Bug
Resolution: Not a Bug
Major
quay-v3.4.0
A QuayEcosystem with user-provided TLS certs cannot be easily migrated to a QuayRegistry, because the certs fail the k8s service name SAN requirement.
What happens:
1. QuayEcosystem exists with custom hostname, passthrough TLS and a user-provided TLS cert/key pair.
2. TNG migrates to QuayRegistry with route component marked as managed: true.
3. TNG reconciles QuayRegistry, discovers user-provided TLS cert/key pair not valid for internal k8s hostnames, and generates its own self-signed certs.
Step 3 was fixed in Quay Operator v3.5.0, but that does not help with the upgrade path of 3.3->3.4->3.5.
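
A pre-migration check for the SAN gap described above, as an added example that is not part of the original issue or the Quay Operator's code: it reports which required hostnames a certificate does not cover. The service-name pattern (`-quay-app`, `.svc`, `.svc.cluster.local`), the registry name `example`, the namespace `quay` and the hostname `registry.example.com` are assumptions made for illustration, and the certificate is constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// requiredNames: route host plus service names ("-quay-app" and ".svc" forms are assumed).
func requiredNames(host, registry, ns string) []string {
	svc := registry + "-quay-app"
	return []string{host, svc, svc + "." + ns + ".svc", svc + "." + ns + ".svc.cluster.local"}
}

// missingSANs returns each required hostname the certificate does not cover.
func missingSANs(cert *x509.Certificate, required []string) []string {
	var missing []string
	for _, h := range required {
		if cert.VerifyHostname(h) != nil {
			missing = append(missing, h)
		}
	}
	return missing
}

// sampleCert builds a constructed self-signed certificate with the given SANs.
func sampleCert(sans ...string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := sampleCert("registry.example.com") // constructed: custom hostname only
	if err != nil {
		panic(err)
	}
	fmt.Println("SANs missing:", missingSANs(cert, requiredNames("registry.example.com", "example", "quay")))
}
```

To check a real certificate, decode the PEM file and pass the result of `x509.ParseCertificate` to `missingSANs` in place of `sampleCert`.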