---
# Pingora edge proxy for the ingress namespace.
# A single replica owns the node's ports in the local overlay, so this
# Deployment is deliberately not scaled or rolled.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: ingress
  name: pingora
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pingora
  # Recreate rather than RollingUpdate: on a single node with hostPorts
  # (local overlay) two pods could never coexist, so a rollout would hang.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: pingora
      annotations:
        # TLS is terminated by Pingora itself at the mesh edge, so the
        # Linkerd sidecar is not injected into this pod.
        linkerd.io/inject: disabled
    spec:
      # The proxy talks to the Kubernetes API (it writes /etc/tls, see below),
      # so it needs this service account's token mounted.
      serviceAccountName: pingora
      # NOTE(review): no pod- or container-level securityContext is set, so the
      # image's default user and capability set apply. runAsNonRoot /
      # readOnlyRootFilesystem would be the usual hardening once the proxy's
      # write paths (/etc/tls) and its binds to 80/443 are confirmed to work
      # under them — left unchanged here.
      containers:
      - name: pingora
        # Tag is a placeholder; kustomize `images:` in each overlay pins the
        # real image reference.
        image: sunbeam-proxy:latest
        ports:
        - name: http
          protocol: TCP
          containerPort: 80
        - name: https
          protocol: TCP
          containerPort: 443
        - name: turn-udp
          protocol: UDP
          containerPort: 3478
        # The TURN relay range 49152–49252 is not declared here; the local
        # overlay exposes it through hostPort.
        volumeMounts:
        - name: config
          readOnly: true
          mountPath: /etc/pingora
        # Writable on purpose: the proxy fetches its certificate through the
        # K8s API at startup and on every renewal and writes it here, so the
        # served cert is always current and never waits on kubelet's
        # Secret-volume sync interval.
        - name: tls
          mountPath: /etc/tls
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            memory: 256Mi
      volumes:
      - name: config
        configMap:
          name: pingora-config
      # NOTE(review): a default emptyDir is backed by node disk; if the cert's
      # private key must not touch disk, `medium: Memory` is the option to
      # evaluate — not changed here.
      - name: tls
        emptyDir: {}