diff --git a/util/exec/exec.go b/util/exec/exec.go
index cfd57575c2c3f..10261f1f3170d 100644
--- a/util/exec/exec.go
+++ b/util/exec/exec.go
@@ -30,13 +30,15 @@ func Run(cmd *exec.Cmd) (string, error) {
 }
 
 func RunWithRedactor(cmd *exec.Cmd, redactor func(text string) string) (string, error) {
+	opts := argoexec.CmdOpts{Timeout: timeout}
 	span := tracing.StartSpan(fmt.Sprintf("exec %v", cmd.Args[0]))
 	span.SetBaggageItem("dir", fmt.Sprintf("%v", cmd.Dir))
-	span.SetBaggageItem("args", fmt.Sprintf("%v", cmd.Args))
-	defer span.Finish()
-	opts := argoexec.CmdOpts{Timeout: timeout}
 	if redactor != nil {
+		span.SetBaggageItem("args", redactor(fmt.Sprintf("%v", cmd.Args)))
 		opts.Redactor = redactor
+	} else {
+		span.SetBaggageItem("args", fmt.Sprintf("%v", cmd.Args))
 	}
+	defer span.Finish()
 	return argoexec.RunCommandExt(cmd, opts)
 }
diff --git a/util/exec/exec_test.go b/util/exec/exec_test.go
index dcef40759a8e4..c9c83274f1713 100644
--- a/util/exec/exec_test.go
+++ b/util/exec/exec_test.go
@@ -3,6 +3,7 @@ package exec
 import (
 	"os"
 	"os/exec"
+	"regexp"
 	"testing"
 	"time"
 
@@ -27,3 +28,14 @@ func TestRun(t *testing.T) {
 	assert.NoError(t, err)
 	assert.NotEmpty(t, out)
 }
+
+func TestHideUsernamePassword(t *testing.T) {
+	_, err := RunWithRedactor(exec.Command("helm registry login https://charts.bitnami.com/bitnami", "--username", "foo", "--password", "bar"), nil)
+	assert.NotEmpty(t, err)
+
+	var redactor = func(text string) string {
+		return regexp.MustCompile("(--username|--password) [^ ]*").ReplaceAllString(text, "$1 ******")
+	}
+	_, err = RunWithRedactor(exec.Command("helm registry login https://charts.bitnami.com/bitnami", "--username", "foo", "--password", "bar"), redactor)
+	assert.NotEmpty(t, err)
+}