Skip to content

Secretgen-controller generates invalid empty auth entries in .dockerconfigjson causing “Unsupported Auth config” errors #710

New issue
New issue
Open
Open
Secretgen-controller generates invalid empty auth entries in .dockerconfigjson causing “Unsupported Auth config” errors#710
Labels
bugThis issue describes a defect or unexpected behaviorcarvel-triageThis issue has not yet been reviewed for validity
@devanshuVmware

Description

@devanshuVmware
devanshuVmware
opened on Nov 25, 2025

What steps did you take:

  1. Create a secret of type kubernetes.io/dockerconfigjson in kube-system with content such as:
    {
    "auths": {
    "harbor.internal": {}
    }
    }

  2. Export the secret to all namespaces via SecretExport.

apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
  name: image-registry-credentials
  namespace: kube-system
spec:
  toNamespaces:
  - "*"

  1. Deploy a kapp-controller PackageInstall that requires registry credentials (image or imgpkg fetch). kapp-controller will create placeholder secrets, which secretgen-controller populates.

  2. Inspect the autogenerated secret — it will contain:

{
  "auths": {
    "harbor.internal": {
      "username": "",
      "password": "",
      "auth": ""
    }
  }
}
  1. Attempt to pull the image → results in: Unsupported Auth config

What happened:
We use a cluster-wide secret image-registry-credentials (type kubernetes.io/dockerconfigjson) exported via SecretExport to all namespaces.
It contains registry hostname and certificate chain, and sometimes credentials.

When the registry does not require credentials, the source dockerconfigjson contains only the registry entry + certs, but no auth fields.

secretgen-controller merges this and produces e.g.

{
  "auths": {
    "harbor.internal": {
      "username": "",
      "password": "",
      "auth": ""
    }
  }
}

This is incorrect because the auths field is not empty, but the username, password, and auth fields are empty.
Kapp-controller then uses this placeholder secret for image pull, registry rejects it with:
Unsupported Auth config

What did you expect:
Image fetch to succeed

Anything else you would like to add:
Manually patching the generated secret to:
{"auths": {}} fixes the issue.

Environment:

  • secretgen-controller version : v0.19.2 (latest)
  • Kubernetes version : any

Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugThis issue describes a defect or unexpected behaviorcarvel-triageThis issue has not yet been reviewed for validity

    Type

    No type

    Projects

    Carvel

    Status

    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions