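# Oathkeeper image that renders its configuration from templates at container
# start. The build copies *.template files; scripts/entrypoint.sh (not part of
# this file) is expected to render them and then drop privileges.

# Base image version. A tag is mutable; for reproducible builds also pin the
# digest, e.g. oryd/oathkeeper:${OATHKEEPER_VERSION}@sha256:<digest-placeholder>.
ARG OATHKEEPER_VERSION=v0.40.9
FROM oryd/oathkeeper:${OATHKEEPER_VERSION}

# Switch to root to install packages
USER root

# Install additional tools: gettext provides envsubst (template rendering),
# su-exec is used for switching user, curl is used by the HEALTHCHECK below.
# NOTE(review): wget is not used anywhere in this file; keep it only if
# entrypoint.sh needs it. Package versions are unpinned.
RUN apk add --no-cache \
      curl \
      gettext \
      su-exec \
      wget

# Set working directory
WORKDIR /etc/oathkeeper

# Copy configuration templates. They are stored with a .template suffix, so no
# usable oathkeeper.yml or access rule exists in the image until the entrypoint
# has rendered them.
COPY config/oathkeeper.yml /etc/oathkeeper/oathkeeper.yml.template
COPY config/access-rules/django.yml /etc/oathkeeper/access-rules/django.yml.template
COPY config/access-rules/kratos-public.yml /etc/oathkeeper/access-rules/kratos-public.yml.template
COPY config/access-rules/kratos-admin.yml /etc/oathkeeper/access-rules/kratos-admin.yml.template

# NOTE(review): this JWKS is copied as-is into an image layer. If it holds
# private key material (Oathkeeper's id_token mutator signs tokens with the
# keys behind its jwks_url), everyone who can pull the image can read the
# signing key. Confirm the file's contents; prefer supplying it at runtime
# through a mounted secret or volume and excluding it from the build context.
COPY config/id_token.jwks.json /etc/oathkeeper/id_token.jwks.json

# Copy entrypoint script. The mode is set explicitly instead of "+x" so the
# script that runs as root never inherits group/world-writable bits from the
# build context.
COPY scripts/entrypoint.sh /entrypoint.sh
RUN chmod 0755 /entrypoint.sh

# Best-effort smoke check that the oathkeeper binary runs. This does NOT
# validate the configuration: the templates are not rendered at build time, and
# "|| true" means this step can never fail the build.
RUN oathkeeper help serve || true

# NOTE: No USER directive follows, so the container starts as root so the
# entrypoint can write the rendered configs. Dropping to the ory user depends
# entirely on entrypoint.sh. NOTE(review): verify that the script ends by
# exec-ing the server through su-exec as ory, so the proxy itself never runs
# as root.

# Expose ports (documentation only; the health endpoint probed below is on 4456)
EXPOSE 4455 4456

# Health check: ready when /health/ready on port 4456 answers successfully
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD curl -f -s http://localhost:4456/health/ready > /dev/null || exit 1

# Use entrypoint to process templates
ENTRYPOINT ["/entrypoint.sh"]

# Default command; the --config path is the rendered file, not the template
CMD ["serve", "proxy", "--config", "/etc/oathkeeper/oathkeeper.yml"]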