Hello!
So, I am building a Docker image of Keycloak in order to include an SPI, theme and realm inside it.
It looks like this:
FROM quay.io/keycloak/keycloak:11.0.3
COPY keycloak-spi/build/libs/*.jar /opt/jboss/keycloak/standalone/deployments/
COPY keycloak-theme/build/libs/*.jar /opt/jboss/keycloak/standalone/deployments/
COPY keycloak-infra/*.json /opt/realm/
When I run the image everything works fine. The issue is that my SPI makes an HTTP request to some server, where a proxy in the middle intercepts and rejects the request. I then have to import the needed certificate into the image’s certs (as the Java certs point to them). Hence, I added to the Dockerfile:
COPY keycloak-infra/*.cer /etc/pki/ca-trust/source/anchors/
RUN update-ca-trust
The problem is that the base image switches to USER 1000 (which is normal), but then the user does not have the rights to execute update-ca-trust…
So I resorted to doing:
USER root
COPY keycloak-infra/*.cer /etc/pki/ca-trust/source/anchors/
RUN update-ca-trust
USER 1000
It seems to work (still some more tests to do) but my feeling is that it’s kinda wrong to switch back to the root user.
Is there any other way to manage such a thing?
Thanks!
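
An added example (not part of the original post): a small Python check that tracks the effective USER through the Dockerfile above, reporting which RUN steps execute as root and which user containers from the final image start as. The base image's user is passed in as `base_user` (1000, as the post states), and the function names are hypothetical.

```python
import re

# The Dockerfile from the post, assembled into one file (USER root variant).
DOCKERFILE = """\
FROM quay.io/keycloak/keycloak:11.0.3
COPY keycloak-spi/build/libs/*.jar /opt/jboss/keycloak/standalone/deployments/
COPY keycloak-theme/build/libs/*.jar /opt/jboss/keycloak/standalone/deployments/
COPY keycloak-infra/*.json /opt/realm/
USER root
COPY keycloak-infra/*.cer /etc/pki/ca-trust/source/anchors/
RUN update-ca-trust
USER 1000
"""

ROOT_NAMES = {"root", "0"}


def instructions(text):
    """Yield (keyword, argument) pairs, joining backslash-continued lines."""
    joined = re.sub(r"\\\s*\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, arg = line.partition(" ")
        yield keyword.upper(), arg.strip()


def audit_users(text, base_user):
    """Return (RUN steps executed as root, default runtime user).

    Single-stage Dockerfiles only. base_user is the user inherited from
    the FROM image; it is an input because the base image is not inspected.
    """
    user = base_user
    root_steps = []
    for keyword, arg in instructions(text):
        if keyword == "USER":
            user = arg
        elif keyword == "RUN" and user.split(":")[0] in ROOT_NAMES:
            root_steps.append(arg)
    return root_steps, user


def runs_as_root(text, base_user):
    """True if containers from this image would start as root by default."""
    return audit_users(text, base_user)[1].split(":")[0] in ROOT_NAMES
```

For the Dockerfile in the post, root is used only for the build-time `update-ca-trust` step, and the trailing `USER 1000` is what keeps the running container unprivileged; dropping that line is the case the check flags.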