v1beta2

type AdditionalRoleBindingsSpec struct {
	ClusterRoleName string `json:"clusterRoleName"`
	// kubebuilder:validation:Minimum=1
	Subjects []rbacv1.Subject `json:"subjects"`
}

type ByKindAndName OwnerListSpec

type CapsuleConfiguration struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec CapsuleConfigurationSpec `json:"spec,omitempty"`
}

type CapsuleConfigurationList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []CapsuleConfiguration `json:"items"`
}

type CapsuleConfigurationSpec struct {
	// Names of the users considered as Capsule users.
	UserNames []string `json:"userNames,omitempty"`
	// Names of the groups considered as Capsule users.
	// +kubebuilder:default={capsule.clastix.io}
	UserGroups []string `json:"userGroups,omitempty"`
	// Define groups which when found in the request of a user will be ignored by the Capsule
	// this might be useful if you have one group where all the users are in, but you want to separate administrators from normal users with additional groups.
	IgnoreUserWithGroups []string `json:"ignoreUserWithGroups,omitempty"`
	// ServiceAccounts within tenant namespaces can be promoted to owners of the given tenant
	// this can be achieved by labeling the serviceaccount and then they are considered owners. This can only be done by other owners of the tenant.
	// However ServiceAccounts which have been promoted to owner can not promote further serviceAccounts.
	// +kubebuilder:default=false
	AllowServiceAccountPromotion bool `json:"allowServiceAccountPromotion,omitempty"`
	// Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
	// separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
	// +kubebuilder:default=false
	ForceTenantPrefix bool `json:"forceTenantPrefix,omitempty"`
	// Disallow creation of namespaces, whose name matches this regexp
	ProtectedNamespaceRegexpString string `json:"protectedNamespaceRegex,omitempty"`
	// Allows to set different name rather than the canonical one for the Capsule configuration objects,
	// such as webhook secret or configurations.
	// +kubebuilder:default={TLSSecretName:"capsule-tls",mutatingWebhookConfigurationName:"capsule-mutating-webhook-configuration",validatingWebhookConfigurationName:"capsule-validating-webhook-configuration"}
	CapsuleResources CapsuleResources `json:"overrides,omitempty"`
	// Allows to set the forbidden metadata for the worker nodes that could be patched by a Tenant.
	// This applies only if the Tenant has an active NodeSelector, and the Owner have right to patch their nodes.
	NodeMetadata *NodeMetadata `json:"nodeMetadata,omitempty"`
	// Toggles the TLS reconciler, the controller that is able to generate CA and certificates for the webhooks
	// when not using an already provided CA and certificate, or when these are managed externally with Vault, or cert-manager.
	// +kubebuilder:default=true
	EnableTLSReconciler bool `json:"enableTLSReconciler"` //nolint:tagliatelle
}

type CapsuleResources struct {
	// Defines the Secret name used for the webhook server.
	// Must be in the same Namespace where the Capsule Deployment is deployed.
	// +kubebuilder:default=capsule-tls
	TLSSecretName string `json:"TLSSecretName"` //nolint:tagliatelle
	// Name of the MutatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
	// +kubebuilder:default=capsule-mutating-webhook-configuration
	MutatingWebhookConfigurationName string `json:"mutatingWebhookConfigurationName"`
	// Name of the ValidatingWebhookConfiguration which contains the dynamic admission controller paths and resources.
	// +kubebuilder:default=capsule-validating-webhook-configuration
	ValidatingWebhookConfigurationName string `json:"validatingWebhookConfigurationName"`
}

type GatewayOptions struct {
	AllowedClasses *api.SelectionListWithDefaultSpec `json:"allowedClasses,omitempty"`
}

type GlobalTenantResource struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   GlobalTenantResourceSpec   `json:"spec,omitempty"`
	Status GlobalTenantResourceStatus `json:"status,omitempty"`
}

type GlobalTenantResourceList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []GlobalTenantResource `json:"items"`
}

type GlobalTenantResourceSpec struct {
	TenantResourceSpec `json:",inline"`

	// Defines the Tenant selector used target the tenants on which resources must be propagated.
	TenantSelector metav1.LabelSelector `json:"tenantSelector,omitempty"`
}

type GlobalTenantResourceStatus struct {
	// List of Tenants addressed by the GlobalTenantResource.
	SelectedTenants []string `json:"selectedTenants"`
	// List of the replicated resources for the given TenantResource.
	ProcessedItems ProcessedItems `json:"processedItems"`
}

