From a79de3c5eeeb482d3bcf8005df37b7e5580a0038 Mon Sep 17 00:00:00 2001
From: "aleksa.radojicic"
Date: Sun, 25 Jan 2026 11:43:02 +0100
Subject: [PATCH 1/2] feat(keycloak): add support for KC_LOG_LEVEL env variable

KC_LOG_LEVEL is defined in the [official docs](https://www.keycloak.org/server/all-config?q=log-level).
---
 .env.example | 3 +++
 idm/ldap-keycloak.yml | 1 +
 testing/external-keycloak.yml | 1 +
 3 files changed, 5 insertions(+)

diff --git a/.env.example b/.env.example
index 5e725cb..428d5e8 100644
--- a/.env.example
+++ b/.env.example
@@ -322,6 +322,9 @@ KEYCLOAK_DOMAIN=
 KEYCLOAK_ADMIN=
 # Admin user login password. Defaults to "admin".
 KEYCLOAK_ADMIN_PASSWORD=
+# Configure the log level for Keycloak.
+# Possible values are "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL" and "OFF". Default is "INFO".
+KC_LOG_LEVEL=
 # Keycloak Database username. Defaults to "keycloak".
 KC_DB_USERNAME=
 # Keycloak Database password. Defaults to "keycloak".
diff --git a/idm/ldap-keycloak.yml b/idm/ldap-keycloak.yml
index 038b049..d541fac 100644
--- a/idm/ldap-keycloak.yml
+++ b/idm/ldap-keycloak.yml
@@ -96,6 +96,7 @@ services:
 KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
 KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
 KC_FEATURES: impersonation
+KC_LOG_LEVEL: ${KC_LOG_LEVEL:-INFO}
 KC_PROXY_HEADERS: xforwarded
 KC_HTTP_ENABLED: true
 KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}
diff --git a/testing/external-keycloak.yml b/testing/external-keycloak.yml
index 2808fa4..ed4efb7 100644
--- a/testing/external-keycloak.yml
+++ b/testing/external-keycloak.yml
@@ -32,6 +32,7 @@ services:
 KC_DB_USERNAME: ${KC_DB_USERNAME:-keycloak}
 KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
 KC_FEATURES: impersonation
+KC_LOG_LEVEL: ${KC_LOG_LEVEL:-INFO}
 KC_PROXY_HEADERS: xforwarded
 KC_HTTP_ENABLED: true
 KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-kcadmin}

From 1a231fa807f552c8a7b569e18cb10971c949e888 Mon Sep 17 00:00:00 2001
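Review bot: The comment added above `KC_LOG_LEVEL=` lists the accepted levels but not that this value has a side effect in this repository: the entrypoint script changed in the second patch of this series dumps the whole environment, including the database and admin passwords defined further down in this same file, whenever the level is TRACE or DEBUG. I would extend the comment with a line such as `# Note: TRACE/DEBUG also make the Keycloak entrypoint print all environment variables (including credentials) to the container log.`. The linked Keycloak docs also allow a comma-separated list with per-category levels for this option, which the "Possible values" sentence could mention so users do not assume only a single level is valid.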
From: "aleksa.radojicic"
Date: Sun, 25 Jan 2026 11:46:52 +0100
Subject: [PATCH 2/2] fix(keycloak): prevent env vars from being printed in logs

The problem is credentials are displayed in the console, which poses a security risk in production. Printing the environment variables for log levels 'trace/debug' would help when debugging.
---
 config/keycloak/docker-entrypoint-override.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/config/keycloak/docker-entrypoint-override.sh b/config/keycloak/docker-entrypoint-override.sh
index 4809750..9cf3eeb 100644
--- a/config/keycloak/docker-entrypoint-override.sh
+++ b/config/keycloak/docker-entrypoint-override.sh
@@ -1,5 +1,8 @@
 #!/bin/bash
-printenv
+# print env variables for trace/debug log levels
+log_level=$(printf '%s' "$KC_LOG_LEVEL" | tr '[:upper:]' '[:lower:]')
+case "$log_level" in trace|debug) printenv ;; *) ;; esac
+
 # replace openCloud domain and LDAP password in keycloak realm import
 mkdir /opt/keycloak/data/import
 sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/openCloud-realm.json > /opt/keycloak/data/import/openCloud-realm.json
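Review bot: The new `case` line still runs an unfiltered `printenv` whenever the level is trace or debug, so `KC_DB_PASSWORD`, `KEYCLOAK_ADMIN_PASSWORD` and the `LDAP_ADMIN_PASSWORD` this same script reads on its last line are written to the container log as soon as someone raises the level to troubleshoot a deployment, which is exactly the situation the commit message describes as the risk. Redacting the values of variables whose name carries a secret marker keeps the debugging aid without the leak: `trace|debug) printenv | sed -E 's/^([^=]*(PASSWORD|SECRET)[^=]*)=.*/\1=<redacted>/' ;;`. The pattern match is also exact, while the Keycloak option the first patch wires up (`KC_LOG_LEVEL`) is documented as accepting a comma-separated list with per-category levels as well, so a value such as `debug,org.hibernate:info` would never trigger the dump; matching on the root entry, `case "${log_level%%,*}" in`, covers that form. The empty `*) ;;` arm can be dropped, since a `case` with no matching pattern is already a no-op in bash.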