v1alpha1

type Attestor struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              AttestorSpec   `json:"spec,omitempty"`
	Status            AttestorStatus `json:"status,omitempty"`
}

type AttestorIamBinding struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              AttestorIamBindingSpec   `json:"spec,omitempty"`
	Status            AttestorIamBindingStatus `json:"status,omitempty"`
}

type AttestorIamBindingList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items is a list of AttestorIamBinding CRD objects
	Items []AttestorIamBinding `json:"items,omitempty"`
}

type AttestorIamBindingSpec struct {
	State *AttestorIamBindingSpecResource `json:"state,omitempty" tf:"-"`

	Resource AttestorIamBindingSpecResource `json:"resource" tf:"resource"`

	UpdatePolicy base.UpdatePolicy `json:"updatePolicy,omitempty" tf:"-"`

	TerminationPolicy base.TerminationPolicy `json:"terminationPolicy,omitempty" tf:"-"`

	ProviderRef core.LocalObjectReference `json:"providerRef" tf:"-"`

	BackendRef *core.LocalObjectReference `json:"backendRef,omitempty" tf:"-"`
}

type AttestorIamBindingSpecCondition struct {
	// +optional
	Description *string `json:"description,omitempty" tf:"description"`
	Expression  *string `json:"expression" tf:"expression"`
	Title       *string `json:"title" tf:"title"`
}

type AttestorIamBindingSpecConditionCodec struct {
}

type AttestorIamBindingSpecResource struct {
	ID string `json:"id,omitempty" tf:"id,omitempty"`

	Attestor *string `json:"attestor" tf:"attestor"`
	// +optional
	Condition *AttestorIamBindingSpecCondition `json:"condition,omitempty" tf:"condition"`
	// +optional
	Etag    *string  `json:"etag,omitempty" tf:"etag"`
	Members []string `json:"members" tf:"members"`
	// +optional
	Project *string `json:"project,omitempty" tf:"project"`
	Role    *string `json:"role" tf:"role"`
}

type AttestorIamBindingStatus struct {
	// Resource generation, which is updated on mutation by the API Server.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
	// +optional
	Phase status.Status `json:"phase,omitempty"`
	// +optional
	Conditions []kmapi.Condition `json:"conditions,omitempty"`
}

type AttestorIamMember struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              AttestorIamMemberSpec   `json:"spec,omitempty"`
	Status            AttestorIamMemberStatus `json:"status,omitempty"`
}

type AttestorIamMemberList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items is a list of AttestorIamMember CRD objects
	Items []AttestorIamMember `json:"items,omitempty"`
}

type AttestorIamMemberSpec struct {
	State *AttestorIamMemberSpecResource `json:"state,omitempty" tf:"-"`

	Resource AttestorIamMemberSpecResource `json:"resource" tf:"resource"`

	UpdatePolicy base.UpdatePolicy `json:"updatePolicy,omitempty" tf:"-"`

	TerminationPolicy base.TerminationPolicy `json:"terminationPolicy,omitempty" tf:"-"`

	ProviderRef core.LocalObjectReference `json:"providerRef" tf:"-"`

	BackendRef *core.LocalObjectReference `json:"backendRef,omitempty" tf:"-"`
}

type AttestorIamMemberSpecCondition struct {
	// +optional
	Description *string `json:"description,omitempty" tf:"description"`
	Expression  *string `json:"expression" tf:"expression"`
	Title       *string `json:"title" tf:"title"`
}

type AttestorIamMemberSpecConditionCodec struct {
}

type AttestorIamMemberSpecResource struct {
	ID string `json:"id,omitempty" tf:"id,omitempty"`

	Attestor *string `json:"attestor" tf:"attestor"`
	// +optional
	Condition *AttestorIamMemberSpecCondition `json:"condition,omitempty" tf:"condition"`
	// +optional
	Etag   *string `json:"etag,omitempty" tf:"etag"`
	Member *string `json:"member" tf:"member"`
	// +optional
	Project *string `json:"project,omitempty" tf:"project"`
	Role    *string `json:"role" tf:"role"`
}

type AttestorIamMemberStatus struct {
	// Resource generation, which is updated on mutation by the API Server.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
	// +optional
	Phase status.Status `json:"phase,omitempty"`
	// +optional
	Conditions []kmapi.Condition `json:"conditions,omitempty"`
}

type AttestorIamPolicy struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              AttestorIamPolicySpec   `json:"spec,omitempty"`
	Status            AttestorIamPolicyStatus `json:"status,omitempty"`
}

type AttestorIamPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items is a list of AttestorIamPolicy CRD objects
	Items []AttestorIamPolicy `json:"items,omitempty"`
}

type AttestorIamPolicySpec struct {
	State *AttestorIamPolicySpecResource `json:"state,omitempty" tf:"-"`

