This bug affects the Quay operator-based installations with managed object storage provided by ODF.

When provisioning a new Quay registry, the operator takes care of adding the service CA used for signing the certificate used by the object storage endpoint inside the Quay certificate bundle automatically.

There are some occasions where the service CA gets rotated[1](for example OCP upgrade) and we observed that the Quay operator does not add the new service CA inside the certificate bundle.

This generates some SSL: CERTIFICATE_VERIFY_FAILED exceptions inside Quay logs because the certificate validation fails and the registry will stop working because it is not able to communicate with the storage anymore.

The only possible workaround is adding the service CA to the config bundle secret manually[2]

 [1]https://docs.openshift.com/container-platform/4.12/security/certificates/service-serving-certificate.html

[2]https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/manage_red_hat_quay/config-custom-ssl-certs-manual#config-custom-ssl-cert-kubernetes