openchoreo · mevan-karu · May 15, 2026
diff --git a/docs/_constants.mdx b/docs/_constants.mdx
@@ -9,5 +9,4 @@ export const versions = {
 
 export const defaultCredentials = {
   username: "admin@openchoreo.dev",
-  password: "Admin@123",
 };
diff --git a/docs/ai/mcp-servers.mdx b/docs/ai/mcp-servers.mdx
@@ -144,12 +144,21 @@ On first use, a browser window opens for authentication. Log in with the default
 
 Client credentials authentication uses the `service_mcp_client` OAuth application (confidential client, client_credentials grant), which is pre-created in the default ThunderID IdP. This method works with any AI agent that supports custom HTTP headers.
 
-**Step 1: Obtain an Access Token**
+**Step 1: Retrieve the MCP Client Secret**
+
+The `service_mcp_client` secret was randomly generated during installation. Retrieve it:
+
+```bash
+SERVICE_MCP_CLIENT_SECRET=$(kubectl get secret openchoreo-initial-credentials \
+  -n thunder -o jsonpath='{.data.service-mcp-client-secret}' | openssl base64 -d -A; echo)
+```
+
+**Step 2: Obtain an Access Token**
 
 ```bash
 curl -s -X POST "http://thunder.openchoreo.localhost:8080/oauth2/token" \
   -H 'Content-Type: application/x-www-form-urlencoded' \
-  -u 'service_mcp_client:service_mcp_client_secret' \
+  -u "service_mcp_client:${SERVICE_MCP_CLIENT_SECRET}" \
   -d 'grant_type=client_credentials'
 ```
 

diff --git a/docs/getting-started/quick-start-guide.mdx b/docs/getting-started/quick-start-guide.mdx
@@ -133,7 +133,15 @@ The setup uses a preconfigured Dev Container that includes all required dependen
 
     Default login credentials:
     - Username: <code>{defaultCredentials.username}</code>
-    - Password: <code>{defaultCredentials.password}</code>
+    - Password: Randomly generated during installation. Retrieve it with:
+
+    ```bash
+    kubectl get secret openchoreo-initial-credentials -n thunder -o jsonpath='{.data.admin-password}' | openssl base64 -d -A; echo
+    ```
+
+    :::tip
+    After logging in, change your password or delete the `openchoreo-initial-credentials` secret.
+    :::
 
     <img
         src={require('./qsg-backstage-ui.png').default}

diff --git a/docs/getting-started/try-it-out/on-k3d-locally.mdx b/docs/getting-started/try-it-out/on-k3d-locally.mdx
@@ -164,17 +164,15 @@ OpenChoreo uses [External Secrets Operator](https://external-secrets.io/) to man
   --wait --timeout 300s`}
 </CodeBlock>
 
-The values file runs a postStart script that configures Kubernetes auth, creates reader/writer policies, and seeds the following secrets into the store:
-
-| Secret                         | Value                          | Used By                        |
-| ------------------------------ | ------------------------------ | ------------------------------ |
-| `backstage-backend-secret`     | `local-dev-backend-secret`     | Backstage session signing      |
-| `backstage-client-secret`      | `backstage-portal-secret`      | Backstage OAuth with ThunderID |
-| `backstage-jenkins-api-key`    | `placeholder-not-in-use`       | Placeholder                    |
-| `observer-oauth-client-secret` | `openchoreo-observer-secret`   | Observer OAuth with ThunderID  |
-| `rca-oauth-client-secret`      | `openchoreo-rca-agent-secret`  | SRE Agent OAuth with ThunderID |
-| `opensearch-username`          | `admin`                        | OpenSearch access              |
-| `opensearch-password`          | `ThisIsTheOpenSearchPassword1` | OpenSearch access              |
+The `values-openbao.yaml` postStart script configures Kubernetes auth, creates reader/writer policies, and seeds the Backstage backend secret into OpenBao. The remaining secrets are generated by `generate-thunder-secrets.sh` which runs before ThunderID install and writes to the following paths:
+
+| OpenBao Path                       | Source                        | Use                               | ExternalSecret      |
+| ---------------------------------- | ----------------------------- | --------------------------------- | ------------------- |
+| `backstage-backend-secret`         | postStart (random)            | Backstage session signing         | `backstage-secrets` |
+| `backstage-client-secret`          | `generate-thunder-secrets.sh` | Backstage OAuth with ThunderID    | `backstage-secrets` |
+| `observer-oauth-client-secret`     | `generate-thunder-secrets.sh` | Observer OAuth with ThunderID     | `observer-secret`   |
+| `rca-oauth-client-secret`          | `generate-thunder-secrets.sh` | RCA Agent OAuth with ThunderID    | (created on demand) |
+| `finops-agent-oauth-client-secret` | `generate-thunder-secrets.sh` | FinOps Agent OAuth with ThunderID | (created on demand) |
 
