v1

type Assertion struct {
	// type is a required field which specifies the type of probe to use.
	//
	// The allowed probe types are "ConditionEqual", "FieldsEqual", and "FieldValue".
	//
	// When set to "ConditionEqual", the probe checks objects that have reached a condition of specified type and status.
	// When set to "FieldsEqual", the probe checks that the values found at two provided field paths are matching.
	// When set to "FieldValue", the probe checks that the value found at the provided field path matches what was specified.
	//
	// +unionDiscriminator
	// +kubebuilder:validation:Enum=ConditionEqual;FieldsEqual;FieldValue
	// +required
	// <opcon:experimental>
	Type ProbeType `json:"type,omitempty"`

	// conditionEqual contains the expected condition type and status.
	//
	// +unionMember
	// +optional
	// <opcon:experimental>
	ConditionEqual ConditionEqualProbe `json:"conditionEqual,omitzero"`

	// fieldsEqual contains the two field paths whose values are expected to match.
	//
	// +unionMember
	// +optional
	// <opcon:experimental>
	FieldsEqual FieldsEqualProbe `json:"fieldsEqual,omitzero"`

	// fieldValue contains the expected field path and value found within.
	//
	// +unionMember
	// +optional
	// <opcon:experimental>
	FieldValue FieldValueProbe `json:"fieldValue,omitzero"`
}

type AvailabilityMode string

type BundleMetadata struct {
	// name is required and follows the DNS subdomain standard as defined in [RFC 1123].
	// It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.),
	// start and end with an alphanumeric character, and be no longer than 253 characters.
	//
	// +required
	// +kubebuilder:validation:XValidation:rule="self.matches(\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\")",message="packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters"
	Name string `json:"name"`

	// version is required and references the version that this bundle represents.
	// It follows the semantic versioning standard as defined in https://semver.org/.
	//
	// +required
	// +kubebuilder:validation:XValidation:rule="self.matches(\"^([0-9]+)(\\\\.[0-9]+)?(\\\\.[0-9]+)?(-([-0-9A-Za-z]+(\\\\.[-0-9A-Za-z]+)*))?(\\\\+([-0-9A-Za-z]+(-\\\\.[-0-9A-Za-z]+)*))?\")",message="version must be well-formed semver"
	Version string `json:"version"`

	// release is an optional field that identifies a specific release of this bundle's version.
	// A release represents a re-publication of the same version, typically used to deliver
	// packaging or metadata changes without changing the version number. When multiple
	// releases exist for the same version, higher releases are preferred. An unset release
	// is less preferred than all other release values.
	//
	// The value consists of dot-separated identifiers, where each identifier is either a
	// numeric value (without leading zeros) or an alphanumeric string (e.g., "2", "1.el9",
	// "3.alpha.1"). Releases are compared identifier by identifier: numeric identifiers are
	// compared as integers, alphanumeric identifiers are compared lexically, and numeric
	// identifiers always sort before alphanumeric identifiers.
	//
	// For bundles with explicit pkg.Release metadata, this field contains that release value.
	// For registry+v1 bundles lacking an explicit release value, this field contains the release
	// extracted from version's build metadata (e.g., '2' from '1.0.0+2').
	// This field is omitted when the bundle's release value is unset.
	//
	// +optional
	// <opcon:experimental>
	// +kubebuilder:validation:MaxLength=20
	// +kubebuilder:validation:XValidation:rule="self.matches(\"^$|^(0|[1-9][0-9]*|[0-9]*[A-Za-z-][0-9A-Za-z-]*)(\\\\.(0|[1-9][0-9]*|[0-9]*[A-Za-z-][0-9A-Za-z-]*))*$\")",message="release must be empty or consist of dot-separated identifiers (numeric without leading zeros, or alphanumeric)"
	Release *string `json:"release,omitempty"`
}

type CRDUpgradeSafetyEnforcement string

type CRDUpgradeSafetyPreflightConfig struct {
	// enforcement is required and configures the state of the CRD Upgrade Safety pre-flight check.
	//
	// Allowed values are "None" or "Strict". The default value is "Strict".
	//
	// When set to "None", the CRD Upgrade Safety pre-flight check is skipped during an upgrade operation.
	// Use this option with caution as unintended consequences such as data loss can occur.
	//
	// When set to "Strict", the CRD Upgrade Safety pre-flight check runs during an upgrade operation.
	//
	// +kubebuilder:validation:Enum:="None";"Strict"
	// +required
	Enforcement CRDUpgradeSafetyEnforcement `json:"enforcement"`
}

type CatalogFilter struct {
	// packageName specifies the name of the package to be installed and is used to filter
	// the content from catalogs.
	//
	// It is required, immutable, and follows the DNS subdomain standard as defined in [RFC 1123].
	// It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.),
	// start and end with an alphanumeric character, and be no longer than 253 characters.
	//
	// Some examples of valid values are:
	//   - some-package
	//   - 123-package
	//   - 1-package-2
	//   - somepackage
	//
	// Some examples of invalid values are:
	//   - -some-package
	//   - some-package-
	//   - thisisareallylongpackagenamethatisgreaterthanthemaximumlength
	//   - some.package
	//
	// [RFC 1123]: https://tools.ietf.org/html/rfc1123
	//
	// +kubebuilder:validation.Required
	// +kubebuilder:validation:MaxLength:=253
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="packageName is immutable"
	// +kubebuilder:validation:XValidation:rule="self.matches(\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\")",message="packageName must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters"
	// +required
	PackageName string `json:"packageName"`

