Dockerfile

# -------- Build stage --------
FROM quay.io/keycloak/keycloak:26.5.4 as builder

# Use 'mysql' for TiDB Cloud compatibility
ENV KC_DB=mysql
# Only include build-time optimized settings here
RUN /opt/keycloak/bin/kc.sh build --db=mysql

# -------- Final runtime stage --------
FROM quay.io/keycloak/keycloak:26.5.4
COPY --from=builder /opt/keycloak/ /opt/keycloak/

# Database Configuration
ENV KC_DB=mysql
ENV KC_DB_URL="jdbc:mysql://gateway01.ap-southeast-1.prod.aws.tidbcloud.com:4000/test?sslMode=VERIFY_IDENTITY"
ENV KC_DB_USERNAME="3Wy6CVmGb7JQZZ2.root"
ENV KC_DB_PASSWORD="B3jEycGaP0uOQ6jC"

# Networking & Proxy (Hugging Face / General Reverse Proxy)
ENV KC_PROXY_HEADERS=xforwarded
ENV KC_HOSTNAME_STRICT=false
ENV KC_HTTP_ENABLED=true
ENV KC_HTTP_PORT=7860

# Operational Settings
ENV KC_DB_SCHEMA_UPDATE=migrate
ENV KC_BOOTSTRAP_ADMIN_USERNAME=admin
ENV KC_BOOTSTRAP_ADMIN_PASSWORD=admin_password_change_me

# Set memory limits to avoid Exit 137 (OOM)
ENV JAVA_OPTS="-Xms512m -Xmx2048m"

EXPOSE 7860

# --optimized tells Keycloak to use the build from the previous stage
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start", "--optimized", "--cache=local"]