Retrieve KOTS Config Values When the Admin Console is Unavailable

diamon_w · October 7, 2025, 7:23pm

When the KOTS Admin Console or CLI is unavailable or not functioning properly, we’ve written a tool that can be used to extract and decrypt KOTS configuration values directly from the rqlite database.

When to Use This

kotsadm pods are down or unhealthy
kubectl kots get config --decrypt fails or hangs
Admin Console is unavailable

Prerequisites

kubectl with access to your KOTS namespace
Go 1.19+ (for compiling)

Quick Start

Compile the Binary


*# Download source*

wget https://gist.githubusercontent.com/diamonwiggins/d1f4246274039a9a0b1021f69d4b0883/raw/decrypt-kots-config.go



*# Initialize module and get dependencies*

go mod init kots-decrypt

go get sigs.k8s.io/yaml

go mod tidy



*# Compile for Linux (most common)*

GOOS=linux GOARCH=amd64 go build -o kots-decrypt-config kots-decrypt-config.go



*# For macOS Intel*

GOOS=darwin GOARCH=amd64 go build -o kots-decrypt-config kots-decrypt-config.go



*# For macOS Apple Silicon*

GOOS=darwin GOARCH=arm64 go build -o kots-decrypt-config kots-decrypt-config.go

Usage


*# Basic usage*

./kots-decrypt-config -n <namespace>



*# Specific sequence*

./kots-decrypt-config -n default -s 5



*# Custom output directory*

./kots-decrypt-config -n default -o /var/backups



*# Help*

./kots-decrypt-config --help

Output

Creates two files in the output directory (default: /tmp):

kots-config-raw.yaml - Encrypted config values
kots-config-decrypted.yaml - Decrypted values in valuePlaintext fields

Example decrypted output:


apiVersion: kots.io/v1beta1
kind: ConfigValues
spec:
  values:
    database_password:
      valuePlaintext: myDecryptedPassword123  *# Decrypted!*
    database_host:
      default: postgres.example.com

How It Works

Retrieves encryption key from kotsadm-encryption secret (handles double base64 encoding)
Retrieves rqlite password from kotsadm-rqlite secret
Port-forwards to rqlite on port 4001
Queries rqlite for config values (bypasses kotsadm)
Decrypts password fields using AES-192-GCM
Outputs both raw and decrypted configs

Security Notes

The decrypted file contains plaintext passwords!


*# Secure the output*

chmod 600 /tmp/kots-config-decrypted.yaml



*# Delete when done*

rm /tmp/kots-config-*.yaml

Source Code

Complete source: kots-decrypt-config.go

Topic		Replies	Views
Retrieve KOTS application Config Values without Admin Console How do I?	0	105	December 5, 2024
How do I retrieve the previous config for an application? How do I? kots	1	231	August 5, 2022
KOTS: Optional Embedded Database Packaging an application	0	989	March 17, 2020
Resetting KOTS Admin Password Supporting your customers kots	2	1927	December 9, 2020
How can I export config options into a support bundle? How do I? kots , support-bundle , config	4	431	August 6, 2022