	// version is an optional semver constraint (a specific version or range of versions).
	// When unspecified, the latest version available is installed.
	//
	// Acceptable version ranges are no longer than 64 characters.
	// Version ranges are composed of comma- or space-delimited values and one or more comparison operators,
	// known as comparison strings.
	// You can add additional comparison strings using the OR operator (||).
	//
	// # Range Comparisons
	//
	// To specify a version range, you can use a comparison string like ">=3.0,
	// <3.6". When specifying a range, automatic updates will occur within that
	// range. The example comparison string means "install any version greater than
	// or equal to 3.0.0 but less than 3.6.0.". It also states intent that if any
	// upgrades are available within the version range after initial installation,
	// those upgrades should be automatically performed.
	//
	// # Pinned Versions
	//
	// To specify an exact version to install you can use a version range that
	// "pins" to a specific version. When pinning to a specific version, no
	// automatic updates will occur. An example of a pinned version range is
	// "0.6.0", which means "only install version 0.6.0 and never
	// upgrade from this version".
	//
	// # Basic Comparison Operators
	//
	// The basic comparison operators and their meanings are:
	//   - "=", equal (not aliased to an operator)
	//   - "!=", not equal
	//   - "<", less than
	//   - ">", greater than
	//   - ">=", greater than OR equal to
	//   - "<=", less than OR equal to
	//
	// # Wildcard Comparisons
	//
	// You can use the "x", "X", and "*" characters as wildcard characters in all
	// comparison operations. Some examples of using the wildcard characters:
	//   - "1.2.x", "1.2.X", and "1.2.*" is equivalent to ">=1.2.0, < 1.3.0"
	//   - ">= 1.2.x", ">= 1.2.X", and ">= 1.2.*" is equivalent to ">= 1.2.0"
	//   - "<= 2.x", "<= 2.X", and "<= 2.*" is equivalent to "< 3"
	//   - "x", "X", and "*" is equivalent to ">= 0.0.0"
	//
	// # Patch Release Comparisons
	//
	// When you want to specify a minor version up to the next major version you
	// can use the "~" character to perform patch comparisons. Some examples:
	//   - "~1.2.3" is equivalent to ">=1.2.3, <1.3.0"
	//   - "~1" and "~1.x" is equivalent to ">=1, <2"
	//   - "~2.3" is equivalent to ">=2.3, <2.4"
	//   - "~1.2.x" is equivalent to ">=1.2.0, <1.3.0"
	//
	// # Major Release Comparisons
	//
	// You can use the "^" character to make major release comparisons after a
	// stable 1.0.0 version is published. If there is no stable version published, // minor versions define the stability level. Some examples:
	//   - "^1.2.3" is equivalent to ">=1.2.3, <2.0.0"
	//   - "^1.2.x" is equivalent to ">=1.2.0, <2.0.0"
	//   - "^2.3" is equivalent to ">=2.3, <3"
	//   - "^2.x" is equivalent to ">=2.0.0, <3"
	//   - "^0.2.3" is equivalent to ">=0.2.3, <0.3.0"
	//   - "^0.2" is equivalent to ">=0.2.0, <0.3.0"
	//   - "^0.0.3" is equvalent to ">=0.0.3, <0.0.4"
	//   - "^0.0" is equivalent to ">=0.0.0, <0.1.0"
	//   - "^0" is equivalent to ">=0.0.0, <1.0.0"
	//
	// # OR Comparisons
	// You can use the "||" character to represent an OR operation in the version
	// range. Some examples:
	//   - ">=1.2.3, <2.0.0 || >3.0.0"
	//   - "^0 || ^3 || ^5"
	//
	// For more information on semver, please see https://semver.org/
	//
	// +kubebuilder:validation:MaxLength:=64
	// +kubebuilder:validation:XValidation:rule="self.matches(\"^(\\\\s*(=||!=|>|<|>=|=>|<=|=<|~|~>|\\\\^)\\\\s*(v?(0|[1-9]\\\\d*|[x|X|\\\\*])(\\\\.(0|[1-9]\\\\d*|x|X|\\\\*]))?(\\\\.(0|[1-9]\\\\d*|x|X|\\\\*))?(-([0-9A-Za-z\\\\-]+(\\\\.[0-9A-Za-z\\\\-]+)*))?(\\\\+([0-9A-Za-z\\\\-]+(\\\\.[0-9A-Za-z\\\\-]+)*))?)\\\\s*)((?:\\\\s+|,\\\\s*|\\\\s*\\\\|\\\\|\\\\s*)(=||!=|>|<|>=|=>|<=|=<|~|~>|\\\\^)\\\\s*(v?(0|[1-9]\\\\d*|x|X|\\\\*])(\\\\.(0|[1-9]\\\\d*|x|X|\\\\*))?(\\\\.(0|[1-9]\\\\d*|x|X|\\\\*]))?(-([0-9A-Za-z\\\\-]+(\\\\.[0-9A-Za-z\\\\-]+)*))?(\\\\+([0-9A-Za-z\\\\-]+(\\\\.[0-9A-Za-z\\\\-]+)*))?)\\\\s*)*$\")",message="invalid version expression"
	// +optional
	Version string `json:"version,omitempty"`

	// channels is optional and specifies a set of channels belonging to the package
	// specified in the packageName field.
	//
	// A channel is a package-author-defined stream of updates for an extension.
	//
	// Each channel in the list must follow the DNS subdomain standard as defined in [RFC 1123].
	// It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.),
	// start and end with an alphanumeric character, and be no longer than 253 characters.
	// You can specify no more than 256 channels.
	//
	// When specified, it constrains the set of installable bundles and the automated upgrade path.
	// This constraint is an AND operation with the version field. For example:
	//   - Given channel is set to "foo"
	//   - Given version is set to ">=1.0.0, <1.5.0"
	//   - Only bundles that exist in channel "foo" AND satisfy the version range comparison are considered installable
	//   - Automatic upgrades are constrained to upgrade edges defined by the selected channel
	//
	// When unspecified, upgrade edges across all channels are used to identify valid automatic upgrade paths.
	//
	// Some examples of valid values are:
	//   - 1.1.x
	//   - alpha
	//   - stable
	//   - stable-v1
	//   - v1-stable
	//   - dev-preview
	//   - preview
	//   - community
	//
	// Some examples of invalid values are:
	//   - -some-channel
	//   - some-channel-
	//   - thisisareallylongchannelnamethatisgreaterthanthemaximumlength
	//   - original_40
	//   - --default-channel
	//
	// [RFC 1123]: https://tools.ietf.org/html/rfc1123
	//
	// +kubebuilder:validation:items:MaxLength:=253
	// +kubebuilder:validation:MaxItems:=256
	// +kubebuilder:validation:items:XValidation:rule="self.matches(\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\")",message="channels entries must be valid DNS1123 subdomains"
	// +optional
	Channels []string `json:"channels,omitempty"`

	// selector is optional and filters the set of ClusterCatalogs used in the bundle selection process.
	//
	// When unspecified, all ClusterCatalogs are used in the bundle selection process.
	//
	// +optional
	Selector *metav1.LabelSelector `json:"selector,omitempty"`

