v1beta2

package
v2.10.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Dec 1, 2025 License: Apache-2.0 Imports: 24 Imported by: 23

Documentation

Overview

Package v1beta2 contains API Schema definitions for the controlplane v1beta2 API group +gencrdrefdocs:force +groupName=controlplane.cluster.x-k8s.io +k8s:defaulter-gen=TypeMeta

Package v1beta2 contains API Schema definitions for the controlplane v1beta2 API group +kubebuilder:object:generate=true +groupName=controlplane.cluster.x-k8s.io

Index

Constants

// Finalizer and Kind identifiers for the AWSManagedControlPlane resource.
const (
	// ManagedControlPlaneFinalizer allows the controller to clean up resources on delete.
	// NOTE(review): presumably removing this finalizer by hand skips that cleanup
	// and can leave AWS resources behind; verify against the controller.
	ManagedControlPlaneFinalizer = "awsmanagedcontrolplane.controlplane.cluster.x-k8s.io"

	// AWSManagedControlPlaneKind is the Kind of AWSManagedControlPlane.
	AWSManagedControlPlaneKind = "AWSManagedControlPlane"
)
// Conditions and the failure reason for reconciling the EKS control plane.
// The conditions are typed clusterv1beta1.ConditionType; the reason is an
// untyped string constant.
const (
	// EKSControlPlaneReadyCondition reports on the successful reconciliation of the EKS control plane.
	EKSControlPlaneReadyCondition clusterv1beta1.ConditionType = "EKSControlPlaneReady"
	// EKSControlPlaneCreatingCondition reports on whether the EKS
	// control plane is creating.
	EKSControlPlaneCreatingCondition clusterv1beta1.ConditionType = "EKSControlPlaneCreating"
	// EKSControlPlaneUpdatingCondition reports on whether the EKS
	// control plane is updating.
	EKSControlPlaneUpdatingCondition clusterv1beta1.ConditionType = "EKSControlPlaneUpdating"
	// EKSControlPlaneReconciliationFailedReason is used to report failures while reconciling the EKS control plane.
	EKSControlPlaneReconciliationFailedReason = "EKSControlPlaneReconciliationFailed"
)
// Condition and failure reason for reconciling the control plane IAM roles.
const (
	// IAMControlPlaneRolesReadyCondition reports on the successful reconciliation of the EKS control plane IAM roles.
	IAMControlPlaneRolesReadyCondition clusterv1beta1.ConditionType = "IAMControlPlaneRolesReady"
	// IAMControlPlaneRolesReconciliationFailedReason is used to report failures while reconciling the EKS control plane IAM roles.
	IAMControlPlaneRolesReconciliationFailedReason = "IAMControlPlaneRolesReconciliationFailed"
)
// Condition and failure reason for reconciling the aws-iam-authenticator config.
const (
	// IAMAuthenticatorConfiguredCondition reports on the successful reconciliation of the aws-iam-authenticator config.
	IAMAuthenticatorConfiguredCondition clusterv1beta1.ConditionType = "IAMAuthenticatorConfigured"
	// IAMAuthenticatorConfigurationFailedReason is used to report failures while reconciling the aws-iam-authenticator config.
	IAMAuthenticatorConfigurationFailedReason = "IAMAuthenticatorConfigurationFailed"
)
// Condition and failure reason for reconciling the EKS addons.
const (
	// EKSAddonsConfiguredCondition reports on the successful reconciliation of the EKS addons.
	EKSAddonsConfiguredCondition clusterv1beta1.ConditionType = "EKSAddonsConfigured"
	// EKSAddonsConfiguredFailedReason is used to report failures while reconciling the EKS addons.
	EKSAddonsConfiguredFailedReason = "EKSAddonsConfiguredFailed"
)
// Condition and failure reason for associating the identity provider config.
const (
	// EKSIdentityProviderConfiguredCondition reports on the successful association of the identity provider config.
	EKSIdentityProviderConfiguredCondition clusterv1beta1.ConditionType = "EKSIdentityProviderConfigured"
	// EKSIdentityProviderConfiguredFailedReason is used to report failures while reconciling the identity provider config association.
	EKSIdentityProviderConfiguredFailedReason = "EKSIdentityProviderConfiguredFailed"
)
// Security group roles defined by this API group, expressed as
// infrav1.SecurityGroupRole values.
const (
	// SecurityGroupCluster is the security group for communication between the EKS
	// control plane and managed node groups.
	SecurityGroupCluster = infrav1.SecurityGroupRole("cluster")
)

Variables

// Scheme registration for the controlplane.cluster.x-k8s.io/v1beta2 API group.
var (
	// GroupVersion is the group version used to register these objects.
	GroupVersion = schema.GroupVersion{Group: "controlplane.cluster.x-k8s.io", Version: "v1beta2"}

	// SchemeBuilder is used to add Go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	// It is the AddToScheme method value of SchemeBuilder.
	AddToScheme = SchemeBuilder.AddToScheme
)
// Values of EKSTokenMethod: how a client token for the EKS cluster is obtained.
var (
	// EKSTokenMethodIAMAuthenticator indicates that the IAM authenticator will be used to get a token.
	EKSTokenMethodIAMAuthenticator = EKSTokenMethod("iam-authenticator")

	// EKSTokenMethodAWSCli indicates that the AWS CLI will be used to get a token.
	// Version 1.16.156 or greater of the AWS CLI is required.
	EKSTokenMethodAWSCli = EKSTokenMethod("aws-cli")
)
// Values of EKSAuthenticationMode: which sources the cluster consults when
// authenticating IAM identities.
var (
	// EKSAuthenticationModeConfigMap indicates that only the `aws-auth` ConfigMap will be used for authentication.
	EKSAuthenticationModeConfigMap = EKSAuthenticationMode("config_map")

	// EKSAuthenticationModeAPI indicates that only AWS Access Entries will be used for authentication.
	EKSAuthenticationModeAPI = EKSAuthenticationMode("api")

	// EKSAuthenticationModeAPIAndConfigMap indicates that both the `aws-auth` ConfigMap and AWS Access Entries will
	// be used for authentication.
	EKSAuthenticationModeAPIAndConfigMap = EKSAuthenticationMode("api_and_config_map")
)
// Values of AddonResolution: what happens when addon parameters conflict.
var (
	// AddonResolutionOverwrite indicates that if there are parameter conflicts then
	// resolution will be accomplished via overwriting.
	AddonResolutionOverwrite = AddonResolution("overwrite")

	// AddonResolutionNone indicates that if there are parameter conflicts then
	// resolution will not be done and an error will be reported.
	AddonResolutionNone = AddonResolution("none")

	// AddonResolutionPreserve indicates that if there are parameter conflicts then
	// resolution will result in preserving the existing value.
	AddonResolutionPreserve = AddonResolution("preserve")
)
// Addon status strings. These are declared as plain string variables, not as
// values of the AddonStatus type, and being variables rather than constants
// they can be reassigned by any importing package.
var (
	// AddonStatusCreating is a status to indicate the addon is creating.
	AddonStatusCreating = "creating"

	// AddonStatusActive is a status to indicate the addon is active.
	AddonStatusActive = "active"

	// AddonStatusCreateFailed is a status to indicate the addon failed creation.
	AddonStatusCreateFailed = "create_failed"

	// AddonStatusUpdating is a status to indicate the addon is updating.
	AddonStatusUpdating = "updating"

	// AddonStatusDeleting is a status to indicate the addon is deleting.
	AddonStatusDeleting = "deleting"

	// AddonStatusDeleteFailed is a status to indicate the addon failed deletion.
	AddonStatusDeleteFailed = "delete_failed"

	// AddonStatusDegraded is a status to indicate the addon is in a degraded state.
	AddonStatusDegraded = "degraded"
)
// Values of UpgradePolicy: what happens to the cluster when its Kubernetes
// version reaches the end of standard support.
var (
	// UpgradePolicyExtended indicates that the cluster will enter into extended support once the Kubernetes version reaches end of standard support.
	// You will incur extended support charges with this setting.
	// You can upgrade your cluster to a standard supported Kubernetes version to stop incurring extended support charges.
	UpgradePolicyExtended = UpgradePolicy("extended")

	// UpgradePolicyStandard indicates that the cluster is eligible for automatic upgrade at the end of standard support.
	// You will not incur extended support charges with this setting, but your EKS cluster will automatically upgrade to the next supported Kubernetes version in standard support.
	UpgradePolicyStandard = UpgradePolicy("standard")
)
// Errors for validation of Amazon EKS nodes that are registered with the control plane.
// They are sentinel values; the code that returns them is not part of this listing.
var (
	// ErrRoleARNRequired reports that a role ARN is required.
	ErrRoleARNRequired  = errors.New("rolearn is required")
	// ErrUserARNRequired reports that a user ARN is required.
	ErrUserARNRequired  = errors.New("userarn is required")
	// ErrUserNameRequired reports that a username is required.
	ErrUserNameRequired = errors.New("username is required")
	// ErrGroupsRequired reports that groups are required.
	ErrGroupsRequired   = errors.New("groups are required")
	// ErrIsNotARN reports that the supplied value is not an ARN.
	ErrIsNotARN         = errors.New("supplied value is not a ARN")
	// ErrIsNotRoleARN reports that the supplied ARN is not a role ARN.
	ErrIsNotRoleARN     = errors.New("supplied ARN is not a role ARN")
	// ErrIsNotUserARN reports that the supplied ARN is not a user ARN.
	ErrIsNotUserARN     = errors.New("supplied ARN is not a user ARN")
)

Errors for validation of Amazon EKS nodes that are registered with the control plane.

var (
	// DefaultEKSControlPlaneRole is the name of the default IAM role to use for the EKS control plane
	// if no other role is supplied in the spec and if IAM role creation is not enabled. The default
	// can be created using clusterawsadm or created manually.
	// The value is built at package initialization by appending
	// iamv1.DefaultNameSuffix to "eks-controlplane".
	DefaultEKSControlPlaneRole = fmt.Sprintf("eks-controlplane%s", iamv1.DefaultNameSuffix)
)

Functions

This section is empty.

Types

type AWSManagedControlPlane

// AWSManagedControlPlane is the schema for the Amazon EKS Managed Control Plane API.
type AWSManagedControlPlane struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state of the Amazon EKS cluster.
	Spec   AWSManagedControlPlaneSpec   `json:"spec,omitempty"`
	// Status is the observed state of the Amazon EKS cluster.
	Status AWSManagedControlPlaneStatus `json:"status,omitempty"`
}

AWSManagedControlPlane is the schema for the Amazon EKS Managed Control Plane API.

func (*AWSManagedControlPlane) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSManagedControlPlane.

func (*AWSManagedControlPlane) DeepCopyInto

func (in *AWSManagedControlPlane) DeepCopyInto(out *AWSManagedControlPlane)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AWSManagedControlPlane) DeepCopyObject

func (in *AWSManagedControlPlane) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*AWSManagedControlPlane) GetConditions

GetConditions returns the control plane's conditions.

func (*AWSManagedControlPlane) Hub

func (*AWSManagedControlPlane) Hub()

Hub marks AWSManagedControlPlane as a conversion hub.

func (*AWSManagedControlPlane) SetConditions

func (r *AWSManagedControlPlane) SetConditions(conditions clusterv1beta1.Conditions)

SetConditions sets the status conditions for the AWSManagedControlPlane.

func (*AWSManagedControlPlane) SetupWebhookWithManager

func (r *AWSManagedControlPlane) SetupWebhookWithManager(mgr ctrl.Manager) error

SetupWebhookWithManager will setup the webhooks for the AWSManagedControlPlane.

type AWSManagedControlPlaneList

// AWSManagedControlPlaneList contains a list of Amazon EKS Managed Control Planes.
type AWSManagedControlPlaneList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the AWSManagedControlPlane objects in the list.
	Items           []AWSManagedControlPlane `json:"items"`
}

AWSManagedControlPlaneList contains a list of Amazon EKS Managed Control Planes.

func (*AWSManagedControlPlaneList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSManagedControlPlaneList.

func (*AWSManagedControlPlaneList) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AWSManagedControlPlaneList) DeepCopyObject

func (in *AWSManagedControlPlaneList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*AWSManagedControlPlaneList) Hub

Hub marks AWSManagedControlPlaneList as a conversion hub.

type AWSManagedControlPlaneSpec

// AWSManagedControlPlaneSpec defines the desired state of an Amazon EKS Cluster.
type AWSManagedControlPlaneSpec struct {
	// EKSClusterName allows you to specify the name of the EKS cluster in
	// AWS. If you don't specify a name then a default name will be created
	// based on the namespace and name of the managed control plane.
	// +optional
	EKSClusterName string `json:"eksClusterName,omitempty"`

	// IdentityRef is a reference to an identity to be used when reconciling the managed control plane.
	// If no identity is specified, the default identity for this controller will be used.
	// +optional
	IdentityRef *infrav1.AWSIdentityReference `json:"identityRef,omitempty"`

	// NetworkSpec encapsulates all things related to AWS network.
	NetworkSpec infrav1.NetworkSpec `json:"network,omitempty"`

	// SecondaryCidrBlock is the additional CIDR range to use for pod IPs.
	// Must be within the 100.64.0.0/10 or 198.19.0.0/16 range.
	// +optional
	SecondaryCidrBlock *string `json:"secondaryCidrBlock,omitempty"`

	// Region is the AWS Region the cluster lives in.
	Region string `json:"region,omitempty"`

	// Partition is the AWS security partition being used. Defaults to "aws"
	// +optional
	Partition string `json:"partition,omitempty"`

	// NOTE(review): omitting SSHKeyName is not the same as disabling SSH keys.
	// Per the field documentation below, only an explicit empty string means
	// "do not use SSH keys"; an omitted value selects the default key name.

	// SSHKeyName is the name of the ssh key to attach to the bastion host. Valid values are empty string (do not use SSH keys), a valid SSH key name, or omitted (use the default SSH key name)
	// +optional
	SSHKeyName *string `json:"sshKeyName,omitempty"`

	// NOTE(review): as written, the Pattern marker on Version also matches a
	// trailing dot ("1.2.") and a doubled dot ("1.2..0"); confirm that a later
	// validation step rejects such values.

	// Version defines the desired Kubernetes version. If no version number
	// is supplied then the latest version of Kubernetes that EKS supports
	// will be used.
	// +kubebuilder:validation:MinLength:=2
	// +kubebuilder:validation:Pattern:=^v?(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.?(\.0|[1-9][0-9]*)?$
	// +optional
	Version *string `json:"version,omitempty"`

	// RoleName specifies the name of IAM role that gives EKS
	// permission to make API calls. If the role is pre-existing
	// we will treat it as unmanaged and not delete it on
	// deletion. If the EKSEnableIAM feature flag is true
	// and no name is supplied then a role is created.
	// +kubebuilder:validation:MinLength:=2
	// +optional
	RoleName *string `json:"roleName,omitempty"`

	// RoleAdditionalPolicies allows you to attach additional policies to
	// the control plane role. You must enable the EKSAllowAddRoles
	// feature flag to incorporate these into the created role.
	// +optional
	RoleAdditionalPolicies *[]string `json:"roleAdditionalPolicies,omitempty"`

	// RolePath sets the path to the role. For more information about paths, see IAM Identifiers
	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
	// in the IAM User Guide.
	//
	// This parameter is optional. If it is not included, it defaults to a slash
	// (/).
	// +optional
	RolePath string `json:"rolePath,omitempty"`

	// RolePermissionsBoundary sets the ARN of the managed policy that is used
	// to set the permissions boundary for the role.
	//
	// A permissions boundary policy defines the maximum permissions that identity-based
	// policies can grant to an entity, but does not grant permissions. Permissions
	// boundaries do not define the maximum permissions that a resource-based policy
	// can grant to an entity. To learn more, see Permissions boundaries for IAM
	// entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
	// in the IAM User Guide.
	//
	// For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types)
	// in the IAM User Guide.
	// +optional
	RolePermissionsBoundary string `json:"rolePermissionsBoundary,omitempty"`

	// Logging specifies which EKS Cluster logs should be enabled. Entries for
	// each of the enabled logs will be sent to CloudWatch
	// +optional
	Logging *ControlPlaneLoggingSpec `json:"logging,omitempty"`

	// EncryptionConfig specifies the encryption configuration for the cluster
	// +optional
	EncryptionConfig *EncryptionConfig `json:"encryptionConfig,omitempty"`

	// AdditionalTags is an optional set of tags to add to AWS resources managed by the AWS provider, in addition to the
	// ones added by default.
	// +optional
	AdditionalTags infrav1.Tags `json:"additionalTags,omitempty"`

	// IAMAuthenticatorConfig allows the specification of any additional user or role mappings
	// for use when generating the aws-iam-authenticator configuration. If this is nil the
	// default configuration is still generated for the cluster.
	// +optional
	IAMAuthenticatorConfig *IAMAuthenticatorConfig `json:"iamAuthenticatorConfig,omitempty"`

	// EndpointAccess specifies access to this cluster's control plane endpoints
	// +optional
	EndpointAccess EndpointAccess `json:"endpointAccess,omitempty"`

	// ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.
	// +optional
	ControlPlaneEndpoint clusterv1beta1.APIEndpoint `json:"controlPlaneEndpoint"`

	// ImageLookupFormat is the AMI naming format to look up machine images when
	// a machine does not specify an AMI. When set, this will be used for all
	// cluster machines unless a machine specifies a different ImageLookupOrg.
	// Supports substitutions for {{.BaseOS}} and {{.K8sVersion}} with the base
	// OS and kubernetes version, respectively. The BaseOS will be the value in
	// ImageLookupBaseOS or ubuntu (the default), and the kubernetes version as
	// defined by the packages produced by kubernetes/release without v as a
	// prefix: 1.13.0, 1.12.5-mybuild.1, or 1.17.3. For example, the default
	// image format of capa-ami-{{.BaseOS}}-?{{.K8sVersion}}-* will end up
	// searching for AMIs that match the pattern capa-ami-ubuntu-?1.18.0-* for a
	// Machine that is targeting kubernetes v1.18.0 and the ubuntu base OS. See
	// also: https://golang.org/pkg/text/template/
	// +optional
	ImageLookupFormat string `json:"imageLookupFormat,omitempty"`

	// ImageLookupOrg is the AWS Organization ID to look up machine images when a
	// machine does not specify an AMI. When set, this will be used for all
	// cluster machines unless a machine specifies a different ImageLookupOrg.
	// +optional
	ImageLookupOrg string `json:"imageLookupOrg,omitempty"`

	// ImageLookupBaseOS is the name of the base operating system used to look
	// up machine images when a machine does not specify an AMI. When set, this
	// will be used for all cluster machines unless a machine specifies a
	// different ImageLookupBaseOS.
	ImageLookupBaseOS string `json:"imageLookupBaseOS,omitempty"`

	// Bastion contains options to configure the bastion host.
	// +optional
	Bastion infrav1.Bastion `json:"bastion"`

	// TokenMethod is used to specify the method for obtaining a client token for communicating with EKS
	// iam-authenticator - obtains a client token using iam-authenticator
	// aws-cli - obtains a client token using the AWS CLI
	// Defaults to iam-authenticator
	// +kubebuilder:default=iam-authenticator
	// +kubebuilder:validation:Enum=iam-authenticator;aws-cli
	TokenMethod *EKSTokenMethod `json:"tokenMethod,omitempty"`

	// AssociateOIDCProvider can be enabled to automatically create an identity
	// provider for the controller for use with IAM roles for service accounts
	// +kubebuilder:default=false
	AssociateOIDCProvider bool `json:"associateOIDCProvider,omitempty"`

	// Addons defines the EKS addons to enable with the EKS cluster.
	// +optional
	Addons *[]Addon `json:"addons,omitempty"`

	// OIDCIdentityProviderConfig is used to specify the OIDC provider config
	// to be attached with this eks cluster
	// +optional
	OIDCIdentityProviderConfig *OIDCIdentityProviderConfig `json:"oidcIdentityProviderConfig,omitempty"`

	// AccessConfig specifies the access configuration information for the cluster
	// +optional
	AccessConfig *AccessConfig `json:"accessConfig,omitempty"`

	// VpcCni is used to set configuration options for the VPC CNI plugin
	// +optional
	VpcCni VpcCni `json:"vpcCni,omitempty"`

	// NOTE(review): BootstrapSelfManagedAddons is a plain bool with `omitempty`
	// and a CRD default of true. A false value set through this Go type is
	// dropped when the object is encoded to JSON, so the default may turn it
	// back into true; confirm how an explicit false is preserved.

	// BootstrapSelfManagedAddons is used to set configuration options for
	// bare EKS cluster without EKS default networking addons.
	// If you set this value to false when creating a cluster, the default networking add-ons will not be installed
	// +kubebuilder:default=true
	BootstrapSelfManagedAddons bool `json:"bootstrapSelfManagedAddons,omitempty"`

	// RestrictPrivateSubnets indicates that the EKS control plane should only use private subnets.
	// +kubebuilder:default=false
	RestrictPrivateSubnets bool `json:"restrictPrivateSubnets,omitempty"`

	// KubeProxy defines managed attributes of the kube-proxy daemonset
	KubeProxy KubeProxy `json:"kubeProxy,omitempty"`

	// UpgradePolicy is the cluster upgrade policy to use for the cluster.
	// (Official AWS docs for this policy: https://docs.aws.amazon.com/eks/latest/userguide/view-upgrade-policy.html)
	// `extended` upgrade policy indicates that the cluster will enter into extended support once the Kubernetes version reaches end of standard support. You will incur extended support charges with this setting. You can upgrade your cluster to a standard supported Kubernetes version to stop incurring extended support charges.
	// `standard` upgrade policy indicates that the cluster is eligible for automatic upgrade at the end of standard support. You will not incur extended support charges with this setting but your EKS cluster will automatically upgrade to the next supported Kubernetes version in standard support.
	// If omitted, new clusters will use the AWS default upgrade policy (which at the time of writing is "extended") and existing clusters will have their upgrade policy unchanged.
	// +kubebuilder:validation:Enum=extended;standard
	// +optional
	UpgradePolicy UpgradePolicy `json:"upgradePolicy,omitempty"`
}

AWSManagedControlPlaneSpec defines the desired state of an Amazon EKS Cluster.

func (*AWSManagedControlPlaneSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSManagedControlPlaneSpec.

func (*AWSManagedControlPlaneSpec) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AWSManagedControlPlaneSpec) Hub added in v2.1.0

Hub marks AWSManagedControlPlaneSpec as a conversion hub.

type AWSManagedControlPlaneStatus

// AWSManagedControlPlaneStatus defines the observed state of an Amazon EKS Cluster.
type AWSManagedControlPlaneStatus struct {
	// Network holds details about the AWS networking resources used by the control plane
	// +optional
	Network infrav1.NetworkStatus `json:"networkStatus,omitempty"`
	// FailureDomains specifies a list of available availability zones that can be used
	// +optional
	FailureDomains clusterv1beta1.FailureDomains `json:"failureDomains,omitempty"`
	// Bastion holds details of the instance that is used as a bastion jump box
	// +optional
	Bastion *infrav1.Instance `json:"bastion,omitempty"`
	// OIDCProvider holds the status of the identity provider for this cluster
	// +optional
	OIDCProvider OIDCProviderStatus `json:"oidcProvider,omitempty"`
	// ExternalManagedControlPlane indicates to cluster-api that the control plane
	// is managed by an external service such as AKS, EKS, GKE, etc.
	// +kubebuilder:default=true
	ExternalManagedControlPlane *bool `json:"externalManagedControlPlane,omitempty"`
	// Initialized denotes whether or not the control plane has the
	// uploaded kubernetes config-map.
	// +optional
	Initialized bool `json:"initialized"`
	// Ready denotes that the AWSManagedControlPlane API Server is ready to
	// receive requests and that the VPC infra is ready.
	// +kubebuilder:default=false
	Ready bool `json:"ready"`
	// FailureMessage indicates that there is a terminal problem reconciling the
	// state, and will be set to a descriptive error message.
	// +optional
	FailureMessage *string `json:"failureMessage,omitempty"`
	// Conditions specifies the conditions for the managed control plane
	Conditions clusterv1beta1.Conditions `json:"conditions,omitempty"`
	// Addons holds the current status of the EKS addons
	// +optional
	Addons []AddonState `json:"addons,omitempty"`
	// IdentityProviderStatus holds the status for
	// associated identity provider
	// +optional
	IdentityProviderStatus IdentityProviderStatus `json:"identityProviderStatus,omitempty"`
	// Version represents the minimum Kubernetes version for the control plane machines
	// in the cluster.
	// +optional
	Version *string `json:"version,omitempty"`
}

