v1alpha1

type Connector struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// ConnectorSpec describes the desired Tailscale component.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	Spec ConnectorSpec `json:"spec"`

	// ConnectorStatus describes the status of the Connector. This is set
	// and managed by the Tailscale operator.
	// +optional
	Status ConnectorStatus `json:"status"`
}

type ConnectorCondition struct {
	// Type of the condition, known values are (`SubnetRouterReady`).
	Type ConnectorConditionType `json:"type"`

	// Status of the condition, one of ('True', 'False', 'Unknown').
	Status metav1.ConditionStatus `json:"status"`

	// LastTransitionTime is the timestamp corresponding to the last status
	// change of this condition.
	// +optional
	LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`

	// Reason is a brief machine readable explanation for the condition's last
	// transition.
	// +optional
	Reason string `json:"reason,omitempty"`

	// Message is a human readable description of the details of the last
	// transition, complementing reason.
	// +optional
	Message string `json:"message,omitempty"`

	// If set, this represents the .metadata.generation that the condition was
	// set based upon.
	// For instance, if .metadata.generation is currently 12, but the
	// .status.condition[x].observedGeneration is 9, the condition is out of date
	// with respect to the current state of the Connector.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}

type ConnectorConditionType string

type ConnectorList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	Items []Connector `json:"items"`
}

type ConnectorSpec struct {
	// Tags that the Tailscale node will be tagged with.
	// Defaults to [tag:k8s].
	// To autoapprove the subnet routes or exit node defined by a Connector,
	// you can configure Tailscale ACLs to give these tags the necessary
	// permissions.
	// See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes.
	// If you specify custom tags here, you must also make the operator an owner of these tags.
	// See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.
	// Tags cannot be changed once a Connector node has been created.
	// Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
	// +optional
	Tags Tags `json:"tags,omitempty"`
	// Hostname is the tailnet hostname that should be assigned to the
	// Connector node. If unset, hostname defaults to <connector
	// name>-connector. Hostname can contain lower case letters, numbers and
	// dashes, it must not start or end with a dash and must be between 2
	// and 63 characters long.
	// +optional
	Hostname Hostname `json:"hostname,omitempty"`
	// ProxyClass is the name of the ProxyClass custom resource that
	// contains configuration options that should be applied to the
	// resources created for this Connector. If unset, the operator will
	// create resources with the default configuration.
	// +optional
	ProxyClass string `json:"proxyClass,omitempty"`
	// SubnetRouter defines subnet routes that the Connector node should
	// expose to tailnet. If unset, none are exposed.
	// https://tailscale.com/kb/1019/subnets/
	// +optional
	SubnetRouter *SubnetRouter `json:"subnetRouter"`
	// ExitNode defines whether the Connector node should act as a
	// Tailscale exit node. Defaults to false.
	// https://tailscale.com/kb/1103/exit-nodes
	// +optional
	ExitNode bool `json:"exitNode"`
}

type ConnectorStatus struct {
	// List of status conditions to indicate the status of the Connector.
	// Known condition types are `ConnectorReady`.
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []ConnectorCondition `json:"conditions"`
	// SubnetRoutes are the routes currently exposed to tailnet via this
	// Connector instance.
	// +optional
	SubnetRoutes string `json:"subnetRoutes"`
	// IsExitNode is set to true if the Connector acts as an exit node.
	// +optional
	IsExitNode bool `json:"isExitNode"`
	// TailnetIPs is the set of tailnet IP addresses (both IPv4 and IPv6)
	// assigned to the Connector node.
	// +optional
	TailnetIPs []string `json:"tailnetIPs,omitempty"`
	// Hostname is the fully qualified domain name of the Connector node.
	// If MagicDNS is enabled in your tailnet, it is the MagicDNS name of the
	// node.
	// +optional
	Hostname string `json:"hostname,omitempty"`
}