	// upgradeConstraintPolicy is optional and controls whether the upgrade paths defined in the catalog
	// are enforced for the package referenced in the packageName field.
	//
	// Allowed values are "CatalogProvided", "SelfCertified", or omitted.
	//
	// When set to "CatalogProvided", automatic upgrades only occur when upgrade constraints specified by the package
	// author are met.
	//
	// When set to "SelfCertified", the upgrade constraints specified by the package author are ignored.
	// This allows upgrades and downgrades to any version of the package.
	// This is considered a dangerous operation as it can lead to unknown and potentially disastrous outcomes,
	// such as data loss.
	// Use this option only if you have independently verified the changes.
	//
	// When omitted, the default value is "CatalogProvided".
	//
	// +kubebuilder:validation:Enum:=CatalogProvided;SelfCertified
	// +kubebuilder:default:=CatalogProvided
	// +optional
	UpgradeConstraintPolicy UpgradeConstraintPolicy `json:"upgradeConstraintPolicy,omitempty"`
}

type CatalogSource struct {
	// type is a required field that specifies the type of source for the catalog.
	//
	// The only allowed value is "Image".
	//
	// When set to "Image", the ClusterCatalog content is sourced from an OCI image.
	// When using an image source, the image field must be set and must be the only field defined for this type.
	//
	// +unionDiscriminator
	// +kubebuilder:validation:Enum:="Image"
	// +required
	Type SourceType `json:"type"`
	// image configures how catalog contents are sourced from an OCI image.
	// It is required when type is Image, and forbidden otherwise.
	// +optional
	Image *ImageSource `json:"image,omitempty"`
}

type ClusterCatalog struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata"`

	// spec is a required field that defines the desired state of the ClusterCatalog.
	// The controller ensures that the catalog is unpacked and served over the catalog content HTTP server.
	// +required
	Spec ClusterCatalogSpec `json:"spec"`

	// status contains the following information about the state of the ClusterCatalog:
	//   - Whether the catalog contents are being served via the catalog content HTTP server
	//   - Whether the ClusterCatalog is progressing to a new state
	//   - A reference to the source from which the catalog contents were retrieved
	// +optional
	Status ClusterCatalogStatus `json:"status,omitempty"`
}

type ClusterCatalogList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata"`

	// items is a list of ClusterCatalogs.
	// items is required.
	// +required
	Items []ClusterCatalog `json:"items"`
}

type ClusterCatalogSpec struct {
	// source is a required field that defines the source of a catalog.
	// A catalog contains information on content that can be installed on a cluster.
	// The catalog source makes catalog contents discoverable and usable by other on-cluster components.
	// These components can present the content in a GUI dashboard or install content from the catalog on the cluster.
	// The catalog source must contain catalog metadata in the File-Based Catalog (FBC) format.
	// For more information on FBC, see https://olm.operatorframework.io/docs/reference/file-based-catalogs/#docs.
	//
	// Below is a minimal example of a ClusterCatalogSpec that sources a catalog from an image:
	//
	//  source:
	//    type: Image
	//    image:
	//      ref: quay.io/operatorhubio/catalog:latest
	//
	// +required
	Source CatalogSource `json:"source"`

	// priority is an optional field that defines a priority for this ClusterCatalog.
	//
	// Clients use the ClusterCatalog priority as a tie-breaker between ClusterCatalogs that meet their requirements.
	// Higher numbers mean higher priority.
	//
	// Clients decide how to handle scenarios where multiple ClusterCatalogs with the same priority meet their requirements.
	// Clients should prompt users for additional input to break the tie.
	//
	// When omitted, the default priority is 0.
	//
	// Use negative numbers to specify a priority lower than the default.
	// Use positive numbers to specify a priority higher than the default.
	//
	// The lowest possible value is -2147483648.
	// The highest possible value is 2147483647.
	//
	// +kubebuilder:default:=0
	// +kubebuilder:validation:Minimum:=-2147483648
	// +kubebuilder:validation:Maximum:=2147483647
	// +optional
	Priority int32 `json:"priority"`

	// availabilityMode is an optional field that defines how the ClusterCatalog is made available to clients on the cluster.
	//
	// Allowed values are "Available", "Unavailable", or omitted.
	//
	// When omitted, the default value is "Available".
	//
	// When set to "Available", the catalog contents are unpacked and served over the catalog content HTTP server.
	// Clients should consider this ClusterCatalog and its contents as usable.
	//
	// When set to "Unavailable", the catalog contents are no longer served over the catalog content HTTP server.
	// Treat this the same as if the ClusterCatalog does not exist.
	// Use "Unavailable" when you want to keep the ClusterCatalog but treat it as if it doesn't exist.
	//
	// +kubebuilder:validation:Enum:="Unavailable";"Available"
	// +kubebuilder:default:="Available"
	// +optional
	AvailabilityMode AvailabilityMode `json:"availabilityMode,omitempty"`
}

type ClusterCatalogStatus struct {
	// conditions represents the current state of this ClusterCatalog.
	//
	// The current condition types are Serving and Progressing.
	//
	// The Serving condition represents whether the catalog contents are being served via the HTTP(S) web server:
	//   - When status is True and reason is Available, the catalog contents are being served.
	//   - When status is False and reason is Unavailable, the catalog contents are not being served because the contents are not yet available.
	//   - When status is False and reason is UserSpecifiedUnavailable, the catalog contents are not being served because the catalog has been intentionally marked as unavailable.
	//
	// The Progressing condition represents whether the ClusterCatalog is progressing or is ready to progress towards a new state:
	//   - When status is True and reason is Retrying, an error occurred that may be resolved on subsequent reconciliation attempts.
	//   - When status is True and reason is Succeeded, the ClusterCatalog has successfully progressed to a new state and is ready to continue progressing.
	//   - When status is False and reason is Blocked, an error occurred that requires manual intervention for recovery.
	//
	// If the system initially fetched contents and polling identifies updates, both conditions can be active simultaneously:
	//   - The Serving condition remains True with reason Available because the previous contents are still served via the HTTP(S) web server.
	//   - The Progressing condition is True with reason Retrying because the system is working to serve the new version.
	//
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
	// resolvedSource contains information about the resolved source based on the source type.
	// +optional
	ResolvedSource *ResolvedCatalogSource `json:"resolvedSource,omitempty"`
	// urls contains the URLs that can be used to access the catalog.
	// +optional
	URLs *ClusterCatalogURLs `json:"urls,omitempty"`
	// lastUnpacked represents the last time the catalog contents were extracted from their source format.
	// For example, when using an Image source, the OCI image is pulled and image layers are written to a file-system backed cache.
	// This extraction from the source format is called "unpacking".
	// +optional
	LastUnpacked *metav1.Time `json:"lastUnpacked,omitempty"`
}

type ClusterCatalogURLs struct {
	// base is a cluster-internal URL that provides endpoints for accessing the catalog content.
	//
	// Clients should append the path for the endpoint they want to access.
	//
	// Currently, only a single endpoint is served and is accessible at the path /api/v1.
	//
	// The endpoints served for the v1 API are:
	//   - /all - this endpoint returns the entire catalog contents in the FBC format
	//
	// New endpoints may be added as needs evolve.
	//
	// +required
	// +kubebuilder:validation:MaxLength:=525
	// +kubebuilder:validation:XValidation:rule="isURL(self)",message="must be a valid URL"
	// +kubebuilder:validation:XValidation:rule="isURL(self) ? (url(self).getScheme() == \"http\" || url(self).getScheme() == \"https\") : true",message="scheme must be either http or https"
	Base string `json:"base"`
}

type ClusterExtension struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// spec is an optional field that defines the desired state of the ClusterExtension.
	// +optional
	Spec ClusterExtensionSpec `json:"spec,omitempty"`