	Resource AttestorIamPolicySpecResource `json:"resource" tf:"resource"`

	UpdatePolicy base.UpdatePolicy `json:"updatePolicy,omitempty" tf:"-"`

	TerminationPolicy base.TerminationPolicy `json:"terminationPolicy,omitempty" tf:"-"`

	ProviderRef core.LocalObjectReference `json:"providerRef" tf:"-"`

	BackendRef *core.LocalObjectReference `json:"backendRef,omitempty" tf:"-"`
}

type AttestorIamPolicySpecResource struct {
	ID string `json:"id,omitempty" tf:"id,omitempty"`

	Attestor *string `json:"attestor" tf:"attestor"`
	// +optional
	Etag       *string `json:"etag,omitempty" tf:"etag"`
	PolicyData *string `json:"policyData" tf:"policy_data"`
	// +optional
	Project *string `json:"project,omitempty" tf:"project"`
}

type AttestorIamPolicyStatus struct {
	// Resource generation, which is updated on mutation by the API Server.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
	// +optional
	Phase status.Status `json:"phase,omitempty"`
	// +optional
	Conditions []kmapi.Condition `json:"conditions,omitempty"`
}

type AttestorList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items is a list of Attestor CRD objects
	Items []Attestor `json:"items,omitempty"`
}

type AttestorSpec struct {
	State *AttestorSpecResource `json:"state,omitempty" tf:"-"`

	Resource AttestorSpecResource `json:"resource" tf:"resource"`

	UpdatePolicy base.UpdatePolicy `json:"updatePolicy,omitempty" tf:"-"`

	TerminationPolicy base.TerminationPolicy `json:"terminationPolicy,omitempty" tf:"-"`

	ProviderRef core.LocalObjectReference `json:"providerRef" tf:"-"`

	BackendRef *core.LocalObjectReference `json:"backendRef,omitempty" tf:"-"`
}

type AttestorSpecAttestationAuthorityNote struct {
	// This field will contain the service account email address that
	// this Attestor will use as the principal when querying Container
	// Analysis. Attestor administrators must grant this service account
	// the IAM role needed to read attestations from the noteReference in
	// Container Analysis (containeranalysis.notes.occurrences.viewer).
	// This email address is fixed for the lifetime of the Attestor, but
	// callers should not make any other assumptions about the service
	// account email; future versions may use an email based on a
	// different naming pattern.
	// +optional
	DelegationServiceAccountEmail *string `json:"delegationServiceAccountEmail,omitempty" tf:"delegation_service_account_email"`
	// The resource name of a ATTESTATION_AUTHORITY Note, created by the
	// user. If the Note is in a different project from the Attestor, it
	// should be specified in the format 'projects/*/notes/*' (or the legacy
	// 'providers/*/notes/*'). This field may not be updated.
	// An attestation by this attestor is stored as a Container Analysis
	// ATTESTATION_AUTHORITY Occurrence that names a container image
	// and that links to this Note.
	NoteReference *string `json:"noteReference" tf:"note_reference"`
	// Public keys that verify attestations signed by this attestor. This
	// field may be updated.
	// If this field is non-empty, one of the specified public keys must
	// verify that an attestation was signed by this attestor for the
	// image specified in the admission request.
	// If this field is empty, this attestor always returns that no valid
	// attestations exist.
	// +optional
	PublicKeys []AttestorSpecAttestationAuthorityNotePublicKeys `json:"publicKeys,omitempty" tf:"public_keys"`
}

