# ---- build stage -------------------------------------------------------------
# Compiles the healthchecker binary with the Go toolchain. Nothing from this
# stage reaches the runtime image except the single binary copied below.
FROM golang:1.25 AS builder
WORKDIR /src

# Module manifests are copied on their own so the `go mod download` layer is
# reused until go.mod/go.sum change. go.sum also makes the download verify
# module hashes, so keep it committed and up to date.
COPY go.mod go.sum ./
RUN go mod download

# The whole build context is copied here.
# NOTE(review): confirm a .dockerignore keeps .git, local env files and any
# credentials out of the context — builder layers can persist in the build
# cache even though the stage is not part of the final image.
COPY . .

# Expected to produce bin/healthchecker (the path the runtime stage copies).
RUN make build

# ---- runtime image -----------------------------------------------------------
# NOTE(review): bookworm-slim is a floating tag. For reproducible builds pin it
# by digest, e.g. debian:bookworm-slim@sha256:<DIGEST-PLACEHOLDER>.
FROM debian:bookworm-slim

# iproute2 is the only extra package; the apt lists are removed in the same
# layer so they do not end up in the image.
# presumably healthchecker relies on the `ip` tooling — confirm, and drop the
# package if all tunnel management really goes through netlink directly.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        iproute2 \
    && rm -rf /var/lib/apt/lists/*

COPY --from=builder /src/bin/healthchecker /usr/local/bin/healthchecker

# Required capabilities:
#   CAP_NET_ADMIN — create/delete GRE tunnel interfaces via netlink
#   CAP_NET_RAW   — open raw ICMP sockets for health probing
#
# Grant only these two and drop the runtime's default set, e.g.:
#   docker run --cap-drop ALL --cap-add NET_ADMIN --cap-add NET_RAW ...
# or in Kubernetes via securityContext.capabilities
#   (drop: ["ALL"], add: ["NET_ADMIN", "NET_RAW"]).
# Do not fall back to a privileged container to obtain them.
# NOTE(review): verify the binary needs no other capability before dropping ALL.
#
# CAP_NET_ADMIN is broad: it permits changing interfaces, routes and firewall
# rules in whatever network namespace the container runs in, so avoid host
# networking unless the tunnels must live on the host.
#
# There is no USER directive, so the process runs as root (uid 0). Adding USER
# on its own would not work: a non-root process does not hold these
# capabilities in its effective set unless file capabilities are set on the
# binary (and on any helper it executes) or the runtime grants ambient
# capabilities.
ENTRYPOINT ["/usr/local/bin/healthchecker"]