Add dedicated Keycloak readiness gate to prevent Intel starting too e…

compose/compose.dedicated-keycloak.yaml

@@ -0,0 +1,25 @@
+services:
+  # Readiness gate for dedicated/external Keycloak.
+  # Intel will wait until the realm OIDC metadata endpoint responds successfully.
+  keycloak-ready:
+    image: curlimages/curl:8.6.0
+    command: ["sh", "-lc", "sleep infinity"]
+    healthcheck:
+      test: ["CMD-SHELL", "curl -fsS https://${KEYCLOAK_FQDN}/realms/${KEYCLOAK_REALM}/.well-known/openid-configuration > /dev/null || exit 1"]
+      interval: 5s
+      timeout: 3s
+      retries: 60
+      start_period: 10s
+    networks:
+      - codetogethernet
+
+  codetogether-intel:
+    depends_on:
+      cassandra:
+        condition: service_healthy
+      keycloak-ready:
+        condition: service_healthy
+
+networks:
+  codetogethernet:
+    external: true

compose/dedicated-keycloak.md

@@ -0,0 +1,28 @@
+# Dedicated / External Keycloak: startup gate for Intel
+
+This overlay assumes you already have a Keycloak instance running outside of Docker Compose.
+
+If Keycloak is **not** started by Docker Compose (dedicated/external Keycloak), Intel may start too early.
+Use the overlay `compose.dedicated-keycloak.yaml` to make Intel wait until Keycloak is reachable.
+
+## Required `.env` entries
+
+Add these to the root `.env` (same directory you pass via `--env-file`):
+
+```dotenv
+KEYCLOAK_FQDN=<KEYCLOAK_FQDN>
+KEYCLOAK_REALM=<REALM>
+```
+
+`KEYCLOAK_REALM` must match the realm used in your OIDC URLs:
+`https://<KEYCLOAK_FQDN>/realms/<REALM>/...`
+
+## Run
+
+```bash
+docker compose \
+  -f compose/compose.yaml \
+  -f compose/compose.dedicated-keycloak.yaml \
+  --env-file ./.env \
+  up --pull always --wait -d
+```