AWSManagedControlPlaneStatus defines the observed state of an Amazon EKS Cluster.

func (*AWSManagedControlPlaneStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSManagedControlPlaneStatus.

func (*AWSManagedControlPlaneStatus) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AWSManagedControlPlaneTemplate added in v2.9.0

// AWSManagedControlPlaneTemplate is the Schema for the AWSManagedControlPlaneTemplates API.
// Unlike AWSManagedControlPlane, it declares no Status field.
type AWSManagedControlPlaneTemplate struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state of the template.
	Spec AWSManagedControlPlaneTemplateSpec `json:"spec,omitempty"`
}

AWSManagedControlPlaneTemplate is the Schema for the AWSManagedControlPlaneTemplates API.

func (*AWSManagedControlPlaneTemplate) DeepCopy added in v2.9.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSManagedControlPlaneTemplate.

func (*AWSManagedControlPlaneTemplate) DeepCopyInto added in v2.9.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AWSManagedControlPlaneTemplate) DeepCopyObject added in v2.9.0

func (in *AWSManagedControlPlaneTemplate) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*AWSManagedControlPlaneTemplate) SetupWebhookWithManager added in v2.9.0

func (r *AWSManagedControlPlaneTemplate) SetupWebhookWithManager(mgr ctrl.Manager) error

SetupWebhookWithManager sets up the webhook with the Manager.

type AWSManagedControlPlaneTemplateList added in v2.9.0

// AWSManagedControlPlaneTemplateList contains a list of AWSManagedControlPlaneTemplates.
type AWSManagedControlPlaneTemplateList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the AWSManagedControlPlaneTemplate objects in the list.
	Items           []AWSManagedControlPlaneTemplate `json:"items"`
}

AWSManagedControlPlaneTemplateList contains a list of AWSManagedControlPlaneTemplates.

func (*AWSManagedControlPlaneTemplateList) DeepCopy added in v2.9.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSManagedControlPlaneTemplateList.

func (*AWSManagedControlPlaneTemplateList) DeepCopyInto added in v2.9.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AWSManagedControlPlaneTemplateList) DeepCopyObject added in v2.9.0

func (in *AWSManagedControlPlaneTemplateList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type AWSManagedControlPlaneTemplateResource added in v2.9.0

// AWSManagedControlPlaneTemplateResource describes the data needed to create a
// resource from a template.
type AWSManagedControlPlaneTemplateResource struct {
	// Spec is the AWSManagedControlPlaneSpec carried by the template.
	Spec AWSManagedControlPlaneSpec `json:"spec"`
}

AWSManagedControlPlaneTemplateResource describes the data needed to create an AWSManagedCluster from a template.

func (*AWSManagedControlPlaneTemplateResource) DeepCopy added in v2.9.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSManagedControlPlaneTemplateResource.

func (*AWSManagedControlPlaneTemplateResource) DeepCopyInto added in v2.9.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AWSManagedControlPlaneTemplateSpec added in v2.9.0

// AWSManagedControlPlaneTemplateSpec defines the desired state of AWSManagedControlPlaneTemplate.
type AWSManagedControlPlaneTemplateSpec struct {
	// Template wraps the control plane spec that the template provides.
	Template AWSManagedControlPlaneTemplateResource `json:"template"`
}

AWSManagedControlPlaneTemplateSpec defines the desired state of AWSManagedControlPlaneTemplate.

func (*AWSManagedControlPlaneTemplateSpec) DeepCopy added in v2.9.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSManagedControlPlaneTemplateSpec.

func (*AWSManagedControlPlaneTemplateSpec) DeepCopyInto added in v2.9.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AccessConfig added in v2.10.0

// AccessConfig represents the access configuration information for the cluster.
type AccessConfig struct {
	// AuthenticationMode specifies the desired authentication mode for the cluster
	// Defaults to config_map
	// +kubebuilder:default=config_map
	// +kubebuilder:validation:Enum=config_map;api;api_and_config_map
	AuthenticationMode EKSAuthenticationMode `json:"authenticationMode,omitempty"`

	// NOTE(review): with the default of true, the IAM identity that creates the
	// cluster receives cluster admin permissions. The setting is ignored on
	// update, so a least-privilege choice has to be made at creation time. The
	// field is a *bool, which lets an explicit false be told apart from unset.

	// BootstrapClusterCreatorAdminPermissions grants cluster admin permissions
	// to the IAM identity creating the cluster. Only applied during creation,
	// ignored when updating existing clusters. Defaults to true.
	// +kubebuilder:default=true
	BootstrapClusterCreatorAdminPermissions *bool `json:"bootstrapClusterCreatorAdminPermissions,omitempty"`
}

AccessConfig represents the access configuration information for the cluster

func (*AccessConfig) DeepCopy added in v2.10.0

func (in *AccessConfig) DeepCopy() *AccessConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessConfig.

func (*AccessConfig) DeepCopyInto added in v2.10.0

func (in *AccessConfig) DeepCopyInto(out *AccessConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Addon

// Addon represents an EKS addon.
type Addon struct {
	// Name is the name of the addon
	// +kubebuilder:validation:MinLength:=2
	// +kubebuilder:validation:Required
	Name string `json:"name"`
	// Version is the version of the addon to use
	Version string `json:"version"`
	// Configuration of the EKS addon
	// +optional
	Configuration string `json:"configuration,omitempty"`
	// ConflictResolution is used to declare what should happen if there
	// are parameter conflicts. Defaults to overwrite
	// +kubebuilder:default=overwrite
	// +kubebuilder:validation:Enum=overwrite;none;preserve
	ConflictResolution *AddonResolution `json:"conflictResolution,omitempty"`

	// NOTE(review): no format validation marker is visible on
	// ServiceAccountRoleArn; confirm that the value is checked to be a role ARN
	// before it is bound to the addon's service account.

