added keystore support for custom functions auth

[AndrewChubatiuk]

Description of your changes

crossplane-xfn doesn't support pulling images from:

• registries such as ECR, ACR, which are using temporary credentials
• service account credentials
• kube secrets

Fixes #3868
Fixes #3717

I have:

• Read and followed Crossplane's [contribution process].
• Run make reviewable to ensure this PR is ready for review.
• Added backport release-x.y labels to auto-backport this PR if necessary.

How has this code been tested

Build container locally with precompiled crun v1.8.1 and tested in AWS EKS with and without an access to ECR

[negz]

This looks good to me at first glance. Relates loosely to #3717

Could you please fill out the "how has this been tested" section of the PR template, and sign the DCO. You'll need to do both for us to accept this PR.

[AndrewChubatiuk]

This looks good to me at first glance. Relates loosely to #3717

Could you please fill out the "how has this been tested" section of the PR template, and sign the DCO. You'll need to do both for us to accept this PR.

It's not hard to add a support for #3717 as well
Added both test section and DCO

[jbw976]

Thanks a lot @AndrewChubatiuk for taking a stab at fixing these issues that have been blocking some early adopters progress on testing composition functions! That's very helpful 🤓

made it compatible with crun 1.8.1.

Do the changes to make it compatible with crun 1.8.1 have any impact to compatibility with older versions of crun? Should we be considering pinning the version of crun we use, as suggested by @negz here?

[bobh66]

Great work @AndrewChubatiuk ! Thanks for digging into this!
Probably a good idea to pin crun to 1.8.1 as part of these changes, if that interface is going to be fragile.

[AndrewChubatiuk]

it should work with older versions, but anyway only 1.8.1 is available now for debian. I was using build container to test with older versions of crun

[negz]

Thanks @AndrewChubatiuk. A few comments, but this looks good overall.

Please squash/cleanup your git commits before we merge this (but please do keep the sysfs fix in a separate commit).

[negz]

Will NewInCluster always fail if in-cluster auth isn't supported?

Or more generally, what causes NewInCluster to fail and what causes remote.WithAuthFromKeychain to fail? It may be worth adding comments to clarify.

[AndrewChubatiuk]

@negz
Moved crun changes to #3893
In this PR additionally:

• squashed all commits
• added support for imagePullSecrets and service account credentials
• removed unused ImagePullAuth

[turkenh]

Thanks @AndrewChubatiuk, left a couple of comments!

I don't think this PR will be fixing #3718 though which is more about passing credentials for the function itself rather than pulling it image.

[turkenh]

Suggested change

	ImagePullSecrets []ContainerFunctionImagePullSecret `json:"imagePullSecrets,omitempty"`
	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`

Any reason not to use the same type as packagePullSecrets?

[AndrewChubatiuk]

Thanks @AndrewChubatiuk, left a couple of comments!

I don't think this PR will be fixing #3718 though which is more about passing credentials for the function itself rather than pulling it image.

it's true, removed this issue from PR

[AndrewChubatiuk]

@turkenh made changes, not sure how it's better to pass service account and namespace to RunFunction

[AndrewChubatiuk]

@turkenh @negz are there any additional changes needed?

[negz]

Sorry this review took so long! I had to switch focus for a while but I expect to be working on Composition Functions again for at least a few weeks. I do think this needs a few more changes - please ping me on Crossplane Slack when you're ready for me to take another look.

[negz]

Thanks for persisting with this @AndrewChubatiuk! It looks great. I have some ideas for small improvements, but I can open a follow-up PR for those. I'll copy you on that.