	// status is an optional field that defines the observed state of the ClusterExtension.
	// +optional
	Status ClusterExtensionStatus `json:"status,omitempty"`
}

type ClusterExtensionConfig struct {
	// configType is required and specifies the type of configuration source.
	//
	// The only allowed value is "Inline".
	//
	// When set to "Inline", the cluster extension configuration is defined inline within the ClusterExtension resource.
	//
	// +unionDiscriminator
	// +kubebuilder:validation:Enum:="Inline"
	// +required
	ConfigType ClusterExtensionConfigType `json:"configType"`

	// inline contains JSON or YAML values specified directly in the ClusterExtension.
	//
	// It is used to specify arbitrary configuration values for the ClusterExtension.
	// It must be set if configType is 'Inline' and must be a valid JSON/YAML object containing at least one property.
	// The configuration values are validated at runtime against a JSON schema provided by the bundle.
	//
	// +kubebuilder:validation:Type=object
	// +kubebuilder:validation:MinProperties=1
	// +optional
	// +unionMember
	Inline *apiextensionsv1.JSON `json:"inline,omitempty"`
}

type ClusterExtensionConfigType string

type ClusterExtensionInstallConfig struct {
	// preflight is optional and configures the checks that run before installation or upgrade
	// of the content for the package specified in the packageName field.
	//
	// When specified, it replaces the default preflight configuration for install/upgrade actions.
	// When not specified, the default configuration is used.
	//
	// +optional
	Preflight *PreflightConfig `json:"preflight,omitempty"`
}

type ClusterExtensionInstallStatus struct {
	// bundle is required and represents the identifying attributes of a bundle.
	//
	// A "bundle" is a versioned set of content that represents the resources that need to be applied
	// to a cluster to install a package.
	//
	// +required
	Bundle BundleMetadata `json:"bundle"`
}

type ClusterExtensionList struct {
	metav1.TypeMeta `json:",inline"`

	// +optional
	metav1.ListMeta `json:"metadata,omitempty"`

	// items is a required list of ClusterExtension objects.
	//
	// +required
	Items []ClusterExtension `json:"items"`
}

type ClusterExtensionSpec struct {
	// namespace specifies a Kubernetes namespace.
	// This is the namespace where the provided ServiceAccount must exist.
	// It also designates the default namespace where namespace-scoped resources for the extension are applied to the cluster.
	// Some extensions may contain namespace-scoped resources to be applied in other namespaces.
	// This namespace must exist.
	//
	// The namespace field is required, immutable, and follows the DNS label standard as defined in [RFC 1123].
	// It must contain only lowercase alphanumeric characters or hyphens (-), start and end with an alphanumeric character,
	// and be no longer than 63 characters.
	//
	// [RFC 1123]: https://tools.ietf.org/html/rfc1123
	//
	// +kubebuilder:validation:MaxLength:=63
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="namespace is immutable"
	// +kubebuilder:validation:XValidation:rule="self.matches(\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$\")",message="namespace must be a valid DNS1123 label"
	// +required
	Namespace string `json:"namespace"`

	// serviceAccount specifies a ServiceAccount used to perform all interactions with the cluster
	// that are required to manage the extension.
	// The ServiceAccount must be configured with the necessary permissions to perform these interactions.
	// The ServiceAccount must exist in the namespace referenced in the spec.
	// The serviceAccount field is required.
	//
	// +required
	ServiceAccount ServiceAccountReference `json:"serviceAccount"`

	// source is required and selects the installation source of content for this ClusterExtension.
	// Set the sourceType field to perform the selection.
	//
	// Catalog is currently the only implemented sourceType.
	// Setting sourceType to "Catalog" requires the catalog field to also be defined.
	//
	// Below is a minimal example of a source definition (in yaml):
	//
	// source:
	//   sourceType: Catalog
	//   catalog:
	//     packageName: example-package
	//
	// +required
	Source SourceConfig `json:"source"`

	// install is optional and configures installation options for the ClusterExtension,
	// such as the pre-flight check configuration.
	//
	// +optional
	Install *ClusterExtensionInstallConfig `json:"install,omitempty"`

	// config is optional and specifies bundle-specific configuration.
	// Configuration is bundle-specific and a bundle may provide a configuration schema.
	// When not specified, the default configuration of the resolved bundle is used.
	//
	// config is validated against a configuration schema provided by the resolved bundle. If the bundle does not provide
	// a configuration schema the bundle is deemed to not be configurable. More information on how
	// to configure bundles can be found in the OLM documentation associated with your current OLM version.
	//
	// <opcon:experimental>
	// +optional
	Config *ClusterExtensionConfig `json:"config,omitempty"`

	// progressDeadlineMinutes is an optional field that defines the maximum period
	// of time in minutes after which an installation should be considered failed and
	// require manual intervention. This functionality is disabled when no value
	// is provided. The minimum period is 10 minutes, and the maximum is 720 minutes (12 hours).
	//
	// +kubebuilder:validation:Minimum:=10
	// +kubebuilder:validation:Maximum:=720
	// +optional
	// <opcon:experimental>
	ProgressDeadlineMinutes int32 `json:"progressDeadlineMinutes,omitempty"`
}

type ClusterExtensionStatus struct {
	// conditions represents the current state of the ClusterExtension.
	//
	// The set of condition types which apply to all spec.source variations are Installed and Progressing.
	//
	// The Installed condition represents whether the bundle has been installed for this ClusterExtension:
	//   - When Installed is True and the Reason is Succeeded, the bundle has been successfully installed.
	//   - When Installed is False and the Reason is Failed, the bundle has failed to install.
	//
	// The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state.
	// When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state.
	// When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts.
	// When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery.
	// <opcon:experimental:description>
	// When Progressing is True and Reason is RollingOut, the ClusterExtension has one or more ClusterObjectSets in active roll out.
	// </opcon:experimental:description>
	//
	// When the ClusterExtension is sourced from a catalog, it surfaces deprecation conditions based on catalog metadata.
	// These are indications from a package owner to guide users away from a particular package, channel, or bundle:
	//   - BundleDeprecated is True if the installed bundle is marked deprecated, False if not deprecated, or Unknown if no bundle is installed yet or if catalog data is unavailable.
	//   - ChannelDeprecated is True if any requested channel is marked deprecated, False if not deprecated, or Unknown if catalog data is unavailable.
	//   - PackageDeprecated is True if the requested package is marked deprecated, False if not deprecated, or Unknown if catalog data is unavailable.
	//   - Deprecated is a rollup condition that is True when any deprecation exists, False when none exist, or Unknown when catalog data is unavailable.
	//
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`

