diff --git a/keycloak.yaml b/keycloak.yaml
index b8544c0ab38..927f0a83365 100644
--- a/keycloak.yaml
+++ b/keycloak.yaml
@@ -1,6 +1,7 @@
 package:
   name: keycloak
   version: 26.0.0
+  # Review 'keycloak-patch-version' (below) when bumping major versions.
   epoch: 0
   description: Open Source Identity and Access Management For Modern Applications and Services
   copyright:
@@ -8,16 +9,13 @@ package:
   dependencies:
     runtime:
       - bash # Keycloak helper scripts require bash, aren't compatible with busybox.
-      - openjdk-17-default-jvm
+      - openjdk-21-default-jvm
 
-# Create a new major-version variable that contains only the major version
-# to use in the bitnami/compat pipeline to find out the correct folder for the image.
-# e.g. 25.0.2 will create a new var major-version=25
-var-transforms:
-  - from: ${{package.version}}
-    match: ^(\d+).*
-    replace: $1
-    to: major-version
+# Update to the latest patch versions that bitnami have published from here:
+# https://github.com/bitnami/containers/tree/main/bitnami/keycloak.
+# Sometimes, they may lag behind, i.e may only have 25/debian-12 and not 26/debian-12.
+vars:
+  keycloak-patch-version: 25
 
 environment:
   contents:
@@ -25,14 +23,15 @@ environment:
       - bash
       - busybox
       - ca-certificates-bundle
-      - nodejs-18
-      - openjdk-17
-      - openjdk-17-default-jvm
+      - nodejs-20
+      - openjdk-21
+      - openjdk-21-default-jvm
+      - pnpm
       - wolfi-base
       - wolfi-baselayout
   environment:
     LANG: en_US.UTF-8
-    JAVA_HOME: /usr/lib/jvm/java-17-openjdk
+    JAVA_HOME: /usr/lib/jvm/java-21-openjdk
 
 pipeline:
   - uses: git-checkout
@@ -86,7 +85,7 @@ subpackages:
       - uses: bitnami/compat
         with:
           image: keycloak
-          version-path: ${{vars.major-version}}/debian-12
+          version-path: ${{vars.keycloak-patch-version}}/debian-12
       - runs: |
           mkdir -p ${{targets.contextdir}}/bitnami/keycloak
           mkdir -p ${{targets.contextdir}}/opt/bitnami/keycloak
@@ -104,8 +103,8 @@ subpackages:
           cp -r ${{targets.destdir}}/usr/share/java/keycloak/* ${{targets.contextdir}}/opt/bitnami/keycloak
 
           # Replace the incorrect Java paths in the Bitnami scripts
-          sed -i 's/JAVA_HOME="\/opt\/bitnami\/java"/JAVA_HOME="\/usr\/lib\/jvm\/java-17-openjdk"/g' ${{targets.contextdir}}/opt/bitnami/scripts/keycloak-env.sh
-          sed -i 's/\/opt\/bitnami\/java\/lib\/security/\/usr\/lib\/jvm\/java-17-openjdk\/conf\/security/g' ${{targets.contextdir}}/opt/bitnami/scripts/java/postunpack.sh
+          sed -i 's/JAVA_HOME="\/opt\/bitnami\/java"/JAVA_HOME="\/usr\/lib\/jvm\/java-21-openjdk"/g' ${{targets.contextdir}}/opt/bitnami/scripts/keycloak-env.sh
+          sed -i 's/\/opt\/bitnami\/java\/lib\/security/\/usr\/lib\/jvm\/java-21-openjdk\/conf\/security/g' ${{targets.contextdir}}/opt/bitnami/scripts/java/postunpack.sh
 
           # Disable some commands used in Bitnami scripts. These commands more likely fail in this since this image take non root approach
           sed -i 's/chown -R "$KEYCLOAK_DAEMON_USER" "$dir"/# chown -R "$KEYCLOAK_DAEMON_USER" "$dir"/g' ${{targets.contextdir}}/opt/bitnami/scripts/keycloak/postunpack.sh
@@ -235,5 +234,6 @@ update:
   ignore-regex-patterns:
     - ".*nightly.*"
   enabled: true
+  manual: true
   github:
     identifier: keycloak/keycloak