# ===================================================================
# Production-Ready Keycloak Dockerfile
# ===================================================================
# Base image: quay.io/keycloak/keycloak:${KEYCLOAK_IMAGE_TAG}
#
# What this image does:
#   - Runs `kc.sh build` at image-build time so the server can be
#     started with --optimized (faster startup).
#   - Runs as the non-root numeric UID 1000.
#   - Enables the health and metrics endpoints.
#
# No credentials are set in this file.
# NOTE(review): database and admin credentials are presumably injected
# at runtime by the deployment; confirm they never arrive via ARG/ENV
# at build time.
# ===================================================================

# Declared before FROM, so it is only visible to the FROM line below.
# NOTE(review): a tag can be re-pushed; for reproducible production
# builds consider also pinning the digest, e.g.
#   quay.io/keycloak/keycloak:<tag>@sha256:<digest-placeholder>
ARG KEYCLOAK_IMAGE_TAG=26.5.5

FROM quay.io/keycloak/keycloak:${KEYCLOAK_IMAGE_TAG}

LABEL maintainer="Meldestelle Development Team" \
      description="Production-ready Keycloak for Meldestelle authentication"

# Build-time options. They are set as ENV, so they also persist into the
# running container and match what the build step below bakes in.
# NOTE(review): Keycloak serves the health and metrics endpoints without
# authentication; make sure the port they are served on is reachable
# only by the orchestrator/monitoring network and is not published.
ENV KC_HEALTH_ENABLED=true \
    KC_METRICS_ENABLED=true \
    KC_DB=postgres

WORKDIR /opt/keycloak

# Bake the configuration into the image. A server started with
# --optimized skips the build step, so every build option has to be
# fixed here (the flags repeat the ENV values above).
RUN /opt/keycloak/bin/kc.sh build \
    --db=postgres \
    --health-enabled=true \
    --metrics-enabled=true

# Numeric UID rather than a user name, so a runtime can verify that the
# container is non-root without reading /etc/passwd.
USER 1000

# No CMD: the caller supplies the kc.sh arguments (the original comment
# refers to a KC_COMMAND that carries the --optimized flag).
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]