From 281fffbe4f65ce0e034e70af8ab85578011a4310 Mon Sep 17 00:00:00 2001
From: Tero Halla-aho
Date: Mon, 15 Dec 2025 20:07:45 +0200
Subject: [PATCH] Auto-decrypt kubeconfig when loading secrets

---
 scripts/load-secrets.sh | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/scripts/load-secrets.sh b/scripts/load-secrets.sh
index 87276b7..c78c5ad 100644
--- a/scripts/load-secrets.sh
+++ b/scripts/load-secrets.sh
@@ -7,6 +7,8 @@ set -euo pipefail
 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 SECRETS_FILE="${SECRETS_FILE:-$ROOT_DIR/creds/secrets.env}"
 ENCRYPTED_FILE="${ENCRYPTED_FILE:-$ROOT_DIR/creds/secrets.enc.env}"
+KUBECONFIG_FILE="${KUBECONFIG_FILE:-$ROOT_DIR/creds/kubeconfig.yaml}"
+KUBECONFIG_ENC_FILE="${KUBECONFIG_ENC_FILE:-$ROOT_DIR/creds/kubeconfig.enc.yaml}"
 
 ensure_decrypted() {
   if [[ -f "$SECRETS_FILE" ]]; then
@@ -24,8 +26,33 @@ ensure_decrypted() {
 }
 
 ensure_decrypted || exit 0
-
 echo "Loading secrets from $SECRETS_FILE"
+
 set -a
 source "$SECRETS_FILE"
 set +a
+
+ensure_kubeconfig() {
+  # If user already set KUBECONFIG, respect it.
+  if [[ -n "${KUBECONFIG:-}" ]]; then
+    return 0
+  fi
+
+  if [[ -f "$KUBECONFIG_FILE" ]]; then
+    export KUBECONFIG="$KUBECONFIG_FILE"
+    return 0
+  fi
+
+  if [[ -f "$KUBECONFIG_ENC_FILE" ]]; then
+    if command -v sops >/dev/null 2>&1; then
+      echo "Decrypting $KUBECONFIG_ENC_FILE -> $KUBECONFIG_FILE"
+      sops -d "$KUBECONFIG_ENC_FILE" >"$KUBECONFIG_FILE"
+      export KUBECONFIG="$KUBECONFIG_FILE"
+    else
+      echo "sops not found and kubeconfig is missing. Install sops or set KUBECONFIG manually." >&2
+      return 1
+    fi
+  fi
+}
+
+ensure_kubeconfig || true
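Review bot: The `sops -d "$KUBECONFIG_ENC_FILE" >"$KUBECONFIG_FILE"` line in ensure_kubeconfig leaves an empty or truncated kubeconfig.yaml behind when sops fails (missing key, wrong recipient), and because the call site is `ensure_kubeconfig || true`, `set -e` is suspended inside the function, so the failure is silent, KUBECONFIG is still exported, and every later run takes the `-f "$KUBECONFIG_FILE"` branch and never retries decryption. The shell redirection also creates the plaintext with the process umask, typically 0644, so a cluster credential ends up world-readable in the repo tree; whether `creds/kubeconfig.yaml` is gitignored is not visible in this hunk and is worth confirming. Decrypt into a `mktemp` sibling (created 0600), check the sops exit status, and only then move it into place, as below. The progress `echo` should also go to stderr, since this script is meant to be sourced and stdout may be captured by the caller.
```shell
  if [[ -f "$KUBECONFIG_ENC_FILE" ]]; then
    if command -v sops >/dev/null 2>&1; then
      echo "Decrypting $KUBECONFIG_ENC_FILE -> $KUBECONFIG_FILE" >&2
      local tmp
      # mktemp creates the file 0600, so the plaintext is never world-readable.
      tmp="$(mktemp "$KUBECONFIG_FILE.XXXXXX")" || return 1
      if ! sops -d "$KUBECONFIG_ENC_FILE" >"$tmp"; then
        rm -f -- "$tmp"
        echo "sops failed to decrypt $KUBECONFIG_ENC_FILE" >&2
        return 1
      fi
      mv -f -- "$tmp" "$KUBECONFIG_FILE"
      export KUBECONFIG="$KUBECONFIG_FILE"
    else
      # … unchanged: "sops not found" message and return 1 …
    fi
  fi
```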