I recently switched from GitLab to Keycloak as the Identity Provider for my OCP cluster, with Keycloak in turn using GitLab as its IdP. Since we run a custom PKI at home, Keycloak had to trust that PKI, otherwise the TLS handshake to GitLab fails with an unknown-issuer error.

I use ArgoCD / OpenShift GitOps to configure the cluster; here are the relevant bits I added for the certificate configuration:

Patch added to the kustomization.yaml:

- op: add
  path: "/spec/keycloakDeploymentSpec"
  value:
    experimental:
      volumes:
        defaultMode: 420   # decimal for 0644: world-readable, which is fine for public CA certs
        items:
          - configMaps:
              - trusted-cas                      # the ConfigMap below, mounted as files
            mountPath: /tmp/additional-user-certs
            name: trusted-cas
      env:
        - name: X509_CA_BUNDLE
          # space-separated list of globs; each matching file is added to the trust store
          value: '/var/run/secrets/kubernetes.io/serviceaccount/*.crt /tmp/additional-user-certs/*.crt'

And the ConfigMap trusted-cas is just an empty ConfigMap carrying the label that makes OpenShift inject the cluster's trusted CA bundle (which includes our custom CA) into it, under the key ca-bundle.crt, so it is picked up by the *.crt glob above:

apiVersion: v1
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: trusted-cas
  annotations:
    argocd.argoproj.io/sync-wave: "-1"   # create it before the Keycloak CR that mounts it
  labels:
    config.openshift.io/inject-trusted-cabundle: "true"   # cluster-network-operator fills in data/ca-bundle.crt
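Before trusting that the mount does what it should, I like to verify what actually ends up in the bundle. The script below is an added example, not part of the original post or of the Keycloak operator: it expands an X509_CA_BUNDLE-style value (space-separated globs, assumed to be expanded the way a shell would), parses every PEM certificate it finds, computes SHA-256 fingerprints of the DER bodies, and reports whether the fingerprint of the custom CA is present. The PEM blobs in the demo are constructed placeholders (arbitrary bytes wrapped in PEM armor, not real DER certificates); against a real cluster you would copy the files out of the pod, e.g. with oc exec <pod> -- cat /tmp/additional-user-certs/ca-bundle.crt, and point the script at them.

```python
"""Check an X509_CA_BUNDLE-style glob list: every PEM block must decode, and a
CA with a known SHA-256 fingerprint must be among the certificates found.

Added example, not code from the original post or from Keycloak. Assumptions:
the value is expanded like a shell would expand it (one glob per whitespace-
separated token), and the demo PEM blobs are constructed stand-ins for DER."""
import base64
import glob
import hashlib
import os
import re
import tempfile

# Captures the base64 body between the PEM armor lines; re.S lets it span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def expand_bundle(value):
    """Expand the space-separated glob list into a sorted list of file paths."""
    paths = []
    for pattern in value.split():
        paths.extend(sorted(glob.glob(pattern)))
    return paths


def fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of each DER body in the PEM text.

    validate=True makes a truncated or corrupted block raise ValueError instead
    of silently yielding garbage bytes."""
    fps = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def check_bundle(value, expected_fp):
    """Return (number of certificates found, whether expected_fp is among them).

    A file whose PEM does not decode raises ValueError naming that file."""
    found = []
    for path in expand_bundle(value):
        with open(path) as fh:
            try:
                found.extend(fingerprints(fh.read()))
            except ValueError as exc:
                raise ValueError(f"{path}: not valid PEM/base64 ({exc})") from exc
    return len(found), expected_fp in found


def fake_pem(der_bytes):
    """Wrap arbitrary bytes in PEM armor (constructed test data, not a real cert)."""
    b64 = base64.b64encode(der_bytes).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


def demo():
    """Mimic the two mount points from the patch in a temp dir and run the check."""
    with tempfile.TemporaryDirectory() as root:
        sa_dir = os.path.join(root, "serviceaccount")
        user_dir = os.path.join(root, "additional-user-certs")
        os.makedirs(sa_dir)
        os.makedirs(user_dir)
        home_ca_der = b"home-lab-root-ca"            # constructed stand-in for our custom CA
        with open(os.path.join(sa_dir, "ca.crt"), "w") as fh:
            fh.write(fake_pem(b"cluster-service-account-ca"))
        # The injected key is ca-bundle.crt; the public CA and our own CA sit in it.
        with open(os.path.join(user_dir, "ca-bundle.crt"), "w") as fh:
            fh.write(fake_pem(b"some-public-ca") + fake_pem(home_ca_der))
        value = f"{sa_dir}/*.crt {user_dir}/*.crt"
        expected = hashlib.sha256(home_ca_der).hexdigest()
        return check_bundle(value, expected)   # (3, True) for this constructed layout


if __name__ == "__main__":
    count, present = demo()
    print(f"certificates found: {count}, custom CA present: {present}")
```

If the second value comes back False on a real cluster, the usual suspects are the label missing on the ConfigMap (so data/ca-bundle.crt was never injected) or the Keycloak pod having started before the ConfigMap existed, which the sync-wave annotation is meant to prevent.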