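# Example: Regional multi-cluster control plane (regional-gateway + scheduler)
# This sample assumes a separate global-service layer handles bootstrap user auth.
#
# NOTE(review): this copy was recovered from a whitespace-collapsed listing in
# which every key sat behind the first '#', so the file parsed as an empty
# document. The nesting below is reconstructed; validate it against the
# Sandbox0Infra CRD (for example with a server-side dry run) before applying.
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox0-system
---
apiVersion: infra.sandbox0.ai/v1alpha1
kind: Sandbox0Infra
metadata:
  name: s0cp
  namespace: sandbox0-system
spec:
  # Optional explicit enterprise license reference. When omitted, infra-operator
  # falls back to s0cp-enterprise-license / license.lic.
  # enterpriseLicense:
  #   secretRef:
  #     name: s0cp-enterprise-license
  #     key: license.lic

  database:
    # Control plane and data plane should share the same PG instance.
    type: external
    external:
      host: your-db.rds.amazonaws.com
      port: 5432
      database: sandbox0
      username: sandbox0
      # The password is read from a Secret, so it never appears in this
      # manifest. Keep that Secret out of version control and limit who can
      # read Secrets in sandbox0-system.
      # NOTE(review): no TLS / sslmode setting is visible in this sample;
      # confirm how the operator secures the connection to the external PG.
      passwordSecret:
        name: db-credentials
        key: password

  publicExposure:
    enabled: true
    rootDomain: sandbox0.app
    regionId: aws-us-east-1

  registry:
    # Builtin registry defaults to NodePort for easy kind debugging.
    # A NodePort Service listens on every node address, so on anything other
    # than a local kind cluster restrict port 30500 with firewall or
    # security-group rules, or switch to the shared regional registry below.
    provider: builtin
    builtin:
      enabled: true
      service:
        type: NodePort
        port: 30500
      # For local kind debug, s0 CLI can push via this endpoint.
      # Loopback only; quoted so the host:port value is always read as a string.
      pushEndpoint: "127.0.0.1:30500"

    ## Shared regional registry for all data-plane clusters in this region.
    ## regional-gateway issues upload credentials from this config.
    ## The credentialsSecret below holds long-lived AWS access keys: scope the
    ## IAM identity to the registry actions it needs and rotate the keys.
    #provider: aws
    #imagePullSecretName: sandbox0-registry-pull
    #aws:
    #  region: us-east-1
    #  registryId: "123456789012"
    #  # Optional when registryId+region are set, but explicit host is clearer.
    #  registry: 123456789012.dkr.ecr.us-east-1.amazonaws.com
    #  pullSecret:
    #    name: ecr-pull-secret
    #    key: .dockerconfigjson
    #  credentialsSecret:
    #    name: aws-credentials
    #    accessKeyKey: accessKeyId
    #    secretKeyKey: secretAccessKey

  services:
    regionalGateway:
      enabled: true
      replicas: 1
      # service:
      #   type: ClusterIP
      #   port: 80
      # For AWS with an ACM-backed LoadBalancer, declare annotations here and
      # set config.baseUrl to the final Cloudflare-managed origin hostname.
      # The ssl-cert annotation was left empty in the original sample; an
      # annotation value must be a string, so a placeholder is shown instead.
      # service:
      #   type: LoadBalancer
      #   port: 443
      #   annotations:
      #     service.beta.kubernetes.io/aws-load-balancer-type: nlb
      #     service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
      #     service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<acm-certificate-arn-placeholder>"
      #     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
      #
      # Active setting: the gateway is published on NodePort 30080 of every
      # node, and no TLS setting appears for this variant.
      # NOTE(review): presumably plain HTTP, suited to local debugging only;
      # for an internet-facing region use the LoadBalancer/443 variant above
      # or terminate TLS in front of the NodePort.
      service:
        type: NodePort
        port: 30080
      config:
        # Bootstrap user auth is delegated to the separate global-service
        # layer named in the file header; this gateway depends on it.
        authMode: federated_global
        # baseUrl: https://your-gateway.example.com
    scheduler:
      enabled: true
      replicas: 1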