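---
# Example: Single-cluster full mode (internal-gateway + manager + storage + network)
# Two documents: the namespace first, then the Sandbox0Infra resource installed into it.
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox0-system
---
apiVersion: infra.sandbox0.ai/v1alpha1
kind: Sandbox0Infra
metadata:
  name: fullmode
  namespace: sandbox0-system
spec:
  database:
    # Use builtin for quick start; switch to external for managed PG.
    type: builtin
    builtin:
      enabled: true
      persistence:
        enabled: true
        size: "20Gi"
    # Example external database (the password is referenced from a Secret, not inlined):
    # database:
    #   type: external
    #   external:
    #     host: your-db.rds.amazonaws.com
    #     port: 5432
    #     database: sandbox0
    #     username: sandbox0
    #     passwordSecret:
    #       name: db-credentials
    #       key: password

  publicExposure:
    enabled: true
    # NOTE(review): presumably the domain/region under which sandboxes are published;
    # set these to values the target environment actually controls.
    rootDomain: sandbox0.app
    regionId: aws-us-east-1

  storage:
    # Builtin storage is for quick start; use s3/oss for production scale.
    type: builtin
    builtin:
      enabled: true
      persistence:
        enabled: true
        size: "20Gi"
    # Example S3 storage:
    # storage:
    #   type: s3
    #   s3:
    #     bucket: sandbox0-prod
    #     region: us-east-1
    #     endpoint: https://s3.amazonaws.com
    #     credentialsSecret:
    #       name: aws-credentials
    #       accessKeyKey: accessKeyId
    #       secretKeyKey: secretAccessKey

  registry:
    # Builtin registry is for quick start; external registries use provider config.
    provider: builtin
    builtin:
      enabled: true
      service:
        type: NodePort
        port: 30500
      # For local kind debug, s0 CLI can push via this endpoint.
      # A NodePort is reachable on every node address, not only loopback; on a shared
      # cluster prefer the ingress variant below with a TLS secret.
      pushEndpoint: "127.0.0.1:30500"
      # ingress:
      #   enabled: true
      #   className: nginx
      #   host: registry.example.com
      #   tlsSecret: registry-tls
    # Example external AWS registry:
    # registry:
    #   provider: aws
    #   aws:
    #     region: us-east-1
    #     registryId: "123456789012"
    #     pullSecret:
    #       name: ecr-pull-secret
    #       key: .dockerconfigjson
    #     credentialsSecret:
    #       name: aws-credentials
    #       accessKeyKey: accessKeyId
    #       secretKeyKey: secretAccessKey

  builtinTemplates:
    - templateId: default
      image: sandbox0ai/otemplates:default-v0.1.0
      displayName: Default
      description: Builtin template installed by infra-operator.
      # Warm-pool bounds for this template (assumed to be per-template; confirm against the CRD).
      pool:
        minIdle: 1
        maxIdle: 5

  # Shared placement for sandbox template Pods plus node-local helpers such as
  # netd and k8s-plugin.
  # sandboxNodePlacement:
  #   nodeSelector:
  #     sandbox0.ai/node-role: sandbox
  #   tolerations:
  #     - key: sandbox0.ai/sandbox
  #       operator: Equal
  #       value: "true"
  #       effect: NoSchedule
  #     - key: sandbox.gke.io/runtime
  #       operator: Equal
  #       value: gvisor
  #       effect: NoSchedule

  services:
    internalGateway:
      enabled: true
      replicas: 1
      # service:
      #   type: ClusterIP
      #   port: 80
      service:
        type: NodePort
        port: 30080
      config:
        # NodePort publishes the gateway on port 30080 of every node. Together with
        # authMode public (presumably no caller authentication -- confirm against the
        # CRD) this suits local/kind setups only; use the ClusterIP service above on
        # shared clusters.
        authMode: public
    netd:
      enabled: true
      # Keep netd on a regular host runtime such as runc; do not run netd on gVisor or Kata.
      # runtimeClassName: runc
      # By default infra-operator manages a cluster-local MITM CA secret for HTTPS/gRPC auth injection.
      # Set this only when you want to provide your own secret containing ca.crt and ca.key.
      # mitmCaSecretName: netd-mitm-ca
      config:
        egressAuthEnabled: true
        # fail-closed: egress that cannot have auth injected is blocked rather than
        # passed through; keep this unless fail-open is an explicit decision.
        egressAuthFailurePolicy: fail-closed
    manager:
      enabled: true
      replicas: 1
    storageProxy:
      enabled: true
      replicas: 1
      config:
        # Disabled for the quick-start builtin storage. NOTE(review): presumably
        # controls JuiceFS at-rest encryption -- enable for production data unless
        # the backing store already encrypts.
        juicefsEncryptionEnabled: false

  initUser:
    # Bootstrap admin account; replace the example address before applying.
    email: "admin@example.com"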