v1beta1

type AuditPolicyType string

type Condition struct {
	// Type of condition in CamelCase or in foo.example.com/CamelCase.
	// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
	// can be useful (see .node.status.conditions), the ability to deconflict is important.
	// +required
	Type ConditionType `json:"type"`

	// Status of the condition, one of True, False, Unknown.
	// +required
	Status corev1.ConditionStatus `json:"status"`

	// Severity provides an explicit classification of Reason code, so the users or machines can immediately
	// understand the current situation and act accordingly.
	// The Severity field MUST be set only when Status=False.
	// +optional
	Severity ConditionSeverity `json:"severity,omitempty"`

	// Last time the condition transitioned from one status to another.
	// This should be when the underlying condition changed. If that is not known, then using the time when
	// the API field changed is acceptable.
	// +required
	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`

	// The reason for the condition's last transition in CamelCase.
	// The specific API may choose whether this field is considered a guaranteed API.
	// This field may not be empty.
	// +optional
	Reason string `json:"reason,omitempty"`

	// A human readable message indicating details about the transition.
	// This field may be empty.
	// +optional
	Message string `json:"message,omitempty"`
}

type ConditionSeverity string

type ConditionType string

type Conditions []Condition

type JsPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   JsPolicySpec   `json:"spec,omitempty"`
	Status JsPolicyStatus `json:"status,omitempty"`
}

type JsPolicyBundle struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   JsPolicyBundleSpec   `json:"spec,omitempty"`
	Status JsPolicyBundleStatus `json:"status,omitempty"`
}

type JsPolicyBundleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []JsPolicyBundle `json:"items"`
}

type JsPolicyBundleSpec struct {
	// Bundle holds the bundled payload (including dependencies and minified javascript code)
	// +optional
	Bundle []byte `json:"bundle,omitempty"`
}

type JsPolicyBundleStatus struct {
}

type JsPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []JsPolicy `json:"items"`
}

type JsPolicySpec struct {
	// Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
	// for all of those operations and any future admission operations that are added.
	// If '*' is present, the length of the slice must be one.
	// Required.
	Operations []admissionregistrationv1.OperationType `json:"operations,omitempty" protobuf:"bytes,1,rep,name=operations,casttype=OperationType"`

	// Resources is a list of resources this rule applies to.
	//
	// For example:
	// 'pods' means pods.
	// 'pods/log' means the log subresource of pods.
	// '*' means all resources, but not subresources.
	// 'pods/*' means all subresources of pods.
	// '*/scale' means all scale subresources.
	// '*/*' means all resources and their subresources.
	//
	// If wildcard is present, the validation rule will ensure resources do not
	// overlap with each other.
	//
	// Depending on the enclosing object, subresources might not be allowed.
	// Required.
	Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`

	// APIGroups is the API groups the resources belong to. '*' is all groups.
	// If '*' is present, the length of the slice must be one.
	// +optional
	APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,1,rep,name=apiGroups"`

	// APIVersions is the API versions the resources belong to. '*' is all versions.
	// If '*' is present, the length of the slice must be one.
	// +optional
	APIVersions []string `json:"apiVersions,omitempty" protobuf:"bytes,2,rep,name=apiVersions"`

	// scope specifies the scope of this rule.
	// Valid values are "Cluster", "Namespaced", and "*"
	// "Cluster" means that only cluster-scoped resources will match this rule.
	// Namespace API objects are cluster-scoped.
	// "Namespaced" means that only namespaced resources will match this rule.
	// "*" means that there are no scope restrictions.
	// Subresources match the scope of their parent resource.
	// Default is "*".
	//
	// +optional
	Scope *admissionregistrationv1.ScopeType `json:"scope,omitempty" protobuf:"bytes,4,rep,name=scope"`

	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
	// allowed values are Ignore or Fail. Defaults to Fail.
	// +optional
	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty" protobuf:"bytes,4,opt,name=failurePolicy,casttype=FailurePolicyType"`

	// matchPolicy defines how the "rules" list is used to match incoming requests.
	// Allowed values are "Exact" or "Equivalent".
	//
	// - Exact: match a request only if it exactly matches a specified rule.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
	//
	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
	//
	// Defaults to "Equivalent"
	// +optional
	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty" protobuf:"bytes,9,opt,name=matchPolicy,casttype=MatchPolicyType"`

	// NamespaceSelector decides whether to run the webhook on an object based
	// on whether the namespace for that object matches the selector. If the
	// object itself is a namespace, the matching is performed on
	// object.metadata.labels. If the object is another cluster scoped resource,
	// it never skips the webhook.
	//
	// For example, to run the webhook on any objects whose namespace is not
	// associated with "runlevel" of "0" or "1";  you will set the selector as
	// follows:
	// "namespaceSelector": {
	//   "matchExpressions": [
	//     {
	//       "key": "runlevel",
	//       "operator": "NotIn",
	//       "values": [
	//         "0",
	//         "1"
	//       ]
	//     }
	//   ]
	// }
	//
	// If instead you want to only run the webhook on any objects whose
	// namespace is associated with the "environment" of "prod" or "staging";
	// you will set the selector as follows:
	// "namespaceSelector": {
	//   "matchExpressions": [
	//     {
	//       "key": "environment",
	//       "operator": "In",
	//       "values": [
	//         "prod",
	//         "staging"
	//       ]
	//     }
	//   ]
	// }
	//
	// See
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
	// for more examples of label selectors.
	//
	// Default to the empty LabelSelector, which matches everything.
	// +optional
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,5,opt,name=namespaceSelector"`

