Goal: Allow administrators to leverage OpenShift Routes in re-encrypt mode so they can rely on OpenShift to provide TLS endpoints using certificates from the cluster CA.
Problem statement: Quay prefers to manage TLS termination, but the Operator does not yet support picking up existing TLS certs declaratively from existing Secrets or from other sources in the OpenShift cluster (ca-signer-services). When customers use custom OpenShift Routes for this reason, the setup is complicated by the Operator rotating the Operator-managed CA on every config change: for re-encrypt routes to work, the CA cert needs to be in-lined in the Route definition, so each rotation leaves the Route holding a stale CA.
- allow using re-encrypt routes effectively
- stop rotating the CA every time the Operator updates / reconciles the Quay registry
- is there a better way for the Operator to expose the CA it manages?
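
The failure mode in the problem statement can be reproduced locally with `openssl`. This is an added example, not code from the Quay Operator: it assumes the router validates the backend certificate against the CA copied into the Route (the `spec.tls.destinationCACertificate` field), and all subjects, file names and the "reconcile" step are constructed stand-ins.

```shell
#!/bin/sh
# Constructed demo: every name, subject and path here is made up for illustration.

# make_ca DIR: self-signed CA, standing in for the Operator-managed CA.
make_ca() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
    -subj "/CN=demo-operator-ca" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_leaf DIR: backend serving certificate signed by the CA in DIR.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=demo-registry.demo.svc" -keyout "$1/tls.key" -out "$1/tls.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/tls.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/tls.crt" 2>/dev/null
}

# route_trusts PINNED_CA LEAF: the check a re-encrypt route depends on,
# i.e. the backend certificate must chain to the CA in-lined in the Route.
route_trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: pin the first CA, then simulate a reconcile that rotates the CA.
demo() {
  work=$(mktemp -d) || return 1
  mkdir "$work/gen1" "$work/gen2"

  make_ca "$work/gen1" && issue_leaf "$work/gen1" || return 1
  cp "$work/gen1/ca.crt" "$work/pinned-ca.crt"   # admin in-lines this CA in the Route
  route_trusts "$work/pinned-ca.crt" "$work/gen1/tls.crt" && before=ok || before=fail

  # Simulated reconcile: same CA subject, new key pair, re-issued backend cert.
  make_ca "$work/gen2" && issue_leaf "$work/gen2" || return 1
  route_trusts "$work/pinned-ca.crt" "$work/gen2/tls.crt" && after=ok || after=fail

  rm -rf "$work"
  echo "before=$before after=$after"
}
```

The rotated CA keeps the same subject name, so comparing names alone does not reveal the drift; only chain verification (or a fingerprint comparison) against the pinned CA does.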