services:
  keycloak:
    image: quay.io/keycloak/keycloak:26.5.4
    command: start-dev
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
      KC_HOSTNAME_STRICT: "false"
      KC_HTTP_PORT: 8080
      KC_HEALTH_ENABLED: "true"
      KC_BOOTSTRAP_ADMIN_USERNAME: ${KEYCLOAK_ADMIN:-admin}
      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
    ports:
      - "8080:8080"
    networks:
      - compose
    healthcheck:
      test: ["CMD-SHELL", "exec 3<>/dev/tcp/localhost/9000 && echo -e 'GET /health/ready HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q 'UP'"]
      interval: 15s
      timeout: 10s
      retries: 10
      start_period: 30s

  keycloak-config-cli:
    image: public.ecr.aws/bitnami/keycloak-config-cli:latest
    platform: linux/amd64
    environment:
      KEYCLOAK_URL: http://keycloak:8080
      KEYCLOAK_USER: ${KEYCLOAK_ADMIN:-admin}
      KEYCLOAK_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
      KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true"
      KEYCLOAK_AVAILABILITYCHECK_TIMEOUT: 120s
      IMPORT_FILES_LOCATIONS: /config/*
      IMPORT_MANAGED_REALM: full
      DEMO_BACKEND_SECRET: ${DEMO_BACKEND_SECRET}
      DEMO_USER_PASSWORD: ${DEMO_USER_PASSWORD}
      BACKLOG_AGENT_SECRET: ${BACKLOG_AGENT_SECRET}
      A2A_GATEWAY_SECRET: ${A2A_GATEWAY_SECRET}
      LLM_GATEWAY_SECRET: ${LLM_GATEWAY_SECRET}
      TOOLS_GATEWAY_SECRET: ${TOOLS_GATEWAY_SECRET}
    volumes:
      - ./keycloak-config:/config:ro
    networks:
      - compose
    depends_on:
      keycloak:
        condition: service_healthy

networks:
  compose:
    external: true