apiVersion: apps/v1
kind: Deployment
metadata:
  name: pingora
  namespace: ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pingora
  template:
    metadata:
      labels:
        app: pingora
      annotations:
        # Pingora terminates TLS at the mesh boundary; sidecar injection is disabled here
        linkerd.io/inject: disabled
    spec:
      containers:
        - name: pingora
          image: ghcr.io/sunbeam-studio/pingora:latest
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: turn-udp
              containerPort: 3478
              protocol: UDP
            # TURN relay range 49152–49252 exposed via hostPort in local overlay
          volumeMounts:
            - name: config
              mountPath: /etc/pingora
              readOnly: true
            - name: tls
              mountPath: /etc/tls
              readOnly: true
          resources:
            limits:
              memory: 64Mi
            requests:
              memory: 32Mi
              cpu: 50m
      volumes:
        - name: config
          configMap:
            name: pingora-config
        - name: tls
          secret:
            secretName: pingora-tls