 #### Create the ClusterSecretStore
 
@@ -225,6 +223,13 @@ The control plane is the brain of OpenChoreo. It runs the API server, the web co
 
 [ThunderID](https://github.com/thunder-id/thunderid) handles authentication and OAuth flows. The values file includes bootstrap scripts that run on first startup and configure the organization, users, groups, and OAuth applications automatically.
 
+Before installing ThunderID, generate the required secrets:
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/openchoreo/openchoreo/${versions.githubRef}/install/prerequisites/thunder/generate-thunder-secrets.sh \
+  | BAO_TOKEN=root bash
+```
+
 <CodeBlock language="bash">
   {`helm upgrade --install thunder oci://ghcr.io/asgardeo/helm-charts/thunder \\
   --namespace thunder \\
@@ -306,7 +311,14 @@ In the `thunder` namespace:
 - **thunder** handles authentication and OAuth flows
 
 :::tip[ThunderID Admin Console]
-You can browse and modify the bootstrapped identity configuration (users, groups, OAuth applications) in the ThunderID console at [http://thunder.openchoreo.localhost:8080/console](http://thunder.openchoreo.localhost:8080/console) using `admin` / `admin`. For details on what the bootstrap configured, see the [On Your Environment](on-your-environment.mdx) guide.
+You can browse and modify the bootstrapped identity configuration (users, groups, OAuth applications) in the ThunderID console at [http://thunder.openchoreo.localhost:8080/console](http://thunder.openchoreo.localhost:8080/console). Log in with username `admin` and retrieve the password using:
+
+```bash
+kubectl get secret openchoreo-initial-credentials -n thunder \
+  -o jsonpath='{.data.thunder-console-admin-password}' | openssl base64 -d -A; echo
+```
+
+For details on what the bootstrap configured, see the [On Your Environment](on-your-environment.mdx) guide.
 :::
 
 ## Step 4: Install Default Resources

diff --git a/docs/getting-started/try-it-out/on-your-environment.mdx b/docs/getting-started/try-it-out/on-your-environment.mdx
@@ -121,16 +121,15 @@ OpenChoreo uses [External Secrets Operator](https://external-secrets.io/) to man
 For production, provide your own values file with `server.dev.enabled=false` and configure proper storage and unsealing. See the [OpenBao Helm chart docs](https://github.com/openbao/openbao-helm).
 :::
 
-The values file runs a postStart script that configures Kubernetes auth, creates reader/writer policies, and seeds the following secrets into the store:
+The `values-openbao.yaml` postStart script configures Kubernetes auth, creates reader/writer policies, and seeds the Backstage backend secret into OpenBao. The remaining secrets are generated by `generate-thunder-secrets.sh` which runs before ThunderID install and writes to the following paths:
 
