Argo CD
Argo ProjectCI/CD3 credentials
Local Admin/User Password
argo-cd / admin-password
Argo CD local users are defined in argocd-cm and password entries are stored in argocd-secret. Argo CD docs recommend disabling the admin user after additional users or SSO are configured.
Location
argocd-secretKubernetes Secret containing admin password and local account password hashes
argocd-cm, argocd-rbac-cmArgo CD local account and RBAC configuration
Argo CD UI, API server, CLI loginGitOps manifests, Helm values, and committed bootstrap secrets
install output, kubectl commands, and authentication traces
Notes
Initial admin password behavior varies by release/deployment; treat it as generated-on-install rather than static.
API Token
argo-cd / api-token
Argo CD local accounts can have apiKey capability and issue tokens for API and CLI automation. User-management docs show local account capabilities such as apiKey and login.
Location
AuthorizationBearer token used for Argo CD API requests
Kubernetes Secrets, CI/CD variables, GitHub Actions secrets, and cloud secret managers
argocd CLI config, pipeline config, .env files, and deployment manifests
deployment scripts, tests, and accidentally committed automation tokens
CI logs, CLI traces, and API client debug output
Notes
Token privileges follow the Argo CD account and RBAC policy.
Repository / Cluster Credential
argo-cd / repository-cluster-credentials
Argo CD stores Git repository, Helm repository, cluster, and plugin credentials in Kubernetes Secrets. Secret-management docs cover handling sensitive data and GitOps workflows.
Location
Kubernetes Secrets labeled for Argo CD repositories, clusters, repo-creds, Dex/OIDC client secrets, and plugins
repository secret manifests, argocd-secret, argocd-cm, and Helm values
GitOps repos containing encrypted or plaintext Secret manifests
repo-server sync errors, plugin logs, and CI output
Notes
These secrets can grant Git, Helm registry, Kubernetes cluster, cloud, or SSO provider access depending on the secret type.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.