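# Example: Single-cluster network policy mode (netd)
#
# NOTE(review): this listing was recovered from a copy whose line breaks had
# been collapsed, so every key sat inside a comment and the file parsed as
# empty. The nesting below is reconstructed from key order; validate it
# against the Sandbox0Infra CRD schema before applying.
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox0-system
---
apiVersion: infra.sandbox0.ai/v1alpha1
kind: Sandbox0Infra
metadata:
  name: network-policy
  namespace: sandbox0-system
spec:
  database:
    # Use builtin for quick start; switch to external for managed PG.
    type: builtin
    builtin:
      enabled: true
      persistence:
        enabled: true
        size: "20Gi"
  # Example external database:
  # The password is referenced from a Secret (passwordSecret) rather than
  # written inline; keep it that way so credentials stay out of this manifest.
  # database:
  #   type: external
  #   external:
  #     host: your-db.rds.amazonaws.com
  #     port: 5432
  #     database: sandbox0
  #     username: sandbox0
  #     passwordSecret:
  #       name: db-credentials
  #       key: password

  publicExposure:
    enabled: true
    rootDomain: sandbox0.app
    regionId: aws-us-east-1

  # registry:
  #   # Builtin registry defaults to NodePort for easy kind debugging.
  #   provider: builtin
  #   builtin:
  #     enabled: true
  #     service:
  #       type: NodePort
  #       port: 30500
  #     # For local kind debug, s0 CLI can push via this endpoint.
  #     pushEndpoint: 127.0.0.1:30500

  builtinTemplates:
    - templateId: default
      # The image is referenced by tag only. A tag can be re-pointed upstream;
      # pin by digest where the sandbox image must be reproducible.
      image: sandbox0ai/otemplates:default-v0.1.0
      displayName: Default
      description: Builtin template installed by infra-operator.
      pool:
        minIdle: 1
        maxIdle: 5

  # Shared placement for sandbox template Pods plus node-local helpers such as
  # netd and k8s-plugin.
  #sandboxNodePlacement:
  #  nodeSelector:
  #    sandbox0.ai/node-role: sandbox
  #  tolerations:
  #    - key: sandbox0.ai/sandbox
  #      operator: Equal
  #      value: "true"
  #      effect: NoSchedule
  #    - key: sandbox.gke.io/runtime
  #      operator: Equal
  #      value: gvisor
  #      effect: NoSchedule

  services:
    internalGateway:
      enabled: true
      replicas: 1
      service:
        # NodePort opens this port on every node's address. Restrict who can
        # reach it (firewall / security group) outside a local test cluster.
        type: NodePort
        port: 30080
      config:
        # NOTE(review): the semantics of "public" are not shown in this file.
        # Combined with publicExposure and a NodePort service, confirm what
        # requests this mode accepts before exposing the gateway.
        authMode: public
    netd:
      enabled: true
      # Keep netd on a regular host runtime such as runc; do not run netd on gVisor or Kata.
      # runtimeClassName: runc
      # By default infra-operator manages a cluster-local MITM CA secret for HTTPS/gRPC auth injection.
      # Set this only when you want to provide your own secret containing ca.crt and ca.key.
      # The secret holds the CA private key (ca.key); limit read access to it
      # with RBAC, whether it is operator-managed or supplied by you.
      # mitmCaSecretName: netd-mitm-ca
      config:
        egressAuthEnabled: true
        # Presumably blocks egress when auth injection cannot be applied
        # instead of letting it through - confirm against the netd docs.
        egressAuthFailurePolicy: fail-closed
    manager:
      enabled: true
      replicas: 1

  initUser:
    # Placeholder address; replace it with a real, controlled mailbox before
    # deploying, since this is the initial user account.
    email: "admin@example.com"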