v1alpha1

type BundleEndpointProfile struct {
	// Type is the type of the bundle endpoint profile.
	Type BundleEndpointProfileType `json:"type"`

	// EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint. It is
	// required for the "https_spiffe" profile.
	// +kubebuilder:validation:Optional
	EndpointSPIFFEID string `json:"endpointSPIFFEID,omitempty"`
}

type BundleEndpointProfileType string

type ClusterFederatedTrustDomain struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   ClusterFederatedTrustDomainSpec   `json:"spec,omitempty"`
	Status ClusterFederatedTrustDomainStatus `json:"status,omitempty"`
}

type ClusterFederatedTrustDomainList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []ClusterFederatedTrustDomain `json:"items"`
}

type ClusterFederatedTrustDomainSpec struct {
	// TrustDomain is the name of the trust domain to federate with (e.g. example.org)
	// +kubebuilder:validation:Pattern="[a-z0-9._-]{1,255}"
	TrustDomain string `json:"trustDomain"`

	// BundleEndpointURL is the URL of the bundle endpoint. It must be an
	// HTTPS URL and cannot contain userinfo (i.e. username/password).
	BundleEndpointURL string `json:"bundleEndpointURL"`

	// BundleEndpointProfile is the profile for the bundle endpoint.
	BundleEndpointProfile BundleEndpointProfile `json:"bundleEndpointProfile"`

	// TrustDomainBundle is the contents of the bundle for the referenced trust
	// domain. This field is optional when the resource is created.
	// +kubebuilder:validation:Optional
	TrustDomainBundle string `json:"trustDomainBundle,omitempty"`

	// Set which Controller Class will act on this object
	// +kubebuilder:validation:Optional
	ClassName string `json:"className,omitempty"`
}

type ClusterFederatedTrustDomainStatus struct {
}

type ClusterSPIFFEID struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec ClusterSPIFFEIDSpec `json:"spec,omitempty"`
	// +optional
	Status ClusterSPIFFEIDStatus `json:"status,omitempty"`
}

type ClusterSPIFFEIDList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []ClusterSPIFFEID `json:"items"`
}

type ClusterSPIFFEIDSpec struct {

	// SPIFFEID is the SPIFFE ID template. The node and pod spec are made
	// available to the template under .NodeSpec, .PodSpec respectively.
	SPIFFEIDTemplate string `json:"spiffeIDTemplate"`

	// TTL indicates an upper-bound time-to-live for X509 SVIDs minted for this
	// ClusterSPIFFEID. If unset, a default will be chosen.
	TTL metav1.Duration `json:"ttl,omitempty"`

	// JWTTTL indicates an upper-bound time-to-live for JWT SVIDs minted for this
	// ClusterSPIFFEID.
	JWTTTL metav1.Duration `json:"jwtTtl,omitempty"`

	// DNSNameTemplate represents templates for extra DNS names that are
	// applicable to SVIDs minted for this ClusterSPIFFEID.
	// The node and pod spec are made available to the template under
	// .NodeSpec, .PodSpec respectively.
	DNSNameTemplates []string `json:"dnsNameTemplates,omitempty"`

	// WorkloadSelectorTemplates are templates to produce arbitrary workload
	// selectors that apply to a given workload before it will receive this
	// SPIFFE ID. The rendered value is interpreted by SPIRE and are of the
	// form type:value, where the value may, and often does, contain
	// semicolons, .e.g., k8s:container-image:docker/hello-world
	// The node and pod spec are made available to the template under
	// .NodeSpec, .PodSpec respectively.
	WorkloadSelectorTemplates []string `json:"workloadSelectorTemplates,omitempty"`

	// FederatesWith is a list of trust domain names that workloads that
	// obtain this SPIFFE ID will federate with.
	FederatesWith []string `json:"federatesWith,omitempty"`

	// NamespaceSelector selects the namespaces that are targeted by this
	// CRD.
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`

	// PodSelector selects the pods that are targeted by this
	// CRD.
	PodSelector *metav1.LabelSelector `json:"podSelector,omitempty"`

	// Admin indicates whether or not the SVID can be used to access the SPIRE
	// administrative APIs. Extra care should be taken to only apply this
	// SPIFFE ID to admin workloads.
	Admin bool `json:"admin,omitempty"`

	// Downstream indicates that the entry describes a downstream SPIRE server.
	Downstream bool `json:"downstream,omitempty"`

	// AutoPopulateDNSNames indicates whether or not to auto populate service DNS names.
	AutoPopulateDNSNames bool `json:"autoPopulateDNSNames,omitempty"`

	// Set which Controller Class will act on this object
	// +kubebuilder:validation:Optional
	ClassName string `json:"className,omitempty"`
}

type ClusterSPIFFEIDStats struct {
	// How many namespaces were selected.
	// +kubebuilder:validation:Optional
	NamespacesSelected int `json:"namespacesSelected"`

	// How many (selected) namespaces were ignored (based on configuration).
	// +kubebuilder:validation:Optional
	NamespacesIgnored int `json:"namespacesIgnored"`

