# Patch: local Pingora overrides
# - ACME disabled (mkcert wildcard cert from pingora-tls Secret)
# - hostPort for TURN relay range on the Lima VM

apiVersion: apps/v1
kind: Deployment
metadata:
  name: pingora
  namespace: ingress
spec:
  template:
    spec:
      containers:
        - name: pingora
          imagePullPolicy: Never
          ports:
            # Bind HTTP/HTTPS directly to the Lima VM's host network
            - name: http
              containerPort: 80
              hostPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              hostPort: 443
              protocol: TCP
            # Expose full TURN relay range as hostPort so the Lima VM forwards UDP
            - name: turn-start
              containerPort: 49152
              hostPort: 49152
              protocol: UDP
            - name: turn-end
              containerPort: 49252
              hostPort: 49252
              protocol: UDP
          # acme.enabled = false is the default in pingora-config.yaml.
          # The mkcert cert Secret (pingora-tls) is created by scripts/local-certs.sh
          # before kustomize runs, so it is always present on first apply.