Pods for Supervisor Services are failing with ErrImagePull status

$ kubectl get pods -n svc-cci-ns-domain-cX
NAME READY STATUS RESTARTS AGE
cci-ns-controller-manager-XX-YY 0/1 ErrImagePull 0 9m44s


$ kubectl describe pods -n svc-cci-ns-domain-cX cci-ns-controller-manager-XX-YY
Name: cci-ns-controller-manager-XX-YY
Namespace: svc-cci-ns-domain-cX
Status: Pending
Reason: ErrImagePull
Message: failed to pull images: failed to get images: Image svc-cci-ns-domain-cX/lci-service-XX-vYY has failed. Error: Failed to resolve on node esxi.local. Reason: Unsupported Auth config: ErrImagePull

2025-01-01T00:00.00Z No(5) spherelet[000]: time="2025-01-01T00:00.00.000Z" level=warning msg="requeuing \"svc-cci-ns-domain-cX/cci-ns-controller-manager-XX-YY\" due to failed sync: failed to sync pod \"svc-cci-ns-domain-cX/cci-ns-controller-manager-XX-YY\" in the provider: failed to pull images: failed to get images: Image svc-cci-ns-domain-cX/lci-service-XX-vYY has failed. Error: Failed to resolve on node esxi.local. Reason: Unsupported Auth config: ErrImagePull"

The image pull error is caused when a private registry is configured without a username/password, even if the registry configuration doesn't require username/password auth. The vSphere UI mistakenly marks these fields as optional.

The auth config can be checked from the supervisor with the following command;

k get secret -n svc-cci-ns-domain-cX consumption-interface-registry-creds -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d
{"auths":{"https://private.registry.url":{"username":"","password":"","auth":""}}}

To workaround the issue, specify a dummy username/password combination for the registry in the vSphere UI.

A fix will be available in a future release of VCF 9.x.