type Container struct {
	// List of environment variables to set in the container.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables
	// Note that environment variables provided here will take precedence
	// over Tailscale-specific environment variables set by the operator,
	// however running proxies with custom values for Tailscale environment
	// variables (i.e TS_USERSPACE) is not recommended and might break in
	// the future.
	// +optional
	Env []Env `json:"env,omitempty"`
	// Container image name. By default images are pulled from
	// docker.io/tailscale/tailscale, but the official images are also
	// available at ghcr.io/tailscale/tailscale. Specifying image name here
	// will override any proxy image values specified via the Kubernetes
	// operator's Helm chart values or PROXY_IMAGE env var in the operator
	// Deployment.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image
	// +optional
	Image string `json:"image,omitempty"`
	// Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image
	// +kubebuilder:validation:Enum=Always;Never;IfNotPresent
	// +optional
	ImagePullPolicy corev1.PullPolicy `json:"imagePullPolicy,omitempty"`
	// Container resource requirements.
	// By default Tailscale Kubernetes operator does not apply any resource
	// requirements. The amount of resources required wil depend on the
	// amount of resources the operator needs to parse, usage patterns and
	// cluster size.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources
	// +optional
	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
	// Container security context.
	// Security context specified here will override the security context by the operator.
	// By default the operator:
	// - sets 'privileged: true' for the init container
	// - set NET_ADMIN capability for tailscale container for proxies that
	// are created for Services or Connector.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context
	// +optional
	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
}

type DNSConfig struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec describes the desired DNS configuration.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	Spec DNSConfigSpec `json:"spec"`

	// Status describes the status of the DNSConfig. This is set
	// and managed by the Tailscale operator.
	// +optional
	Status DNSConfigStatus `json:"status"`
}

type DNSConfigList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	Items []DNSConfig `json:"items"`
}

type DNSConfigSpec struct {
	// Configuration for a nameserver that can resolve ts.net DNS names
	// associated with in-cluster proxies for Tailscale egress Services and
	// Tailscale Ingresses. The operator will always deploy this nameserver
	// when a DNSConfig is applied.
	Nameserver *Nameserver `json:"nameserver"`
}

type DNSConfigStatus struct {
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []ConnectorCondition `json:"conditions"`
	// Nameserver describes the status of nameserver cluster resources.
	// +optional
	Nameserver *NameserverStatus `json:"nameserver"`
}

type Env struct {
	// Name of the environment variable. Must be a C_IDENTIFIER.
	Name Name `json:"name"`
	// Variable references $(VAR_NAME) are expanded using the previously defined
	//  environment variables in the container and any service environment
	// variables. If a variable cannot be resolved, the reference in the input
	// string will be unchanged. Double $$ are reduced to a single $, which
	// allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
	// produce the string literal "$(VAR_NAME)". Escaped references will never
	// be expanded, regardless of whether the variable exists or not. Defaults
	// to "".
	// +optional
	Value string `json:"value,omitempty"`
}

type Hostname string

type Image struct {
	// Repo defaults to tailscale/k8s-nameserver.
	// +optional
	Repo string `json:"repo,omitempty"`
	// Tag defaults to operator's own tag.
	// +optional
	Tag string `json:"tag,omitempty"`
}

type Metrics struct {
	// Setting enable to true will make the proxy serve Tailscale metrics
	// at <pod-ip>:9001/debug/metrics.
	// Defaults to false.
	Enable bool `json:"enable"`
}

type Name string

type Nameserver struct {
	// Nameserver image.
	// +optional
	Image *Image `json:"image,omitempty"`
}

type NameserverStatus struct {
	// IP is the ClusterIP of the Service fronting the deployed ts.net nameserver.
	// Currently you must manually update your cluster DNS config to add
	// this address as a stub nameserver for ts.net for cluster workloads to be
	// able to resolve MagicDNS names associated with egress or Ingress
	// proxies.
	// The IP address will change if you delete and recreate the DNSConfig.
	// +optional
	IP string `json:"ip"`
}

