fix: make quay-registry-ca ConfigMap name configurable for partner overlays

[maorfr]

Summary

Extract the hardcoded quay-registry-ca ConfigMap name into a global variable to support partner overlays that replace image.config.spec.additionalTrustedCA.

Changes

• Add quay_registry_ca_configmap_name variable in defaults/deployment.yaml
• Replace all hardcoded 'quay-registry-ca' references in playbooks/tasks/trust_quay_registry_ca_for_image_config.yaml
• Document the updateservice-registry key requirement for partner overlays

Context

Partner overlays (e.g., IBM's mirror-registry setup) replace the image.config.spec.additionalTrustedCA ConfigMap to point to their own CA bundle. This breaks UpdateService reconciliation because the operator expects the updateservice-registry key to be present in the referenced ConfigMap.

By extracting the ConfigMap name to a global variable with inline documentation, partners can:

1. Discover the expected ConfigMap name in defaults/deployment.yaml
2. Understand the requirement to include the updateservice-registry key
3. Override the ConfigMap name if needed (via config/global.yaml)

Related Issues

• https://github.com/gori-project/GoRI/issues/924

Test Plan

• Verify existing deployments continue to work with default quay-registry-ca name
• Verify playbook creates ConfigMap with correct name
• Verify partner overlay documentation is clear about key requirement
• Run make -f Makefile.ci validate to ensure no linting issues

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes

  • Improved handling of the trusted registry CA configuration so the cluster can reference the correct ConfigMap more reliably.
  • Reduced the chance of UpdateService reconciliation issues by aligning the registry CA reference with the expected configuration.

• Documentation

  • Added guidance on including the registry CA key in partner overlay configurations when using the registry trust setup.

[coderabbitai]

Warning

Review limit reached

@maorfr, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 47 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5f9c0b1d-ca8c-4343-bf41-3b03c31390d6

📥 Commits

Reviewing files that changed from the base of the PR and between 72005f5 and ee71187.

📒 Files selected for processing (3)

• config/global.example.yaml
• schemas/deployment.yaml
• schemas/global.yaml

Walkthrough

A new default variable quay_registry_ca_configmap_name (value: quay-registry-ca) is introduced in defaults/deployment.yaml with inline documentation for overlay requirements. The trust playbook replaces three hardcoded quay-registry-ca string literals with this variable for the ConfigMap name, conditional check, and cluster Image configuration patch.

Changes

Quay Registry CA ConfigMap Parameterization

Layer / File(s)	Summary
Default variable + playbook substitutions defaults/deployment.yaml, playbooks/tasks/trust_quay_registry_ca_for_image_config.yaml	quay_registry_ca_configmap_name is declared with default value quay-registry-ca and accompanying overlay usage comments; the trust playbook's ConfigMap metadata.name, the existing-name conditional comparison, and the spec.additionalTrustedCA.name patch all switch from the hardcoded string to {{ quay_registry_ca_configmap_name }}.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🔐 No more secrets hardcoded in plain sight,
A variable stands guard, holding the name just right.
The ConfigMap whispers, "I am what you need,"
Overrides now flow — low severity, agreed.
🛡️ Parameterized trust: LOW risk, HIGH readability!

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely describes the main change with low ambiguity and low risk of misleading reviewers.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
No-Hardcoded-Secrets	✅ Passed	No hardcoded secrets found; changes only add a ConfigMap name and CA trust data. Security risk is low.
No-Weak-Crypto	✅ Passed	No weak crypto, custom crypto, or non-constant-time secret comparison appears in the touched files; changes are config/docs only.
No-Injection-Vectors	✅ Passed	No SQL/eval/pickle/yaml.load/os.system/innerHTML patterns in touched lines; changes only parameterize a ConfigMap name and comments.
Container-Privileges	✅ Passed	PASS: The PR only changes a default variable and Ansible tasks; no manifests add privileged=true, host* flags, SYS_ADMIN, root, or allowPrivilegeEscalation=true.
No-Sensitive-Data-In-Logs	✅ Passed	Low risk: the PR only adds a ConfigMap-name variable and comments; no new debug/log statements or sensitive literals (passwords/tokens/PII/internal hostnames) were introduced.
Ai-Attribution	✅ Passed	Low risk: PR mentions Claude Code, and the HEAD commit includes the required Assisted-by trailer; no Co-Authored-By AI misuse found.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/quay-registry-ca-configmap-name

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[rporres]

nit: we favor all over the place camel case properties, let's try not to introduce new snake case ones

[rporres]

default value is outside of this schema, let's remove this.

[rporres]

default value is outside of this schema, let's remove this.