type IngressOptions struct {
	// Specifies the allowed IngressClasses assigned to the Tenant.
	// Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed IngressClasses.
	// A default value can be specified, and all the Ingress resources created will inherit the declared class.
	// Optional.
	AllowedClasses *api.DefaultAllowedListSpec `json:"allowedClasses,omitempty"`
	// Defines the scope of hostname collision check performed when Tenant Owners create Ingress with allowed hostnames.
	//
	//
	// - Cluster: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces managed by Capsule.
	//
	// - Tenant: disallow the creation of an Ingress if the pair hostname and path is already used across the Namespaces of the Tenant.
	//
	// - Namespace: disallow the creation of an Ingress if the pair hostname and path is already used in the Ingress Namespace.
	//
	//
	// Optional.
	// +kubebuilder:default=Disabled
	HostnameCollisionScope api.HostnameCollisionScope `json:"hostnameCollisionScope,omitempty"`
	// Specifies the allowed hostnames in Ingresses for the given Tenant. Capsule assures that all Ingress resources created in the Tenant can use only one of the allowed hostnames. Optional.
	AllowedHostnames *api.AllowedListSpec `json:"allowedHostnames,omitempty"`
	// Toggles the ability for Ingress resources created in a Tenant to have a hostname wildcard.
	AllowWildcardHostnames bool `json:"allowWildcardHostnames,omitempty"`
}

type NamespaceOptions struct {
	// +kubebuilder:validation:Minimum=1
	// Specifies the maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
	Quota *int32 `json:"quota,omitempty"`
	// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant. Optional.
	// Deprecated: Use additionalMetadataList instead
	AdditionalMetadata *api.AdditionalMetadataSpec `json:"additionalMetadata,omitempty"`
	// Specifies additional labels and annotations the Capsule operator places on any Namespace resource in the Tenant via a list. Optional.
	AdditionalMetadataList []api.AdditionalMetadataSelectorSpec `json:"additionalMetadataList,omitempty"`
	// Define the labels that a Tenant Owner cannot set for their Namespace resources.
	ForbiddenLabels api.ForbiddenListSpec `json:"forbiddenLabels,omitempty"`
	// Define the annotations that a Tenant Owner cannot set for their Namespace resources.
	ForbiddenAnnotations api.ForbiddenListSpec `json:"forbiddenAnnotations,omitempty"`
	// If enabled only metadata from additionalMetadata is reconciled to the namespaces.
	//+kubebuilder:default:=false
	ManagedMetadataOnly bool `json:"managedMetadataOnly,omitempty"`
}

type NodeMetadata struct {
	// Define the labels that a Tenant Owner cannot set for their nodes.
	ForbiddenLabels api.ForbiddenListSpec `json:"forbiddenLabels"`
	// Define the annotations that a Tenant Owner cannot set for their nodes.
	ForbiddenAnnotations api.ForbiddenListSpec `json:"forbiddenAnnotations"`
}

type NonLimitedResourceError struct {
	// contains filtered or unexported fields
}

type ObjectReference struct {
	ObjectReferenceAbstract `json:",inline"`

	// Label selector used to select the given resources in the given Namespace.
	Selector metav1.LabelSelector `json:"selector"`
}

type ObjectReferenceAbstract struct {
	// Kind of the referent.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	Kind string `json:"kind"`
	// Namespace of the referent.
	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
	Namespace string `json:"namespace"`
	// API version of the referent.
	APIVersion string `json:"apiVersion,omitempty"`
}

type ObjectReferenceStatus struct {
	ObjectReferenceAbstract `json:",inline"`

	// Name of the referent.
	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
	Name string `json:"name"`
}

type OwnerKind string

type OwnerListSpec []OwnerSpec

type OwnerSpec struct {
	// Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
	Kind OwnerKind `json:"kind"`
	// Name of tenant owner.
	Name string `json:"name"`
	// Defines additional cluster-roles for the specific Owner.
	// +kubebuilder:default={admin,capsule-namespace-deleter}
	ClusterRoles []string `json:"clusterRoles,omitempty"`
	// Proxy settings for tenant owner.
	ProxyOperations []ProxySettings `json:"proxySettings,omitempty"`
	// Additional Labels for the synchronized rolebindings
	Labels map[string]string `json:"labels,omitempty"`
	// Additional Annotations for the synchronized rolebindings
	Annotations map[string]string `json:"annotations,omitempty"`
}

type ProcessedItems []ObjectReferenceStatus

type ProxyOperation string

type ProxyServiceKind string

type ProxySettings struct {
	Kind       ProxyServiceKind `json:"kind"`
	Operations []ProxyOperation `json:"operations"`
}

