# Patch: local Pingora overrides
# - Disables rustls-acme (ACME negotiation not needed locally)
# - Mounts mkcert wildcard cert from the pingora-tls Secret
# - Exposes TURN relay range as hostPort on the Lima VM

apiVersion: apps/v1
kind: Deployment
metadata:
  name: pingora
  namespace: ingress
spec:
  template:
    spec:
      containers:
        - name: pingora
          env:
            - name: ACME_ENABLED
              value: "false"
          ports:
            # Expose full TURN relay range as hostPort so the Lima VM forwards UDP
            - name: turn-relay-start
              containerPort: 49152
              hostPort: 49152
              protocol: UDP
            - name: turn-relay-end
              containerPort: 49252
              hostPort: 49252
              protocol: UDP
          # TLS cert comes from mkcert Secret created by scripts/local-certs.sh
          # Secret name: pingora-tls, keys: tls.crt / tls.key