Support passing credentials to composition functions

[negz]

Description of your changes

Fixes #3718

Some functions need credentials to talk to an external system, like AWS or a git repository. Today you can only pass credentials to a function by using a DeploymentRuntimeConfig to inject them as files or environment variables. This isn't ideal, as you probably want per-caller credentials, not credentials that are available to all callers.

This PR allows you to tell Crossplane what credentials to give a function when you write a Composition.

Here's an example:

apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: parent
spec:
  compositeTypeRef:
    apiVersion: nop.example.org/v1alpha1
    kind: XNopResource
  mode: Pipeline
  pipeline:
  - step: example
    functionRef:
      name: function-needs-a-secret
    credentials:
    - name: credentials-for-something
      source: Secret
      secretRef:
        namespace: crossplane-system
        name: super-secret

The credentials block uses the same schema as a ProviderConfig. For now, it only supports loading credentials from a Kubernetes secret (i.e. source: Secret).

In future we might support other sources, but for now I think secrets will be a good start. I've designed both the Kubernetes and protobuf APIs to support adding other credential sources / shapes in future. I'm not sure what other sources we might support. Perhaps IRSA, if we ever relax the function spec:

A Function MUST NOT assume it is deployed in any particular way, for example that it is running as a Kubernetes Pod in the same cluster as Crossplane.

Given that we intend to remove support for external secret stores per #5522, I don't expect we'll ever have to expand this API to support loading from a secret store like Vault. Instead we'd expect people to use https://external-secrets.io (or similar) to load credentials into a Kubernetes secret.

Reading credentials looks like this in Go:

cred := req.GetCredentials()["credentials-for-something"]
switch cred.GetSource().(type) {
	case *v1beta1.Credentials_CredentialData:
		data := cred.GetCredentialData().GetData()
	default:
		// No credentials
}

In Python (I think) it looks like this:

cred = req.credentials["credentials-for-something"]
if cred.HasField("credential_data"):
  data = cred.credential_data.data

This is just the "bare" protobuf-generated code. We could add wrappers to the function SDKs if we think they'd add a better UX.

I have:

• Read and followed Crossplane's contribution process.
• Run make reviewable to ensure this PR is ready for review.
• Added or updated unit tests.
• Added or updated e2e tests.
• Linked a PR or a docs tracking issue to document this change.
• Added backport release-x.y labels to auto-backport this PR.

Need help with this checklist? See the cheat sheet.

[jbw976]

Looks good to me @negz, thanks for iterating on this support for credentials! I like where it landed 💪

Just a couple small questions from me, nothing blocking at all.

[phisco]

a few minor comments, otherwise lgtm 🙏 thanks @negz!