secretgen-controller icon indicating copy to clipboard operation
secretgen-controller copied to clipboard
verified publisher icon carvel-dev

Secretgen-controller generates invalid empty auth entries in .dockerconfigjson causing “Unsupported Auth config” errors

Open devanshuVmware opened this issue 1 month ago • 0 comments

What steps did you take:

  1. Create a secret of type kubernetes.io/dockerconfigjson in kube-system with content such as: { "auths": { "harbor.internal": {} } }

  2. Export the secret to all namespaces via SecretExport.

apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
  name: image-registry-credentials
  namespace: kube-system
spec:
  toNamespaces:
  - "*"

  1. Deploy a kapp-controller PackageInstall that requires registry credentials (image or imgpkg fetch). kapp-controller will create placeholder secrets, which secretgen-controller populates.

  2. Inspect the autogenerated secret — it will contain:

{
  "auths": {
    "harbor.internal": {
      "username": "",
      "password": "",
      "auth": ""
    }
  }
}
  1. Attempt to pull the image → results in: Unsupported Auth config

What happened: We use a cluster-wide secret image-registry-credentials (type kubernetes.io/dockerconfigjson) exported via SecretExport to all namespaces. It contains registry hostname and certificate chain, and sometimes credentials.

When the registry does not require credentials, the source dockerconfigjson contains only the registry entry + certs, but no auth fields.

secretgen-controller merges this and produces e.g.

{
  "auths": {
    "harbor.internal": {
      "username": "",
      "password": "",
      "auth": ""
    }
  }
}

This is incorrect because the auths field is not empty, but the username, password, and auth fields are empty. Kapp-controller then uses this placeholder secret for image pull, registry rejects it with: Unsupported Auth config

What did you expect: Image fetch to succeed

Anything else you would like to add: Manually patching the generated secret to: {"auths": {}} fixes the issue.

Environment:

  • secretgen-controller version : v0.19.2 (latest)
  • Kubernetes version : any

Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible" 👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.

devanshuVmware avatar Nov 25 '25 12:11 devanshuVmware