type AttestorSpecAttestationAuthorityNoteCodec struct {
}

type AttestorSpecAttestationAuthorityNotePublicKeys struct {
	// ASCII-armored representation of a PGP public key, as the
	// entire output by the command
	// 'gpg --export --armor foo@example.com' (either LF or CRLF
	// line endings). When using this field, id should be left
	// blank. The BinAuthz API handlers will calculate the ID
	// and fill it in automatically. BinAuthz computes this ID
	// as the OpenPGP RFC4880 V4 fingerprint, represented as
	// upper-case hex. If id is provided by the caller, it will
	// be overwritten by the API-calculated ID.
	// +optional
	AsciiArmoredPgpPublicKey *string `json:"asciiArmoredPgpPublicKey,omitempty" tf:"ascii_armored_pgp_public_key"`
	// A descriptive comment. This field may be updated.
	// +optional
	Comment *string `json:"comment,omitempty" tf:"comment"`
	// The ID of this public key. Signatures verified by BinAuthz
	// must include the ID of the public key that can be used to
	// verify them, and that ID must match the contents of this
	// field exactly. Additional restrictions on this field can
	// be imposed based on which public key type is encapsulated.
	// See the documentation on publicKey cases below for details.
	// +optional
	ID *string `json:"ID,omitempty" tf:"id"`
	// A raw PKIX SubjectPublicKeyInfo format public key.
	//
	// NOTE: id may be explicitly provided by the caller when using this
	// type of public key, but it MUST be a valid RFC3986 URI. If id is left
	// blank, a default one will be computed based on the digest of the DER
	// encoding of the public key.
	// +optional
	PkixPublicKey *AttestorSpecAttestationAuthorityNotePublicKeysPkixPublicKey `json:"pkixPublicKey,omitempty" tf:"pkix_public_key"`
}

type AttestorSpecAttestationAuthorityNotePublicKeysPkixPublicKey struct {
	// A PEM-encoded public key, as described in
	// 'https://tools.ietf.org/html/rfc7468#section-13'
	// +optional
	PublicKeyPem *string `json:"publicKeyPem,omitempty" tf:"public_key_pem"`
	// The signature algorithm used to verify a message against
	// a signature using this key. These signature algorithm must
	// match the structure and any object identifiers encoded in
	// publicKeyPem (i.e. this algorithm must match that of the
	// public key).
	// +optional
	SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty" tf:"signature_algorithm"`
}

type AttestorSpecAttestationAuthorityNotePublicKeysPkixPublicKeyCodec struct {
}

type AttestorSpecResource struct {
	Timeouts *base.ResourceTimeout `json:"timeouts,omitempty" tf:"timeouts"`

	ID string `json:"id,omitempty" tf:"id,omitempty"`

	// A Container Analysis ATTESTATION_AUTHORITY Note, created by the user.
	AttestationAuthorityNote *AttestorSpecAttestationAuthorityNote `json:"attestationAuthorityNote" tf:"attestation_authority_note"`
	// A descriptive comment. This field may be updated. The field may be
	// displayed in chooser dialogs.
	// +optional
	Description *string `json:"description,omitempty" tf:"description"`
	// The resource name.
	Name *string `json:"name" tf:"name"`
	// +optional
	Project *string `json:"project,omitempty" tf:"project"`
}

type AttestorStatus struct {
	// Resource generation, which is updated on mutation by the API Server.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
	// +optional
	Phase status.Status `json:"phase,omitempty"`
	// +optional
	Conditions []kmapi.Condition `json:"conditions,omitempty"`
}

type Policy struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              PolicySpec   `json:"spec,omitempty"`
	Status            PolicyStatus `json:"status,omitempty"`
}

type PolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items is a list of Policy CRD objects
	Items []Policy `json:"items,omitempty"`
}

type PolicySpec struct {
	State *PolicySpecResource `json:"state,omitempty" tf:"-"`

	Resource PolicySpecResource `json:"resource" tf:"resource"`

	UpdatePolicy base.UpdatePolicy `json:"updatePolicy,omitempty" tf:"-"`

	TerminationPolicy base.TerminationPolicy `json:"terminationPolicy,omitempty" tf:"-"`

