replace test.sh with deploy.sh — full one-command setup

deploy.sh automates the entire flow:
- Deploy CVM via phala CLI
- Wait for SSH, extract kubeconfig
- Wait for k3s node Ready
- Wait for wildcard TLS certificate
- Deploy nginx test workload with IngressRoute
- Run a quick smoke test

README restructured: Quick Start now points to deploy.sh,
manual steps moved into a collapsible details section.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: h4x3rotab

k3s/README.md

@@ -17,12 +17,97 @@ Run a single-node Kubernetes cluster inside an Intel TDX Confidential VM with wi
   npm install -g phala
   phala auth login
   ```
-- `kubectl` installed ([install guide](https://kubernetes.io/docs/tasks/tools/))
+- `kubectl` and `jq` installed ([kubectl install guide](https://kubernetes.io/docs/tasks/tools/))
 - A domain you control (for the wildcard certificate)
 - Cloudflare API token with **Zone:Read** and **DNS:Edit** permissions (see [DNS_PROVIDERS.md](../custom-domain/dstack-ingress/DNS_PROVIDERS.md) for other DNS providers)
 
 ## Quick Start
 
+The deploy script handles everything — CVM provisioning, kubeconfig extraction, certificate waiting, and a test workload:
+
+```bash
+export CLOUDFLARE_API_TOKEN=your-cloudflare-token
+export CERTBOT_EMAIL=you@example.com
+
+./deploy.sh k3s.example.com
+```
+
+Replace `k3s.example.com` with your actual domain. The script takes ~10 minutes (mostly waiting for the wildcard certificate). When done, it prints:
+
+```
+============================================
+  k3s on dstack is ready!
+============================================
+
+  Kubeconfig:  export KUBECONFIG=/path/to/k3s.yaml
+  kubectl:     kubectl get nodes
+  Test URL:    https://nginx.k3s.example.com/
+  Evidence:    https://nginx.k3s.example.com/evidences/quote
+```
+
+You can then deploy your own services:
+
+```bash
+export KUBECONFIG=k3s.yaml
+kubectl run my-app --image=my-app:latest --port=8080
+kubectl expose pod my-app --port=8080
+kubectl apply -f - <<EOF
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: my-app
+spec:
+  entryPoints: [web]
+  routes:
+    - match: Host(\`my-app.k3s.example.com\`)
+      kind: Rule
+      services:
+        - name: my-app
+          port: 8080
+EOF
+```
+
+### Clean Up
+
+Remove the test workload:
+
+```bash
+kubectl delete ingressroute.traefik.io nginx
+kubectl delete svc nginx
+kubectl delete pod nginx
+```
+
+Delete the CVM entirely:
+
+```bash
+echo y | phala cvms delete my-k3s
+rm k3s.yaml
+```
+
+### Configuration
+
+You can customize the deployment with environment variables:
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `CVM_NAME` | `my-k3s` | CVM name |
+| `INSTANCE_TYPE` | `tdx.medium` | Instance type |
+| `DISK_SIZE` | `50G` | Disk size |
+| `KUBECONFIG_FILE` | `k3s.yaml` | Output kubeconfig path |
+
+Example:
+
+```bash
+CVM_NAME=prod-k3s INSTANCE_TYPE=tdx.4xlarge DISK_SIZE=100G ./deploy.sh k3s.example.com
+```
+
+## Step-by-Step Guide
+
+If you prefer to run each step manually instead of using the deploy script:
+
+<details>
+<summary>Click to expand manual steps</summary>
+
 ### 1. Deploy the CVM
 
 ```bash
@@ -38,8 +123,6 @@ phala deploy \
   --wait
 ```
 
-Replace `k3s.example.com` with your actual domain. All subdomains under it (e.g., `nginx.k3s.example.com`) will get TLS automatically.
-
 The `--dev-os` flag enables SSH access (needed to extract the kubeconfig). The `--disk-size 50G` gives enough room for k3s images and workloads.
 
 The deploy command outputs an **App ID** and gateway info. Save the App ID (a 40-character hex string):
@@ -107,54 +190,37 @@ Retry until you see an HTTP response (a 404 is fine — it means TLS works but n
 HTTP/1.1 404 Not Found
 ```
 