type RawExtension struct {
	runtime.RawExtension `json:",inline"`
}

type ResourcePool struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   ResourcePoolSpec   `json:"spec,omitempty"`
	Status ResourcePoolStatus `json:"status,omitempty"`
}

type ResourcePoolClaim struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   ResourcePoolClaimSpec   `json:"spec,omitempty"`
	Status ResourcePoolClaimStatus `json:"status,omitempty"`
}

type ResourcePoolClaimList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []ResourcePoolClaim `json:"items"`
}

type ResourcePoolClaimSpec struct {
	// If there's the possability to claim from multiple global Quotas
	// You must be specific about which one you want to claim resources from
	// Once bound to a ResourcePool, this field is immutable
	Pool string `json:"pool"`
	// Amount which should be claimed for the resourcequota
	ResourceClaims corev1.ResourceList `json:"claim"`
}

type ResourcePoolClaimStatus struct {
	// Reference to the GlobalQuota being claimed from
	Pool api.StatusNameUID `json:"pool,omitempty"`
	// Condtion for this resource claim
	Condition metav1.Condition `json:"condition,omitempty"`
}

type ResourcePoolClaimsItem struct {
	// Reference to the GlobalQuota being claimed from
	api.StatusNameUID `json:",inline"`

	// Claimed resources
	Claims corev1.ResourceList `json:"claims,omitempty"`
}

type ResourcePoolClaimsList []*ResourcePoolClaimsItem

type ResourcePoolList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []ResourcePool `json:"items"`
}

type ResourcePoolNamespaceClaimsStatus map[string]ResourcePoolClaimsList

type ResourcePoolQuotaStatus struct {
	// Hard is the set of enforced hard limits for each named resource.
	// More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
	// +optional
	Hard corev1.ResourceList `json:"hard,omitempty" protobuf:"bytes,1,rep,name=hard,casttype=ResourceList,castkey=ResourceName"`
	// Used is the current observed total usage of the resource in the namespace.
	// +optional
	Claimed corev1.ResourceList `json:"used,omitempty" protobuf:"bytes,2,rep,name=used,casttype=ResourceList,castkey=ResourceName"`
	// Used to track the usage of the resource in the pool (diff hard - claimed). May be used for further automation
	// +optional
	Available corev1.ResourceList `json:"available,omitempty" protobuf:"bytes,2,rep,name=available,casttype=ResourceList,castkey=ResourceName"`
}

type ResourcePoolSpec struct {
	// Selector to match the namespaces that should be managed by the GlobalResourceQuota
	Selectors []api.NamespaceSelector `json:"selectors,omitempty"`
	// Define the resourcequota served by this resourcepool.
	Quota corev1.ResourceQuotaSpec `json:"quota"`
	// The Defaults given for each namespace, the default is not counted towards the total allocation
	// When you use claims it's recommended to provision Defaults as the prevent the scheduling of any resources
	Defaults corev1.ResourceList `json:"defaults,omitempty"`
	// Additional Configuration
	//+kubebuilder:default:={}
	Config ResourcePoolSpecConfiguration `json:"config,omitempty"`
}

type ResourcePoolSpecConfiguration struct {
	// With this option all resources which can be allocated are set to 0 for the resourcequota defaults.
	// +kubebuilder:default=false
	DefaultsAssignZero *bool `json:"defaultsZero,omitempty"`
	// Claims are queued whenever they are allocated to a pool. A pool tries to allocate claims in order based on their
	// creation date. But no matter their creation time, if a claim is requesting too much resources it's put into the queue
	// but if a lower priority claim still has enough space in the available resources, it will be able to claim them. Eventough
	// it's priority was lower
	// Enabling this option respects to Order. Meaning the Creationtimestamp matters and if a resource is put into the queue, no
	// other claim can claim the same resources with lower priority.
	// +kubebuilder:default=false
	OrderedQueue *bool `json:"orderedQueue,omitempty"`
	// When a resourcepool is deleted, the resourceclaims bound to it are disassociated from the resourcepool but not deleted.
	// By Enabling this option, the resourceclaims will be deleted when the resourcepool is deleted, if they are in bound state.
	// +kubebuilder:default=false
	DeleteBoundResources *bool `json:"deleteBoundResources,omitempty"`
}

