v1alpha1

type AuditSpec struct {
	Webhook *AuditWebhookSpec `json:"webhook,omitempty"`
}

type AuditWebhookMode string

type AuditWebhookSpec struct {
	// The size of the buffer to store events before batching and writing. Only used in batch mode.
	BatchBufferSize int `json:"batchBufferSize,omitempty"`
	// The maximum size of a batch. Only used in batch mode.
	BatchMaxSize int `json:"batchMaxSize,omitempty"`
	// The amount of time to wait before force writing the batch that hadn't reached the max size.
	// Only used in batch mode.
	BatchMaxWait *metav1.Duration `json:"batchMaxWait,omitempty"`
	// Maximum number of requests sent at the same moment if ThrottleQPS was not utilized before.
	// Only used in batch mode.
	BatchThrottleBurst int `json:"batchThrottleBurst,omitempty"`
	// Whether batching throttling is enabled. Only used in batch mode.
	BatchThrottleEnable bool `json:"batchThrottleEnable,omitempty"`
	// Maximum average number of batches per second. Only used in batch mode.
	// This value is a floating point number, stored as a string (e.g. "3.1").
	BatchThrottleQPS string `json:"batchThrottleQPS,omitempty"`

	// Name of a Kubernetes Secret that contains a kubeconfig formatted file that defines the
	// audit webhook configuration.
	ConfigSecretName string `json:"configSecretName,omitempty"`
	// The amount of time to wait before retrying the first failed request.
	InitialBackoff *metav1.Duration `json:"initialBackoff,omitempty"`
	// Strategy for sending audit events. Blocking indicates sending events should block server
	// responses. Batch causes the backend to buffer and write events asynchronously.
	Mode AuditWebhookMode `json:"mode,omitempty"`
	// Whether event and batch truncating is enabled.
	TruncateEnabled bool `json:"truncateEnabled,omitempty"`
	// Maximum size of the batch sent to the underlying backend. Actual serialized size can be
	// several hundreds of bytes greater. If a batch exceeds this limit, it is split into several
	// batches of smaller size.
	TruncateMaxBatchSize int `json:"truncateMaxBatchSize,omitempty"`
	// Maximum size of the audit event sent to the underlying backend. If the size of an event
	// is greater than this number, first request and response are removed, and if this doesn't
	// reduce the size enough, event is discarded.
	TruncateMaxEventSize int `json:"truncateMaxEventSize,omitempty"`
	// API group and version used for serializing audit events written to webhook.
	Version string `json:"version,omitempty"`
}

type AuthSpec struct {
	// Optional: OIDC configures OpenID Connect Authentication.
	OIDC *OIDCConfiguration `json:"oidc,omitempty"`

	// Optional: serviceAccountAuthentication configures ServiceAccount Authentication.
	ServiceAccount *ServiceAccountAuthentication `json:"serviceAccount,omitempty"`

	// Optional: DropGroups configures groups to be dropped before forwarding requests to Shards.
	DropGroups []string `json:"dropGroups,omitempty"`

	// Optional: PassOnGroups configures groups to be passed on before forwarding requests to Shards
	PassOnGroups []string `json:"passOnGroups,omitempty"`
}

type AuthorizationSpec struct {
	Webhook *AuthorizationWebhookSpec `json:"webhook,omitempty"`
}

type AuthorizationWebhookSpec struct {
	// A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server.
	// If specified, completely overwrites the default of [/healthz,/readyz,/livez].
	AllowPaths []string `json:"allowPaths,omitempty"`
	// The duration to cache 'authorized' responses from the webhook authorizer.
	CacheAuthorizedTTL *metav1.Duration `json:"cacheAuthorizedTTL,omitempty"`
	// The duration to cache 'unauthorized' responses from the webhook authorizer.
	CacheUnauthorizedTTL *metav1.Duration `json:"cacheUnauthorizedTTL,omitempty"`
	// Name of a Kubernetes Secret that contains a kubeconfig formatted file that defines the
	// authorization webhook configuration.
	ConfigSecretName string `json:"configSecretName,omitempty"`
	// The API version of the authorization.k8s.io SubjectAccessReview to send to and expect from the webhook.
	Version string `json:"version,omitempty"`
}

type CA string

type CacheConfig struct {
	// Embedded configures settings for starting the cache server embedded in the root shard.
	Embedded *EmbeddedCacheConfiguration `json:"embedded,omitempty"`
}

type CacheServer struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   CacheServerSpec   `json:"spec,omitempty"`
	Status CacheServerStatus `json:"status,omitempty"`
}

type CacheServerList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []CacheServer `json:"items"`
}

type CacheServerSpec struct {
	// Etcd configures the etcd cluster that this cache server should be using.
	Etcd EtcdConfig `json:"etcd"`