-### 5. Deploy and Test a Workload
-
-Run the included test script to deploy an nginx pod, verify HTTPS, check evidence endpoints, and confirm kubectl access — all in one command:
-
-```bash
-./test.sh k3s.example.com
-```
-
-Expected output:
-
-```
-==> Deploying test workload...
-==> Waiting for pod to be ready...
-==> Running smoke tests...
-
-  PASS: https://nginx.k3s.example.com/ returned 200
-  PASS: TLS cert CN matches *.k3s.example.com
-  PASS: /evidences/quote returned 200
-  PASS: /evidences/cc_eventlog returned 200
-  PASS: /evidences/raw_quote returned 200
-  PASS: k3s API /version returned 200
-  PASS: kubectl reports node Ready
-
-==> Results: 7/7 passed
-```
-
-The test workload stays running so you can try it yourself:
-
-```bash
-curl "https://nginx.k3s.example.com/"
-```
-
-### 6. Clean Up
-
-Remove the test workload:
+### 5. Deploy a Test Workload
 
 ```bash
-kubectl delete ingressroute.traefik.io nginx
-kubectl delete svc nginx
-kubectl delete pod nginx
+CLUSTER_DOMAIN=k3s.example.com
+
+kubectl run nginx --image=nginx:alpine --port=80
+kubectl expose pod nginx --port=80 --target-port=80 --name=nginx
+kubectl wait --for=condition=Ready pod/nginx --timeout=120s
+
+kubectl apply -f - <<EOF
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx
+spec:
+  entryPoints: [web]
+  routes:
+    - match: Host(\`nginx.${CLUSTER_DOMAIN}\`)
+      kind: Rule
+      services:
+        - name: nginx
+          port: 80
+EOF
+
+sleep 10
+curl -s "https://nginx.${CLUSTER_DOMAIN}/"
 ```
 
-Delete the CVM entirely:
+You should see the nginx welcome page served over HTTPS with a valid Let's Encrypt certificate.
 
-```bash
-echo y | phala cvms delete my-k3s
-rm k3s.yaml
-```
+</details>
 
 ## How It Works
 
@@ -203,9 +269,7 @@ External HTTPS traffic hits dstack-ingress, which terminates TLS using the wildc
 4. The decrypted HTTP traffic is forwarded to Traefik on port 80
 5. Traefik matches the `Host` header against IngressRoute rules and routes to the right pod
 
