kubectl get pods -A | egrep "NAME|csi"
NAMESPACE NAME READY STATUS RESTARTS AGE
vmware-system-csi vsphere-csi-controller-<ID> 5/6 CrashLoopBackOff 6294 103d
failed to create govmomi client with err: ServerFaultCode: Cannot complete login due to an incorrect user name or password.
failed to connect to VirtualCenter host: \"vcsa-01.fqdn.com\", Err: ServerFaultCode: Cannot complete login due to an incorrect user name or password.
failed to create govmomi client with err: ServerFaultCode: Cannot complete login due to an incorrect user name or password.
Cannot connect to vCenter with err: ServerFaultCode: Cannot complete login due to an incorrect user name or password
.
2024-08-12T11:50:17.780719+05:00 warning vmdird t@140178253403712: Lockout policy check - account lockout. (cn=workload_storage_management-46daxxxx-318c-4096-8f34-afxxxxxx1,cn=serviceprincipals,dc=vsphere,dc=locall)
2024-08-12T11:50:17.780767+05:00 err vmdird t@140178253403712: VdirPasswordFailEvent from user(cn=workload_storage_management-46daxxxx-318c-4096-8f34-afxxxxxx1,cn=serviceprincipals,dc=vsphere,dc=local), error(0)()
2024-08-12T11:50:17.780802+05:00 err vmdird t@140178253403712: VmDirSendLdapResult: Request (Bind), Error (LDAP_INVALID_CREDENTIALS(49)), Message ((49)(SASL step failed.)), (0) socket (127.0.0.1)
2024-08-12T11:50:17.780832+05:00 err vmdird t@140178253403712: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "CN=workload_storage_management-46daxxxx-318c-4096-8f34-afxxxxxx1,cn=ServicePrincipals,dc=vsphere,dc=local", Method: SASL
2024-08-12T11:51:04.847039+05:00 err vmdird t@140178253403712: SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error)
2024-08-12T11:51:04.849551+05:00 warning vmdird t@140178253403712: Lockout policy check - account lockout. (cn=workload_storage_management-46daxxxx-318c-4096-8f34-afxxxxxx1,cn=serviceprincipals,dc=vsphere,dc=local)
Workaround:
CAUTION: The below steps should be performed with a VMware Support Engineer.
Scope to determine if CSI password on vCenter matches CSI password in Supervisor Cluster Secret:
If CSI Secret on Supervisor Cluster matches the password noted in /etc/vmware/wcp/.storageUser:
# echo '[Global]
insecure-flag = "false"
ca-file = "/etc/vmware/wcp/tls/vmca.pem"
cluster-id = "domain-<id>"
supervisor-id = "supervisor-<>"
cnsregistervolumes-cleanup-intervalinmin = 720
cluster-distribution = "SupervisorCluster"
[VirtualCenter "<vcfqdn>"]
user = "workload storage management-<id>@<domain>"
password = "<password>"
datacenters = "datacenter-<id>"
port = "443"
targetvSANFileShareClusters = ""' | base64 | tr -d '\n'