apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# Local development overlay: the target is k3s inside a Lima VM on macOS.
# Deploy with: kubectl apply -k overlays/local/
# NOTE(review): a bare `kubectl apply -k` does not run the DOMAIN_SUFFIX
# substitution described below — confirm whether scripts/local-up.sh is the
# intended entry point.
#
# base/mesh (Linkerd) is deliberately left out of `resources`. Linkerd is
# bootstrapped separately by scripts/local-up.sh through the Linkerd CLI,
# which sidesteps the identity cert bootstrapping problem at kustomize
# render time.
#
# DOMAIN_SUFFIX substitution: local-up.sh pipes `kustomize build | sed` to
# replace DOMAIN_SUFFIX with .sslip.io before kubectl apply.
# The token is plain text swapped in the rendered stream, so it also decides
# which registry host the images below are pulled from. Keep the token unique
# in the manifests and the replacement value under the script's control.

resources:
  - ../../base/build
  - ../../base/ingress
  - ../../base/ory
  - ../../base/data
  - ../../base/storage
  - ../../base/lasuite
  - ../../base/media
  - ../../base/devtools
  - ../../base/vso

# Every entry below uses the mutable `latest` tag: the cluster runs whatever
# was pushed last to src.DOMAIN_SUFFIX. Acceptable for a local build-and-push
# loop; pin a version or digest before reusing these entries in a shared
# overlay.
images:
  # La Gaufre v2 integration service: lagaufre.js widget, SVG logos, nginx.
  - name: integration
    newName: src.DOMAIN_SUFFIX/studio/integration
    newTag: latest

  # amd64-only La Suite images are mirrored to our Gitea registry with a
  # patched OCI index that adds an arm64 alias, so Rosetta can run them on the
  # Lima VM. DOMAIN_SUFFIX is substituted by local-up.py at deploy time (sed
  # replacement).
  # NOTE(review): the file header names local-up.sh, this paragraph names
  # local-up.py — confirm which script is current. No entry in this list is
  # described as a mirrored image, so the paragraph may be stale.

  # Meet: built from source and pushed to the Gitea registry.
  - name: meet-backend
    newName: src.DOMAIN_SUFFIX/studio/meet-backend
    newTag: latest
  - name: meet-frontend
    newName: src.DOMAIN_SUFFIX/studio/meet-frontend
    newTag: latest

  # Projects (Kanban): built and pushed by `sunbeam build projects`.
  - name: projects
    newName: src.DOMAIN_SUFFIX/studio/projects
    newTag: latest

  # Calendars: built from source and pushed to the Gitea registry.
  - name: calendars-backend
    newName: src.DOMAIN_SUFFIX/studio/calendars-backend
    newTag: latest
  - name: calendars-caldav
    newName: src.DOMAIN_SUFFIX/studio/calendars-caldav
    newTag: latest
  - name: calendars-frontend
    newName: src.DOMAIN_SUFFIX/studio/calendars-frontend
    newTag: latest

patches:
  # Turns off SSL verification for server-side OIDC calls, because pods do not
  # trust the mkcert CA. With verification off the OIDC endpoint is not
  # authenticated, so this patch must stay in the local overlay only.
  # NOTE(review): the Gitea patch below trusts the mkcert CA via SSL_CERT_FILE
  # instead — consider the same approach here so verification can stay on.
  - path: patch-oidc-verify-ssl.yaml
    target:
      kind: ConfigMap
      name: lasuite-oidc-provider

  # Adds hostPort for the TURN relay range and binds :80/:443 on the Lima VM.
  - path: values-pingora.yaml
    target:
      kind: Deployment
      name: pingora

  # Changes the LiveKit TURN Service from LoadBalancer to ClusterIP; as a
  # LoadBalancer, klipper would take hostPort 443.
  - path: values-livekit.yaml
    target:
      kind: Service
      name: livekit-server-turn

  # Sets SSL_CERT_FILE so Gitea's Go TLS trusts the mkcert wildcard CA for
  # OIDC calls.
  - path: patch-gitea-mkcert-ca.yaml
    target:
      kind: Deployment
      name: gitea

  # Applies the §10.7 memory limits to all Deployments.
  - path: values-resources.yaml