v1alpha1

type AllAtOnceRolloutStrategy struct{}

type BaseWorkerDeploymentVersion struct {
	// BuildID is the unique identifier for this version of the worker deployment.
	BuildID string `json:"buildID"`

	// Status indicates whether workers in this version may
	// be eligible to receive tasks from the Temporal server.
	Status VersionStatus `json:"status"`

	// Healthy indicates whether the deployment version is healthy.
	// +optional
	HealthySince *metav1.Time `json:"healthySince,omitempty"`

	// A pointer to the version's managed k8s deployment.
	// +optional
	Deployment *corev1.ObjectReference `json:"deployment,omitempty"`

	// TaskQueues is a list of task queues that are associated with this version.
	TaskQueues []TaskQueue `json:"taskQueues,omitempty"`

	// ManagedBy is the identity of the client that is managing the rollout of this version.
	// +optional
	ManagedBy string `json:"managedBy,omitempty"`
}

type CurrentWorkerDeploymentVersion struct {
	BaseWorkerDeploymentVersion `json:",inline"`
}

type DefaultVersionUpdateStrategy string

type DeprecatedWorkerDeploymentVersion struct {
	BaseWorkerDeploymentVersion `json:",inline"`

	// DrainedSince is the time at which the version became drained.
	// Only set when Status is VersionStatusDrained.
	// +optional
	DrainedSince *metav1.Time `json:"drainedSince,omitempty"`

	// A Version is considered eligible for deletion if it is drained and has no
	// controller-managed workers with active replicas polling on its task queues.
	// The server automatically deletes eligible versions when it needs to make room for new ones.
	// If this version has pollers that are not managed by the controller, the server
	// will not be able to delete the version. `EligibleForDeletion=true` does not consider
	// that scenario, because it is rare and it is too expensive to cover (requires describing
	// every drained version without controller-managed pollers and all task queues in
	// that version).
	// +optional
	EligibleForDeletion bool `json:"eligibleForDeletion,omitempty"`
}

type GateInputSource struct {
	// Select a key of a ConfigMap in the same namespace
	// +optional
	ConfigMapKeyRef *corev1.ConfigMapKeySelector `json:"configMapKeyRef,omitempty"`
	// Select a key of a Secret in the same namespace
	// +optional
	SecretKeyRef *corev1.SecretKeySelector `json:"secretKeyRef,omitempty"`
}

type GateWorkflowConfig struct {
	WorkflowType string `json:"workflowType"`
	// Input is an arbitrary JSON object passed as the first parameter to the gate workflow.
	// For inputs with secrets use SecretKeyRef in InputFrom to omit from logs.
	// +optional
	Input *apiextensionsv1.JSON `json:"input,omitempty"`
	// InputFrom references a key in a ConfigMap or Secret whose contents are passed
	// as the first parameter to the gate workflow. The referenced value should be a JSON document.
	// For inputs with secrets use SecretKeyRef to omit from logs.
	// +optional
	InputFrom *GateInputSource `json:"inputFrom,omitempty"`
}

type ManualRolloutStrategy struct{}

type RolloutStep struct {
	// RampPercentage indicates what percentage of new workflow executions should be
	// routed to the new worker deployment version while this step is active.
	// For example, 15 means 15%.
	//
	// Acceptable range is [1,99] (1% to 99%).
	// +kubebuilder:validation:Minimum=1
	// +kubebuilder:validation:Maximum=99
	RampPercentage int `json:"rampPercentage"`

	// PauseDuration indicates how long to pause before progressing to the next step.
	PauseDuration metav1.Duration `json:"pauseDuration"`
}

type RolloutStrategy struct {
	// Specifies how to treat concurrent executions of a Job.
	// Valid values are:
	// - "Manual"
	// - "AllAtOnce"
	// - "Progressive"
	Strategy DefaultVersionUpdateStrategy `json:"strategy"`

	// Gate specifies a workflow type that must run once to completion on the new worker deployment version before
	// any traffic is directed to the new version.
	Gate *GateWorkflowConfig `json:"gate,omitempty"`

	// Steps to execute progressive rollouts. Only required when strategy is "Progressive".
	// +optional
	Steps []RolloutStep `json:"steps,omitempty" protobuf:"bytes,3,rep,name=steps"`
}

type SecretReference struct {
	// Name of the Secret resource.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
	Name string `json:"name"`
}

type SunsetStrategy struct {
	// ScaledownDelay specifies how long to wait after a version is drained before scaling its Deployment to zero.
	// Defaults to 1 hour.
	// +optional
	// +kubebuilder:default="1h"
	ScaledownDelay *metav1.Duration `json:"scaledownDelay"`

