diff --git a/api/v1alpha1/microvm_types.go b/api/v1alpha1/microvm_types.go
index 70cb7f7..7278fff 100644
--- a/api/v1alpha1/microvm_types.go
+++ b/api/v1alpha1/microvm_types.go
@@ -20,22 +20,105 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
-// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
+const (
+ // MvmFinalizer allows ReconcileMicrovm to clean up resources associated with Microvm
+ // before removing it from the apiserver.
+ MvmFinalizer = "microvm.infrastructure.microvm.x-k8s.io"
+)
 // MicrovmSpec defines the desired state of Microvm
 type MicrovmSpec struct {
- // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
- // Important: Run "make" to regenerate code after modifying this file
-
- // Foo is an example field of Microvm. Edit microvm_types.go to remove/update
- Foo string `json:"foo,omitempty"`
+ // Host sets the host device address for Microvm creation.
+ // +kubebuilder:validation:Required
+ Host Host `json:"host"`
+ // VMSpec contains the Microvm spec.
+ // +kubebuilder:validation:Required
+ VMSpec `json:",inline"`
+ // SSHPublicKeys is list of SSH public keys which will be added to the Microvm.
+ // +optional
+ SSHPublicKeys []SSHPublicKey `json:"sshPublicKeys,omitempty"`
+ // mTLS Configuration:
+ //
+ // It is recommended that each flintlock host is configured with its own cert
+ // signed by a common CA, and set to use mTLS.
+ // The flintlock-operator should be provided with the CA, and a client cert and key
+ // signed by that CA.
+ // TLSSecretRef is a reference to the name of a secret which contains TLS cert information
+ // for connecting to Flintlock hosts.
+ // The secret should be created in the same namespace as the MicroVMCluster.
+ // The secret should be of type Opaque
+ // with the addition of a ca.crt key.
+ //
+ // apiVersion: v1
+ // kind: Secret
+ // metadata:
+ // name: secret-tls
+ // namespace: default <- same as Cluster
+ // type: Opaque
+ // data:
+ // tls.crt: |
+ // -----BEGIN CERTIFICATE-----
+ // MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
+ // -----END CERTIFICATE-----
+ // tls.key: |
+ // -----BEGIN EC PRIVATE KEY-----
+ // MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
+ // -----END EC PRIVATE KEY-----
+ // ca.crt: |
+ // -----BEGIN CERTIFICATE-----
+ // MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
+ // -----END CERTIFICATE-----
+ // +optional
+ TLSSecretRef string `json:"tlsSecretRef,omitempty"`
 }
 // MicrovmStatus defines the observed state of Microvm
 type MicrovmStatus struct {
- // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
- // Important: Run "make" to regenerate code after modifying this file
+ // Ready is true when the provider resource is ready.
+ // +optional
+ // +kubebuilder:default=false
+ Ready bool `json:"ready"`
+
+ // VMState indicates the state of the microvm.
+ VMState *VMState `json:"vmState,omitempty"`
+
+ // FailureReason will be set in the event that there is a terminal problem
+ // reconciling the Machine and will contain a succinct value suitable
+ // for machine interpretation.
+ //
+ // This field should not be set for transitive errors that a controller
+ // faces that are expected to be fixed automatically over
+ // time (like service outages), but instead indicate that something is
+ // fundamentally wrong with the Machine's spec or the configuration of
+ // the controller, and that manual intervention is required. Examples
+ // of terminal errors would be invalid combinations of settings in the
+ // spec, values that are unsupported by the controller, or the
+ // responsible controller itself being critically misconfigured.
+ //
+ // Any transient errors that occur during the reconciliation of Machines
+ // can be added as events to the Machine object and/or logged in the
+ // controller's output.
+ // +optional
+ FailureReason *string `json:"failureReason,omitempty"`
+
+ // FailureMessage will be set in the event that there is a terminal problem
+ // reconciling the Machine and will contain a more verbose string suitable
+ // for logging and human consumption.
+ //
+ // This field should not be set for transitive errors that a controller
+ // faces that are expected to be fixed automatically over
+ // time (like service outages), but instead indicate that something is
+ // fundamentally wrong with the Machine's spec or the configuration of
+ // the controller, and that manual intervention is required. Examples
+ // of terminal errors would be invalid combinations of settings in the
+ // spec, values that are unsupported by the controller, or the
+ // responsible controller itself being critically misconfigured.
+ //
+ // Any transient errors that occur during the reconciliation of Machines
+ // can be added as events to the Machine object and/or logged in the
+ // controller's output.
+ // +optional
+ FailureMessage *string `json:"failureMessage,omitempty"`
 }
 //+kubebuilder:object:root=true
diff --git a/api/v1alpha1/types.go b/api/v1alpha1/types.go
new file mode 100644
index 0000000..2e21775
--- /dev/null
+++ b/api/v1alpha1/types.go
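Review bot: The `TLSSecretRef` comment never says what happens when the field is left empty, and because it is marked `+optional` a reader cannot tell whether the controller then talks to the flintlock host in plaintext or refuses to connect at all. I infer a plaintext fallback only from the field being optional; whichever it is, state it next to the `+optional` marker, e.g. `// When TLSSecretRef is empty the connection to the host is made without TLS; use this only on a trusted network.` The same comment places the secret "in the same namespace as the MicroVMCluster", yet the field lives on `Microvm`, so say whose namespace the reconciler actually reads from. The `FailureReason`/`FailureMessage` comments still refer to "the Machine" and "Machines", copied from Cluster API, and should name the Microvm instead.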
@@ -0,0 +1,149 @@
+/*
+Copyright 2022 Weaveworks.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+// TODO refactor out into shared lib
+type VMSpec struct {
+ // VCPU specifies how many vcpu's the microvm will be allocated.
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Minimum:=1
+ VCPU int64 `json:"vcpu"`
+
+ // MemoryMb is the amount of memory in megabytes that the microvm will be allocated.
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:Minimum:=1024
+ MemoryMb int64 `json:"memoryMb"`
+
+ // RootVolume specifies the volume to use for the root of the microvm.
+ // +kubebuilder:validation:Required
+ RootVolume Volume `json:"rootVolume"`
+
+ // AdditionalVolumes specifies additional non-root volumes to attach to the microvm.
+ // +optional
+ AdditionalVolumes []Volume `json:"volumes,omitempty"`
+
+ // Kernel specifies the kernel and its arguments to use.
+ // +kubebuilder:validation:Required
+ Kernel ContainerFileSource `json:"kernel"`
+
+ // KernelCmdLine are the additional args to use for the kernel cmdline.
+ // Each MicroVM provider has its own recommended list, they will be used
+ // automatically. This field is for additional values.
+ KernelCmdLine map[string]string `json:"kernelCmdline,omitempty"`
+
+ // Initrd is an optional initial ramdisk to use.
+ // +optional
+ Initrd *ContainerFileSource `json:"initrd,omitempty"`
+
+ // NetworkInterfaces specifies the network interfaces attached to the microvm.
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinItems:=1
+ NetworkInterfaces []NetworkInterface `json:"networkInterfaces"`
+}
+
+// ContainerFileSource represents a file coming from a container image.
+type ContainerFileSource struct {
+ // Image is the container image to use.
+ // +kubebuilder:validation:Required
+ Image string `json:"image"`
+ // Filename is the name of the file in the container to use.
+ // +optional
+ Filename string `json:"filename,omitempty"`
+}
+
+// Volume represents a volume to be attached to a microvm.
+type Volume struct {
+ // ID is a unique identifier for this volume.
+ // +kubebuilder:validation:Required
+ ID string `json:"id"`
+ // Image is the container image to use for the volume.
+ // +kubebuilder:validation:Required
+ Image string `json:"image"`
+ // ReadOnly specifies that the volume is to be mounted readonly.
+ // +kubebuilder:default:=false
+ // +optional
+ ReadOnly bool `json:"readOnly,omitempty"`
+}
+
+// IfaceType is a type representing the network interface types.
+type IfaceType string
+
+const (
+ // IfaceTypeTap is a TAP network interface.
+ IfaceTypeTap = "tap"
+ // IfaceTypeMacvtap is a MACVTAP network interface.
+ IfaceTypeMacvtap = "macvtap"
+)
+
+// NetworkInterface represents a network interface for the microvm.
+type NetworkInterface struct {
+ // GuestDeviceName is the name of the network interface to create in the microvm.
+ // +kubebuilder:validation:Required
+ GuestDeviceName string `json:"guestDeviceName"`
+ // GuestMAC allows the specifying of a specific MAC address to use for the interface. If
+ // not supplied a autogenerated MAC address will be used.
+ // +optional
+ GuestMAC string `json:"guestMac,omitempty"`
+ // Type is the type of host network interface type to create to use by the guest.
+ // +kubebuilder:validation:Enum=macvtap;tap
+ Type IfaceType `json:"type"`
+ // Address is an optional IP address to assign to this interface. If not supplied then DHCP will be used.
+ // +optional
+ Address string `json:"address,omitempty"`
+}
+
+// VMState is a type that represents the state of a microvm.
+type VMState string
+
+var (
+ // VMStatePending indicates the microvm hasn't been started.
+ VMStatePending = VMState("pending")
+ // VMStateRunning indicates the microvm is running.
+ VMStateRunning = VMState("running")
+ // VMStateFailed indicates the microvm has failed.
+ VMStateFailed = VMState("failed")
+ // VMStateDeleted indicates the microvm has been deleted.
+ VMStateDeleted = VMState("deleted")
+ // VMStateUnknown indicates the microvm is in an state that is unknown/supported by CAPMVM.
+ VMStateUnknown = VMState("unknown")
+)
+
+type Host struct {
+ // Name is an optional name for the host.
+ // +optional
+ Name string `json:"name,omitempty"`
+ // Endpoint is the API endpoint for the microvm service (i.e. flintloc)
+ // including the port.
+ // +kubebuilder:validation:Required
+ Endpoint string `json:"endpoint"`
+}
+
+// TLSConfig represents config for connecting to TLS enabled hosts.
+type TLSConfig struct {
+ Cert []byte `json:"cert"`
+ Key []byte `json:"key"`
+ CACert []byte `json:"caCert"`
+}
+
+type SSHPublicKey struct {
+ // User is the name of the user to add keys for (eg root, ubuntu).
+ // +kubebuilder:validation:Required
+ User string `json:"user,omitempty"`
+ // AuthorizedKeys is a list of public keys to add to the user
+ // +kubebuilder:validation:Required
+ AuthorizedKeys []string `json:"authorizedKeys,omitempty"`
+}
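Review bot: `TLSConfig` puts a private key (`Key []byte`) into an API-package struct with `json` tags, so anything that later embeds it in a CRD, a status field or a structured log line will write the key material into etcd or the log. Nothing in this hunk attaches it to a kubebuilder type, so today it looks like an in-memory carrier for the material loaded from `TLSSecretRef`; if that is the intent, say so and drop the tags, e.g. `// TLSConfig holds the decoded client cert, key and CA loaded from the secret named by TLSSecretRef. It is an in-memory carrier only and must not be serialized into a CRD, status or log.` Separately, `IfaceTypeTap` and `IfaceTypeMacvtap` are untyped string constants rather than `IfaceType`, so `IfaceTypeTap IfaceType = "tap"` would let the compiler check assignments to `NetworkInterface.Type`, and `Volume.ID` is documented as unique but nothing enforces that on `AdditionalVolumes` — `// +listType=map` and `// +listMapKey=id` on that field would make the apiserver reject duplicate IDs. The `Host.Endpoint` comment also reads "flintloc" where "flintlock" is meant.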