Skip to content

Secret-based password retrieval in Kubernetes

In Kubernetes, sensitive information such as passwords or authentication tokens is typically managed using Secret objects^[400-devops__04-CI-CD-Pipelines__k8s-argocd__argocd-app-config__README.md]. When external services or applications—such as ArgoCD—are deployed into a cluster, they often generate an initial secret containing the credentials required for the first login^[400-devops__04-CI-CD-Pipelines__k8s-argocd__argocd-app-config__README.md].

To retrieve a password stored in a secret, administrators use the kubectl command-line tool combined with helper commands like base64^[400-devops__04-CI-CD-Pipelines__k8s-argocd__argocd-app-config__README.md]. This is necessary because Secret data is typically stored in an encoded format^[400-devops__04-CI-CD-Pipelines__k8s-argocd__argocd-app-config__README.md].

Retrieval methods

The standard method for retrieving a password involves identifying the specific secret object and the data key within it^[400-devops__04-CI-CD-Pipelines__k8s-argocd__argocd-app-config__README.md]. A fully qualified path can be used to output the raw data field.^[400-devops__04-CI-CD-Pipelines__k8s-argocd__argocd-app-config__README.md]

For example, the following command structure extracts the password value, decodes it from base64, and prints it to the console^[400-devops__04-CI-CD-Pipelines__k8s-argocd__argocd-app-config__README.md]:

[kubectl](<./kubectl.md>) -n <namespace> get secret <secret-name> -o jsonpath="{.data.password}" | base64 --decode && echo

Example: ArgoCD Initial Admin Password

In the context of deploying ArgoCD, an initial admin secret is automatically created upon installation^[400-devops__04-CI-CD-Pipelines__k8s-argocd__argocd-app-config__README.md]. The name of this secret is typically argocd-initial-admin-secret^[400-devops__04-CI-CD-Pipelines__k8s-argocd__argocd-app-config__README.md].

The command to retrieve the default admin password is^[400-devops__04-CI-CD-Pipelines__k8s-argocd__argocd-app-config__README.md]:

[kubectl](<./kubectl.md>) -n [ArgoCD](<./argocd.md>) get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 --decode && echo

Once retrieved, it is security best practice to delete the initial secret or change the default password, as the initial credentials are widely known and documented^[400-devops__04-CI-CD-Pipelines__k8s-argocd__argocd-app-config__README.md].

Sources

^[400-devops__04-CI-CD-Pipelines__k8s-argocd__argocd-app-config__README.md]