	// DeleteDelay specifies how long to wait after a version is drained before deleting its Deployment.
	// Defaults to 24 hours.
	// +optional
	// +kubebuilder:default="24h"
	DeleteDelay *metav1.Duration `json:"deleteDelay"`
}

type TargetWorkerDeploymentVersion struct {
	BaseWorkerDeploymentVersion `json:",inline"`

	// A TestWorkflow is used to validate the deployment version before making it the default.
	// +optional
	TestWorkflows []WorkflowExecution `json:"testWorkflows,omitempty"`

	// RampPercentage is the percentage of new workflow executions that are
	// configured to start on this version. For example, 1.5 means 1.5%.
	// Only set when Status is VersionStatusRamping.
	//
	// Acceptable range is [0.0,100.0] (0% to 100%).
	// +kubebuilder:validation:Minimum=0.0
	// +kubebuilder:validation:Maximum=100.0
	RampPercentage *float32 `json:"rampPercentage,omitempty"`

	// RampingSince is time when the version first started ramping.
	// Only set when Status is VersionStatusRamping.
	// +optional
	RampingSince *metav1.Time `json:"rampingSince,omitempty"`

	// RampLastModifiedAt is the time when the ramp percentage was last changed for the target version.
	// +optional
	RampLastModifiedAt *metav1.Time `json:"rampLastModifiedAt,omitempty"`
}

type TaskQueue struct {
	// Name is the name of the task queue.
	Name string `json:"name"`
}

type TemporalConnection struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   TemporalConnectionSpec   `json:"spec,omitempty"`
	Status TemporalConnectionStatus `json:"status,omitempty"`
}

type TemporalConnectionList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []TemporalConnection `json:"items"`
}

type TemporalConnectionReference struct {
	// Name of the TemporalConnection resource.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
	Name string `json:"name"`
}

type TemporalConnectionSpec struct {
	// The host and port of the Temporal server.
	// +kubebuilder:validation:Pattern=`^[a-zA-Z0-9.-]+:[0-9]+$`
	HostPort string `json:"hostPort"`

	// MutualTLSSecretRef is the name of the Secret that contains the TLS certificate and key
	// for mutual TLS authentication. The secret must be `type: kubernetes.io/tls` and exist
	// in the same Kubernetes namespace as the TemporalConnection resource.
	//
	// More information about creating a TLS secret:
	// https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets
	// +optional
	MutualTLSSecretRef *SecretReference `json:"mutualTLSSecretRef,omitempty"`

	// APIKeySecretRef selects the Secret key that contains the API key used for authentication.
	// The Secret must be `type: kubernetes.io/opaque` and exist in the same Kubernetes namespace as
	// the TemporalConnection resource. This is a corev1.SecretKeySelector and encodes both:
	//   - LocalObjectReference.Name: the name of the Secret resource
	//   - Key: the data key within Secret.Data whose value is the API key token
	// +optional
	APIKeySecretRef *corev1.SecretKeySelector `json:"apiKeySecretRef,omitempty"`
}

type TemporalConnectionStatus struct {
}

type TemporalWorkerDeployment struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   TemporalWorkerDeploymentSpec   `json:"spec,omitempty"`
	Status TemporalWorkerDeploymentStatus `json:"status,omitempty"`
}

type TemporalWorkerDeploymentList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []TemporalWorkerDeployment `json:"items"`
}

type TemporalWorkerDeploymentReference struct {
	// Name of the TemporalWorkerDeployment resource in the same namespace.
	// +kubebuilder:validation:Required
	// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
	Name string `json:"name"`
}

type TemporalWorkerDeploymentSpec struct {

	// Number of desired pods. When set, the controller manages replicas for all active
	// worker versions. When omitted (nil), the controller creates versioned Deployments
	// with nil replicas and never calls UpdateScale on active versions — following the
	// Kubernetes-recommended pattern for HPA and other external autoscalers
	// (https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#migrating-deployments-and-statefulsets-to-horizontal-autoscaling).
	// The controller still scales drained versions (and inactive versions that are not
	// the rollout target) to zero regardless.
	// This field makes TemporalWorkerDeploymentSpec implement the scale subresource, which is compatible with auto-scalers.
	// +optional
	Replicas *int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`

	// Template describes the pods that will be created.
	// The only allowed template.spec.restartPolicy value is "Always".
	Template corev1.PodTemplateSpec `json:"template"`