	// ObjectSelector decides whether to run the webhook based on if the
	// object has matching labels. objectSelector is evaluated against both
	// the oldObject and newObject that would be sent to the webhook, and
	// is considered to match if either object matches the selector. A null
	// object (oldObject in the case of create, or newObject in the case of
	// delete) or an object that cannot have labels (like a
	// DeploymentRollback or a PodProxyOptions object) is not considered to
	// match.
	// Use the object selector only if the webhook is opt-in, because end
	// users may skip the admission webhook by setting the labels.
	// Default to the empty LabelSelector, which matches everything.
	// +optional
	ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty" protobuf:"bytes,10,opt,name=objectSelector"`

	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
	// the webhook call will be ignored or the API call will fail based on the
	// failure policy.
	// The timeout value must be between 1 and 30 seconds.
	// Default to 10 seconds.
	// +optional
	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty" protobuf:"varint,7,opt,name=timeoutSeconds"`

	// Violation policy describes how violations should be handled. You can either specify deny (which is the default),
	// warn or dry.
	// +optional
	ViolationPolicy *ViolationPolicyType `json:"violationPolicy,omitempty"`

	// AuditPolicy defines if violations should be logged to the webhook status or not. By default, violations
	// will be logged to the CRD status.
	// +optional
	AuditPolicy *AuditPolicyType `json:"auditPolicy,omitempty"`

	// AuditLogSize defines how many violations should be logged in the status. Defaults to 10
	// +optional
	AuditLogSize *int32 `json:"auditLogSize,omitempty"`

	// Type defines what kind of policy the object represents. Valid values are Validating, Mutating and
	// Controller. Defaults to Validating.
	// +optional
	Type PolicyType `json:"type,omitempty"`

	// Dependencies is a map of npm modules this webhook should be bundled with
	// +optional
	Dependencies map[string]string `json:"dependencies,omitempty"`

	// JavaScript is the payload of the webhook that will be executed. If this is not defined,
	// jsPolicy expects the user to create a JsPolicyBundle for this policy.
	// +optional
	JavaScript string `json:"javascript,omitempty"`
}

type JsPolicyStatus struct {
	// Phase describes how the syncing status of the webhook is
	// +optional
	Phase WebhookPhase `json:"phase,omitempty"`

	// Reason holds the error in machine-readable language if the webhook is in a failed state
	// +optional
	Reason string `json:"reason,omitempty"`

	// Message describes the error in human-readable language if the webhook is in a failed state
	// +optional
	Message string `json:"message,omitempty"`

	// Conditions holds several conditions the virtual cluster might be in
	// +optional
	Conditions Conditions `json:"conditions,omitempty"`

	// ObservedGeneration is the latest generation observed by the controller.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// BundleHash is used to determine if we have to re-bundle the javascript
	// +optional
	BundleHash string `json:"bundleHash,omitempty"`
}

type JsPolicyViolations struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   JsPolicyViolationsSpec   `json:"spec,omitempty"`
	Status JsPolicyViolationsStatus `json:"status,omitempty"`
}

type JsPolicyViolationsList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []JsPolicyViolations `json:"items"`
}

type JsPolicyViolationsSpec struct {
}

type JsPolicyViolationsStatus struct {
	// Violations is an array of violations that were recorded by the webhook
	// +optional
	Violations []PolicyViolation `json:"violations,omitempty"`
}

type PolicyType string

type PolicyViolation struct {
	// Action holds the the action type the webhook reacted with
	// +optional
	Action string `json:"action,omitempty"`

	// Code is the error code that was returned to the client
	// +optional
	Code int32 `json:"code,omitempty"`

	// Reason is the error reason that was returned to the client
	// +optional
	Reason string `json:"reason,omitempty"`

	// Message holds the message that was sent to the client
	// +optional
	Message string `json:"message,omitempty"`

	// The request this violation is about
	// +optional
	RequestInfo *RequestInfo `json:"requestInfo,omitempty"`

	// The user that sent the request
	// +optional
	UserInfo *UserInfo `json:"userInfo,omitempty"`

	// The timestamp when this violation has occurred
	// +optional
	Timestamp metav1.Time `json:"timestamp,omitempty"`
}

type RequestInfo struct {
	// Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
	// rely on the server to generate the name. If that is the case, this field will contain an empty string.
	// +optional
	Name string `json:"name,omitempty"`
	// Namespace is the namespace associated with the request (if any).
	// +optional
	Namespace string `json:"namespace,omitempty"`
	// Kind is the type of object being submitted (for example, Pod or Deployment)
	// +optional
	Kind string `json:"kind,omitempty"`
	// Kind is the type of object being submitted (for example, Pod or Deployment)
	// +optional
	APIVersion string `json:"apiVersion,omitempty"`
	// Operation is the operation being performed. This may be different than the operation
	// requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
	// +optional
	Operation admissionv1.Operation `json:"operation,omitempty"`
}

type UserInfo struct {
	// The name that uniquely identifies this user among all active users.
	// +optional
	Username string `json:"username,omitempty" protobuf:"bytes,1,opt,name=username"`
	// A unique value that identifies this user across time. If this user is
	// deleted and another user by the same name is added, they will have
	// different UIDs.
	// +optional
	UID string `json:"uid,omitempty" protobuf:"bytes,2,opt,name=uid"`
}

type ViolationPolicyType string

type WebhookPhase string