	// How many pods were selected out of the namespaces.
	// +kubebuilder:validation:Optional
	PodsSelected int `json:"podsSelected"`

	// How many failures were encountered rendering an entry selected pods.
	// This could be due to either a bad template in the ClusterSPIFFEID or
	// Pod metadata that when applied to the template did not produce valid
	// entry values.
	// +kubebuilder:validation:Optional
	PodEntryRenderFailures int `json:"podEntryRenderFailures"`

	// How many entries were masked by entries for other ClusterSPIFFEIDs.
	// This happens when one or more ClusterSPIFFEIDs produce an entry for
	// the same pod with the same set of workload selectors.
	// +kubebuilder:validation:Optional
	EntriesMasked int `json:"entriesMasked"`

	// How many entries are to be set for this ClusterSPIFFEID. In nominal
	// conditions, this should reflect the number of pods selected, but not
	// always if there were problems encountered rendering an entry for the pod
	// (RenderFailures) or entries are masked (EntriesMasked).
	// +kubebuilder:validation:Optional
	EntriesToSet int `json:"entriesToSet"`

	// How many entries were unable to be set due to failures to create or
	// update the entries via the SPIRE Server API.
	// +kubebuilder:validation:Optional
	EntryFailures int `json:"entryFailures"`
}

type ClusterSPIFFEIDStatus struct {
	// Stats produced by the last entry reconciliation run
	// +kubebuilder:validation:Optional
	Stats ClusterSPIFFEIDStats `json:"stats"`
}

type ClusterStaticEntry struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   ClusterStaticEntrySpec   `json:"spec,omitempty"`
	Status ClusterStaticEntryStatus `json:"status,omitempty"`
}

type ClusterStaticEntryList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []ClusterStaticEntry `json:"items"`
}

type ClusterStaticEntrySpec struct {
	SPIFFEID      string          `json:"spiffeID"`
	ParentID      string          `json:"parentID"`
	Selectors     []string        `json:"selectors"`
	FederatesWith []string        `json:"federatesWith,omitempty"`
	X509SVIDTTL   metav1.Duration `json:"x509SVIDTTL,omitempty"`
	JWTSVIDTTL    metav1.Duration `json:"jwtSVIDTTL,omitempty"`
	DNSNames      []string        `json:"dnsNames,omitempty"`
	Hint          string          `json:"hint,omitempty"`
	Admin         bool            `json:"admin,omitempty"`
	Downstream    bool            `json:"downstream,omitempty"`
	// Set which Controller Class will act on this object
	// +kubebuilder:validation:Optional
	ClassName string `json:"className,omitempty"`
}

type ClusterStaticEntryStatus struct {
	// If the static entry rendered properly.
	Rendered bool `json:"rendered"`

	// If the static entry was masked by another entry.
	Masked bool `json:"masked"`

	// If the static entry was successfully created/updated.
	Set bool `json:"set"`
}

type ControllerConfigurationSpec struct {
	// GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation
	// allowed for that controller.
	//
	// When a controller is registered within this manager using the builder utilities,
	// users have to specify the type the controller reconciles in the For(...) call.
	// If the object's kind passed matches one of the keys in this map, the concurrency
	// for that controller is set to the number specified.
	//
	// The key is expected to be consistent in form with GroupKind.String(),
	// e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`.
	//
	// +optional
	GroupKindConcurrency map[string]int `json:"groupKindConcurrency,omitempty"`

	// CacheSyncTimeout refers to the time limit set to wait for syncing caches.
	// Defaults to 2 minutes if not set.
	// +optional
	CacheSyncTimeout *time.Duration `json:"cacheSyncTimeout,omitempty"`

	// RecoverPanic indicates if panics should be recovered.
	// +optional
	RecoverPanic *bool `json:"recoverPanic,omitempty"`
}

type ControllerHealth struct {
	// HealthProbeBindAddress is the TCP address that the controller should bind to
	// for serving health probes
	// It can be set to "0" or "" to disable serving the health probe.
	// +optional
	HealthProbeBindAddress string `json:"healthProbeBindAddress,omitempty"`

	// ReadinessEndpointName, defaults to "readyz"
	// +optional
	ReadinessEndpointName string `json:"readinessEndpointName,omitempty"`

	// LivenessEndpointName, defaults to "healthz"
	// +optional
	LivenessEndpointName string `json:"livenessEndpointName,omitempty"`
}

type ControllerManagerConfig struct {
	metav1.TypeMeta `json:",inline"`

	// ControllerManagerConfigurationSpec returns the contfigurations for controllers
	ControllerManagerConfigurationSpec `json:",inline"`

	// ClusterName is the cluster name
	ClusterName string `json:"clusterName"`

	// ClusterDomain is the cluster domain, ie cluster.local
	ClusterDomain string `json:"clusterDomain"`

	// TrustDomain is the name of the SPIFFE trust domain
	TrustDomain string `json:"trustDomain"`