	// Optional: Image overwrites the container image used to deploy the cache server.
	Image *ImageSpec `json:"image,omitempty"`
}

type CacheServerStatus struct {
}

type Certificate string

type CertificateMetadataTemplate struct {
	// Annotations is a key value map to be copied to the target Certificate.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`

	// Labels is a key value map to be copied to the target Certificate.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
}

type CertificatePrivateKeyTemplate struct {
	// RotationPolicy controls how private keys should be regenerated when a
	// re-issuance is being processed.
	//
	// If set to `Never`, a private key will only be generated if one does not
	// already exist in the target `spec.secretName`. If one does exist but it
	// does not have the correct algorithm or size, a warning will be raised
	// to await user intervention.
	// If set to `Always`, a private key matching the specified requirements
	// will be generated whenever a re-issuance occurs.
	// Default is `Never` for backward compatibility.
	// +optional
	RotationPolicy PrivateKeyRotationPolicy `json:"rotationPolicy,omitempty"`

	// The private key cryptography standards (PKCS) encoding for this
	// certificate's private key to be encoded in.
	//
	// If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
	// and PKCS#8, respectively.
	// Defaults to `PKCS1` if not specified.
	// +optional
	Encoding PrivateKeyEncoding `json:"encoding,omitempty"`

	// Algorithm is the private key algorithm of the corresponding private key
	// for this certificate.
	//
	// If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
	// If `algorithm` is specified and `size` is not provided,
	// key size of 2048 will be used for `RSA` key algorithm and
	// key size of 256 will be used for `ECDSA` key algorithm.
	// key size is ignored when using the `Ed25519` key algorithm.
	// +optional
	Algorithm PrivateKeyAlgorithm `json:"algorithm,omitempty"`

	// Size is the key bit size of the corresponding private key for this certificate.
	//
	// If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
	// and will default to `2048` if not specified.
	// If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
	// and will default to `256` if not specified.
	// If `algorithm` is set to `Ed25519`, Size is ignored.
	// No other values are allowed.
	// +optional
	Size int `json:"size,omitempty"`
}

type CertificateSecretTemplate struct {
	// Annotations is a key value map to be copied to the target Kubernetes Secret.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`

	// Labels is a key value map to be copied to the target Kubernetes Secret.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
}

type CertificateSpecTemplate struct {
	// Requested set of X509 certificate subject attributes.
	// More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
	//
	// +optional
	Subject *X509Subject `json:"subject,omitempty"`

	// Requested DNS subject alternative names. The values given here will be merged into the
	// DNS names determined automatically by the kcp-operator.
	//
	// +optional
	DNSNames []string `json:"dnsNames,omitempty"`

	// Requested IP address subject alternative names. The values given here will be merged into the
	// DNS names determined automatically by the kcp-operator.
	//
	// +optional
	IPAddresses []string `json:"ipAddresses,omitempty"`

	// Defines annotations and labels to be copied to the Certificate's Secret.
	// Labels and annotations on the Secret will be changed as they appear on the
	// SecretTemplate when added or removed. SecretTemplate annotations are added
	// in conjunction with, and cannot overwrite, the base set of annotations
	// cert-manager sets on the Certificate's Secret.
	// +optional
	SecretTemplate *CertificateSecretTemplate `json:"secretTemplate,omitempty"`

	// Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
	// issuer may choose to ignore the requested duration, just like any other
	// requested attribute.
	//
	// If unset, this defaults to 90 days.
	// Minimum accepted duration is 1 hour.
	// Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
	// +optional
	Duration *metav1.Duration `json:"duration,omitempty"`

