Configure ArgoCD to preserve admin password across redeployments

Ensure admin password persists through helm uninstall/install cycles by managing argocd-secret outside of Helm's control. Changes: - Set configs.secret.createSecret: false in values.yaml - Create argocd-secret.yaml with default admin password - Update Justfile to apply secret before helm install - Secret is now managed by kubectl, not Helm - Default password: "argocd-admin-default" (change after first login) Benefits: - Admin password survives helm uninstall/install - Password changes via UI/CLI are preserved - No random password regeneration on redeployments - Secret has no Helm annotations (not managed by Helm) The argocd-secret will persist across redeployments unless explicitly deleted. PVC and admin password are now both persistent. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
author: Paul Buetow <paul@buetow.org> 2025-12-30 11:38:48 +0200
committer: Paul Buetow <paul@buetow.org> 2025-12-30 11:38:48 +0200
commit: 8945a45a183b337eb05b3d263e57cd2dafe0f726 (patch)
tree: a4e5ded0682e7e4c5bc026aa81ab02d8723c9a5a /f3s/argocd
parent: 8c289e400af9c430b752f82bcf82e38a453cb163 (diff)
3 files changed, 45 insertions, 4 deletions
diff --git a/f3s/argocd/Justfile b/f3s/argocd/Justfile
index 6aa7b76..3f0d487 100644
--- a/f3s/argocd/Justfile
+++ b/f3s/argocd/Justfile
@@ -9,16 +9,20 @@ install:
     helm repo update
     kubectl create namespace {{NAMESPACE}} || true
     kubectl apply -f persistent-volumes.yaml
+    kubectl apply -f argocd-secret.yaml
     helm install {{RELEASE_NAME}} argo/argo-cd --namespace {{NAMESPACE}} -f values.yaml
     @echo "Waiting for ArgoCD to be ready..."
     @sleep 10
     kubectl apply -f ingress.yaml
     @echo ""
     @echo "ArgoCD deployed successfully!"
-    @echo "Access UI at: http://argocd.f3s.buetow.org"
+    @echo "Access UI at: https://argocd.f3s.buetow.org"
     @echo ""
-    @echo "Get initial admin password with:"
-    @echo "kubectl -n {{NAMESPACE}} get secret argocd-initial-admin-secret -o jsonpath=\"{.data.password}\" | base64 -d"
+    @echo "Default admin credentials:"
+    @echo "  Username: admin"
+    @echo "  Password: argocd-admin-default"
+    @echo ""
+    @echo "IMPORTANT: Change the password after first login!"
 
 upgrade:
     helm upgrade {{RELEASE_NAME}} argo/argo-cd --namespace {{NAMESPACE}} -f values.yaml
@@ -27,7 +31,10 @@ upgrade:
 uninstall:
     kubectl delete -f ingress.yaml || true
     helm uninstall {{RELEASE_NAME}} --namespace {{NAMESPACE}} || true
-    kubectl delete -f persistent-volumes.yaml || true
+    @echo ""
+    @echo "NOTE: argocd-secret is preserved to keep your admin password"
+    @echo "      To fully remove: kubectl delete secret argocd-secret -n {{NAMESPACE}}"
+    @echo "      To remove PV: kubectl delete -f persistent-volumes.yaml"
 
 status:
     kubectl get pods -n {{NAMESPACE}} -l app.kubernetes.io/name=argocd-server
diff --git a/f3s/argocd/argocd-secret.yaml b/f3s/argocd/argocd-secret.yaml
new file mode 100644
index 0000000..1c7c1ef
--- /dev/null
+++ b/f3s/argocd/argocd-secret.yaml
@@ -0,0 +1,28 @@
+# ArgoCD Secret - Managed manually (not by Helm)
+# This preserves admin password changes across helm uninstall/install cycles
+#
+# Default admin password: "argocd-admin-default"
+# Change this after first login via: argocd account update-password
+#
+# To generate a new password hash:
+#   htpasswd -nbBC 10 "" "your-password" | tr -d ':\n' | sed 's/$2y/$2a/'
+#   echo -n "hash-output" | base64
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-secret
+  namespace: cicd
+  labels:
+    app.kubernetes.io/name: argocd-secret
+    app.kubernetes.io/part-of: argocd
+type: Opaque
+data:
+  # admin.password: bcrypt hash of "argocd-admin-default"
+  # Generated with: htpasswd -nbBC 10 "" "argocd-admin-default" | tr -d ':\n' | sed 's/$2y/$2a/'
+  admin.password: JDJhJDEwJDhKdlRveW5tb1NTZkMvMndZZGxDN09RVTZyUVJjTHJPT054WkllZ3poWmVpc0hmdnpETjUy
+  # admin.passwordMtime: modification time (ISO 8601 format)
+  admin.passwordMtime: MjAyNS0xMi0zMFQwOTozMDowMFo=
+  # server.secretkey: auto-generated or set your own (base64 encoded random string)
+  # Generated with: openssl rand -base64 32
+  server.secretkey: WjJRMU1rWXlSMjFoTlZOSUsyeEpRamRNTDNkcEwxUndPRkJGVjBkNGJtOUxLMGxGWVhoM2FtcG9kejA9
diff --git a/f3s/argocd/values.yaml b/f3s/argocd/values.yaml
index 2a8e7b6..fb97755 100644
--- a/f3s/argocd/values.yaml
+++ b/f3s/argocd/values.yaml
@@ -103,3 +103,9 @@ crds:
 configs:
   params:
     server.insecure: true
+  # Secret configuration - don't let Helm manage the secret
+  # This preserves admin password changes across redeployments
+  secret:
+    createSecret: false
+    # Note: argocd-secret must be created manually before first install
+    # See argocd-secret.yaml for the secret template
author	Paul Buetow <paul@buetow.org>	2025-12-30 11:38:48 +0200
committer	Paul Buetow <paul@buetow.org>	2025-12-30 11:38:48 +0200
commit	8945a45a183b337eb05b3d263e57cd2dafe0f726 (patch)
tree	a4e5ded0682e7e4c5bc026aa81ab02d8723c9a5a /f3s/argocd
parent	8c289e400af9c430b752f82bcf82e38a453cb163 (diff)