	// IgnoreNamespaces are the namespaces to ignore
	IgnoreNamespaces []string `json:"ignoreNamespaces"`

	// ValidatingWebhookConfigurationName selects the webhook configuration to manage.
	// Defaults to spire-controller-manager-webhook.
	ValidatingWebhookConfigurationName string `json:"validatingWebhookConfigurationName"`

	// GCInterval is how often SPIRE state is reconciled when the controller
	// is otherwise idle. This impacts how quickly SPIRE state will converge
	// after CRDs are removed or SPIRE state is mutated out from underneath
	// the controller.
	GCInterval time.Duration `json:"gcInterval"`

	// SPIREServerSocketPath is the path to the SPIRE Server API socket
	SPIREServerSocketPath string `json:"spireServerSocketPath"`
}

type ControllerManagerConfigurationSpec struct {
	// SyncPeriod determines the minimum frequency at which watched resources are
	// reconciled. A lower period will correct entropy more quickly, but reduce
	// responsiveness to change if there are many watched resources. Change this
	// value only if you know what you are doing. Defaults to 10 hours if unset.
	// there will a 10 percent jitter between the SyncPeriod of all controllers
	// so that all controllers will not send list requests simultaneously.
	// +optional
	SyncPeriod *metav1.Duration `json:"syncPeriod,omitempty"`

	// LeaderElection is the LeaderElection config to be used when configuring
	// the manager.Manager leader election.
	// +optional
	LeaderElection *configv1alpha1.LeaderElectionConfiguration `json:"leaderElection,omitempty"`

	// CacheNamespace if specified restricts the manager's cache to watch objects in
	// the desired namespace. Defaults to all namespaces.
	// Deprecated: use cacheNamespaces instead
	//
	// Note: If a namespace is specified, controllers can still Watch for a
	// cluster-scoped resource (e.g Node).  For namespaced resources the cache
	// will only hold objects from the desired namespace.
	// +optional
	CacheNamespace string `json:"cacheNamespace,omitempty"`

	// CacheNamespaces if specified restricts the manager's cache to watch objects in
	// the desired namespaces. Defaults to all namespaces.
	// +optional
	CacheNamespaces map[string]*NamespaceConfig `json:"cacheNamespaces,omitempty"`

	// GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop.
	// To disable graceful shutdown, set to time.Duration(0)
	// To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1)
	// The graceful shutdown is skipped for safety reasons in case the leader election lease is lost.
	GracefulShutdownTimeout *metav1.Duration `json:"gracefulShutDown,omitempty"`

	// Controller contains global configuration options for controllers
	// registered within this manager.
	// +optional
	Controller *ControllerConfigurationSpec `json:"controller,omitempty"`

	// Metrics contains the controller metrics configuration
	// +optional
	Metrics ControllerMetrics `json:"metrics,omitempty"`

	// Health contains the controller health configuration
	// +optional
	Health ControllerHealth `json:"health,omitempty"`

	// Webhook contains the controllers webhook configuration
	// +optional
	Webhook ControllerWebhook `json:"webhook,omitempty"`

	// ClassName contains the name of a class to watch CRs for. Others will be ignored.
	// If unset all will be watched.
	// +optional
	ClassName string `json:"className,omitempty"`

	// If WatchClassless is set and ClassName is set, any CR without a ClassName
	// specified will also be handled by this controller.
	// +optional
	WatchClassless bool `json:"watchClassless,omitempty"`
}

type ControllerMetrics struct {
	// BindAddress is the TCP address that the controller should bind to
	// for serving prometheus metrics.
	// It can be set to "0" to disable the metrics serving.
	// +optional
	BindAddress string `json:"bindAddress,omitempty"`
}

type ControllerWebhook struct {
	// Port is the port that the webhook server serves at.
	// It is used to set webhook.Server.Port.
	// +optional
	Port *int `json:"port,omitempty"`

	// Host is the hostname that the webhook server binds to.
	// It is used to set webhook.Server.Host.
	// +optional
	Host string `json:"host,omitempty"`

	// CertDir is the directory that contains the server key and certificate.
	// if not set, webhook server would look up the server key and certificate in
	// {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate
	// must be named tls.key and tls.crt, respectively.
	// +optional
	CertDir string `json:"certDir,omitempty"`
}

type NamespaceConfig struct {
	// LabelSelectors map of Labels selectors
	// +optional
	LabelSelectors map[string]string `json:"labelSelectors,omitempty"`

	// FieldSelectors map of Fields selectors
	// +optional
	FieldSelectors map[string]string `json:"fieldSelectors,omitempty"`
}

type ParsedClusterSPIFFEIDSpec struct {
	SPIFFEIDTemplate          *template.Template
	NamespaceSelector         labels.Selector
	PodSelector               labels.Selector
	TTL                       time.Duration
	JWTTTL                    time.Duration
	FederatesWith             []spiffeid.TrustDomain
	DNSNameTemplates          []*template.Template
	WorkloadSelectorTemplates []*template.Template
	Admin                     bool
	Downstream                bool
	AutoPopulateDNSNames      bool
}