For quay.io, the config.yaml file is entirely maintained in a single key in vault. This isn't very manageable and requires vault access and knowledge of quay's syntax to modify. Additionally it doesn't use any of the configuration data already available from app-sre's pipelines, meaning data has to be managed in the quay config secret separately.
It should be possible to remove the config.yaml from vault and use a templated secret or similar to provide non-sensitive configuration in a file in app-interface, but retrieve sensitive values from vault.
This also means we should get rid of the multiple secret deployments in app-interface and rely upon a single secret. This would also allow automated quay rollouts if the configuration changes, if desired.