	// ServiceAccountRoleArn is the ARN of an IAM role to bind to the addon's service account
	// +optional
	ServiceAccountRoleArn *string `json:"serviceAccountRoleARN,omitempty"`
	// PreserveOnDelete indicates that the addon resources should be
	// preserved in the cluster on delete.
	// +optional
	PreserveOnDelete bool `json:"preserveOnDelete,omitempty"`
}

Addon represents an EKS addon.

func (*Addon) DeepCopy

func (in *Addon) DeepCopy() *Addon

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Addon.

func (*Addon) DeepCopyInto

func (in *Addon) DeepCopyInto(out *Addon)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AddonIssue

// AddonIssue represents an issue with an addon.
type AddonIssue struct {
	// Code is the issue code
	Code *string `json:"code,omitempty"`
	// Message is the textual description of the issue
	Message *string `json:"message,omitempty"`
	// ResourceIDs is a list of resource IDs for the issue
	ResourceIDs []string `json:"resourceIds,omitempty"`
}

AddonIssue represents an issue with an addon.

func (*AddonIssue) DeepCopy

func (in *AddonIssue) DeepCopy() *AddonIssue

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AddonIssue.

func (*AddonIssue) DeepCopyInto

func (in *AddonIssue) DeepCopyInto(out *AddonIssue)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AddonResolution

// AddonResolution defines the method for resolving parameter conflicts.
// The values declared in this package are "overwrite", "none" and "preserve".
type AddonResolution string

AddonResolution defines the method for resolving parameter conflicts.

type AddonState

// AddonState represents the state of an addon.
type AddonState struct {
	// Name is the name of the addon
	Name string `json:"name"`
	// Version is the version of the addon to use
	Version string `json:"version"`
	// ARN is the AWS ARN of the addon
	ARN string `json:"arn"`
	// ServiceAccountRoleArn is the ARN of the IAM role used for the service account
	ServiceAccountRoleArn *string `json:"serviceAccountRoleARN,omitempty"`
	// CreatedAt is the date and time the addon was created at
	CreatedAt metav1.Time `json:"createdAt,omitempty"`
	// ModifiedAt is the date and time the addon was last modified
	ModifiedAt metav1.Time `json:"modifiedAt,omitempty"`
	// Status is the status of the addon.
	// It is a *string rather than the AddonStatus type declared in this package.
	Status *string `json:"status,omitempty"`
	// Issues is a list of issues associated with the addon
	Issues []AddonIssue `json:"issues,omitempty"`
}

AddonState represents the state of an addon.

func (*AddonState) DeepCopy

func (in *AddonState) DeepCopy() *AddonState

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AddonState.

func (*AddonState) DeepCopyInto

func (in *AddonState) DeepCopyInto(out *AddonState)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AddonStatus

// AddonStatus defines the status for an addon.
// NOTE(review): the AddonStatus* variables in this package are declared as
// plain strings and AddonState.Status is a *string, so this type is not used
// by either of them in the declarations shown on this page.
type AddonStatus string

AddonStatus defines the status for an addon.

type ControlPlaneLoggingSpec

// ControlPlaneLoggingSpec selects which EKS control plane logs are enabled.
// Every field defaults to false through its kubebuilder default marker, so a
// spec that sets none of them leaves all five log types disabled.
type ControlPlaneLoggingSpec struct {
	// APIServer indicates if the Kubernetes API Server log (kube-apiserver) should be enabled
	// +kubebuilder:default=false
	APIServer bool `json:"apiServer"`
	// Audit indicates if the Kubernetes API audit log should be enabled. The audit
	// log is the record of requests made to the Kubernetes API, so it is the log
	// most often needed for detection and incident response.
	// +kubebuilder:default=false
	Audit bool `json:"audit"`
	// Authenticator indicates if the iam authenticator log should be enabled.
	// Together with the audit log it is the place to look when investigating
	// who authenticated to the cluster.
	// +kubebuilder:default=false
	Authenticator bool `json:"authenticator"`
	// ControllerManager indicates if the controller manager (kube-controller-manager) log should be enabled
	// +kubebuilder:default=false
	ControllerManager bool `json:"controllerManager"`
	// Scheduler indicates if the Kubernetes scheduler (kube-scheduler) log should be enabled
	// +kubebuilder:default=false
	Scheduler bool `json:"scheduler"`
}

ControlPlaneLoggingSpec defines which EKS control plane logs should be enabled.

func (*ControlPlaneLoggingSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControlPlaneLoggingSpec.

func (*ControlPlaneLoggingSpec) DeepCopyInto

func (in *ControlPlaneLoggingSpec) DeepCopyInto(out *ControlPlaneLoggingSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ControlPlaneLoggingSpec) IsLogEnabled

func (s *ControlPlaneLoggingSpec) IsLogEnabled(logName string) bool

IsLogEnabled returns true if the log is enabled.

type EKSAuthenticationMode added in v2.10.0

type EKSAuthenticationMode string

EKSAuthenticationMode defines the authentication mode for the cluster

func (EKSAuthenticationMode) APIValue added in v2.10.0

APIValue returns the corresponding EKS API value for the authentication mode

type EKSTokenMethod

type EKSTokenMethod string

EKSTokenMethod defines the method for obtaining a client token to use when connecting to EKS.

type EncryptionConfig

// EncryptionConfig specifies the encryption configuration for the EKS cluster.
// Both fields are optional pointers and are omitted from JSON when unset.
type EncryptionConfig struct {
	// Provider specifies the ARN or alias of the CMK (in AWS KMS) used for encryption.
	Provider *string `json:"provider,omitempty"`
	// Resources specifies the resources to be encrypted.
	// NOTE(review): the EKS API has accepted only "secrets" as a value here;
	// confirm against the current EKS documentation before relying on other values.
	Resources []*string `json:"resources,omitempty"`
}

EncryptionConfig specifies the encryption configuration for the EKS cluster.

func (*EncryptionConfig) DeepCopy

func (in *EncryptionConfig) DeepCopy() *EncryptionConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionConfig.