type ResourcePoolStatus struct {
	// How many namespaces are considered
	// +kubebuilder:default=0
	NamespaceSize uint `json:"namespaceCount,omitempty"`
	// Amount of claims
	// +kubebuilder:default=0
	ClaimSize uint `json:"claimCount,omitempty"`
	// Namespaces which are considered for claims
	Namespaces []string `json:"namespaces,omitempty"`
	// Tracks the quotas for the Resource.
	Claims ResourcePoolNamespaceClaimsStatus `json:"claims,omitempty"`
	// Tracks the Usage from Claimed against what has been granted from the pool
	Allocation ResourcePoolQuotaStatus `json:"allocation,omitempty"`
	// Exhaustions from claims associated with the pool
	Exhaustions map[string]api.PoolExhaustionResource `json:"exhaustions,omitempty"`
}

type ResourceSpec struct {
	// Defines the Namespace selector to select the Tenant Namespaces on which the resources must be propagated.
	// In case of nil value, all the Tenant Namespaces are targeted.
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
	// List of the resources already existing in other Namespaces that must be replicated.
	NamespacedItems []ObjectReference `json:"namespacedItems,omitempty"`
	// List of raw resources that must be replicated.
	RawItems []RawExtension `json:"rawItems,omitempty"`
	// Besides the Capsule metadata required by TenantResource controller, defines additional metadata that must be
	// added to the replicated resources.
	AdditionalMetadata *api.AdditionalMetadataSpec `json:"additionalMetadata,omitempty"`
}

type Tenant struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   TenantSpec   `json:"spec,omitempty"`
	Status TenantStatus `json:"status,omitempty"`
}

type TenantList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []Tenant `json:"items"`
}

type TenantResource struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   TenantResourceSpec   `json:"spec,omitempty"`
	Status TenantResourceStatus `json:"status,omitempty"`
}

type TenantResourceList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []TenantResource `json:"items"`
}

type TenantResourceSpec struct {
	// Define the period of time upon a second reconciliation must be invoked.
	// Keep in mind that any change to the manifests will trigger a new reconciliation.
	// +kubebuilder:default="60s"
	ResyncPeriod metav1.Duration `json:"resyncPeriod"`
	// When the replicated resource manifest is deleted, all the objects replicated so far will be automatically deleted.
	// Disable this to keep replicated resources although the deletion of the replication manifest.
	// +kubebuilder:default=true
	PruningOnDelete *bool `json:"pruningOnDelete,omitempty"`
	// Defines the rules to select targeting Namespace, along with the objects that must be replicated.
	Resources []ResourceSpec `json:"resources"`
}

type TenantResourceStatus struct {
	// List of the replicated resources for the given TenantResource.
	ProcessedItems ProcessedItems `json:"processedItems"`
}