	// How long before the currently issued certificate's expiry cert-manager should
	// renew the certificate. For example, if a certificate is valid for 60 minutes,
	// and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
	// 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
	// the certificate is no longer valid).
	//
	// NOTE: The actual lifetime of the issued certificate is used to determine the
	// renewal time. If an issuer returns a certificate with a different lifetime than
	// the one requested, cert-manager will use the lifetime of the issued certificate.
	//
	// If unset, this defaults to 1/3 of the issued certificate's lifetime.
	// Minimum accepted value is 5 minutes.
	// Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
	// Cannot be set if the `renewBeforePercentage` field is set.
	// +optional
	RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`

	// Private key options. These include the key algorithm and size, the used
	// encoding and the rotation policy.
	// +optional
	PrivateKey *CertificatePrivateKeyTemplate `json:"privateKey,omitempty"`
}

type CertificateTemplate struct {
	Metadata *CertificateMetadataTemplate `json:"metadata,omitempty"`
	Spec     *CertificateSpecTemplate     `json:"spec,omitempty"`
}

type CertificateTemplateMap map[string]CertificateTemplate

type Certificates struct {
	// IssuerRef points to a pre-existing cert-manager Issuer or ClusterIssuer that shall be used
	// to acquire new certificates. This field is mutually exclusive with caSecretRef.
	IssuerRef *ObjectReference `json:"issuerRef,omitempty"`

	// CASecretRef can be used as an alternative to the IssuerRef: This field allows to configure
	// a pre-existing CA certificate that should be used as sign kcp certificates.
	// This Secret must contain both the certificate and the private key so that new sub certificates
	// can be signed and created from this CA. This field is mutually exclusive with issuerRef.
	CASecretRef *corev1.LocalObjectReference `json:"caSecretRef,omitempty"`
}

type CommonShardSpec struct {
	ClusterDomain string `json:"clusterDomain,omitempty"`

	// Etcd configures the etcd cluster that this shard should be using.
	Etcd EtcdConfig `json:"etcd"`

	Image *ImageSpec `json:"image,omitempty"`

	// Replicas configures how many instances of this shard run in parallel. Defaults to 2 if not set.
	Replicas *int32 `json:"replicas,omitempty"`

	// Resources overrides the default resource requests and limits.
	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`

	Audit         *AuditSpec         `json:"audit,omitempty"`
	Authorization *AuthorizationSpec `json:"authorization,omitempty"`

	// Optional: Auth configures various aspects of Authentication and Authorization for this shard.
	Auth *AuthSpec `json:"auth,omitempty"`

	// CertificateTemplates allows to customize the properties on the generated
	// certificates for this shard.
	CertificateTemplates CertificateTemplateMap `json:"certificateTemplates,omitempty"`

	// Optional: ServiceTemplate configures the Kubernetes Service created for this shard.
	ServiceTemplate *ServiceTemplate `json:"serviceTemplate,omitempty"`

	// Optional: DeploymentTemplate configures the Kubernetes Deployment created for this shard.
	DeploymentTemplate *DeploymentTemplate `json:"deploymentTemplate,omitempty"`
}

type ConditionReason string

type ConditionType string

type DeploymentMetadataTemplate struct {
	// Annotations is a key value map to be copied to the target Deployment.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`

	// Labels is a key value map to be copied to the target Deployment.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
}

type DeploymentSpecTemplate struct {
	// Template describes the pods that will be created.
	Template *PodTemplateSpec `json:"template,omitempty"`
}

type DeploymentTemplate struct {
	Metadata *DeploymentMetadataTemplate `json:"metadata,omitempty"`
	Spec     *DeploymentSpecTemplate     `json:"spec,omitempty"`
}

type EmbeddedCacheConfiguration struct {
	// Enabled enables or disables running the cache server as embedded.
	Enabled bool `json:"enabled"`
}

type EtcdConfig struct {
	// Endpoints is a list of http urls at which etcd nodes are available. The expected format is "https://etcd-hostname:2379".
	Endpoints []string `json:"endpoints"`
	// ClientCert configures the client certificate used to access etcd.
	// +optional
	TLSConfig *EtcdTLSConfig `json:"tlsConfig,omitempty"`
}

type EtcdTLSConfig struct {
	// SecretRef is the reference to a v1.Secret object that contains the TLS certificate.
	SecretRef corev1.LocalObjectReference `json:"secretRef"`
}

type ExternalConfig struct {
	// Hostname is the external name of the kcp instance. This should be matched by a DNS
	// record pointing to the kcp-front-proxy Service's external IP address.
	Hostname string `json:"hostname"`
	Port     uint32 `json:"port"`
}