func (*EncryptionConfig) DeepCopyInto

func (in *EncryptionConfig) DeepCopyInto(out *EncryptionConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EndpointAccess

// EndpointAccess specifies how control plane endpoints are accessible.
// All three fields are optional and no default is declared on this type, so
// the effective exposure of the API server depends on what the controller and
// the EKS API apply when a field is left unset.
type EndpointAccess struct {
	// Public controls whether control plane endpoints are publicly accessible
	// +optional
	Public *bool `json:"public,omitempty"`
	// PublicCIDRs specifies which CIDR blocks can access the public endpoint.
	// When the public endpoint is enabled, restrict this list to the networks
	// that need access; verify what is applied when the list is empty, since
	// an unrestricted public endpoint is reachable from any address.
	// +optional
	PublicCIDRs []*string `json:"publicCIDRs,omitempty"`
	// Private points VPC-internal control plane access to the private endpoint
	// +optional
	Private *bool `json:"private,omitempty"`
}

EndpointAccess specifies how control plane endpoints are accessible.

func (*EndpointAccess) DeepCopy

func (in *EndpointAccess) DeepCopy() *EndpointAccess

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointAccess.

func (*EndpointAccess) DeepCopyInto

func (in *EndpointAccess) DeepCopyInto(out *EndpointAccess)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IAMAuthenticatorConfig

// IAMAuthenticatorConfig represents an aws-iam-authenticator configuration.
// Each mapping gives an IAM principal a Kubernetes user name and group
// memberships, so changes to these lists are changes to who can access the
// cluster and should be reviewed like RBAC changes.
type IAMAuthenticatorConfig struct {
	// RoleMappings is a list of role mappings (serialized as "mapRoles").
	// +optional
	RoleMappings []RoleMapping `json:"mapRoles,omitempty"`
	// UserMappings is a list of user mappings (serialized as "mapUsers").
	// +optional
	UserMappings []UserMapping `json:"mapUsers,omitempty"`
}

IAMAuthenticatorConfig represents an aws-iam-authenticator configuration.

func (*IAMAuthenticatorConfig) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IAMAuthenticatorConfig.

func (*IAMAuthenticatorConfig) DeepCopyInto

func (in *IAMAuthenticatorConfig) DeepCopyInto(out *IAMAuthenticatorConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IdentityProviderStatus

// IdentityProviderStatus holds the status for the associated identity provider.
// Both fields are omitted from JSON when empty.
type IdentityProviderStatus struct {
	// ARN holds the ARN of the associated identity provider.
	ARN string `json:"arn,omitempty"`

	// Status holds the current status of the associated identity provider.
	Status string `json:"status,omitempty"`
}

IdentityProviderStatus holds the status for associated identity provider.

func (*IdentityProviderStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderStatus.

func (*IdentityProviderStatus) DeepCopyInto

func (in *IdentityProviderStatus) DeepCopyInto(out *IdentityProviderStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type KubeProxy

// KubeProxy specifies how the kube-proxy daemonset is managed.
type KubeProxy struct {
	// Disable set to true indicates that kube-proxy should be disabled. With EKS clusters
	// kube-proxy is automatically installed into the cluster. For clusters where you want
	// to use kube-proxy functionality that is provided with an alternate CNI, this option
	// provides a way to specify that the kube-proxy daemonset should be deleted. You cannot
	// set this to true if you are using the Amazon kube-proxy addon.
	// The schema default is false, i.e. kube-proxy is left in place.
	// +kubebuilder:default=false
	Disable bool `json:"disable,omitempty"`
}

KubeProxy specifies how the kube-proxy daemonset is managed.

func (*KubeProxy) DeepCopy

func (in *KubeProxy) DeepCopy() *KubeProxy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeProxy.

func (*KubeProxy) DeepCopyInto

func (in *KubeProxy) DeepCopyInto(out *KubeProxy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type KubernetesMapping

// KubernetesMapping represents the kubernetes RBAC mapping: the user name and
// groups that a mapped IAM principal is given inside the cluster. It is
// embedded inline in RoleMapping and UserMapping.
type KubernetesMapping struct {
	// UserName is a kubernetes RBAC user subject.
	UserName string `json:"username"`
	// Groups is a list of kubernetes RBAC groups. Membership of a privileged
	// group such as system:masters confers unrestricted access to the cluster,
	// so mappings into such groups deserve explicit review.
	Groups []string `json:"groups"`
}

KubernetesMapping represents the kubernetes RBAC mapping.

func (*KubernetesMapping) DeepCopy

func (in *KubernetesMapping) DeepCopy() *KubernetesMapping

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesMapping.

func (*KubernetesMapping) DeepCopyInto

func (in *KubernetesMapping) DeepCopyInto(out *KubernetesMapping)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OIDCIdentityProviderConfig

// OIDCIdentityProviderConfig represents the configuration for an OIDC identity
// provider. The claim and prefix fields decide which Kubernetes user and group
// names a token is translated into, so they determine which RBAC bindings can
// match an externally issued identity.
type OIDCIdentityProviderConfig struct {
	// ClientID is also known as audience. The ID for the client application that makes
	// authentication requests to the OpenID identity provider.
	// +kubebuilder:validation:Required
	ClientID string `json:"clientId,omitempty"`

	// GroupsClaim is the JWT claim that the provider uses to return your groups.
	// +optional
	GroupsClaim *string `json:"groupsClaim,omitempty"`

	// GroupsPrefix is the prefix that is prepended to group claims to prevent clashes
	// with existing names (such as system: groups). For example, the value oidc: will
	// create group names like oidc:engineering and oidc:infra.
	// Without a prefix, group names from the token are used as given and can
	// coincide with existing Kubernetes group names.
	// +optional
	GroupsPrefix *string `json:"groupsPrefix,omitempty"`

	// The name of the OIDC provider configuration.
	//
	// IdentityProviderConfigName is a required field
	// +kubebuilder:validation:Required
	IdentityProviderConfigName string `json:"identityProviderConfigName,omitempty"`