type TenantSpec struct {
	// Specifies the owners of the Tenant.
	// Optional
	Owners OwnerListSpec `json:"owners,omitempty"`
	// Specifies options for the Namespaces, such as additional metadata or maximum number of namespaces allowed for that Tenant. Once the namespace quota assigned to the Tenant has been reached, the Tenant owner cannot create further namespaces. Optional.
	NamespaceOptions *NamespaceOptions `json:"namespaceOptions,omitempty"`
	// Specifies options for the Service, such as additional metadata or block of certain type of Services. Optional.
	ServiceOptions *api.ServiceOptions `json:"serviceOptions,omitempty"`
	// Specifies options for the Pods deployed in the Tenant namespaces, such as additional metadata.
	PodOptions *api.PodOptions `json:"podOptions,omitempty"`
	// Specifies the allowed StorageClasses assigned to the Tenant.
	// Capsule assures that all PersistentVolumeClaim resources created in the Tenant can use only one of the allowed StorageClasses.
	// A default value can be specified, and all the PersistentVolumeClaim resources created will inherit the declared class.
	// Optional.
	StorageClasses *api.DefaultAllowedListSpec `json:"storageClasses,omitempty"`
	// Specifies options for the Ingress resources, such as allowed hostnames and IngressClass. Optional.
	IngressOptions IngressOptions `json:"ingressOptions,omitempty"`
	// Specifies the trusted Image Registries assigned to the Tenant. Capsule assures that all Pods resources created in the Tenant can use only one of the allowed trusted registries. Optional.
	ContainerRegistries *api.AllowedListSpec `json:"containerRegistries,omitempty"`
	// Specifies the label to control the placement of pods on a given pool of worker nodes. All namespaces created within the Tenant will have the node selector annotation. This annotation tells the Kubernetes scheduler to place pods on the nodes having the selector label. Optional.
	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
	// Specifies the NetworkPolicies assigned to the Tenant. The assigned NetworkPolicies are inherited by any namespace created in the Tenant. Optional.
	// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
	NetworkPolicies api.NetworkPolicySpec `json:"networkPolicies,omitempty"`
	// Specifies the resource min/max usage restrictions to the Tenant. The assigned values are inherited by any namespace created in the Tenant. Optional.
	// Deprecated: Use Tenant Replications instead (https://projectcapsule.dev/docs/replications/)
	LimitRanges api.LimitRangesSpec `json:"limitRanges,omitempty"`
	// Specifies a list of ResourceQuota resources assigned to the Tenant. The assigned values are inherited by any namespace created in the Tenant. The Capsule operator aggregates ResourceQuota at Tenant level, so that the hard quota is never crossed for the given Tenant. This permits the Tenant owner to consume resources in the Tenant regardless of the namespace. Optional.
	ResourceQuota api.ResourceQuotaSpec `json:"resourceQuotas,omitempty"`
	// Specifies additional RoleBindings assigned to the Tenant. Capsule will ensure that all namespaces in the Tenant always contain the RoleBinding for the given ClusterRole. Optional.
	AdditionalRoleBindings []api.AdditionalRoleBindingsSpec `json:"additionalRoleBindings,omitempty"`
	// Specify the allowed values for the imagePullPolicies option in Pod resources. Capsule assures that all Pod resources created in the Tenant can use only one of the allowed policy. Optional.
	ImagePullPolicies []api.ImagePullPolicySpec `json:"imagePullPolicies,omitempty"`
	// Specifies the allowed RuntimeClasses assigned to the Tenant.
	// Capsule assures that all Pods resources created in the Tenant can use only one of the allowed RuntimeClasses.
	// Optional.
	RuntimeClasses *api.DefaultAllowedListSpec `json:"runtimeClasses,omitempty"`
	// Specifies the allowed priorityClasses assigned to the Tenant.
	// Capsule assures that all Pods resources created in the Tenant can use only one of the allowed PriorityClasses.
	// A default value can be specified, and all the Pod resources created will inherit the declared class.
	// Optional.
	PriorityClasses *api.DefaultAllowedListSpec `json:"priorityClasses,omitempty"`
	// Specifies options for the GatewayClass resources.
	GatewayOptions GatewayOptions `json:"gatewayOptions,omitempty"`
	// Toggling the Tenant resources cordoning, when enable resources cannot be deleted.
	//+kubebuilder:default:=false
	Cordoned bool `json:"cordoned,omitempty"`
	// Prevent accidental deletion of the Tenant.
	// When enabled, the deletion request will be declined.
	//+kubebuilder:default:=false
	PreventDeletion bool `json:"preventDeletion,omitempty"`
	// Use this if you want to disable/enable the Tenant name prefix to specific Tenants, overriding global forceTenantPrefix in CapsuleConfiguration.
	// When set to 'true', it enforces Namespaces created for this Tenant to be named with the Tenant name prefix,
	// separated by a dash (i.e. for Tenant 'foo', namespace names must be prefixed with 'foo-'),
	// this is useful to avoid Namespace name collision.
	// When set to 'false', it allows Namespaces created for this Tenant to be named anything.
	// Overrides CapsuleConfiguration global forceTenantPrefix for the Tenant only.
	// If unset, Tenant uses CapsuleConfiguration's forceTenantPrefix
	// Optional
	ForceTenantPrefix *bool `json:"forceTenantPrefix,omitempty"`
}

type TenantStatus struct {
	// +kubebuilder:default=Active
	// The operational state of the Tenant. Possible values are "Active", "Cordoned".
	State tenantState `json:"state"`
	// How many namespaces are assigned to the Tenant.
	Size uint `json:"size"`
	// List of namespaces assigned to the Tenant. (Deprecated)
	Namespaces []string `json:"namespaces,omitempty"`
	// Tracks state for the namespaces associated with this tenant
	Spaces []*TenantStatusNamespaceItem `json:"spaces,omitempty"`
	// Tenant Condition
	Conditions meta.ConditionList `json:"conditions"`
}

type TenantStatusNamespaceItem struct {
	// Conditions
	Conditions meta.ConditionList `json:"conditions"`
	// Namespace Name
	Name string `json:"name"`
	// Namespace UID
	UID k8stypes.UID `json:"uid,omitempty"`
	// Managed Metadata
	Metadata *TenantStatusNamespaceMetadata `json:"metadata,omitempty"`
}

type TenantStatusNamespaceMetadata struct {
	// Managed Labels
	Labels map[string]string `json:"labels,omitempty"`
	// Managed Annotations
	Annotations map[string]string `json:"annotations,omitempty"`
}