-## Configuration
-
-### Environment Variables
+## Environment Variables
 
 | Variable | Required | Description |
 |----------|----------|-------------|
@@ -310,7 +374,7 @@ phala ssh <app-id> -- "docker logs dstack-k3s-1 2>&1 | tail -30"
 ```
 k3s/
 ├── docker-compose.yaml          # k3s + kmod-installer + dstack-ingress
-├── test.sh                      # One-command smoke test
+├── deploy.sh                    # One-command deploy + setup
 ├── README.md
 └── manifests/
     ├── rbac.yaml                # Optional: scoped service account

k3s/deploy.sh

@@ -0,0 +1,189 @@
+#!/usr/bin/env bash
+# Deploy k3s on dstack and set up kubectl access.
+#
+# Usage:
+#   export CLOUDFLARE_API_TOKEN=xxx
+#   export CERTBOT_EMAIL=you@example.com
+#   ./deploy.sh k3s.example.com
+#
+# Prerequisites:
+#   - phala CLI installed and authenticated (phala auth login)
+#   - kubectl and jq installed
+
+set -euo pipefail
+
+CLUSTER_DOMAIN="${1:-${CLUSTER_DOMAIN:-}}"
+CVM_NAME="${CVM_NAME:-my-k3s}"
+INSTANCE_TYPE="${INSTANCE_TYPE:-tdx.medium}"
+DISK_SIZE="${DISK_SIZE:-50G}"
+KUBECONFIG_FILE="${KUBECONFIG_FILE:-k3s.yaml}"
+
+if [[ -z "$CLUSTER_DOMAIN" ]]; then
+  echo "Usage: $0 <cluster-domain>"
+  echo "  e.g. $0 k3s.example.com"
+  echo ""
+  echo "Required env vars:"
+  echo "  CLOUDFLARE_API_TOKEN   Cloudflare API token (Zone:Read + DNS:Edit)"
+  echo "  CERTBOT_EMAIL          Email for Let's Encrypt registration"
+  echo ""
+  echo "Optional env vars:"
+  echo "  CVM_NAME               CVM name (default: my-k3s)"
+  echo "  INSTANCE_TYPE          Instance type (default: tdx.medium)"
+  echo "  DISK_SIZE              Disk size (default: 50G)"
+  echo "  KUBECONFIG_FILE        Output kubeconfig path (default: k3s.yaml)"
+  exit 1
+fi
+
+: "${CLOUDFLARE_API_TOKEN:?CLOUDFLARE_API_TOKEN is required}"
+: "${CERTBOT_EMAIL:?CERTBOT_EMAIL is required}"
+
+for cmd in phala kubectl jq; do
+  command -v "$cmd" >/dev/null 2>&1 || { echo "Error: $cmd is required but not found"; exit 1; }
+done
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# ---------- Step 1: Deploy the CVM ----------
+
+echo "==> Deploying CVM '${CVM_NAME}'..."
+phala deploy \
+  -n "$CVM_NAME" \
+  -c "${SCRIPT_DIR}/docker-compose.yaml" \
+  -t "$INSTANCE_TYPE" \
+  --disk-size "$DISK_SIZE" \
+  --dev-os \
+  -e "CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}" \
+  -e "CERTBOT_EMAIL=${CERTBOT_EMAIL}" \
+  -e "CLUSTER_DOMAIN=${CLUSTER_DOMAIN}" \
+  --wait
+
+# ---------- Step 2: Extract APP_ID and GATEWAY_DOMAIN ----------
+
+echo "==> Fetching CVM info..."
+CVM_JSON=$(phala cvms get "$CVM_NAME" --json 2>/dev/null)
+APP_ID=$(echo "$CVM_JSON" | jq -r '.app_id')
+GATEWAY_DOMAIN=$(echo "$CVM_JSON" | jq -r '.gateway.base_domain')
+
+echo "    App ID:         ${APP_ID}"
+echo "    Gateway domain: ${GATEWAY_DOMAIN}"
+
+# ---------- Step 3: Wait for SSH and extract kubeconfig ----------
+
+echo "==> Waiting for CVM to boot (this takes 2-3 minutes)..."
+for i in $(seq 1 30); do
+  if phala ssh "$APP_ID" -- "echo ok" >/dev/null 2>&1; then
+    break
+  fi
+  if [[ $i -eq 30 ]]; then
+    echo "Error: SSH not available after 5 minutes"
+    exit 1
+  fi
+  sleep 10
+done
+
+echo "==> Extracting kubeconfig..."
+for i in $(seq 1 12); do
+  if phala ssh "$APP_ID" -- \
+    "docker exec dstack-k3s-1 cat /etc/rancher/k3s/k3s.yaml" \
+    2>/dev/null > "$KUBECONFIG_FILE" && [[ -s "$KUBECONFIG_FILE" ]]; then
+    break
+  fi
+  if [[ $i -eq 12 ]]; then
+    echo "Error: could not extract kubeconfig after 2 minutes"
+    exit 1
+  fi
+  sleep 10
+done
+
+# Rewrite API server URL to use the gateway TLS passthrough endpoint
+sed -i "s|https://127.0.0.1:6443|https://${APP_ID}-6443s.${GATEWAY_DOMAIN}|" "$KUBECONFIG_FILE"
+
+export KUBECONFIG="${KUBECONFIG_FILE}"
+
+# ---------- Step 4: Wait for node Ready ----------
+
+echo "==> Waiting for k3s node to become Ready..."
+for i in $(seq 1 30); do
+  STATUS=$(kubectl get nodes -o jsonpath='{.items[0].status.conditions[?(@.type=="Ready")].status}' 2>/dev/null || echo "")
+  if [[ "$STATUS" == "True" ]]; then
+    break
+  fi
+  if [[ $i -eq 30 ]]; then
+    echo "Error: node not Ready after 5 minutes"
+    exit 1
+  fi
+  sleep 10
+done
+
+echo "==> Node is Ready:"
+kubectl get nodes
+
+# ---------- Step 5: Wait for wildcard certificate ----------
+
+echo "==> Waiting for wildcard TLS certificate (this takes 5-8 minutes)..."
+CERT_TEST_URL="https://test.${CLUSTER_DOMAIN}/"
+for i in $(seq 1 60); do
+  HTTP_CODE=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$CERT_TEST_URL" 2>/dev/null || echo "000")
+  if [[ "$HTTP_CODE" != "000" ]]; then
+    echo "    Certificate is ready (got HTTP ${HTTP_CODE})"
+    break
+  fi
+  if [[ $i -eq 60 ]]; then
+    echo "Warning: certificate not ready after 10 minutes, continuing anyway"
+    break
+  fi
+  sleep 10
+done
+
+# ---------- Step 6: Deploy test workload ----------
+
+echo "==> Deploying nginx test workload..."
+NGINX_HOST="nginx.${CLUSTER_DOMAIN}"
+
+kubectl run nginx --image=nginx:alpine --port=80 --restart=Never 2>/dev/null || true
+kubectl expose pod nginx --port=80 --target-port=80 --name=nginx 2>/dev/null || true
+
+kubectl apply -f - <<EOF
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx
+spec:
+  entryPoints: [web]
+  routes:
+    - match: Host(\`${NGINX_HOST}\`)
+      kind: Rule
+      services:
+        - name: nginx
+          port: 80
+EOF
+
+kubectl wait --for=condition=Ready pod/nginx --timeout=120s
+sleep 10
+
+# ---------- Smoke test ----------
+
+echo ""
+echo "==> Smoke test..."
+HTTP_CODE=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "https://${NGINX_HOST}/" 2>/dev/null || echo "000")
+if [[ "$HTTP_CODE" == "200" ]]; then
+  echo "    PASS: https://${NGINX_HOST}/ returned 200"
+else
+  echo "    WARN: https://${NGINX_HOST}/ returned ${HTTP_CODE} (cert may still be propagating)"
+fi
+
+# ---------- Done ----------
+
+echo ""
+echo "============================================"
+echo "  k3s on dstack is ready!"
+echo "============================================"
+echo ""
+echo "  Kubeconfig:  export KUBECONFIG=$(pwd)/${KUBECONFIG_FILE}"
+echo "  kubectl:     kubectl get nodes"
+echo "  Test URL:    https://${NGINX_HOST}/"
+echo "  Evidence:    https://${NGINX_HOST}/evidences/quote"
+echo ""
+echo "  To clean up:"
+echo "    kubectl delete ingressroute.traefik.io nginx && kubectl delete svc nginx && kubectl delete pod nginx"
+echo "    echo y | phala cvms delete ${CVM_NAME} && rm ${KUBECONFIG_FILE}"