type FrontProxy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   FrontProxySpec   `json:"spec,omitempty"`
	Status FrontProxyStatus `json:"status,omitempty"`
}

type FrontProxyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []FrontProxy `json:"items"`
}

type FrontProxyPhase string

type FrontProxySpec struct {
	// RootShard configures the kcp root shard that this front-proxy instance should connect to.
	RootShard RootShardConfig `json:"rootShard"`
	// Optional: Replicas configures the replica count for the front-proxy Deployment.
	Replicas *int32 `json:"replicas,omitempty"`
	// Resources overrides the default resource requests and limits.
	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
	// Optional: Auth configures various aspects of Authentication and Authorization for this front-proxy instance.
	// If OIDC is enabled, it also requires enabling ServiceAccount authentication (as front-proxy will start validating JWT tokens, which includes ServiceAccount tokens).
	// +kubebuilder:validation:XValidation:rule="!has(self.oidc) || (has(self.serviceAccount) && self.serviceAccount.enabled)",message="OIDC requires ServiceAccount auth to be enabled."
	Auth *AuthSpec `json:"auth,omitempty"`
	// Optional: AdditionalPathMappings configures // TODO ?
	AdditionalPathMappings []PathMappingEntry `json:"additionalPathMappings,omitempty"`
	// Optional: Image defines the image to use. Defaults to the latest versioned image during the release of kcp-operator.
	Image *ImageSpec `json:"image,omitempty"`
	// Optional: ExternalHostname under which the FrontProxy can be reached. If empty, the RootShard's external hostname will be used only.
	ExternalHostname string `json:"externalHostname,omitempty"`

	// Optional: ServiceTemplate configures the Kubernetes Service created for this front-proxy instance.
	ServiceTemplate *ServiceTemplate `json:"serviceTemplate,omitempty"`

	// Optional: DeploymentTemplate configures the Kubernetes Deployment created for this shard.
	DeploymentTemplate *DeploymentTemplate `json:"deploymentTemplate,omitempty"`

	// CertificateTemplates allows to customize the properties on the generated
	// certificates for this front-proxy.
	CertificateTemplates CertificateTemplateMap `json:"certificateTemplates,omitempty"`
}

type FrontProxyStatus struct {
	Phase FrontProxyPhase `json:"phase,omitempty"`

	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type ImageSpec struct {
	// Repository is the container image repository to use for KCP containers. Defaults to `ghcr.io/kcp-dev/kcp`.
	Repository string `json:"repository,omitempty"`
	// Tag is the container image tag to use for KCP containers. Defaults to the latest kcp release that the operator supports.
	Tag string `json:"tag,omitempty"`
	// Optional: ImagePullSecrets is a list of secret references that should be used as image pull secrets (e.g. when a private registry is used).
	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
}

type Kubeconfig struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   KubeconfigSpec   `json:"spec,omitempty"`
	Status KubeconfigStatus `json:"status,omitempty"`
}

type KubeconfigList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []Kubeconfig `json:"items"`
}

type KubeconfigSpec struct {
	// Target configures which kcp-operator object this kubeconfig should be generated for (shard or front-proxy).
	Target KubeconfigTarget `json:"target"`

	// Username defines the username embedded in the TLS certificate generated for this kubeconfig.
	Username string `json:"username"`
	// Username defines the groups embedded in the TLS certificate generated for this kubeconfig.
	Groups []string `json:"groups,omitempty"`

	// Validity configures the lifetime of the embedded TLS certificate. The kubeconfig secret will be automatically regenerated when the certificate expires.
	Validity metav1.Duration `json:"validity"`

	// SecretRef defines the v1.Secret object that the resulting kubeconfig should be written to.
	SecretRef corev1.LocalObjectReference `json:"secretRef"`

