deploy-k3s: align _config.sh::generate_env with live ConfigMap

generate_env was missing 5 keys that exist in the live honeydue-config
ConfigMap (drift introduced over time by manual kubectl patches):
STATIC_DIR, STORAGE_UPLOAD_DIR, STORAGE_BASE_URL, B2_REGION, B2_USE_SSL.
Without these, running 03-deploy.sh would silently drop them and
break static asset serving + B2 region/TLS.

Also:
- Move B2_KEY_ID/B2_APP_KEY out of generate_env: they're credentials
  and belong in honeydue-secrets, not cleartext in the ConfigMap. The
  api/worker deployments still need to be wired to read them via
  envFrom: secretRef before B2 uploads will work — pre-existing gap,
  not caused by this commit.
- Use the in-namespace short DNS form for REDIS_URL ('redis:6379') to
  match what the live cluster has — pods' resolv.conf search path
  already covers honeydue.svc.cluster.local.
- config.yaml.example: add b2_region, b2_use_ssl, upload_dir, base_url,
  static_dir under storage so a fresh bootstrap sets them correctly.

Verified by sourcing _config.sh and diffing generate_env output against
`kubectl get cm honeydue-config -o jsonpath='{.data}'`: clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy-k3s/config.yaml.example

@@ -72,8 +72,13 @@ storage:
   b2_app_key: ""
   b2_bucket: ""
   b2_endpoint: ""                           # e.g. s3.us-west-004.backblazeb2.com
+  b2_region: ""                             # e.g. us-east-005
+  b2_use_ssl: true
   max_file_size: 10485760
   allowed_types: "image/jpeg,image/png,image/gif,image/webp,application/pdf"
+  upload_dir: /app/uploads                  # filesystem path inside the api container
+  base_url: /uploads                        # public URL prefix served by the api
+  static_dir: /app/static                   # static asset path inside the api container
 
 # --- Worker Schedules (UTC hours) ---
 worker:

deploy-k3s/scripts/_config.sh

@@ -118,8 +118,9 @@ lines = [
     f\"DB_MAX_OPEN_CONNS={db['max_open_conns']}\",
     f\"DB_MAX_IDLE_CONNS={db['max_idle_conns']}\",
     f\"DB_MAX_LIFETIME={db['max_lifetime']}\",
-    # Redis (K8s internal DNS — password injected if configured)
+    # Redis (in-namespace DNS short form — password injected if configured;
-    f\"REDIS_URL=redis://{':%s@' % val(rd.get('password')) if rd.get('password') else ''}redis.honeydue.svc.cluster.local:6379/0\",
+    # short form works because /etc/resolv.conf in pods searches honeydue.svc.cluster.local)
+    f\"REDIS_URL=redis://{':%s@' % val(rd.get('password')) if rd.get('password') else ''}redis:6379/0\",
     'REDIS_DB=0',
     # Email
     f\"EMAIL_HOST={em['host']}\",
@@ -139,12 +140,21 @@ lines = [
     f\"OVERDUE_REMINDER_HOUR={wk['overdue_reminder_hour']}\",
     f\"DAILY_DIGEST_HOUR={wk['daily_digest_hour']}\",
     # B2 Storage
-    f\"B2_KEY_ID={val(st['b2_key_id'])}\",
+    # B2_KEY_ID and B2_APP_KEY are intentionally NOT emitted into the
-    f\"B2_APP_KEY={val(st['b2_app_key'])}\",
+    # ConfigMap — they're credentials and belong in honeydue-secrets
+    # (set by 02-setup-secrets.sh). Wire them into the api/worker
+    # deployments via envFrom: secretRef when B2 uploads need to be
+    # active. Leaving them in cleartext here would leak via
+    # `kubectl get cm`.
     f\"B2_BUCKET_NAME={val(st['b2_bucket'])}\",
     f\"B2_ENDPOINT={val(st['b2_endpoint'])}\",
+    f\"B2_REGION={val(st.get('b2_region'))}\",
+    f\"B2_USE_SSL={b(st.get('b2_use_ssl', True))}\",
     f\"STORAGE_MAX_FILE_SIZE={st['max_file_size']}\",
     f\"STORAGE_ALLOWED_TYPES={st['allowed_types']}\",
+    f\"STORAGE_UPLOAD_DIR={val(st.get('upload_dir', '/app/uploads'))}\",
+    f\"STORAGE_BASE_URL={val(st.get('base_url', '/uploads'))}\",
+    f\"STATIC_DIR={val(st.get('static_dir', '/app/static'))}\",
     # Features
     f\"FEATURE_PUSH_ENABLED={b(ft['push_enabled'])}\",
     f\"FEATURE_EMAIL_ENABLED={b(ft['email_enabled'])}\",