Steven Hawkins

> It makes Keycloak trust the certificates issued by the clusters CA, so it's worth putting this into the [docs](https://github.com/keycloak/keycloak/blob/eb51c03f90850beec98f88afad79738707b551a0/docs/guides/operator/advanced-configuration.adoc?plain=1#L343-L344). We added that logic for compatibility with the old operator....

> okie i will expose as a field called `automountServiceAccountToken` should i add it to the keycloak spec or some sub-spec? Main keycloak spec is good.

Another option for preventing unwanted api server access is via a network policy. It looks like we'll need to expand our usage of network policies soon, and we can easily...

The crd field should be Boolean, not boolean.

This does appear to be an edge case that isn't covered by the operator logic - no pun intended. The operator will remove the proxy option only if the proxy-headers...

@vmuzikar I had marked this as important because there isn't a clear workaround other than to keep using hostname v1 options. A possible pr was opened, but it requires a...

@vmuzikar ok, so on main we'll just remove the operator's usage of proxy completely. Do you want to consider the pr for 24/25, or just resolve this issue by relying...

@vmuzikar full hostname v1 removal isn't currently slated until KC 27 - #27731 @yelhouti the change will only remove the proxy setting if the hostname is a url - which...

> The deprecated message is [documented](https://www.keycloak.org/docs/latest/upgrading/index.html#deprecated-proxy-option). It's not just that there's a deprecation warning, it's that for this scenario you also need to set proxy=edge. > Now that v2 is...

@sathieu not the entire change, just a doc note about using proxy=edge if proxy-headers can't be used.