-| Secret                         | Value                                               | Used By                        |
-| ------------------------------ | --------------------------------------------------- | ------------------------------ |
-| `backstage-backend-secret`     | `local-dev-backend-secret`                          | Backstage session signing      |
-| `backstage-client-secret`      | `backstage-portal-secret`                           | Backstage OAuth with ThunderID |
-| `backstage-jenkins-api-key`    | `placeholder-not-in-use`                            | Placeholder                    |
-| `opensearch-username`          | `admin`                                             | OpenSearch access              |
-| `opensearch-password`          | `ThisIsTheOpenSearchPassword1`                      | OpenSearch access              |
-| `observer-oauth-client-secret` | `openchoreo-observer-resource-reader-client-secret` | Observer OAuth (UID resolver)  |
+| OpenBao Path                       | Source                        | Use                               | ExternalSecret      |
+| ---------------------------------- | ----------------------------- | --------------------------------- | ------------------- |
+| `backstage-backend-secret`         | postStart (random)            | Backstage session signing         | `backstage-secrets` |
+| `backstage-client-secret`          | `generate-thunder-secrets.sh` | Backstage OAuth with ThunderID    | `backstage-secrets` |
+| `observer-oauth-client-secret`     | `generate-thunder-secrets.sh` | Observer OAuth with ThunderID     | `observer-secret`   |
+| `rca-oauth-client-secret`          | `generate-thunder-secrets.sh` | RCA Agent OAuth with ThunderID    | (created on demand) |
+| `finops-agent-oauth-client-secret` | `generate-thunder-secrets.sh` | FinOps Agent OAuth with ThunderID | (created on demand) |
 
 #### Create the ClusterSecretStore
 
@@ -310,6 +309,15 @@ kubectl wait --for=condition=Ready certificate/cp-gateway-tls \
   -n openchoreo-control-plane --timeout=60s
 ```
 
+### Generate ThunderID Secrets
+
+Before installing ThunderID, generate random passwords and client secrets. This creates the `openchoreo-initial-credentials` secret in the `thunder` namespace that ThunderID reads at startup:
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/openchoreo/openchoreo/${versions.githubRef}/install/prerequisites/thunder/generate-thunder-secrets.sh \
+  | BAO_TOKEN=root bash
+```
+
 ### Install ThunderID (Identity Provider)
 
 [ThunderID](https://github.com/thunder-id/thunderid) handles authentication and OAuth flows. The setup job is a **pre-install helm hook** that bootstraps users, groups, and OAuth applications on the very first `helm install`. To change these later, uninstall ThunderID, delete the PVC, and reinstall.
@@ -341,9 +349,9 @@ You can browse and modify the ThunderID configuration at:
 echo "https://thunder.${CP_BASE_DOMAIN}/console"
 ```
 
-| Username | Password |
-| -------- | -------- |
-| `admin`  | `admin`  |
+| Username | Password Retrieval Command                                                                                                                        |
+| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `admin`  | `kubectl get secret openchoreo-initial-credentials -n thunder -o jsonpath='{.data.thunder-console-admin-password}' \| openssl base64 -d -A; echo` |
 
 #### Backstage Secrets
 
@@ -639,9 +647,16 @@ Open the OpenChoreo console in your browser:
 echo "https://console.${CP_BASE_DOMAIN}"
 ```
 
-| Username                                   | Password                                   |
-| ------------------------------------------ | ------------------------------------------ |
-| <code>{defaultCredentials.username}</code> | <code>{defaultCredentials.password}</code> |
+| Username                                   | Password                                         |
+| ------------------------------------------ | ------------------------------------------------ |
+| <code>{defaultCredentials.username}</code> | Randomly generated. See retrieval command below. |
+
+Retrieve your admin password:
+
+```bash
+kubectl get secret openchoreo-initial-credentials -n thunder \
+  -o jsonpath='{.data.admin-password}' | openssl base64 -d -A; echo
+```
 
 You should see the OpenChoreo console. Deploy a sample web app:
 

diff --git a/docs/platform-engineer-guide/identity-configuration.mdx b/docs/platform-engineer-guide/identity-configuration.mdx
@@ -42,9 +42,13 @@ ThunderID includes a console where you can manage users, applications, and OAuth
 **Access ThunderID console:**
 
 - URL: `<your-thunder-url>/console`
-- Default credentials:
-  - Username: `admin`
-  - Password: `admin`
+- Username: `admin`
+- Password: Retrieve from the Kubernetes secret:
+
+```bash
+kubectl get secret openchoreo-initial-credentials -n thunder \
+  -o jsonpath='{.data.thunder-console-admin-password}' | openssl base64 -d -A; echo
+```
 
 :::note
 The default ThunderID deployment is intended for development and testing. For production deployments, configure your own OAuth2/OIDC-compliant identity provider as described in the next section.