diff --git a/keycloak/build/Dockerfile b/keycloak/build/Dockerfile
new file mode 100644
index 0000000..deedd48
--- /dev/null
+++ b/keycloak/build/Dockerfile
@@ -0,0 +1,12 @@
+FROM quay.io/keycloak/keycloak:17.0.0 as builder
+
+ENV KC_METRICS_ENABLED=true
+ENV KC_FEATURES=token-exchange
+ENV KC_DB=postgres
+RUN /opt/keycloak/bin/kc.sh build
+
+FROM quay.io/keycloak/keycloak:17.0.0
+COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
+WORKDIR /opt/keycloak
+ENV KC_LOG_LEVEL=INFO
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]
diff --git a/keycloak/hooks/postgres_database-relation-joined b/keycloak/hooks/postgres_database-relation-joined
index 672cc74..1f5c177 100755
--- a/keycloak/hooks/postgres_database-relation-joined
+++ b/keycloak/hooks/postgres_database-relation-joined
@@ -10,9 +10,8 @@ config-add "\
 services:
   $MASTER_BASE_SERVICE_NAME:
     environment:
-      DB_VENDOR: postgres
-      DB_ADDR: \"$MASTER_TARGET_SERVICE_NAME\"
-      DB_DATABASE: \"$DBNAME\"
-      DB_PASSWORD: \"$PASSWORD\"
-      DB_USER: \"$USER\"
+      KC_DB_URL: \"jdbc:postgresql://$MASTER_TARGET_SERVICE_NAME:5432/$DBNAME\"
+      KC_DB_USERNAME: \"$USER\"
+      KC_DB_PASSWORD: \"$PASSWORD\"
+      KC_DB: \"postgres\"
 "
diff --git a/keycloak/hooks/web_proxy-relation-joined b/keycloak/hooks/web_proxy-relation-joined
index 461a335..1151541 100755
--- a/keycloak/hooks/web_proxy-relation-joined
+++ b/keycloak/hooks/web_proxy-relation-joined
@@ -1,11 +1,17 @@
 #!/bin/bash
 
+DOMAIN=$(relation-get domain) || exit 1
+
 set -e
 
 config-add "\
 services:
   $MASTER_BASE_SERVICE_NAME:
     environment:
+      KC_HOSTNAME: "$DOMAIN"
       PROXY_ADDRESS_FORWARDING: \"true\"
+      KC_PROXY: edge
+      KC_HTTP_ENABLED: \"true\"
+      KC_HOSTNAME_STRICT: \"false\"
 "
 
diff --git a/keycloak/metadata.yml b/keycloak/metadata.yml
index a2db5cb..6fe7d37 100644
--- a/keycloak/metadata.yml
+++ b/keycloak/metadata.yml
@@ -1,4 +1,5 @@
-docker-image: docker.0k.io/keycloak:16.1.1  ## jboss/keycloak:16.1.1
+#docker-image: docker.0k.io/keycloak:16.1.1  ## jboss/keycloak:16.1.1
+#docker-image: quay.io/keycloak/keycloak:17.0.0
 
 default-options: