Does containerd runtime ignore imagePullSecrets?

I am observing issues where my Kubernetes cluster cannot pull images from private registries any more. This may be the case since I switched its runtime from Docker to containerd. imagePullSecret tags and the corresponding secrets are still in place.

One can find descriptions that suggest that, with containerd, image pull credentials have to be placed in /etc/containerd/config.toml instead.

What is the latest normative documentation for this case: Should containerd (when serving as Kubernetes container runtime) be able to pick up image pull credentials from Kubernetes secrets in the “normal” way or can these not serve with that particular runtime?

Cluster information:

Kubernetes version: 1.27.1
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: Debian
CNI and version: Cilium
CRI and version: containerd 1.6.21

It looks by now as if the problem only occurs in conjunction with secrets that are backed by the Vault External Secrets Operator (ESO). So I suspect the root cause is “somehow” in the combination of containerd and ESO.