Copilot AI commented Jan 6, 2026

Routes with custom TLS certificates lose those certificates when deleted. This adds scheduled backup of route certificates to secrets.

Implementation

Backup script (cert-setup/backup_certs.sh)

  • Extracts TLS certificates from routes and stores as secrets with source annotations
  • Supports filtering by route name or label selector, dry-run mode
  • Secure temp file handling, no eval of user data

GitHub Actions workflow (.github/workflows/backup-certs.yml)

  • Reusable workflow for scheduled backups via GitHub Actions
  • Configurable route filtering and secret prefix

OpenShift CronJob template (cert-setup/cronjob-template.yaml)

  • In-cluster automated backups with ServiceAccount, Role, RoleBinding
  • Configurable schedule (default: daily at 2 AM)

Usage

Manual backup:

# Backup all routes
./backup_certs.sh

# Backup specific route
./backup_certs.sh --route myapp-vanity

# Preview only
./backup_certs.sh --dry-run

Scheduled via GitHub Actions:

jobs:
  backup:
    uses: bcgov/quickstart-openshift-helpers/.github/workflows/[email protected]
    secrets:
      oc_token: ${{ secrets.OC_TOKEN }}
      oc_namespace: ${{ secrets.OC_NAMESPACE }}

Scheduled via OpenShift CronJob:

oc process -f cert-setup/cronjob-template.yaml | oc apply -f -

Restore from backup:

oc get secret backup-myapp-vanity-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > myapp-vanity.pem
oc get secret backup-myapp-vanity-tls -o jsonpath='{.data.tls\.key}' | base64 -d > myapp-vanity.key

Backup secrets are labeled with backup.openshift.io/type=route-tls and annotated with source route, timestamp, and TLS termination type.

Original prompt

This section details the original issue you should resolve

<issue_title>feat: backup CSR and more to namespace secrets</issue_title>
<issue_description>We have existing routes that use a variety of certs. If the route is deleted, then we can lose those certs. We should run scheduled jobs that back up those certs into OpenShift secrets.</issue_description>

Comments on the Issue (you are @copilot in this section)
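
The mapping from a Route to a backup secret that the description above outlines, as an added Python example (not code from this PR or from cert-setup/backup_certs.sh). The function name, the annotation key prefix, the `ca.crt` handling and the sample routes are assumptions constructed for illustration; the secret name pattern and the `backup.openshift.io/type=route-tls` label follow the description.

```python
import base64
import json
from datetime import datetime, timezone

BACKUP_LABEL = {"backup.openshift.io/type": "route-tls"}  # label named in the PR description
ANNOTATION_PREFIX = "backup.example.invalid/"  # hypothetical: the page does not give the annotation keys

SAMPLE_ROUTES = [  # constructed sample data with placeholder PEM strings, not real certificates
    {"metadata": {"name": "myapp-vanity"},
     "spec": {"tls": {"termination": "edge",
                      "certificate": "CONSTRUCTED-PEM-CERT\n",
                      "key": "CONSTRUCTED-PEM-KEY\n"}}},
    {"metadata": {"name": "myapp-default"}, "spec": {"tls": {"termination": "edge"}}},
    {"metadata": {"name": "myapp-passthrough"}, "spec": {"tls": {"termination": "passthrough"}}},
]


def b64(pem):
    """Secret .data values are base64 text (an encoding, not encryption)."""
    return base64.b64encode(pem.encode()).decode()


def route_to_backup_secret(route, prefix="backup-", now=None):
    """Return a kubernetes.io/tls Secret manifest for a Route, or None if it has no custom cert."""
    tls = route.get("spec", {}).get("tls") or {}
    cert, key = tls.get("certificate"), tls.get("key")
    if not cert or not key:
        # Passthrough routes and routes served by the router's default certificate
        # carry no certificate material in spec.tls, so there is nothing to back up.
        return None
    name = route["metadata"]["name"]
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    data = {"tls.crt": b64(cert), "tls.key": b64(key)}
    if tls.get("caCertificate"):
        data["ca.crt"] = b64(tls["caCertificate"])  # assumption: keep the CA chain alongside
    annotations = {
        ANNOTATION_PREFIX + "source-route": name,
        ANNOTATION_PREFIX + "timestamp": stamp,
        ANNOTATION_PREFIX + "tls-termination": tls.get("termination", ""),
    }
    metadata = {"name": f"{prefix}{name}-tls", "labels": dict(BACKUP_LABEL), "annotations": annotations}
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": metadata, "data": data}


if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        s = route_to_backup_secret(r)
        print(json.dumps(s, indent=2) if s else f"skip {r['metadata']['name']}: no custom certificate")
```

The resulting secret holds the route's private key, so read access to secrets carrying this label is equivalent to access to the key itself.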



Copilot AI changed the title [WIP] Add scheduled jobs to back up certs to OpenShift secrets feat: Add route certificate backup to OpenShift secrets Jan 6, 2026
Copilot AI requested a review from DerekRoberts January 6, 2026 18:40
@DerekRoberts DerekRoberts moved this from New to Active in DevOps (NR) Jan 7, 2026
@DerekRoberts DerekRoberts changed the title feat: Add route certificate backup to OpenShift secrets feat: backup route certificates to OpenShift secrets Jan 8, 2026
@DerekRoberts DerekRoberts moved this from Active to Next in DevOps (NR) Jan 15, 2026