
Root CA Validation different from base Docker image behaviour #1298

@SSchwaiger

Current Behavior

When I add custom certificates (via a Kubernetes init container) and mount /etc/ssl/certs into the keycloak-config-cli container in the same Pod, the extra certificates are not recognized by Java and therefore the connection to Keycloak fails. Putting KEYCLOAK_SSL_VERIFY is not a good solution though.

Expected Behavior

Implement the behaviour of the base image, which has the environment variable "USE_SYSTEM_CA_CERTS" to import the certificates already registered with the operating system. (e.g. https://github.com/adoptium/containers/blob/main/21/jre/alpine/3.21/entrypoint.sh#L32)

Explicitly setting

command: ["/__cacert_entrypoint.sh"]
args: ["/opt/java/openjdk/bin/java", "-jar", "/app/keycloak-config-cli.jar"]

and therefore overriding ENTRYPOINT exec java $JAVA_OPTS -jar /app/keycloak-config-cli.jar $0 $@ works for my use case, but having a built-in solution for this issue would be greatly appreciated.

Steps To Reproduce

Environment

  • Keycloak Version: [26.1.0]
  • keycloak-config-cli Version: [6.4.0]
  • Java Version: [21]

Anything else?

No response
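
A diagnostic for the mismatch reported above, as an added example that is not part of the original issue or of keycloak-config-cli: it reports which certificates in a PEM bundle are absent from a JVM truststore by comparing SHA-256 fingerprints against `keytool -list` output. All function names and the sample data are constructed for illustration; the sample bytes are placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# keytool prints: "Certificate fingerprint (SHA-256): AB:CD:..."
FP_RE = re.compile(r"\(SHA-256\):\s*((?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2})")


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of each certificate in a PEM bundle, keytool style."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        digest = hashlib.sha256(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return prints


def truststore_fingerprints(keytool_listing):
    """Set of fingerprints found in `keytool -list` output."""
    return {fp.upper() for fp in FP_RE.findall(keytool_listing)}


def missing_from_truststore(pem_text, keytool_listing):
    """Fingerprints present in the OS bundle but not trusted by the JVM."""
    trusted = truststore_fingerprints(keytool_listing)
    return [fp for fp in pem_fingerprints(pem_text) if fp not in trusted]


def _pem(der):
    """Wrap bytes in PEM armour (used only to build the sample below)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed sample: placeholder bytes stand in for DER-encoded certificates.
PUBLIC_CA = _pem(b"constructed-public-root-ca")
INTERNAL_CA = _pem(b"constructed-internal-root-ca")
SAMPLE_LISTING = (  # constructed keytool listing that knows only PUBLIC_CA
    "Keystore type: PKCS12\n\nYour keystore contains 1 entry\n\n"
    "public-root, Jan 1, 2025, trustedCertEntry,\n"
    "Certificate fingerprint (SHA-256): " + pem_fingerprints(PUBLIC_CA)[0] + "\n")

if __name__ == "__main__":
    for fp in missing_from_truststore(PUBLIC_CA + INTERNAL_CA, SAMPLE_LISTING):
        print("not in JVM truststore:", fp)
```

For a real check, pass the contents of the mounted PEM bundle and the output of `keytool -list -cacerts` captured inside the same container; the bundle location and truststore password depend on the image and are assumptions here.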
