---
# Example: Multi-cluster data plane
# (internal-gateway + manager + storage-proxy)
#
# NOTE(review): the nesting below was restored from a listing that had lost
# its line breaks. Validate it against the installed Sandbox0Infra CRD before
# use, e.g. `kubectl apply --dry-run=server -f <this-file>`.
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox0-system
---
apiVersion: infra.sandbox0.ai/v1alpha1
kind: Sandbox0Infra
metadata:
  name: s0dp
  namespace: sandbox0-system
spec:
  database:
    # Must match the control plane database.
    type: external
    external:
      host: your-db.rds.amazonaws.com
      port: 5432
      database: sandbox0
      username: sandbox0
      # The password is read from a Secret, never written inline here.
      # NOTE(review): no TLS setting for the database connection is visible
      # in this example - confirm how the operator secures this link.
      passwordSecret:
        name: db-credentials
        key: password

  publicExposure:
    enabled: false
    rootDomain: sandbox0.app
    regionId: aws-us-east-1

  storage:
    # Data plane storage (choose s3 or oss for production).
    type: s3
    s3:
      bucket: sandbox0-prod
      region: us-east-1
      endpoint: https://s3.amazonaws.com
      # Static access keys: scope the IAM identity to this bucket only and
      # rotate the keys. This example reuses the same `aws-credentials`
      # Secret for the registry below; separate identities limit the impact
      # of a leaked key.
      credentialsSecret:
        name: aws-credentials
        accessKeyKey: accessKeyId
        secretKeyKey: secretAccessKey
  # Example OSS storage:
  # storage:
  #   type: oss
  #   oss:
  #     bucket: sandbox0-prod
  #     region: cn-hangzhou
  #     endpoint: https://oss-cn-hangzhou.aliyuncs.com
  #     credentialsSecret:
  #       name: oss-credentials
  #       accessKeyKey: accessKeyId
  #       secretKeyKey: accessKeySecret

  controlPlane:
    url: https://api.sandbox0.ai
    # Presumably the key the data plane uses to verify control-plane
    # requests (see `authMode: internal` below) - TODO confirm. The key is
    # public, but its integrity matters: restrict write access to this
    # Secret, since replacing it would change whose requests are trusted.
    internalAuthPublicKeySecret:
      name: control-plane-public-key
      key: public.key

  registry:
    # Must match control-plane registry config in this region.
    # Data-plane uses this for pull secret propagation to sandbox namespaces.
    provider: aws
    imagePullSecretName: sandbox0-registry-pull
    aws:
      region: us-east-1
      # 123456789012 is a placeholder account ID; replace it in both fields.
      registryId: "123456789012"
      registry: 123456789012.dkr.ecr.us-east-1.amazonaws.com
      # The pull secret is propagated to sandbox namespaces (see above), so
      # the credentials behind it should be pull-only.
      pullSecret:
        name: ecr-pull-secret
        key: .dockerconfigjson
      credentialsSecret:
        name: aws-credentials
        accessKeyKey: accessKeyId
        secretKeyKey: secretAccessKey

  cluster:
    id: cluster-001
    name: Production US East 1

  builtinTemplates:
    - templateId: default
      # Referenced by tag. NOTE(review): a tag can be re-pointed in the
      # registry; pin by digest if the operator accepts digest references.
      image: sandbox0ai/otemplates:default-v0.1.0
      displayName: Default
      description: Builtin template installed by infra-operator.
      pool:
        minIdle: 1
        maxIdle: 5

  # Shared placement for sandbox template Pods plus node-local helpers such as
  # netd and k8s-plugin.
  # Left disabled in this example. Dedicated, tainted nodes keep sandbox Pods
  # apart from the nodes that run the system services.
  # sandboxNodePlacement:
  #   nodeSelector:
  #     sandbox0.ai/node-role: sandbox
  #   tolerations:
  #     - key: sandbox0.ai/sandbox
  #       operator: Equal
  #       value: "true"
  #       effect: NoSchedule
  #     - key: sandbox.gke.io/runtime
  #       operator: Equal
  #       value: gvisor
  #       effect: NoSchedule

  services:
    internalGateway:
      enabled: true
      replicas: 1
      # service:
      #   type: ClusterIP
      #   port: 80
      # A NodePort Service is reachable on every node's IP address. Restrict
      # access to this port (security groups / firewall rules) to the
      # control plane, or use the ClusterIP variant above when only
      # in-cluster callers need the gateway.
      service:
        type: NodePort
        port: 30080
      config:
        authMode: internal
    manager:
      enabled: true
      replicas: 1
    storageProxy:
      enabled: true
      replicas: 1
    netd:
      enabled: true
      # Keep netd on a regular host runtime such as runc; do not run netd on
      # gVisor or Kata.
      # runtimeClassName: runc