From 104a8a4cab62b1862e4dcddeae12207397233989 Mon Sep 17 00:00:00 2001
From: Tero Halla-aho
Date: Fri, 12 Dec 2025 11:48:39 +0200
Subject: [PATCH] Default to repo kubeconfig and document deploy access

---
 deploy/README.md | 26 ++++++++++++++++++++++++++
 deploy/deploy.sh | 6 ++++++
 2 files changed, 32 insertions(+)
 create mode 100644 deploy/README.md

diff --git a/deploy/README.md b/deploy/README.md
new file mode 100644
index 0000000..cbd7ffb
--- /dev/null
+++ b/deploy/README.md
@@ -0,0 +1,26 @@
+Deploying to k3s (Hetzner)
+==========================
+
+Prereqs
+- `kubectl` installed locally.
+- Access to the cluster kubeconfig.
+- Secrets loaded (dotenv via `scripts/load-secrets.sh`).
+
+Kubeconfig
+- By default `deploy/deploy.sh` will use `$KUBECONFIG`. If that is unset and `creds/kubeconfig.yaml` exists, it will export `KUBECONFIG=$PWD/creds/kubeconfig.yaml`.
+- Recommended flow for new devs:
+ 1) Obtain the kubeconfig from the cluster admin.
+ 2) Save it as `creds/kubeconfig.yaml` (ignored by git), or set `KUBECONFIG` to your own path.
+ 3) Verify access: `kubectl get ns` (you should see `lomavuokraus-test/staging/prod`).
+- If you want to keep the kubeconfig in-repo but encrypted, store it as `creds/kubeconfig.enc.yaml` with sops/age and decrypt to `creds/kubeconfig.yaml` before deploying:
+ - Decrypt: `SOPS_AGE_KEY_FILE=creds/age-key.txt sops -d creds/kubeconfig.enc.yaml > creds/kubeconfig.yaml`
+ - Encrypt (admin only): `SOPS_AGE_KEY_FILE=creds/age-key.txt sops -e kubeconfig.yaml > creds/kubeconfig.enc.yaml`
+
+Deploy commands
+- Test: `./deploy/deploy-test.sh`
+- Staging (default): `./deploy/deploy-staging.sh` or `TARGET=staging ./deploy/deploy.sh`
+- Prod: `./deploy/deploy-prod.sh`
+
+Notes
+- Ensure `deploy/.last-image` exists (run `deploy/build.sh` first).
+- `AUTH_SECRET`/`DATABASE_URL` should be in your env or loaded via `scripts/load-secrets.sh`.
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
index 645ed1c..1317dd2 100755
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -6,6 +6,12 @@ if [[ -f scripts/load-secrets.sh ]]; then
 # Export secrets from creds/secrets.env (dotenv) when available.
 source scripts/load-secrets.sh
 fi
+
+# Prefer repo-local kubeconfig if present and KUBECONFIG is not set.
+if [[ -z "${KUBECONFIG:-}" && -f creds/kubeconfig.yaml ]]; then
+ export KUBECONFIG="$(pwd)/creds/kubeconfig.yaml"
+fi
+
 source deploy/env.sh
 
 if [[ ! -f deploy/.last-image ]]; then
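Review bot: The new `if` block in deploy.sh selects cluster credentials from the working tree without telling the operator, so a developer running `deploy-prod.sh` has no visible confirmation of which kubeconfig is in effect; after the `export` line add `printf 'deploy: using kubeconfig %s\n' "$KUBECONFIG" >&2` so the choice is logged. `$(pwd)` can be written as `$PWD` to avoid a subshell, and because the path is resolved against the current directory the block assumes the script runs from the repo root, which the existing `scripts/load-secrets.sh` and `deploy/env.sh` references already assume as well. The README hunk states that `creds/kubeconfig.yaml` is ignored by git, but this patch adds no `.gitignore` change, so that claim should be confirmed before a credentials file is placed there. The script's header (shebang and `set` options) is outside the hunk; `${KUBECONFIG:-}` is the right form if `set -u` is enabled there.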