From 1a231fa807f552c8a7b569e18cb10971c949e888 Mon Sep 17 00:00:00 2001
From: "aleksa.radojicic"
Date: Sun, 25 Jan 2026 11:46:52 +0100
Subject: [PATCH] fix(keycloak): prevent env vars from being printed in logs The problem is credentials are displayed in the console, which poses a security risk in production. Printing the environment variables for log levels 'trace/debug' would help when debugging.
---
 config/keycloak/docker-entrypoint-override.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/config/keycloak/docker-entrypoint-override.sh b/config/keycloak/docker-entrypoint-override.sh
index 4809750..9cf3eeb 100644
--- a/config/keycloak/docker-entrypoint-override.sh
+++ b/config/keycloak/docker-entrypoint-override.sh
@@ -1,5 +1,8 @@
 #!/bin/bash
-printenv
+# print env variables for trace/debug log levels
+log_level=$(printf '%s' "$KC_LOG_LEVEL" | tr '[:upper:]' '[:lower:]')
+case "$log_level" in trace|debug) printenv ;; *) ;; esac
+
 # replace openCloud domain and LDAP password in keycloak realm import
 mkdir /opt/keycloak/data/import
 sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/openCloud-realm.json > /opt/keycloak/data/import/openCloud-realm.json
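Review bot: At `trace`/`debug` the `printenv` arm still writes every variable's value to the container log, including the `LDAP_ADMIN_PASSWORD` that the `sed` line below reads, so the credential exposure described in the commit message returns whenever debugging is switched on. Debug levels do get enabled on production systems, and container stdout usually ends up in a log aggregator with wider read access than the container itself. Consider printing names only, or masking secret-looking entries, e.g. `trace|debug) printenv | sed -E 's/^([^=]*(PASSWORD|SECRET|TOKEN|KEY)[^=]*)=.*/\1=***/' ;;` (this is line-based, so multi-line values would need separate handling). Separately, the match is exact, so a `KC_LOG_LEVEL` that carries per-category levels after a comma would not hit the `trace|debug` arm; that fails closed, but a comment saying so would help the next reader.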