New operator failing on health checks

Closes keycloak#30355 Signed-off-by: Martin Bartoš <mabartos@redhat.com>
mabartos · Jun 24, 2024 · 4f4dc37 · 4f4dc37
1 parent e30e6cb
commit 4f4dc37
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 8 deletions.
diff --git a/docs/guides/operator/advanced-configuration.adoc b/docs/guides/operator/advanced-configuration.adoc
@@ -118,7 +118,7 @@ The `unsupported` field of the CR contains highly experimental configuration opt
 ==== Pod Template
 
 The Pod Template is a raw API representation that is used for the Deployment Template.
-This field is a temporary workaround in case no supported field exists at the top level of the CR for your use case. 
+This field is a temporary workaround in case no supported field exists at the top level of the CR for your use case.
 
 The Operator merges the fields of the provided template with the values generated by the Operator for the specific Deployment.
 With this feature, you have access to a high level of customizations. However, no guarantee exists that the Deployment will work as expected.
@@ -204,7 +204,7 @@ It is achieved by providing certain JVM options.
 
 For more details, see <@links.server id="containers" />.
 
-== Management Interface
+=== Management Interface
 
 To change the port of the management interface, use the first-class citizen field `httpManagement.port` in the Keycloak CR.
 To change the properties of the management interface, you can do it by providing `additionalOptions` field.
@@ -225,6 +225,10 @@ spec:
       value: /management
 ----
 
+NOTE: Operator is unaware of any TLS settings in your `Dockerfile` when using a custom Keycloak image.
+It may cause the management interface uses the `https` schema, but the Operator accesses it via `http`.
+To ensure proper TLS configuration, use the `tlsSecret` and `truststores` properties in the Keycloak CR.
+
 === Truststores
 
 If you need to provide trusted certificates, the Keycloak CR provides a top level feature for configuring the server's truststore as discussed in <@links.server id="keycloak-truststore"/>.
@@ -259,7 +263,7 @@ stringData:
     ...
 ------
 
-When running on a Kubernetes or OpenShift environment well-known locations of trusted certificates are included automatically. 
-This includes /var/run/secrets/kubernetes.io/serviceaccount/ca.crt and the /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt when present.
+When running on a Kubernetes or OpenShift environment well-known locations of trusted certificates are included automatically.
+This includes `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` and the `/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt` when present.
 
 </@tmpl.guide>
diff --git a/docs/guides/operator/customizing-keycloak.adoc b/docs/guides/operator/customizing-keycloak.adoc
@@ -43,10 +43,11 @@ spec:
     hostname: test.keycloak.org
 ----
 
-[NOTE]
-====
-With custom images, every build time option passed either through a dedicated field or the `additionalOptions` is ignored.
-====
+NOTE: With custom images, every build time option passed either through a dedicated field or the `additionalOptions` is ignored.
+
+NOTE: Operator is unaware of any TLS settings in your `Dockerfile` when using a custom image.
+It may cause the management interface uses the `https` schema, but the Operator accesses it via `http`.
+To ensure proper TLS configuration, use the `tlsSecret` and `truststores` properties in the Keycloak CR.
 
 === Non-optimized custom image