	ProviderRef core.LocalObjectReference `json:"providerRef" tf:"-"`

	BackendRef *core.LocalObjectReference `json:"backendRef,omitempty" tf:"-"`
}

type PolicySpecAdmissionWhitelistPatterns struct {
	// An image name pattern to whitelist, in the form
	// 'registry/path/to/image'. This supports a trailing * as a
	// wildcard, but this is allowed only in text after the registry/
	// part.
	NamePattern *string `json:"namePattern" tf:"name_pattern"`
}

type PolicySpecClusterAdmissionRules struct {
	Cluster *string `json:"cluster" tf:"cluster"`
	// The action when a pod creation is denied by the admission rule. Possible values: ["ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"]
	EnforcementMode *string `json:"enforcementMode" tf:"enforcement_mode"`
	// How this admission rule will be evaluated. Possible values: ["ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"]
	EvaluationMode *string `json:"evaluationMode" tf:"evaluation_mode"`
	// The resource names of the attestors that must attest to a
	// container image. If the attestor is in a different project from the
	// policy, it should be specified in the format 'projects/*/attestors/*'.
	// Each attestor must exist before a policy can reference it. To add an
	// attestor to a policy the principal issuing the policy change
	// request must be able to read the attestor resource.
	//
	// Note: this field must be non-empty when the evaluation_mode field
	// specifies REQUIRE_ATTESTATION, otherwise it must be empty.
	// +optional
	RequireAttestationsBy []string `json:"requireAttestationsBy,omitempty" tf:"require_attestations_by"`
}

type PolicySpecDefaultAdmissionRule struct {
	// The action when a pod creation is denied by the admission rule. Possible values: ["ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"]
	EnforcementMode *string `json:"enforcementMode" tf:"enforcement_mode"`
	// How this admission rule will be evaluated. Possible values: ["ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"]
	EvaluationMode *string `json:"evaluationMode" tf:"evaluation_mode"`
	// The resource names of the attestors that must attest to a
	// container image. If the attestor is in a different project from the
	// policy, it should be specified in the format 'projects/*/attestors/*'.
	// Each attestor must exist before a policy can reference it. To add an
	// attestor to a policy the principal issuing the policy change
	// request must be able to read the attestor resource.
	//
	// Note: this field must be non-empty when the evaluation_mode field
	// specifies REQUIRE_ATTESTATION, otherwise it must be empty.
	// +optional
	RequireAttestationsBy []string `json:"requireAttestationsBy,omitempty" tf:"require_attestations_by"`
}

type PolicySpecDefaultAdmissionRuleCodec struct {
}

type PolicySpecResource struct {
	Timeouts *base.ResourceTimeout `json:"timeouts,omitempty" tf:"timeouts"`

	ID string `json:"id,omitempty" tf:"id,omitempty"`

	// A whitelist of image patterns to exclude from admission rules. If an
	// image's name matches a whitelist pattern, the image's admission
	// requests will always be permitted regardless of your admission rules.
	// +optional
	AdmissionWhitelistPatterns []PolicySpecAdmissionWhitelistPatterns `json:"admissionWhitelistPatterns,omitempty" tf:"admission_whitelist_patterns"`
	// Per-cluster admission rules. An admission rule specifies either that
	// all container images used in a pod creation request must be attested
	// to by one or more attestors, that all pod creations will be allowed,
	// or that all pod creations will be denied. There can be at most one
	// admission rule per cluster spec.
	//
	//
	// Identifier format: '{{location}}.{{clusterId}}'.
	// A location is either a compute zone (e.g. 'us-central1-a') or a region
	// (e.g. 'us-central1').
	// +optional
	ClusterAdmissionRules []PolicySpecClusterAdmissionRules `json:"clusterAdmissionRules,omitempty" tf:"cluster_admission_rules"`
	// Default admission rule for a cluster without a per-cluster admission
	// rule.
	DefaultAdmissionRule *PolicySpecDefaultAdmissionRule `json:"defaultAdmissionRule" tf:"default_admission_rule"`
	// A descriptive comment.
	// +optional
	Description *string `json:"description,omitempty" tf:"description"`
	// Controls the evaluation of a Google-maintained global admission policy
	// for common system-level images. Images not covered by the global
	// policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
	// +optional
	GlobalPolicyEvaluationMode *string `json:"globalPolicyEvaluationMode,omitempty" tf:"global_policy_evaluation_mode"`
	// +optional
	Project *string `json:"project,omitempty" tf:"project"`
}

type PolicyStatus struct {
	// Resource generation, which is updated on mutation by the API Server.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
	// +optional
	Phase status.Status `json:"phase,omitempty"`
	// +optional
	Conditions []kmapi.Condition `json:"conditions,omitempty"`
}