FROM quay.io/keycloak/keycloak:latest AS builder

# Build arguments
ARG KC_DB_USERNAME
ARG KC_DB_PASSWORD

# Debug-Ausgabe
RUN echo "Build ARG KC_DB_USERNAME: ${KC_DB_USERNAME}"
RUN echo "Build ARG KC_DB_PASSWORD: ${KC_DB_PASSWORD}"

# Konfiguration für Build
ENV KC_DB=postgres
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
ENV KC_FEATURES="token-exchange,scripts,preview,admin-api"

# SSL-Konfiguration
WORKDIR /opt/keycloak
RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 \
    -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore

# Optimierter Build
RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:latest
COPY --from=builder /opt/keycloak/ /opt/keycloak/

# Runtime Konfiguration
ENV KC_DB=postgres
ENV KC_DB_URL=jdbc:postgresql://keycloak-db:5432/keycloak
ENV KC_DB_USERNAME=${KC_DB_USERNAME}
ENV KC_DB_PASSWORD=${KC_DB_PASSWORD}
ENV KC_PROXY=edge
ENV KC_PROXY_ADDRESS_FORWARDING=true
ENV KC_HTTP_ENABLED=true
ENV KC_HOSTNAME=auth.mrx8086.com
ENV KC_HOSTNAME_STRICT=false

WORKDIR /opt/keycloak
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]