keycloak · vmuzikar · Jun 26, 2024 · Jun 25, 2024
diff --git a/docs/guides/operator/advanced-configuration.adoc b/docs/guides/operator/advanced-configuration.adoc
@@ -118,7 +118,7 @@ The `unsupported` field of the CR contains highly experimental configuration opt
 ==== Pod Template
 
 The Pod Template is a raw API representation that is used for the Deployment Template.
-This field is a temporary workaround in case no supported field exists at the top level of the CR for your use case. 
+This field is a temporary workaround in case no supported field exists at the top level of the CR for your use case.
 
 The Operator merges the fields of the provided template with the values generated by the Operator for the specific Deployment.
 With this feature, you have access to a high level of customizations. However, no guarantee exists that the Deployment will work as expected.
@@ -204,7 +204,7 @@ It is achieved by providing certain JVM options.
 
 For more details, see <@links.server id="containers" />.
 
-== Management Interface
+=== Management Interface
 
 To change the port of the management interface, use the first-class citizen field `httpManagement.port` in the Keycloak CR.
 To change the properties of the management interface, you can do it by providing `additionalOptions` field.
@@ -225,6 +225,10 @@ spec:
       value: /management
 ----
 
+NOTE: If you are using a custom image, the Operator is *unaware* of any configuration options that might've been specified there.
+For instance, it may cause that the management interface uses the `https` schema, but the Operator accesses it via `http` when the TLS settings is specified in the custom image.
+To ensure proper TLS configuration, use the `tlsSecret` and `truststores` fields in the Keycloak CR so that the Operator can reflect that.
+
 === Truststores
 
 If you need to provide trusted certificates, the Keycloak CR provides a top level feature for configuring the server's truststore as discussed in <@links.server id="keycloak-truststore"/>.
@@ -259,7 +263,7 @@ stringData:
     ...
 ------
 
-When running on a Kubernetes or OpenShift environment well-known locations of trusted certificates are included automatically. 
-This includes /var/run/secrets/kubernetes.io/serviceaccount/ca.crt and the /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt when present.
+When running on a Kubernetes or OpenShift environment well-known locations of trusted certificates are included automatically.
+This includes `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` and the `/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt` when present.
 
 </@tmpl.guide>
diff --git a/docs/guides/operator/customizing-keycloak.adoc b/docs/guides/operator/customizing-keycloak.adoc
@@ -43,10 +43,10 @@ spec:
     hostname: test.keycloak.org
 ----
 
-[NOTE]
-====
-With custom images, every build time option passed either through a dedicated field or the `additionalOptions` is ignored.
-====
+NOTE: With custom images, every build time option passed either through a dedicated field or the `additionalOptions` is ignored.
+
+NOTE: The Operator is *unaware* of any configuration options that are specified in a custom image.
+Use the Keycloak CR for any configuration that requires Operator awareness, namely the TLS and HTTP(S) settings reflected when configuring services and probes.
 
 === Non-optimized custom image