	// install is a representation of the current installation status for this ClusterExtension.
	//
	// +optional
	Install *ClusterExtensionInstallStatus `json:"install,omitempty"`

	// activeRevisions holds a list of currently active (non-archived) ClusterObjectSets,
	// including both installed and rolling out revisions.
	// +listType=map
	// +listMapKey=name
	// +optional
	// <opcon:experimental>
	ActiveRevisions []RevisionStatus `json:"activeRevisions,omitempty"`
}

type ClusterObjectSet struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// spec defines the desired state of the ClusterObjectSet.
	// +optional
	Spec ClusterObjectSetSpec `json:"spec,omitempty"`

	// status is optional and defines the observed state of the ClusterObjectSet.
	// +optional
	Status ClusterObjectSetStatus `json:"status,omitempty"`
}

type ClusterObjectSetLifecycleState string

type ClusterObjectSetList struct {
	metav1.TypeMeta `json:",inline"`

	// +optional
	metav1.ListMeta `json:"metadata,omitempty"`

	// items is a required list of ClusterObjectSet objects.
	//
	// +required
	Items []ClusterObjectSet `json:"items"`
}

type ClusterObjectSetObject struct {
	// object is an optional embedded Kubernetes object to be applied.
	//
	// Exactly one of object or ref must be set.
	//
	// This object must be a valid Kubernetes resource with apiVersion, kind, and metadata fields.
	//
	// +kubebuilder:validation:EmbeddedResource
	// +kubebuilder:pruning:PreserveUnknownFields
	// +optional
	Object unstructured.Unstructured `json:"object,omitzero"`

	// ref is an optional reference to a Secret that holds the serialized
	// object manifest.
	//
	// Exactly one of object or ref must be set.
	//
	// +optional
	Ref ObjectSourceRef `json:"ref,omitzero"`

	// collisionProtection controls whether the operator can adopt and modify objects
	// that already exist on the cluster.
	//
	// Allowed values are: "Prevent", "IfNoController", and "None".
	//
	// When set to "Prevent", the operator only manages objects it created itself.
	// This prevents ownership collisions.
	//
	// When set to "IfNoController", the operator can adopt and modify pre-existing objects
	// that are not owned by another controller.
	// This is useful for taking over management of manually-created resources.
	//
	// When set to "None", the operator can adopt and modify any pre-existing object, even if
	// owned by another controller.
	// Use this setting with extreme caution as it may cause multiple controllers to fight over
	// the same resource, resulting in increased load on the API server and etcd.
	//
	// When omitted, the value is inherited from the phase, then spec.
	//
	// +optional
	// +kubebuilder:validation:Enum=Prevent;IfNoController;None
	CollisionProtection CollisionProtection `json:"collisionProtection,omitempty"`
}

type ClusterObjectSetPhase struct {
	// name is a required identifier for this phase.
	//
	// phase names must follow the DNS label standard as defined in [RFC 1123].
	// They must contain only lowercase alphanumeric characters or hyphens (-),
	// start and end with an alphanumeric character, and be no longer than 63 characters.
	//
	// Common phase names include: namespaces, policies, rbac, crds, storage, deploy, publish.
	//
	// [RFC 1123]: https://tools.ietf.org/html/rfc1123
	//
	// +required
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=63
	// +kubebuilder:validation:XValidation:rule=`!format.dns1123Label().validate(self).hasValue()`,message="the value must consist of only lowercase alphanumeric characters and hyphens, and must start and end with an alphanumeric character."
	Name string `json:"name"`

	// objects is a required list of all Kubernetes objects that belong to this phase.
	//
	// All objects in this list are applied to the cluster in no particular order. The maximum number of objects per phase is 50.
	// +required
	// +kubebuilder:validation:MaxItems=50
	Objects []ClusterObjectSetObject `json:"objects"`

	// collisionProtection specifies the default collision protection strategy for all objects
	// in this phase. Individual objects can override this value.
	//
	// When set, this value is used as the default for any object in this phase that does not
	// explicitly specify its own collisionProtection.
	//
	// When omitted, we use .spec.collistionProtection as the default for any object in this phase that does not
	// explicitly specify its own collisionProtection.
	//
	// +optional
	// +kubebuilder:validation:Enum=Prevent;IfNoController;None
	CollisionProtection CollisionProtection `json:"collisionProtection,omitempty"`
}

type ClusterObjectSetSpec struct {
	// lifecycleState specifies the lifecycle state of the ClusterObjectSet.
	//
	// When set to "Active", the revision is actively managed and reconciled.
	// When set to "Archived", the revision is inactive and any resources not managed by a subsequent revision are deleted.
	// The revision is removed from the owner list of all objects previously under management.
	// All objects that did not transition to a succeeding revision are deleted.
	//
	// Once a revision is set to "Archived", it cannot be un-archived.
	//
	// It is possible for more than one revision to be "Active" simultaneously. This will occur when
	// moving from one revision to another. The old revision will not be set to "Archived" until the
	// new revision has been completely rolled out.
	//
	// +required
	// +kubebuilder:validation:Enum=Active;Archived
	// +kubebuilder:validation:XValidation:rule="oldSelf == 'Active' || oldSelf == 'Archived' && oldSelf == self", message="cannot un-archive"
	LifecycleState ClusterObjectSetLifecycleState `json:"lifecycleState,omitempty"`

	// revision is a required, immutable sequence number representing a specific revision
	// of the parent ClusterExtension.
	//
	// The revision field must be a positive integer.
	// Each ClusterObjectSet belonging to the same parent ClusterExtension must have a unique revision number.
	// The revision number must always be the previous revision number plus one, or 1 for the first revision.
	//
	// +required
	// +kubebuilder:validation:Minimum:=1
	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="revision is immutable"
	Revision int64 `json:"revision"`