	// CertificateTemplate allows to customize the properties on the generated
	// certificate for this kubeconfig.
	CertificateTemplate *CertificateTemplate `json:"certificateTemplate,omitempty"`
}

type KubeconfigStatus struct {
}

type KubeconfigTarget struct {
	RootShardRef  *corev1.LocalObjectReference `json:"rootShardRef,omitempty"`
	ShardRef      *corev1.LocalObjectReference `json:"shardRef,omitempty"`
	FrontProxyRef *corev1.LocalObjectReference `json:"frontProxyRef,omitempty"`
}

type OIDCCAFileRef struct {
	// Name is the name of the secret that contains the CA file.
	Name string `json:"name"`
	// Key is the key in the secret that contains the CA file. Defaults to "ca.crt".
	// +optional
	Key string `json:"key,omitempty"`
}

type OIDCConfiguration struct {
	// IssuerURL is used for the OIDC issuer URL. Only https URLs will be accepted.
	IssuerURL string `json:"issuerURL"`
	// ClientID is the OIDC client ID configured on the issuer side for this KCP instance.
	ClientID string `json:"clientID"`

	// Optionally provide the client secret for the OIDC client. This is not used by KCP itself, but is used to generate
	// a OIDC kubeconfig that can be shared with users to log in via the OIDC provider.
	ClientSecret string `json:"clientSecret,omitempty"`

	// Experimental: Optionally provides a custom claim for fetching groups. The claim must be a string or an array of strings.
	GroupsClaim string `json:"groupsClaim,omitempty"`
	// Optionally uses a custom claim for fetching the username. This defaults to "sub" if unset.
	UsernameClaim string `json:"usernameClaim,omitempty"`

	// Optionally sets a custom groups prefix. This defaults to "oidc:" if unset, which means a group called "group1"
	// on the OIDC side will be recognised as "oidc:group1" in KCP.
	GroupsPrefix string `json:"groupsPrefix,omitempty"`
	// Optionally sets a custom username prefix. This defaults to "oidc:" if unset, which means a user called "user@example.com"
	// on the OIDC side will be recognised as "oidc:user@example.com" in KCP.
	UsernamePrefix string `json:"usernamePrefix,omitempty"`

	// Optionally provides a reference to a secret that contains a CA bundle for the OIDC issuer. This is useful when
	// the OIDC issuer is not publicly trusted.
	CAFileRef *OIDCCAFileRef `json:"caFileRef,omitempty"`
}

type ObjectReference struct {
	// Name of the object being referred to.
	Name string `json:"name"`
	// Kind of the object being referred to.
	// +optional
	Kind string `json:"kind,omitempty"`
	// Group of the object being referred to.
	// +optional
	Group string `json:"group,omitempty"`
}

type PathMappingEntry struct {
	Path            string `json:"path"`
	Backend         string `json:"backend"`
	BackendServerCA string `json:"backend_server_ca"`
	ProxyClientCert string `json:"proxy_client_cert"`
	ProxyClientKey  string `json:"proxy_client_key"`
}

type PodMetadataTemplate struct {
	// Annotations is a key value map to be copied to the Pod.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`

	// Labels is a key value map to be copied to the Pod.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
}

type PodSpecTemplate struct {
	// NodeSelector is a selector which must be true for the pod to fit on a node.
	// Selector which must match a node's labels for the pod to be scheduled on that node.
	// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
	// +optional
	// +mapType=atomic
	NodeSelector map[string]string `json:"nodeSelector,omitempty"`

	// If specified, the pod's scheduling constraints
	// +optional
	Affinity *corev1.Affinity `json:"affinity,omitempty"`

	// If specified, the pod's tolerations.
	// +optional
	// +listType=atomic
	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`

	// HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
	// file if specified.
	// +optional
	// +patchMergeKey=ip
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=ip
	HostAliases []corev1.HostAlias `json:"hostAliases,omitempty"`

	// ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
	// If specified, these secrets will be passed to individual puller implementations for them to use.
	// More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
	// +optional
	// +patchMergeKey=name
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=name
	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
}

type PodTemplateSpec struct {
	Metadata *PodMetadataTemplate `json:"metadata,omitempty"`
	Spec     *PodSpecTemplate     `json:"spec,omitempty"`
}

type PrivateKeyAlgorithm string

type PrivateKeyEncoding string

type PrivateKeyRotationPolicy string

type RootShard struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   RootShardSpec   `json:"spec,omitempty"`
	Status RootShardStatus `json:"status,omitempty"`
}

type RootShardConfig struct {
	// Reference references a local RootShard object.
	Reference *corev1.LocalObjectReference `json:"ref,omitempty"`
}

type RootShardList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []RootShard `json:"items"`
}

type RootShardPhase string

type RootShardProxySpec struct {
	// Optional: Image allows to override the container image used for this proxy.
	Image *ImageSpec `json:"image,omitempty"`

