db-backup-s3/tests/k8s-mssql-secret-example.yaml

# Example mssql-general Secret
# This secret contains ONLY sensitive credentials (passwords, keys)
# Non-sensitive configuration is in the ConfigMap (tests/k8s-mssql-configmap-example.yaml)
#
# Usage:
#   1. Copy this file and update with your actual values
#   2. Apply ConfigMap: kubectl apply -f tests/k8s-mssql-configmap.yaml
#   3. Apply Secret: kubectl apply -f tests/k8s-mssql-secret.yaml
#   4. Deploy: kubectl apply -f tests/k8s-statefulset-with-sidecar.yaml

apiVersion: v1
kind: Secret
metadata:
  name: mssql-general
  namespace: default # Update with your namespace
type: Opaque
stringData:
  # ============================================
  # MSSQL Server Credentials
  # ============================================
  MSSQL_SA_PASSWORD: "YourStrong@Passw0rd" # Must meet SQL Server complexity requirements

  # ============================================
  # Database Backup Credentials
  # ============================================
  DATABASE_USER: "sa"
  DATABASE_PASSWORD: "YourStrong@Passw0rd" # Same as MSSQL_SA_PASSWORD

  # ============================================
  # AWS S3 Credentials
  # ============================================
  S3_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE"
  S3_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

  # ============================================
  # Optional: GPG Encryption Passphrase
  # ============================================
  # Uncomment to enable encryption of backup files before upload
  # PASSPHRASE: "my-super-secret-gpg-passphrase"

---
# Notes:
#
# 1. Password Requirements:
#    - MSSQL_SA_PASSWORD must meet SQL Server complexity requirements:
#      * At least 8 characters
#      * Mix of uppercase, lowercase, digits, and symbols
#      * Example: "MyP@ssw0rd123"
#
# 2. For production, consider using:
#    - SealedSecrets: https://github.com/bitnami-labs/sealed-secrets
#    - External Secrets Operator: https://external-secrets.io/
#    - AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault
#
# 3. Non-sensitive configuration (bucket, endpoints, schedule):
#    These are now in the ConfigMap (tests/k8s-mssql-configmap-example.yaml)
#    This keeps secrets clean and allows easier configuration changes
#
# 4. Alternative: Create secret from command line:
#    kubectl create secret generic mssql-general \
#      --from-literal=MSSQL_SA_PASSWORD='YourStrong@Passw0rd' \
#      --from-literal=DATABASE_USER='sa' \
#      --from-literal=DATABASE_PASSWORD='YourStrong@Passw0rd' \
#      --from-literal=S3_ACCESS_KEY_ID='YOUR_KEY' \
#      --from-literal=S3_SECRET_ACCESS_KEY='YOUR_SECRET'
#
# 4. To view the secret (base64 encoded):
#    kubectl get secret mssql-general -o yaml
#
# 5. To decode a specific key:
#    kubectl get secret mssql-general -o jsonpath='{.data.DATABASE_NAME}' | base64 -d