From 675c0c0924fb78b3fced89f6bbdac24e540f26fc Mon Sep 17 00:00:00 2001
From: Tero Halla-aho <thallaa@gmail.com>
Date: Thu, 18 Dec 2025 12:45:30 +0200
Subject: [PATCH] deploy: run migrations using in-cluster DATABASE_URL

---
 deploy/README.md |  2 +-
 deploy/deploy.sh | 31 +++++++++++++++++++++++++------
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/deploy/README.md b/deploy/README.md
index 1750032..76722af 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -24,4 +24,4 @@ Deploy commands
 Notes
 - Ensure `deploy/.last-image` exists (run `deploy/build.sh` first).
 - `AUTH_SECRET`/`DATABASE_URL` should be in your env or loaded via `scripts/load-secrets.sh`.
-- `deploy/deploy.sh` now runs `prisma migrate deploy` automatically when `DATABASE_URL` is set (recommended for test/staging/prod).
+- `deploy/deploy.sh` runs `prisma migrate deploy` automatically when `DATABASE_URL` is set; if it isn't, it will try to read `DATABASE_URL` from the in-cluster `lomavuokraus-web-secrets` in the target namespace (recommended for test/staging/prod).
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
index 1f7f36a..4b19c27 100755
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -71,12 +71,31 @@ APP_VERSION="${APP_VERSION:-$(echo \"$IMAGE\" | awk -F: '{print $NF}')}"
 
 export K8S_NAMESPACE APP_HOST API_HOST NEXT_PUBLIC_SITE_URL NEXT_PUBLIC_API_BASE APP_ENV CLUSTER_ISSUER INGRESS_CLASS APP_REPLICAS K8S_IMAGE APP_VERSION
 
-if [[ -n "${DATABASE_URL:-}" ]]; then
-  echo "Running Prisma migrations for APP_ENV=$APP_ENV"
-  npx prisma migrate deploy
-else
-  echo "DATABASE_URL not set; skipping Prisma migrations" >&2
-fi
+maybe_run_prisma_migrations() {
+  local db_url="${DATABASE_URL:-}"
+  if [[ -z "$db_url" ]]; then
+    # If DATABASE_URL isn't available locally, try to reuse the in-cluster secret.
+    # This prevents "works in cluster but deploy skipped migrations" drift.
+    if command -v kubectl >/dev/null 2>&1 && command -v jq >/dev/null 2>&1; then
+      if kubectl -n "$K8S_NAMESPACE" get secret lomavuokraus-web-secrets >/dev/null 2>&1; then
+        db_url="$(
+          kubectl -n "$K8S_NAMESPACE" get secret lomavuokraus-web-secrets -o json \
+            | jq -r '.data.DATABASE_URL // empty' \
+            | base64 -d 2>/dev/null || true
+        )"
+      fi
+    fi
+  fi
+
+  if [[ -n "$db_url" ]]; then
+    echo "Running Prisma migrations for APP_ENV=$APP_ENV (namespace=$K8S_NAMESPACE)"
+    DATABASE_URL="$db_url" npx prisma migrate deploy
+  else
+    echo "DATABASE_URL not set and lomavuokraus-web-secrets/DATABASE_URL not found; skipping Prisma migrations" >&2
+  fi
+}
+
+maybe_run_prisma_migrations
 
 TMP_MANIFEST=$(mktemp)
 envsubst < k8s/app.yaml > "$TMP_MANIFEST"