A custom trusted cert can be provided for a service. In that case the custom CA needs to be trusted by clients. If customer is using a custom CA they will be trusted due to root CA being trusted automatically for of their most clients. 

The implementation should be similar to what is documented 

https://docs.openshift.com/container-platform/4.16/security/certificates/service-serving-certificate.html#add-service-certificate-configmap_service-serving-certificate

• Keycloak Operator should create the service with the annotation
• Operator's documentation is updated with instructions of how to annotate ("service.beta.openshift.io/serving-cert-secret-name" annotation can be used for OpenShift)