	// Minimum number of seconds for which a newly created pod should be ready
	// without any of its container crashing, for it to be considered available.
	// Defaults to 0 (pod will be considered available as soon as it is ready)
	// +optional
	// +kubebuilder:default=0
	MinReadySeconds int32 `json:"minReadySeconds,omitempty"`

	// The maximum time in seconds for a deployment to make progress before it
	// is considered to be failed. The deployment controller will continue to
	// process failed deployments and a condition with a ProgressDeadlineExceeded
	// reason will be surfaced in the deployment status. Note that progress will
	// not be estimated during the time a deployment is paused. Defaults to 600s.
	// +kubebuilder:default=600
	ProgressDeadlineSeconds *int32 `json:"progressDeadlineSeconds,omitempty" protobuf:"varint,9,opt,name=progressDeadlineSeconds"`

	// How to rollout new workflow executions to the target version.
	RolloutStrategy RolloutStrategy `json:"rollout"`

	// How to manage sunsetting drained versions.
	SunsetStrategy SunsetStrategy `json:"sunset"`

	// WorkerOptions configures the worker's connection to Temporal.
	WorkerOptions WorkerOptions `json:"workerOptions"`
}

type TemporalWorkerDeploymentStatus struct {

	// TargetVersion is the desired next version. If TargetVersion.Deployment is nil,
	// then the controller should create it. If not nil, the controller should
	// wait for it to become healthy and then move it to the CurrentVersion.
	TargetVersion TargetWorkerDeploymentVersion `json:"targetVersion"`

	// CurrentVersion is the version that is currently registered with
	// Temporal as the current version of its worker deployment. This will be nil
	// during initial bootstrap until a version is registered and set as current.
	CurrentVersion *CurrentWorkerDeploymentVersion `json:"currentVersion,omitempty"`

	// DeprecatedVersions are deployment versions that are no longer the default. Any
	// deployment versions that are unreachable should be deleted by the controller.
	DeprecatedVersions []*DeprecatedWorkerDeploymentVersion `json:"deprecatedVersions,omitempty"`

	// VersionConflictToken prevents concurrent modifications to the deployment status.
	// It ensures reconciliation operations don't inadvertently override changes made
	// by external systems while processing is underway.
	VersionConflictToken []byte `json:"versionConflictToken,omitempty"`

	// LastModifierIdentity is the identity of the client that most recently modified the worker deployment.
	// +optional
	LastModifierIdentity string `json:"lastModifierIdentity,omitempty"`

	// ManagerIdentity is the identity that has exclusive rights to modify this Worker Deployment's routing config.
	// When set, clients whose identity does not match will be blocked from making routing changes.
	// Empty by default. Use `temporal worker deployment manager-identity set/unset` to change.
	// +optional
	ManagerIdentity string `json:"managerIdentity,omitempty"`

	// VersionCount is the total number of versions currently known by the worker deployment.
	// This includes current, target, ramping, and deprecated versions.
	// +optional
	// +kubebuilder:validation:Minimum=0
	VersionCount int32 `json:"versionCount,omitempty"`

	// Conditions represent the latest available observations of the TemporalWorkerDeployment's current state.
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type VersionStatus string

type WorkerOptions struct {
	// The name of a TemporalConnection in the same namespace as the TemporalWorkerDeployment.
	TemporalConnectionRef TemporalConnectionReference `json:"connectionRef"`
	// The Temporal namespace for the worker to connect to.
	// +kubebuilder:validation:MinLength=1
	TemporalNamespace string `json:"temporalNamespace"`
	// UnsafeCustomBuildID optionally overrides the auto-generated build ID for this worker deployment.
	// When set, the controller uses this value instead of computing a build ID from the
	// pod template hash. This enables rolling updates for non-workflow code changes
	// (bug fixes, config changes) while preserving the same build ID.
	//
	// WARNING: Using a custom build ID requires careful management. If workflow code changes
	// but UnsafeCustomBuildID stays the same, pinned workflows may execute on workers running incompatible
	// code. Only use this when you have a reliable way to detect changes in your workflow
	// definitions (e.g., hashing workflow source files in CI/CD).
	//
	// When the UnsafeCustomBuildID is stable but pod template spec changes, the controller triggers
	// a rolling update instead of creating a new deployment version. The controller uses
	// a hash of the user-provided pod template spec to detect ANY changes, including
	// container images, env vars, commands, volumes, resources, and all other fields.
	// +optional
	// +kubebuilder:validation:MaxLength=63
	// +kubebuilder:validation:Pattern=`^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$`
	UnsafeCustomBuildID string `json:"unsafeCustomBuildID,omitempty"`
}

type WorkerResourceTemplate struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   WorkerResourceTemplateSpec   `json:"spec,omitempty"`
	Status WorkerResourceTemplateStatus `json:"status,omitempty"`
}

type WorkerResourceTemplateList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []WorkerResourceTemplate `json:"items"`
}

type WorkerResourceTemplateSpec struct {
	// TemporalWorkerDeploymentRef references the TemporalWorkerDeployment to attach this resource to.
	// +kubebuilder:validation:Required
	TemporalWorkerDeploymentRef TemporalWorkerDeploymentReference `json:"temporalWorkerDeploymentRef"`

