doc: add keycloak cr truststores (#28015)

closes: #27892 Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-22 03:27:15 -04:00 · 2024-03-22 03:27:15 -04:00 · 6cc66109d5
commit 6cc66109d5
parent 3f9cebca39
1 changed files with 37 additions and 0 deletions
--- a/docs/guides/operator/advanced-configuration.adoc
+++ b/docs/guides/operator/advanced-configuration.adoc
@ -205,4 +205,41 @@ It is achieved by providing certain JVM options.

 For more details, see <@links.server id="containers" />.

+=== Truststores
+
+If you need to provide trusted certificates, the Keycloak CR provides a top level feature for configuring the server's truststore as discussed in <@links.server id="keycloak-truststore"/>.
+
+Use the truststores stanza of the Keycloak spec to specify Secrets containing PEM encoded files, or PKCS12 files with extension `.p12` or `.pfx`, for example:
+
+[source,yaml]
+----
+apiVersion: k8s.keycloak.org/v2alpha1
+kind: Keycloak
+metadata:
+  name: example-kc
+spec:
+  ...
+  truststores:
+    my-truststore:
+      secret:
+        name: my-secret
+----
+
+Where the contents of my-secret could be a PEM file, for example:
+
+[source,yaml]
+------
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-secret
+stringData:
+  cert.pem: |
+    -----BEGIN CERTIFICATE-----
+    ...
+------
+
+When running on a Kubernetes or OpenShift environment well-known locations of trusted certificates are included automatically. 
+This includes /var/run/secrets/kubernetes.io/serviceaccount/ca.crt and the /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt when present.
+
 </@tmpl.guide>