStatus

type VaultStaticSecretStatus struct {
	// SecretMAC is used when deciding whether new Vault secret data should be synced.
	//
	// The controller computes the HMAC of the "new" Vault secret data and compares it to this value;
	// if they differ, the data is synced to the Destination.
	//
	// The SecretMAC is also used to detect drift in the Destination Secret's Data.
	// If drift is detected, the data is synced to the Destination.
	SecretMAC string `json:"secretMAC,omitempty"`
}

VaultStaticSecretStatus defines the observed state of VaultStaticSecret
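The two comparisons described above (has the data read from Vault changed since the last sync, and has the destination Secret been altered out of band) can be driven from one stored MAC. The following is an added illustration of that scheme and is not the operator's own code: its canonicalization, key management and status handling are assumptions made here so the example runs offline. It canonicalizes the Secret's data map with sorted, length-prefixed fields, computes HMAC-SHA256 under a key only the controller holds, and compares with `hmac.Equal`. A keyed MAC rather than a plain hash matters because the status is visible to anyone who can read the custom resource; a bare SHA-256 of low-entropy secret data would let such a reader confirm guesses of the value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sort"
)

// secretMAC returns the hex HMAC-SHA256 of a Secret's data under a key that
// only the operator holds. Keys are visited in sorted order and every key and
// value is length-prefixed, so map iteration order does not matter and
// {"a":"bc"} cannot collide with {"ab":"c"}.
func secretMAC(key []byte, data map[string][]byte) string {
	mac := hmac.New(sha256.New, key)
	names := make([]string, 0, len(data))
	for name := range data {
		names = append(names, name)
	}
	sort.Strings(names)
	for _, name := range names {
		// Writes to a hash.Hash never return an error.
		_ = binary.Write(mac, binary.BigEndian, uint64(len(name)))
		mac.Write([]byte(name))
		_ = binary.Write(mac, binary.BigEndian, uint64(len(data[name])))
		mac.Write(data[name])
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// Decision records the two comparisons the status comment describes.
type Decision struct {
	VaultChanged     bool // data read from Vault differs from what was last synced
	DestinationDrift bool // the destination Secret no longer matches what was last synced
	Sync             bool // either condition means the Destination must be rewritten
}

// needsSync compares both the freshly read Vault data and the Secret currently
// in the cluster against the MAC recorded in Status.SecretMAC. hmac.Equal keeps
// the comparison constant-time.
func needsSync(key []byte, storedMAC string, fromVault, inCluster map[string][]byte) Decision {
	d := Decision{
		VaultChanged:     !hmac.Equal([]byte(secretMAC(key, fromVault)), []byte(storedMAC)),
		DestinationDrift: !hmac.Equal([]byte(secretMAC(key, inCluster)), []byte(storedMAC)),
	}
	d.Sync = d.VaultChanged || d.DestinationDrift
	return d
}

func main() {
	// Constructed sample data; a real key would live in a Secret in the operator's namespace.
	key := []byte("constructed-example-hmac-key-not-for-production")
	synced := map[string][]byte{"username": []byte("app"), "password": []byte("s3cr3t")}
	storedMAC := secretMAC(key, synced)

	// 1. Nothing changed on either side: no sync.
	fmt.Printf("steady state:      %+v\n", needsSync(key, storedMAC, synced, synced))

	// 2. Vault rotated the password: VaultChanged, sync.
	rotated := map[string][]byte{"username": []byte("app"), "password": []byte("n3w-s3cr3t")}
	fmt.Printf("rotated in Vault:  %+v\n", needsSync(key, storedMAC, rotated, synced))

	// 3. Someone edited the Secret in the cluster by hand: DestinationDrift, sync.
	edited := map[string][]byte{"username": []byte("app"), "password": []byte("tampered")}
	fmt.Printf("edited in cluster: %+v\n", needsSync(key, storedMAC, synced, edited))
}
```

Disabling HMACSecretData removes the stored MAC, which is why the spec notes that RolloutRestartTargets are then ignored: without a reference value there is no change signal to act on.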

func (*VaultStaticSecretStatus) DeepCopy

func (in *VaultStaticSecretStatus) DeepCopy() *VaultStaticSecretStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultStaticSecretStatus.

func (*VaultStaticSecretStatus) DeepCopyInto

func (in *VaultStaticSecretStatus) DeepCopyInto(out *VaultStaticSecretStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