	// Template is the Kubernetes resource template applied per active Build ID.
	// Must include apiVersion, kind, and spec. metadata.name and metadata.namespace
	// are generated by the controller; do not set them.
	//
	// The controller auto-injects fields when they are present as an empty object ({}):
	//
	//   scaleTargetRef: {}
	//     Injected to point at the versioned Deployment. Use this for HPAs, WPAs, and
	//     other autoscaler CRDs that need a scale target.
	//
	//   spec.selector.matchLabels: {}
	//     Injected with the versioned Deployment's pod selector labels. Use this for
	//     PodDisruptionBudgets and other resources that select pods.
	//
	//   spec.metrics[*].external.metric.selector.matchLabels: {} (or with user labels)
	//     The controller appends temporal_worker_deployment_name, temporal_worker_build_id, and
	//     temporal_namespace to any External metric selector where matchLabels is present.
	//     User labels (e.g. task_type: "Activity") coexist alongside the injected keys.
	//     Do not set temporal_worker_deployment_name, temporal_worker_build_id, or
	//     temporal_namespace manually — the webhook will reject them.
	// +kubebuilder:validation:Required
	// +kubebuilder:pruning:PreserveUnknownFields
	Template runtime.RawExtension `json:"template"`
}

type WorkerResourceTemplateStatus struct {
	// Versions describes the per-Build-ID status of worker resource template instances.
	// +optional
	Versions []WorkerResourceTemplateVersionStatus `json:"versions,omitempty"`

	// Conditions describe the current state of the WorkerResourceTemplate.
	// The Ready condition is True when all active Build ID instances have been
	// successfully applied with the current template generation.
	// +optional
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

type WorkerResourceTemplateValidator struct {
	Client                client.Client
	RESTMapper            meta.RESTMapper
	ControllerSAName      string
	ControllerSANamespace string
	// AllowedKinds is the explicit list of resource kinds permitted as WorkerResourceTemplate objects.
	// Must be non-empty; when empty or nil, all kinds are rejected.
	// Populated from the ALLOWED_KINDS environment variable (comma-separated).
	AllowedKinds []string
}

type WorkerResourceTemplateVersionStatus struct {
	// BuildID is the Build ID of the versioned Deployment this entry refers to.
	BuildID string `json:"buildID"`

	// ResourceName is the name of the applied Kubernetes resource.
	// +optional
	ResourceName string `json:"resourceName,omitempty"`

	// LastAppliedGeneration is the WorkerResourceTemplate metadata.generation at the time
	// of the last **successful** apply for this Build ID. A value of 0 means no successful
	// apply has occurred yet.
	//
	// Reading the status:
	//   - 0                                  → never applied
	//   - 0 < lastAppliedGeneration < .metadata.generation → older spec applied; current spec pending or failing (see ApplyError)
	//   - lastAppliedGeneration == .metadata.generation    → healthy, up-to-date
	//   - lastAppliedGeneration > 0 && message != ""       → previously applied at that generation; current apply failing
	// +optional
	LastAppliedGeneration int64 `json:"lastAppliedGeneration,omitempty"`

	// ApplyError is non-empty when the most recent apply attempt failed.
	// +optional
	ApplyError string `json:"applyError,omitempty"`

	// LastAppliedHash is a hash of the rendered resource as of the last successful apply.
	// The controller uses this internally to skip redundant SSA apply calls when the
	// rendered output has not changed. Users can treat this as an opaque value.
	// +optional
	LastAppliedHash string `json:"lastAppliedHash,omitempty"`

	// LastTransitionTime is the last time this status entry changed.
	LastTransitionTime metav1.Time `json:"lastTransitionTime"`
}

type WorkflowExecution struct {
	WorkflowID string                  `json:"workflowID"`
	RunID      string                  `json:"runID"`
	Status     WorkflowExecutionStatus `json:"status"`
	TaskQueue  string                  `json:"taskQueue"`
}

type WorkflowExecutionStatus string