type Pod struct {
	// Labels that will be added to the proxy Pod.
	// Any labels specified here will be merged with the default labels
	// applied to the Pod by the Tailscale Kubernetes operator.
	// Label keys and values must be valid Kubernetes label keys and values.
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
	// Annotations that will be added to the proxy Pod.
	// Any annotations specified here will be merged with the default
	// annotations applied to the Pod by the Tailscale Kubernetes operator.
	// Annotations must be valid Kubernetes annotations.
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
	// Proxy Pod's affinity rules.
	// By default, the Tailscale Kubernetes operator does not apply any affinity rules.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#affinity
	// +optional
	Affinity *corev1.Affinity `json:"affinity,omitempty"`
	// Configuration for the proxy container running tailscale.
	// +optional
	TailscaleContainer *Container `json:"tailscaleContainer,omitempty"`
	// Configuration for the proxy init container that enables forwarding.
	// +optional
	TailscaleInitContainer *Container `json:"tailscaleInitContainer,omitempty"`
	// Proxy Pod's security context.
	// By default Tailscale Kubernetes operator does not apply any Pod
	// security context.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-2
	// +optional
	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
	// Proxy Pod's image pull Secrets.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
	// +optional
	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
	// Proxy Pod's node name.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
	// +optional
	NodeName string `json:"nodeName,omitempty"`
	// Proxy Pod's node selector.
	// By default Tailscale Kubernetes operator does not apply any node
	// selector.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
	// +optional
	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
	// Proxy Pod's tolerations.
	// By default Tailscale Kubernetes operator does not apply any
	// tolerations.
	// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
	// +optional
	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
}

type ProxyClass struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Specification of the desired state of the ProxyClass resource.
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	Spec ProxyClassSpec `json:"spec"`

	// +optional
	// Status of the ProxyClass. This is set and managed automatically.
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	Status ProxyClassStatus `json:"status"`
}

type ProxyClassList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	Items []ProxyClass `json:"items"`
}

type ProxyClassSpec struct {
	// Configuration parameters for the proxy's StatefulSet. Tailscale
	// Kubernetes operator deploys a StatefulSet for each of the user
	// configured proxies (Tailscale Ingress, Tailscale Service, Connector).
	// +optional
	StatefulSet *StatefulSet `json:"statefulSet"`
	// Configuration for proxy metrics. Metrics are currently not supported
	// for egress proxies and for Ingress proxies that have been configured
	// with tailscale.com/experimental-forward-cluster-traffic-via-ingress
	// annotation. Note that the metrics are currently considered unstable
	// and will likely change in breaking ways in the future - we only
	// recommend that you use those for debugging purposes.
	// +optional
	Metrics *Metrics `json:"metrics,omitempty"`
	// TailscaleConfig contains options to configure the tailscale-specific
	// parameters of proxies.
	// +optional
	TailscaleConfig *TailscaleConfig `json:"tailscale,omitempty"`
}

type ProxyClassStatus struct {
	// List of status conditions to indicate the status of the ProxyClass.
	// Known condition types are `ProxyClassReady`.
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []ConnectorCondition `json:"conditions,omitempty"`
}

type Route string

type Routes []Route

type StatefulSet struct {
	// Labels that will be added to the StatefulSet created for the proxy.
	// Any labels specified here will be merged with the default labels
	// applied to the StatefulSet by the Tailscale Kubernetes operator as
	// well as any other labels that might have been applied by other
	// actors.
	// Label keys and values must be valid Kubernetes label keys and values.
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
	// Annotations that will be added to the StatefulSet created for the proxy.
	// Any Annotations specified here will be merged with the default annotations
	// applied to the StatefulSet by the Tailscale Kubernetes operator as
	// well as any other annotations that might have been applied by other
	// actors.
	// Annotations must be valid Kubernetes annotations.
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
	// Configuration for the proxy Pod.
	// +optional
	Pod *Pod `json:"pod,omitempty"`
}

type SubnetRouter struct {
	// AdvertiseRoutes refer to CIDRs that the subnet router should make
	// available. Route values must be strings that represent a valid IPv4
	// or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes.
	// https://tailscale.com/kb/1201/4via6-subnets/
	AdvertiseRoutes Routes `json:"advertiseRoutes"`
}

type Tag string

type Tags []Tag

type TailscaleConfig struct {
	// AcceptRoutes can be set to true to make the proxy instance accept
	// routes advertized by other nodes on the tailnet, such as subnet
	// routes.
	// This is equivalent of passing --accept-routes flag to a tailscale Linux client.
	// https://tailscale.com/kb/1019/subnets#use-your-subnet-routes-from-other-machines
	// Defaults to false.
	AcceptRoutes bool `json:"acceptRoutes,omitempty"`
}