	// IssuerURL is the URL of the OpenID identity provider that allows the API server
	// to discover public signing keys for verifying tokens. The URL must begin with https://
	// and should correspond to the iss claim in the provider's OIDC ID tokens.
	// Per the OIDC standard, path components are allowed but query parameters are
	// not. Typically the URL consists of only a hostname, like https://server.example.org
	// or https://example.com. This URL should point to the level below .well-known/openid-configuration
	// and must be publicly accessible over the internet.
	//
	// +kubebuilder:validation:Required
	IssuerURL string `json:"issuerUrl,omitempty"`

	// RequiredClaims holds the key value pairs that describe required claims in the
	// identity token. If set, each claim is verified to be present in the token with a
	// matching value. For the maximum number of claims that you can require, see Amazon
	// EKS service quotas (https://docs.aws.amazon.com/eks/latest/userguide/service-quotas.html)
	// in the Amazon EKS User Guide.
	// +optional
	RequiredClaims map[string]string `json:"requiredClaims,omitempty"`

	// UsernameClaim is the JSON Web Token (JWT) claim to use as the username. The
	// default is sub, which is expected to be a unique identifier of the end user. You
	// can choose other claims, such as email or name, depending on the OpenID identity
	// provider. Claims other than email are prefixed with the issuer URL to prevent
	// naming clashes with other plug-ins.
	// +optional
	UsernameClaim *string `json:"usernameClaim,omitempty"`

	// UsernamePrefix is the prefix that is prepended to username claims to prevent
	// clashes with existing names. If you do not provide this field, and username is a
	// value other than email, the prefix defaults to issuerurl#. You can use the value -
	// to disable all prefixing.
	// With prefixing disabled, a username claim value can coincide with an existing
	// Kubernetes user name, so use - only when the claim values are known not to overlap.
	// +optional
	UsernamePrefix *string `json:"usernamePrefix,omitempty"`

	// Tags are the tags to apply to the OIDC identity provider association.
	// +optional
	Tags infrav1.Tags `json:"tags,omitempty"`
}

OIDCIdentityProviderConfig represents the configuration for an OIDC identity provider.

func (*OIDCIdentityProviderConfig) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProviderConfig.

func (*OIDCIdentityProviderConfig) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OIDCProviderStatus

// OIDCProviderStatus holds the status of the AWS OIDC identity provider.
type OIDCProviderStatus struct {
	// ARN holds the ARN of the provider.
	ARN string `json:"arn,omitempty"`
	// TrustPolicy contains the boilerplate IAM trust policy to use for IRSA.
	// NOTE(review): presumably a template to be specialised per service account;
	// confirm that its conditions are narrowed to the intended service account
	// before attaching it to a role.
	TrustPolicy string `json:"trustPolicy,omitempty"`
}

OIDCProviderStatus holds the status of the AWS OIDC identity provider.

func (*OIDCProviderStatus) DeepCopy

func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderStatus.

func (*OIDCProviderStatus) DeepCopyInto

func (in *OIDCProviderStatus) DeepCopyInto(out *OIDCProviderStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RoleMapping

// RoleMapping represents a mapping from an IAM role to Kubernetes users and groups.
type RoleMapping struct {
	// RoleARN is the AWS ARN for the role to map. The schema marker below
	// enforces only a minimum length of 31 characters; it does not check ARN syntax.
	// +kubebuilder:validation:MinLength:=31
	RoleARN string `json:"rolearn"`
	// KubernetesMapping holds the RBAC details for the mapping. It is embedded,
	// and its fields are serialized inline next to rolearn.
	KubernetesMapping `json:",inline"`
}

RoleMapping represents a mapping from an IAM role to Kubernetes users and groups.

func (*RoleMapping) DeepCopy

func (in *RoleMapping) DeepCopy() *RoleMapping

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleMapping.

func (*RoleMapping) DeepCopyInto

func (in *RoleMapping) DeepCopyInto(out *RoleMapping)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RoleMapping) Validate

func (r *RoleMapping) Validate() []error

Validate will return nil if there are no errors with the role mapping.

type UpgradePolicy added in v2.10.0

type UpgradePolicy string

UpgradePolicy defines the support policy to use for the cluster.

func (UpgradePolicy) String added in v2.10.0

func (e UpgradePolicy) String() string

type UserMapping

// UserMapping represents a mapping from an IAM user to Kubernetes users and groups.
type UserMapping struct {
	// UserARN is the AWS ARN for the user to map. The schema marker below
	// enforces only a minimum length of 31 characters; it does not check ARN syntax.
	// +kubebuilder:validation:MinLength:=31
	UserARN string `json:"userarn"`
	// KubernetesMapping holds the RBAC details for the mapping. It is embedded,
	// and its fields are serialized inline next to userarn.
	KubernetesMapping `json:",inline"`
}

UserMapping represents a mapping from an IAM user to Kubernetes users and groups.

func (*UserMapping) DeepCopy

func (in *UserMapping) DeepCopy() *UserMapping

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserMapping.

func (*UserMapping) DeepCopyInto

func (in *UserMapping) DeepCopyInto(out *UserMapping)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*UserMapping) Validate

func (u *UserMapping) Validate() []error

Validate will return nil if there are no errors with the user mapping.

type VpcCni

// VpcCni specifies configuration related to the VPC CNI.
type VpcCni struct {
	// Disable indicates that the Amazon VPC CNI should be disabled. With EKS clusters the
	// Amazon VPC CNI is automatically installed into the cluster. For clusters where you want
	// to use an alternate CNI this option provides a way to specify that the Amazon VPC CNI
	// should be deleted. You cannot set this to true if you are using the
	// Amazon VPC CNI addon.
	// The schema default is false, i.e. the Amazon VPC CNI is left in place.
	// +kubebuilder:default=false
	Disable bool `json:"disable,omitempty"`
	// Env defines a list of environment variables to apply to the `aws-node` DaemonSet.
	// Literal values set here are stored as part of this object's spec, so
	// avoid placing secret material in them.
	// +optional
	Env []corev1.EnvVar `json:"env,omitempty"`
}

VpcCni specifies configuration related to the VPC CNI.

func (*VpcCni) DeepCopy

func (in *VpcCni) DeepCopy() *VpcCni

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VpcCni.

func (*VpcCni) DeepCopyInto

func (in *VpcCni) DeepCopyInto(out *VpcCni)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