	// phases is an optional, immutable list of phases that group objects to be applied together.
	//
	// Objects are organized into phases based on their Group-Kind. Common phases include:
	//   - namespaces: Namespace objects
	//   - policies: ResourceQuota, LimitRange, NetworkPolicy objects
	//   - rbac: ServiceAccount, Role, RoleBinding, ClusterRole, ClusterRoleBinding objects
	//   - crds: CustomResourceDefinition objects
	//   - storage: PersistentVolume, PersistentVolumeClaim, StorageClass objects
	//   - deploy: Deployment, StatefulSet, DaemonSet, Service, ConfigMap, Secret objects
	//   - publish: Ingress, APIService, Route, Webhook objects
	//
	// All objects in a phase are applied in no particular order.
	// The revision progresses to the next phase only after all objects in the current phase pass their readiness probes.
	//
	// Once set, even if empty, the phases field is immutable.
	//
	// Each phase in the list must have a unique name. The maximum number of phases is 20.
	//
	// +kubebuilder:validation:XValidation:rule="self == oldSelf || oldSelf.size() == 0", message="phases is immutable"
	// +kubebuilder:validation:MaxItems=20
	// +listType=map
	// +listMapKey=name
	// +optional
	Phases []ClusterObjectSetPhase `json:"phases,omitempty"`

	// progressDeadlineMinutes is an optional field that defines the maximum period
	// of time in minutes after which an installation should be considered failed and
	// require manual intervention. This functionality is disabled when no value
	// is provided. The minimum period is 10 minutes, and the maximum is 720 minutes (12 hours).
	//
	// +kubebuilder:validation:Minimum:=10
	// +kubebuilder:validation:Maximum:=720
	// +optional
	// <opcon:experimental>
	ProgressDeadlineMinutes int32 `json:"progressDeadlineMinutes,omitempty"`

	// progressionProbes is an optional field which provides the ability to define custom readiness probes
	// for objects defined within spec.phases. As documented in that field, most kubernetes-native objects
	// within the phases already have some kind of readiness check built-in, but this field allows for checks
	// which are tailored to the objects being rolled out - particularly custom resources.
	//
	// Probes defined within the progressionProbes list will apply to every phase in the revision. However, the probes will only
	// execute against phase objects which are a match for the provided selector type. For instance, a probe using a GroupKind selector
	// for ConfigMaps will automatically be considered to have passed for any non-ConfigMap object, but will halt any phase containing
	// a ConfigMap if that particular object does not pass the probe check.
	//
	// The maximum number of probes is 20.
	//
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=20
	// +listType=atomic
	// +optional
	// <opcon:experimental>
	ProgressionProbes []ProgressionProbe `json:"progressionProbes,omitempty"`

	// collisionProtection specifies the default collision protection strategy for all objects
	// in this revision. Individual phases or objects can override this value.
	//
	// When set, this value is used as the default for any phase or object that does not
	// explicitly specify its own collisionProtection.
	//
	// The resolution order is: object > phase > spec
	//
	// +required
	// +kubebuilder:validation:Enum=Prevent;IfNoController;None
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="collisionProtection is immutable"
	CollisionProtection CollisionProtection `json:"collisionProtection,omitempty"`
}

type ClusterObjectSetStatus struct {
	// conditions is an optional list of status conditions describing the state of the
	// ClusterObjectSet.
	//
	// The Progressing condition represents whether the revision is actively rolling out:
	//   - When status is True and reason is RollingOut, the ClusterObjectSet rollout is actively making progress and is in transition.
	//   - When status is True and reason is Retrying, the ClusterObjectSet has encountered an error that could be resolved on subsequent reconciliation attempts.
	//   - When status is True and reason is Succeeded, the ClusterObjectSet has reached the desired state.
	//   - When status is False and reason is Blocked, the ClusterObjectSet has encountered an error that requires manual intervention for recovery.
	//   - When status is False and reason is Archived, the ClusterObjectSet is archived and not being actively reconciled.
	//
	// The Available condition represents whether the revision has been successfully rolled out and is available:
	//   - When status is True and reason is ProbesSucceeded, the ClusterObjectSet has been successfully rolled out and all objects pass their readiness probes.
	//   - When status is False and reason is ProbeFailure, one or more objects are failing their readiness probes during rollout.
	//   - When status is Unknown and reason is Reconciling, the ClusterObjectSet has encountered an error that prevented it from observing the probes.
	//   - When status is Unknown and reason is Archived, the ClusterObjectSet has been archived and its objects have been torn down.
	//   - When status is Unknown and reason is Migrated, the ClusterObjectSet was migrated from an existing release and object status probe results have not yet been observed.
	//
	// The Succeeded condition represents whether the revision has successfully completed its rollout:
	//   - When status is True and reason is Succeeded, the ClusterObjectSet has successfully completed its rollout. This condition is set once and persists even if the revision later becomes unavailable.
	//
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`

	// observedPhases records the content hashes of resolved phases
	// at first successful reconciliation. This is used to detect if
	// referenced object sources were deleted and recreated with
	// different content. Each entry covers all fully-resolved object
	// manifests within a phase, making it source-agnostic.
	//
	// +kubebuilder:validation:XValidation:rule="self == oldSelf || oldSelf.size() == 0",message="observedPhases is immutable"
	// +kubebuilder:validation:MaxItems=20
	// +listType=map
	// +listMapKey=name
	// +optional
	ObservedPhases []ObservedPhase `json:"observedPhases,omitempty"`
}

type CollisionProtection string

type ConditionEqualProbe struct {
	// type sets the expected condition type, i.e. "Ready".
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=200
	// +required
	// <opcon:experimental>
	Type string `json:"type,omitempty"`

	// status sets the expected condition status.
	//
	// Allowed values are "True" and "False".
	//
	// +kubebuilder:validation:Enum=True;False
	// +required
	// <opcon:experimental>
	Status string `json:"status,omitempty"`
}

type FieldValueProbe struct {
	// fieldPath sets the field path for the field to check, i.e. "status.phase". The probe will fail
	// if the path does not exist.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=200
	// +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9]+(?:\\\\.[a-zA-Z0-9]+)*$')",message="must contain a valid field path. valid fields contain upper or lower-case alphanumeric characters separated by the \".\" character."
	// +required
	// <opcon:experimental>
	FieldPath string `json:"fieldPath,omitempty"`

	// value sets the expected value found at fieldPath, i.e. "Bound".
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=200
	// +required
	// <opcon:experimental>
	Value string `json:"value,omitempty"`
}

type FieldsEqualProbe struct {
	// fieldA sets the field path for the first field, i.e. "spec.replicas". The probe will fail
	// if the path does not exist.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=200
	// +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9]+(?:\\\\.[a-zA-Z0-9]+)*$')",message="must contain a valid field path. valid fields contain upper or lower-case alphanumeric characters separated by the \".\" character."
	// +required
	// <opcon:experimental>
	FieldA string `json:"fieldA,omitempty"`

