Auto-decrypt kubeconfig when loading secrets

scripts/load-secrets.sh

@@ -7,6 +7,8 @@ set -euo pipefail
 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 SECRETS_FILE="${SECRETS_FILE:-$ROOT_DIR/creds/secrets.env}"
 ENCRYPTED_FILE="${ENCRYPTED_FILE:-$ROOT_DIR/creds/secrets.enc.env}"
+KUBECONFIG_FILE="${KUBECONFIG_FILE:-$ROOT_DIR/creds/kubeconfig.yaml}"
+KUBECONFIG_ENC_FILE="${KUBECONFIG_ENC_FILE:-$ROOT_DIR/creds/kubeconfig.enc.yaml}"
 
 ensure_decrypted() {
   if [[ -f "$SECRETS_FILE" ]]; then
@@ -24,8 +26,33 @@ ensure_decrypted() {
 }
 
 ensure_decrypted || exit 0
-
 echo "Loading secrets from $SECRETS_FILE"
+
 set -a
 source "$SECRETS_FILE"
 set +a
+
+ensure_kubeconfig() {
+  # If user already set KUBECONFIG, respect it.
+  if [[ -n "${KUBECONFIG:-}" ]]; then
+    return 0
+  fi
+
+  if [[ -f "$KUBECONFIG_FILE" ]]; then
+    export KUBECONFIG="$KUBECONFIG_FILE"
+    return 0
+  fi
+
+  if [[ -f "$KUBECONFIG_ENC_FILE" ]]; then
+    if command -v sops >/dev/null 2>&1; then
+      echo "Decrypting $KUBECONFIG_ENC_FILE -> $KUBECONFIG_FILE"
+      sops -d "$KUBECONFIG_ENC_FILE" >"$KUBECONFIG_FILE"
+      export KUBECONFIG="$KUBECONFIG_FILE"
+    else
+      echo "sops not found and kubeconfig is missing. Install sops or set KUBECONFIG manually." >&2
+      return 1
+    fi
+  fi
+}
+
+ensure_kubeconfig || true