Skip to content

fix: stop printing Keycloak root password in cleartext during deploy#3217

Open
viniciusdc wants to merge 2 commits intomainfrom
fix/mask-keycloak-password-log-3216
Open

fix: stop printing Keycloak root password in cleartext during deploy#3217
viniciusdc wants to merge 2 commits intomainfrom
fix/mask-keycloak-password-log-3216

Conversation

@viniciusdc
Copy link
Copy Markdown
Contributor

@viniciusdc viniciusdc commented Apr 10, 2026
edited
Loading

Summary

Closes https://github.com/orgs/nebari-dev/discussions/3216

The deploy output was printing the Keycloak root password in cleartext, which is a security concern — especially when the password is injected via NEBARI_SECRET__ environment variables specifically to avoid having it in config files.

Changes

src/_nebari/deploy.py

  • When the password is set via NEBARI_SECRET__security__keycloak__initial_root_password env var, mask it in the deploy log with <set via env>
  • When the password comes from the config file or is auto-generated (e.g. first deploy), still print it so the user can retrieve it
  • Fix pre-existing "Kubecloak" typo → "Keycloak"

Before / After

# Before (always prints cleartext)
Keycloak master realm username=root password=MY_ACTUAL_SECRET_PASSWORD

# After (password from env var)
Keycloak master realm username=root password=<set via env>

# After (password from config or auto-generated — unchanged)
Keycloak master realm username=root password=MY_ACTUAL_SECRET_PASSWORD

@viniciusdc
fix: stop printing Keycloak root password in cleartext during deploy
c504ea8 
Closes #3216

- Replace cleartext password in deploy log output with a generic
  '<set via config/env>' hint so users know the password is configured
  without leaking it to the terminal
- Fix 'Kubecloak' typo in the log message
@viniciusdc viniciusdc requested a review from a team as a code owner April 10, 2026 12:19
@viniciusdc viniciusdc requested review from dcmcand and marcelovilla and removed request for a team April 10, 2026 12:19
@viniciusdc
fix: only mask Keycloak password when set via env var
956b6ea 
When the password is provided via NEBARI_SECRET__ env var, mask it in
the deploy output. When it comes from the config file or is
auto-generated (e.g. first deploy), still print it so the user can
retrieve it.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dcmcand dcmcand Awaiting requested review from dcmcand dcmcand is a code owner automatically assigned from nebari-dev/maintenance-team

@marcelovilla marcelovilla Awaiting requested review from marcelovilla marcelovilla is a code owner automatically assigned from nebari-dev/maintenance-team

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

🪴 Nebari Project Management
Status: New 🚦

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@viniciusdc