deploy-k3s: wire B2_KEY_ID/B2_APP_KEY into api Deployment

The B2 credentials existed in honeydue-secrets (created by
02-setup-secrets.sh) but were never referenced from the api
Deployment, so StorageConfig.IsS3() returned false at runtime →
StorageService fell back to local filesystem. With
readOnlyRootFilesystem=true on the api container, that local
fallback would silently fail on every upload — meaning every
photo, document, and task-completion upload was broken in prod
since the k3s migration on 2026-04-24.

Adding both as secretKeyRef on the api container only (the worker
doesn't perform uploads). Verified end-to-end with a registered
test user: source PDF (sha256=3af3a645...) → POST /api/uploads/document/
→ POST /api/documents/ → GET /api/media/document/:id → byte-identical
download. Storage init log now reports "Storage service initialized (S3)".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy-k3s/manifests/api/deployment.yaml

@@ -73,6 +73,21 @@ spec:
                   name: honeydue-secrets
                   key: REDIS_PASSWORD
                   optional: true
+            # B2 (Backblaze) credentials. With both set, StorageConfig.IsS3()
+            # returns true and uploads stream to B2 via minio-go. With either
+            # missing, code falls back to local filesystem — and since
+            # readOnlyRootFilesystem is true on this container, that fallback
+            # silently fails. So both must be wired or uploads break.
+            - name: B2_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: honeydue-secrets
+                  key: B2_KEY_ID
+            - name: B2_APP_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: honeydue-secrets
+                  key: B2_APP_KEY
           volumeMounts:
             - name: apns-key
               mountPath: /secrets/apns