	// fieldB sets the field path for the second field, i.e. "status.readyReplicas". The probe will fail
	// if the path does not exist.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=200
	// +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9]+(?:\\\\.[a-zA-Z0-9]+)*$')",message="must contain a valid field path. valid fields contain upper or lower-case alphanumeric characters separated by the \".\" character."
	// +required
	// <opcon:experimental>
	FieldB string `json:"fieldB,omitempty"`
}

type ImageSource struct {
	// ref is a required field that defines the reference to a container image containing catalog contents.
	// It cannot be more than 1000 characters.
	//
	// A reference has 3 parts: the domain, name, and identifier.
	//
	// The domain is typically the registry where an image is located.
	// It must be alphanumeric characters (lowercase and uppercase) separated by the "." character.
	// Hyphenation is allowed, but the domain must start and end with alphanumeric characters.
	// Specifying a port to use is also allowed by adding the ":" character followed by numeric values.
	// The port must be the last value in the domain.
	// Some examples of valid domain values are "registry.mydomain.io", "quay.io", "my-registry.io:8080".
	//
	// The name is typically the repository in the registry where an image is located.
	// It must contain lowercase alphanumeric characters separated only by the ".", "_", "__", "-" characters.
	// Multiple names can be concatenated with the "/" character.
	// The domain and name are combined using the "/" character.
	// Some examples of valid name values are "operatorhubio/catalog", "catalog", "my-catalog.prod".
	// An example of the domain and name parts of a reference being combined is "quay.io/operatorhubio/catalog".
	//
	// The identifier is typically the tag or digest for an image reference and is present at the end of the reference.
	// It starts with a separator character used to distinguish the end of the name and beginning of the identifier.
	// For a digest-based reference, the "@" character is the separator.
	// For a tag-based reference, the ":" character is the separator.
	// An identifier is required in the reference.
	//
	// Digest-based references must contain an algorithm reference immediately after the "@" separator.
	// The algorithm reference must be followed by the ":" character and an encoded string.
	// The algorithm must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the "-", "_", "+", and "." characters.
	// Some examples of valid algorithm values are "sha256", "sha256+b64u", "multihash+base58".
	// The encoded string following the algorithm must be hex digits (a-f, A-F, 0-9) and must be a minimum of 32 characters.
	//
	// Tag-based references must begin with a word character (alphanumeric + "_") followed by word characters or ".", and "-" characters.
	// The tag must not be longer than 127 characters.
	//
	// An example of a valid digest-based image reference is "quay.io/operatorhubio/catalog@sha256:200d4ddb2a73594b91358fe6397424e975205bfbe44614f5846033cad64b3f05"
	// An example of a valid tag-based image reference is "quay.io/operatorhubio/catalog:latest"
	//
	// +required
	// +kubebuilder:validation:MaxLength:=1000
	// +kubebuilder:validation:XValidation:rule="self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\\\b')",message="must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the \".\" character."
	// +kubebuilder:validation:XValidation:rule="self.find('(\\\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != \"\"",message="a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the \".\", \"_\", \"__\", \"-\" characters."
	// +kubebuilder:validation:XValidation:rule="self.find('(@.*:)') != \"\" || self.find(':.*$') != \"\"",message="must end with a digest or a tag"
	// +kubebuilder:validation:XValidation:rule="self.find('(@.*:)') == \"\" ? (self.find(':.*$') != \"\" ? self.find(':.*$').substring(1).size() <= 127 : true) : true",message="tag is invalid. the tag must not be more than 127 characters"
	// +kubebuilder:validation:XValidation:rule="self.find('(@.*:)') == \"\" ? (self.find(':.*$') != \"\" ? self.find(':.*$').matches(':[\\\\w][\\\\w.-]*$') : true) : true",message="tag is invalid. valid tags must begin with a word character (alphanumeric + \"_\") followed by word characters or \".\", and \"-\" characters"
	// +kubebuilder:validation:XValidation:rule="self.find('(@.*:)') != \"\" ? self.find('(@.*:)').matches('(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])') : true",message="digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the \"-\", \"_\", \"+\", and \".\" characters."
	// +kubebuilder:validation:XValidation:rule="self.find('(@.*:)') != \"\" ? self.find(':.*$').substring(1).size() >= 32 : true",message="digest is not valid. the encoded string must be at least 32 characters"
	// +kubebuilder:validation:XValidation:rule="self.find('(@.*:)') != \"\" ? self.find(':.*$').matches(':[0-9A-Fa-f]*$') : true",message="digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9)"
	Ref string `json:"ref"`

	// pollIntervalMinutes is an optional field that sets the interval, in minutes, at which the image source is polled for new content.
	// You cannot specify pollIntervalMinutes when ref is a digest-based reference.
	//
	// When omitted, the image is not polled for new content.
	// +kubebuilder:validation:Minimum:=1
	// +optional
	PollIntervalMinutes *int `json:"pollIntervalMinutes,omitempty"`
}

type ObjectSelector struct {
	// type is a required field which specifies the type of selector to use.
	//
	// The allowed selector types are "GroupKind" and "Label".
	//
	// When set to "GroupKind", all objects which match the specified group and kind will be selected.
	// When set to "Label", all objects which match the specified labels and/or expressions will be selected.
	//
	// +unionDiscriminator
	// +kubebuilder:validation:Enum=GroupKind;Label
	// +required
	// <opcon:experimental>
	Type SelectorType `json:"type,omitempty"`

	// groupKind specifies the group and kind of objects to select.
	//
	// Required when type is "GroupKind".
	//
	// Uses the Kubernetes format specified here:
	// https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#GroupKind
	//
	// +optional
	// +unionMember
	// <opcon:experimental>
	GroupKind metav1.GroupKind `json:"groupKind,omitempty,omitzero"`

	// label is the label selector definition.
	//
	// Required when type is "Label".
	//
	// A probe using a Label selector will be executed against every object matching the labels or expressions; you must use care
	// when using this type of selector. For example, if multiple Kind objects are selected via labels then the probe is
	// likely to fail because the values of different Kind objects rarely share the same schema.
	//
	// The LabelSelector field uses the following Kubernetes format:
	// https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#LabelSelector
	// Requires exactly one of matchLabels or matchExpressions.
	//
	// +optional
	// +unionMember
	// +kubebuilder:validation:XValidation:rule="(has(self.matchExpressions) && !has(self.matchLabels)) || (!has(self.matchExpressions) && has(self.matchLabels))",message="exactly one of matchLabels or matchExpressions must be set"
	// <opcon:experimental>
	Label metav1.LabelSelector `json:"label,omitempty,omitzero"`
}

type ObjectSourceRef struct {
	// name is the name of the referenced Secret.
	//
	// +required
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	Name string `json:"name"`

	// namespace is the namespace of the referenced Secret.
	// When empty, defaults to the OLM system namespace during ref resolution.
	//
	// +optional
	// +kubebuilder:validation:MaxLength=63
	Namespace string `json:"namespace,omitempty"`