	// Optional: Replicas configures how many instances of this proxy run in parallel. Defaults to 2 if not set.
	Replicas *int32 `json:"replicas,omitempty"`

	// Optional: Resources overrides the default resource requests and limits.
	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`

	// Optional: ServiceTemplate configures the Kubernetes Service created for this proxy.
	ServiceTemplate *ServiceTemplate `json:"serviceTemplate,omitempty"`

	// Optional: DeploymentTemplate configures the Kubernetes Deployment created for this proxy.
	DeploymentTemplate *DeploymentTemplate `json:"deploymentTemplate,omitempty"`

	// CertificateTemplates allows to customize the properties on the generated
	// certificates for this front-proxy.
	CertificateTemplates CertificateTemplateMap `json:"certificateTemplates,omitempty"`
}

type RootShardSpec struct {
	CommonShardSpec `json:",inline"`

	External ExternalConfig `json:"external"`

	// Cache configures the cache server (with a Kubernetes-like API) used by a sharded kcp instance.
	Cache CacheConfig `json:"cache"`

	// Proxy configures the internal front-proxy that is only (supposed to be) used by the kcp-operator
	// to manage all shards belonging to a root shard instance. No external traffic should ever be
	// routed through this proxy, use a dedicated FrontProxy for that purpose.
	Proxy *RootShardProxySpec `json:"proxy,omitempty"`

	// Certificates configures how the operator should create the kcp root CA, from which it will
	// then create all other sub CAs and leaf certificates.
	Certificates Certificates `json:"certificates"`
}

type RootShardStatus struct {
	Phase RootShardPhase `json:"phase,omitempty"`

	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty"`

	// Shards is a list of shards that are currently registered with this root shard.
	// +listType=map
	// +listMapKey=name
	// +optional
	Shards []ShardReference `json:"shards,omitempty"`
}

type ServiceAccountAuthentication struct {
	// Optional: Enabled enables or disables ServiceAccount Authentication.
	// If set, it will mount every shard's service account certificate to the front-proxy.
	Enabled bool `json:"enabled"`
}

type ServiceMetadataTemplate struct {
	// Annotations is a key value map to be copied to the target Kubernetes Service.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`

	// Labels is a key value map to be copied to the target Kubernetes Service.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
}

type ServiceSpecTemplate struct {
	Type      corev1.ServiceType `json:"type,omitempty"`
	ClusterIP string             `json:"clusterIP,omitempty"`
}

type ServiceTemplate struct {
	Metadata *ServiceMetadataTemplate `json:"metadata,omitempty"`
	Spec     *ServiceSpecTemplate     `json:"spec,omitempty"`
}

type Shard struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   ShardSpec   `json:"spec,omitempty"`
	Status ShardStatus `json:"status,omitempty"`
}

type ShardList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []Shard `json:"items"`
}

type ShardPhase string

type ShardReference struct {
	// Name is the name of the shard.
	Name string `json:"name"`
}

type ShardSpec struct {
	CommonShardSpec `json:",inline"`

	RootShard RootShardConfig `json:"rootShard"`
}

type ShardStatus struct {
	Phase ShardPhase `json:"phase,omitempty"`

	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type X509Subject struct {
	// Organizations to be used on the Certificate.
	// +optional
	Organizations []string `json:"organizations,omitempty"`
	// Countries to be used on the Certificate.
	// +optional
	Countries []string `json:"countries,omitempty"`
	// Organizational Units to be used on the Certificate.
	// +optional
	OrganizationalUnits []string `json:"organizationalUnits,omitempty"`
	// Cities to be used on the Certificate.
	// +optional
	Localities []string `json:"localities,omitempty"`
	// State/Provinces to be used on the Certificate.
	// +optional
	Provinces []string `json:"provinces,omitempty"`
	// Street addresses to be used on the Certificate.
	// +optional
	StreetAddresses []string `json:"streetAddresses,omitempty"`
	// Postal codes to be used on the Certificate.
	// +optional
	PostalCodes []string `json:"postalCodes,omitempty"`
	// Serial number to be used on the Certificate.
	// +optional
	SerialNumber string `json:"serialNumber,omitempty"`
}