chore: replace static secrets in Keycloak realm with env vars, update Dockerfile for non-root optimization, and align .env.example with new configuration

config/docker/keycloak/Dockerfile

@@ -1,36 +1,32 @@
 # ===================================================================
 # Production-Ready Keycloak Dockerfile
 # ===================================================================
-# Based on: quay.io/keycloak/keycloak:26.5.5
+# Based on: quay.io/keycloak/keycloak:<KEYCLOAK_IMAGE_TAG>
 # Features:
-# - Pre-built optimized image (faster startup)
-# - Security hardening
-# - Health monitoring
+# - Pre-built optimized image (faster startup via --optimized)
+# - Security hardening (non-root user 1000)
+# - Health & Metrics endpoints enabled
 # ===================================================================
 ARG KEYCLOAK_IMAGE_TAG=26.5.5
-
 FROM quay.io/keycloak/keycloak:${KEYCLOAK_IMAGE_TAG}
 
-ARG KEYCLOAK_IMAGE_TAG=26.5.5
-
 LABEL maintainer="Meldestelle Development Team"
 LABEL description="Production-ready Keycloak for Meldestelle authentication"
-LABEL version="${KEYCLOAK_IMAGE_TAG}"
 
-# Set environment variables for build
+# Set environment variables for build-time optimisation
 ENV KC_HEALTH_ENABLED=true
 ENV KC_METRICS_ENABLED=true
 ENV KC_DB=postgres
 
 WORKDIR /opt/keycloak
 
-# Pre-build Keycloak for faster startup
+# Pre-build Keycloak for faster startup (--optimized flag in KC_COMMAND)
 RUN /opt/keycloak/bin/kc.sh build \
     --db=postgres \
     --health-enabled=true \
     --metrics-enabled=true
 
-# Set user
+# Run as non-root user
 USER 1000
 
 ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

config/docker/keycloak/meldestelle-realm.json

@@ -83,7 +83,7 @@
       "enabled": true,
       "alwaysDisplayInConsole": false,
       "clientAuthenticatorType": "client-secret",
-      "secret": "K5RqonwVOaxPKaXVH4mbthSRbjRh5tOK",
+      "secret": "${KC_API_GATEWAY_CLIENT_SECRET}",
       "redirectUris": [
         "http://localhost:8081/*",
         "http://localhost:3000/*",
@@ -100,7 +100,7 @@
       "publicClient": false,
       "standardFlowEnabled": true,
       "implicitFlowEnabled": false,
-      "directAccessGrantsEnabled": true,
+      "directAccessGrantsEnabled": false,
       "serviceAccountsEnabled": true,
       "authorizationServicesEnabled": false,
       "fullScopeAllowed": true,
@@ -218,7 +218,7 @@
       "description": "Confidential client for backend testing via Postman",
       "enabled": true,
       "clientAuthenticatorType": "client-secret",
-      "secret": "postman-secret-123",
+      "secret": "${KC_POSTMAN_CLIENT_SECRET}",
       "redirectUris": [
         "https://oauth.pstmn.io/v1/callback"
       ],
@@ -287,7 +287,7 @@
       "credentials": [
         {
           "type": "password",
-          "value": "Admin#1234",
+          "value": "${KC_BOOTSTRAP_ADMIN_PASSWORD}",
           "temporary": false
         }
       ],
@@ -311,7 +311,7 @@
   "requiredCredentials": [
     "password"
   ],
-  "passwordPolicy": "length(10) and digits(1) and upperCase(1) and specialChars(1) and notUsername(undefined)",
+  "passwordPolicy": "length(10) and digits(1) and upperCase(1) and specialChars(1) and notUsername",
   "otpPolicyType": "totp",
   "otpPolicyAlgorithm": "HmacSHA1",
   "otpPolicyInitialCounter": 0,
@@ -392,7 +392,7 @@
   "clientAuthenticationFlow": "clients",
   "dockerAuthenticationFlow": "docker auth",
   "attributes": {
-    "frontendUrl": "",
+    "frontendUrl": "${KC_FRONTEND_URL}",
     "acr.loa.map": "{}",
     "clientOfflineSessionMaxLifespan": "0",
     "clientSessionIdleTimeout": "0",