syntax = "proto3";

package talos.resource.definitions.secrets;

option go_package = "github.com/siderolabs/talos/pkg/machinery/api/resource/definitions/secrets";

import "common/common.proto";

// APICertsSpec describes etcd certs secrets.
message APICertsSpec {
  common.PEMEncodedCertificateAndKey ca = 1;
  common.PEMEncodedCertificateAndKey client = 2;
  common.PEMEncodedCertificateAndKey server = 3;
}

// CertSANSpec describes fields of the cert SANs.
message CertSANSpec {
  repeated common.NetIP i_ps = 1;
  repeated string dns_names = 2;
  string fqdn = 3;
}

// EtcdCertsSpec describes etcd certs secrets.
message EtcdCertsSpec {
  common.PEMEncodedCertificateAndKey etcd = 1;
  common.PEMEncodedCertificateAndKey etcd_peer = 2;
  common.PEMEncodedCertificateAndKey etcd_admin = 3;
  common.PEMEncodedCertificateAndKey etcd_api_server = 4;
}

// EtcdRootSpec describes etcd CA secrets.
message EtcdRootSpec {
  common.PEMEncodedCertificateAndKey etcd_ca = 1;
}

// KubeletSpec describes root Kubernetes secrets.
message KubeletSpec {
  common.URL endpoint = 1;
  common.PEMEncodedCertificateAndKey ca = 2;
  string bootstrap_token_id = 3;
  string bootstrap_token_secret = 4;
}

// KubernetesCertsSpec describes generated Kubernetes certificates.
message KubernetesCertsSpec {
  common.PEMEncodedCertificateAndKey api_server = 1;
  common.PEMEncodedCertificateAndKey api_server_kubelet_client = 2;
  common.PEMEncodedCertificateAndKey front_proxy = 3;
  string scheduler_kubeconfig = 4;
  string controller_manager_kubeconfig = 5;
  string localhost_admin_kubeconfig = 6;
  string admin_kubeconfig = 7;
}

// KubernetesRootSpec describes root Kubernetes secrets.
message KubernetesRootSpec {
  string name = 1;
  common.URL endpoint = 2;
  common.URL local_endpoint = 3;
  repeated string cert_sa_ns = 4;
  string dns_domain = 6;
  common.PEMEncodedCertificateAndKey ca = 7;
  common.PEMEncodedKey service_account = 8;
  common.PEMEncodedCertificateAndKey aggregator_ca = 9;
  string aescbc_encryption_secret = 10;
  string bootstrap_token_id = 11;
  string bootstrap_token_secret = 12;
  string secretbox_encryption_secret = 13;
  repeated common.NetIP api_server_ips = 14;
}

// OSRootSpec describes operating system CA.
message OSRootSpec {
  common.PEMEncodedCertificateAndKey ca = 1;
  repeated common.NetIP cert_sani_ps = 2;
  repeated string cert_sandns_names = 3;
  string token = 4;
}

// TrustdCertsSpec describes etcd certs secrets.
message TrustdCertsSpec {
  common.PEMEncodedCertificateAndKey ca = 1;
  common.PEMEncodedCertificateAndKey server = 2;
}