Default to repo kubeconfig and document deploy access

deploy/README.md

@@ -0,0 +1,26 @@
+Deploying to k3s (Hetzner)
+==========================
+
+Prereqs
+- `kubectl` installed locally.
+- Access to the cluster kubeconfig.
+- Secrets loaded (dotenv via `scripts/load-secrets.sh`).
+
+Kubeconfig
+- By default `deploy/deploy.sh` will use `$KUBECONFIG`. If that is unset and `creds/kubeconfig.yaml` exists, it will export `KUBECONFIG=$PWD/creds/kubeconfig.yaml`.
+- Recommended flow for new devs:
+  1) Obtain the kubeconfig from the cluster admin.
+  2) Save it as `creds/kubeconfig.yaml` (ignored by git), or set `KUBECONFIG` to your own path.
+  3) Verify access: `kubectl get ns` (you should see `lomavuokraus-test/staging/prod`).
+- If you want to keep the kubeconfig in-repo but encrypted, store it as `creds/kubeconfig.enc.yaml` with sops/age and decrypt to `creds/kubeconfig.yaml` before deploying:
+  - Decrypt: `SOPS_AGE_KEY_FILE=creds/age-key.txt sops -d creds/kubeconfig.enc.yaml > creds/kubeconfig.yaml`
+  - Encrypt (admin only): `SOPS_AGE_KEY_FILE=creds/age-key.txt sops -e kubeconfig.yaml > creds/kubeconfig.enc.yaml`
+
+Deploy commands
+- Test: `./deploy/deploy-test.sh`
+- Staging (default): `./deploy/deploy-staging.sh` or `TARGET=staging ./deploy/deploy.sh`
+- Prod: `./deploy/deploy-prod.sh`
+
+Notes
+- Ensure `deploy/.last-image` exists (run `deploy/build.sh` first).
+- `AUTH_SECRET`/`DATABASE_URL` should be in your env or loaded via `scripts/load-secrets.sh`.

deploy/deploy.sh

@@ -6,6 +6,12 @@ if [[ -f scripts/load-secrets.sh ]]; then
   # Export secrets from creds/secrets.env (dotenv) when available.
   source scripts/load-secrets.sh
 fi
+
+# Prefer repo-local kubeconfig if present and KUBECONFIG is not set.
+if [[ -z "${KUBECONFIG:-}" && -f creds/kubeconfig.yaml ]]; then
+  export KUBECONFIG="$(pwd)/creds/kubeconfig.yaml"
+fi
+
 source deploy/env.sh
 
 if [[ ! -f deploy/.last-image ]]; then