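# Multi-stage Keycloak build with custom configuration
# This Dockerfile creates an optimized Keycloak image with token exchange support
# NOTE(review): no KC_FEATURES / --features setting is visible in this file, so
# token exchange is presumably enabled elsewhere (e.g. files/keycloak.conf) - confirm.
# Feature flags are build options: they must be known to `kc.sh build` to be part
# of the optimized image that `start --optimized` runs.

# Base image shared by both stages, so builder and runtime can never drift apart.
# The default keeps the original floating tag; for reproducible, reviewable builds
# pass a pinned reference instead, e.g.
#   docker build --build-arg KEYCLOAK_IMAGE=quay.io/keycloak/keycloak:<PINNED_TAG>@sha256:<DIGEST> .
ARG KEYCLOAK_IMAGE=quay.io/keycloak/keycloak:latest

# =============================================================================
# Build Stage
# =============================================================================
FROM ${KEYCLOAK_IMAGE} AS builder

# Build-time options baked into the optimized server by `kc.sh build`
ENV KC_HEALTH_ENABLED=true \
    KC_METRICS_ENABLED=true \
    KC_DB=postgres \
    KC_TRANSACTION_XA_ENABLED=false \
    KC_CACHE=ispn \
    KC_CACHE_STACK=tcp

# Build optimized Keycloak
RUN /opt/keycloak/bin/kc.sh build

# =============================================================================
# Runtime Stage
# =============================================================================
FROM ${KEYCLOAK_IMAGE}

# Copy optimized build from builder stage
COPY --from=builder /opt/keycloak/ /opt/keycloak/

# Create the directories the runtime user (UID 1000) needs, in a single layer.
# Root is only needed for this step.
USER root
RUN mkdir -p \
        /opt/keycloak/conf \
        /opt/keycloak/data/import \
        /opt/keycloak/themes \
    && chown -R 1000:1000 \
        /opt/keycloak/conf \
        /opt/keycloak/data \
        /opt/keycloak/themes

# Copy configuration files with their final ownership (no follow-up chown layer)
# COPY --chown=1000:1000 files/realm.json /opt/keycloak/data/import/
# COPY --chown=1000:1000 deploy/config/user-profile.json /opt/keycloak/conf/user-profile.json
COPY --chown=1000:1000 files/keycloak.conf /opt/keycloak/conf/keycloak.conf

# Copy custom themes (if any)
# COPY --chown=1000:1000 deploy/config/themes/ /opt/keycloak/themes/

# Switch back to keycloak user for security
USER 1000

# Runtime defaults. Keycloak reads environment variables BEFORE keycloak.conf, so
# the values below win over the same keys in keycloak.conf; they can only be
# overridden by CLI arguments or by environment variables set at run time
# (compose, `docker run -e`).
# SECURITY: these are development-friendly defaults. KC_HTTP_ENABLED=true serves
# the identity provider over plain HTTP, and the non-strict hostname settings let
# the server derive its public URL from the incoming request. For production,
# terminate TLS in front of (or in) Keycloak and set a fixed hostname via
# run-time environment variables.
ENV KC_DB=postgres \
    KC_HEALTH_ENABLED=true \
    KC_METRICS_ENABLED=true \
    KC_HTTP_ENABLED=true \
    KC_HOSTNAME_STRICT=false \
    KC_HOSTNAME_STRICT_HTTPS=false \
    KC_LOG_LEVEL=INFO

# Expose ports: 8080 (HTTP), 8443 (HTTPS), 9000 (management: health and metrics).
# Port 9000 should stay on an internal network; metrics are not meant for end users.
EXPOSE 8080 9000 8443

# Health check against the readiness endpoint on the management port.
# Recent Keycloak images are built on a minimal base without curl, so a
# curl-based probe would always report the container as unhealthy. This probe
# uses only bash built-ins: open a TCP connection, send one HTTP request, and
# require a 200 status line.
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
    CMD bash -c 'exec 3<>/dev/tcp/127.0.0.1/9000 \
        && printf "GET /health/ready HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" >&3 \
        && read -r -t 5 status <&3 \
        && [[ "$status" == *" 200"* ]]' || exit 1

# Default entrypoint: start the pre-built (optimized) server.
# Realm import is NOT enabled by this command; if realm.json is copied into
# /opt/keycloak/data/import above, add "--import-realm" to CMD.
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
CMD ["start", "--optimized"]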