| Aiden Keating No matter the environment, Keycloak will need to trust the certificate of the OpenShift master. That makes me think it should always import the cert (or maybe the signing authority?) into its trust store. It may not always be the case that the cert was signed by a CA that's in the trust store. For example, a company may use their own CA and sign certs with that. In that case, the company's CA will need to be imported into the trust store. This also makes me wonder if future trust store configuration should be possible, if for example the cert is renewed (and could even change CA). In that case, the integration would stop working until the trust store is updated. This might be a good problem & potential solution to post on keycloak-users? |