	// key is the data key within the referenced Secret containing the
	// object manifest content. The value at this key must be a
	// JSON-serialized Kubernetes object manifest.
	//
	// +required
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=253
	Key string `json:"key"`
}

type ObservedPhase struct {
	// name is the phase name matching a phase in spec.phases.
	//
	// +required
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=63
	// +kubebuilder:validation:XValidation:rule=`!format.dns1123Label().validate(self).hasValue()`,message="the value must consist of only lowercase alphanumeric characters and hyphens, and must start and end with an alphanumeric character."
	Name string `json:"name"`

	// digest is the digest of the phase's resolved object content
	// at first successful resolution, in the format "<algorithm>:<hex>".
	//
	// +required
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=256
	// +kubebuilder:validation:XValidation:rule=`self.matches('^[a-z0-9]+:[a-f0-9]+$')`,message="digest must be in the format '<algorithm>:<hex>'"
	Digest string `json:"digest"`
}

type PreflightConfig struct {
	// crdUpgradeSafety configures the CRD Upgrade Safety pre-flight checks that run
	// before upgrades of installed content.
	//
	// The CRD Upgrade Safety pre-flight check safeguards from unintended consequences of upgrading a CRD,
	// such as data loss.
	CRDUpgradeSafety *CRDUpgradeSafetyPreflightConfig `json:"crdUpgradeSafety"`
}

type ProbeType string

type ProgressionProbe struct {
	// selector is a required field which defines the method by which we select objects to apply the below
	// assertions to. Any object which matches the defined selector will have all the associated assertions
	// applied against it.
	//
	// If no objects within a phase are selected by the provided selector, then all assertions defined here
	// are considered to have succeeded.
	//
	// +required
	// <opcon:experimental>
	Selector ObjectSelector `json:"selector,omitzero"`

	// assertions is a required list of checks which will run against the objects selected by the selector. If
	// one or more assertions fail then the phase within which the object lives will be not be considered
	// 'Ready', blocking rollout of all subsequent phases.
	//
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=20
	// +listType=atomic
	// +required
	// <opcon:experimental>
	Assertions []Assertion `json:"assertions,omitempty"`
}

type ResolvedCatalogSource struct {
	// type is a required field that specifies the type of source for the catalog.
	//
	// The only allowed value is "Image".
	//
	// When set to "Image", information about the resolved image source is set in the image field.
	//
	// +unionDiscriminator
	// +kubebuilder:validation:Enum:="Image"
	// +required
	Type SourceType `json:"type"`
	// image contains resolution information for a catalog sourced from an image.
	// It must be set when type is Image, and forbidden otherwise.
	Image *ResolvedImageSource `json:"image"`
}

type ResolvedImageSource struct {
	// ref contains the resolved image digest-based reference.
	// The digest format allows you to use other tooling to fetch the exact OCI manifests
	// that were used to extract the catalog contents.
	// +required
	// +kubebuilder:validation:MaxLength:=1000
	// +kubebuilder:validation:XValidation:rule="self.matches('^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])((\\\\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(:[0-9]+)?\\\\b')",message="must start with a valid domain. valid domains must be alphanumeric characters (lowercase and uppercase) separated by the \".\" character."
	// +kubebuilder:validation:XValidation:rule="self.find('(\\\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?((\\\\/[a-z0-9]+((([._]|__|[-]*)[a-z0-9]+)+)?)+)?)') != \"\"",message="a valid name is required. valid names must contain lowercase alphanumeric characters separated only by the \".\", \"_\", \"__\", \"-\" characters."
	// +kubebuilder:validation:XValidation:rule="self.find('(@.*:)') != \"\"",message="must end with a digest"
	// +kubebuilder:validation:XValidation:rule="self.find('(@.*:)') != \"\" ? self.find('(@.*:)').matches('(@[A-Za-z][A-Za-z0-9]*([-_+.][A-Za-z][A-Za-z0-9]*)*[:])') : true",message="digest algorithm is not valid. valid algorithms must start with an uppercase or lowercase alpha character followed by alphanumeric characters and may contain the \"-\", \"_\", \"+\", and \".\" characters."
	// +kubebuilder:validation:XValidation:rule="self.find('(@.*:)') != \"\" ? self.find(':.*$').substring(1).size() >= 32 : true",message="digest is not valid. the encoded string must be at least 32 characters"
	// +kubebuilder:validation:XValidation:rule="self.find('(@.*:)') != \"\" ? self.find(':.*$').matches(':[0-9A-Fa-f]*$') : true",message="digest is not valid. the encoded string must only contain hex characters (A-F, a-f, 0-9)"
	Ref string `json:"ref"`
}

type RevisionStatus struct {
	// name of the ClusterObjectSet resource
	Name string `json:"name"`
	// conditions optionally expose Progressing and Available condition of the revision,
	// in case when it is not yet marked as successfully installed (condition Succeeded is not set to True).
	// Given that a ClusterExtension should remain available during upgrades, an observer may use these conditions
	// to get more insights about reasons for its current state.
	//
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type SelectorType string

type ServiceAccountReference struct {
	// name is a required, immutable reference to the name of the ServiceAccount used for installation
	// and management of the content for the package specified in the packageName field.
	//
	// This ServiceAccount must exist in the installNamespace.
	//
	// The name field follows the DNS subdomain standard as defined in [RFC 1123].
	// It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.),
	// start and end with an alphanumeric character, and be no longer than 253 characters.
	//
	// Some examples of valid values are:
	//   - some-serviceaccount
	//   - 123-serviceaccount
	//   - 1-serviceaccount-2
	//   - someserviceaccount
	//   - some.serviceaccount
	//
	// Some examples of invalid values are:
	//   - -some-serviceaccount
	//   - some-serviceaccount-
	//
	// [RFC 1123]: https://tools.ietf.org/html/rfc1123
	//
	// +kubebuilder:validation:MaxLength:=253
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable"
	// +kubebuilder:validation:XValidation:rule="self.matches(\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\")",message="name must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters"
	// +required
	Name string `json:"name"`
}

type SourceConfig struct {
	// sourceType is required and specifies the type of install source.
	//
	// The only allowed value is "Catalog".
	//
	// When set to "Catalog", information for determining the appropriate bundle of content to install
	// is fetched from ClusterCatalog resources on the cluster.
	// When using the Catalog sourceType, the catalog field must also be set.
	//
	// +unionDiscriminator
	// +kubebuilder:validation:Enum:="Catalog"
	// +required
	SourceType string `json:"sourceType"`

	// catalog configures how information is sourced from a catalog.
	// It is required when sourceType is "Catalog", and forbidden otherwise.
	//
	// +optional
	Catalog *CatalogFilter `json:"catalog,omitempty"`
}

type SourceType string

type UpgradeConstraintPolicy string