From 1cd6cafa9d42479a16cf2e7dca51ee6be1cfde19 Mon Sep 17 00:00:00 2001
From: Trey t <treytartt@fastmail.com>
Date: Sat, 25 Apr 2026 00:53:25 -0500
Subject: [PATCH] deploy-k3s: wire B2_KEY_ID/B2_APP_KEY into api Deployment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The B2 credentials existed in honeydue-secrets (created by
02-setup-secrets.sh) but were never referenced from the api
Deployment, so StorageConfig.IsS3() returned false at runtime →
StorageService fell back to local filesystem. With
readOnlyRootFilesystem=true on the api container, that local
fallback would silently fail on every upload — meaning every
photo, document, and task-completion upload was broken in prod
since the k3s migration on 2026-04-24.

Adding both as secretKeyRef on the api container only (the worker
doesn't perform uploads). Verified end-to-end with a registered
test user: source PDF (sha256=3af3a645...) → POST /api/uploads/document/
→ POST /api/documents/ → GET /api/media/document/:id → byte-identical
download. Storage init log now reports "Storage service initialized (S3)".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 deploy-k3s/manifests/api/deployment.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/deploy-k3s/manifests/api/deployment.yaml b/deploy-k3s/manifests/api/deployment.yaml
index ec1a8f7..c79e593 100644
--- a/deploy-k3s/manifests/api/deployment.yaml
+++ b/deploy-k3s/manifests/api/deployment.yaml
@@ -73,6 +73,21 @@ spec:
                   name: honeydue-secrets
                   key: REDIS_PASSWORD
                   optional: true
+            # B2 (Backblaze) credentials. With both set, StorageConfig.IsS3()
+            # returns true and uploads stream to B2 via minio-go. With either
+            # missing, code falls back to local filesystem — and since
+            # readOnlyRootFilesystem is true on this container, that fallback
+            # silently fails. So both must be wired or uploads break.
+            - name: B2_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: honeydue-secrets
+                  key: B2_KEY_ID
+            - name: B2_APP_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: honeydue-secrets
+                  key: B2_APP_KEY
           volumeMounts:
             - name: apns-key
               mountPath: /secrets/apns