Customers deploying Quay in disconnected / air-gapped environments often employ a custom CA that signed all their TLS-protected internal endpoints. To allow the config-app to do validation of configuration settings it needs to call those endpoints (S3, Postgres, etc) using a correct SSL certificate chain.
Therefore it needs to be possible to inject a CA certificate into the config-app at startup.

This will be possible with 3.3.1 and should be achieved by running the config-app like so:

podman run -d -p 8443:8443 -v /path/to/my/ca.pem:/conf/stack/extra_ca_certs/ca.pem:Z quay.io/redhat/quay:v3.3.1 config my-secret-password