TLS Certificate Verification Failure When Using function-kcl with OCI Registry on AWS ECR in Crossplane

[Tranceh2]

What happened?

I expected the function-kcl in Crossplane to authenticate and retrieve a KCL module stored in an OCI registry on AWS ECR. This works locally without issue using kcl login. However, when deploying function-kcl in a Kubernetes cluster with Crossplane, the function fails to authenticate and returns a TLS error related to certificate verification.

In the status section of a Crossplane XRD, I receive the following error:

status:
  conditions:
    - lastTransitionTime: '2024-11-08T13:58:13Z'
      message: >
        cannot compose resources: pipeline step "normal" returned a fatal
        result: failed to run kcl function pipelines: failed to login
        'xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com', please check registry,
        username and password is valid

        Get "https://xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/v2/": tls:
        failed to verify certificate: x509: certificate signed by unknown
        authority

I apologize if this issue has been reported already; I searched but could not find a similar report. Additionally, apologies if I missed anything in the setup.

How can we reproduce it?

Below is the configuration used in the XR of Crossplane with kcl-function:

apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: pcf-instanceec2
spec:
  writeConnectionSecretsToNamespace: crossplane
  compositeTypeRef:
    apiVersion: platform.pcfactory.cl/v1alpha1
    kind: XInstanceEc2
  mode: Pipeline
  pipeline:
    - step: normal
      functionRef:
        name: kcl-function
      input:
        apiVersion: krm.kcl.dev/v1alpha1
        kind: KCLInput
        metadata:
          name: basic
          annotations:
            krm.kcl.dev/allow-insecure-source: "true"
        spec:
          target: Resources
          source: oci://xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/kcl-modules/instanceec2
          credentials:
            url: xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com
            username: AWS
            password: "keygeneratedbyecr"
    - step: automatically-detect-ready-composed-resources
      functionRef:
        name: function-auto-ready

Attempts to address the issue included:

• Removing the allow-insecure-source annotation.
• Adding the module version to the source, e.g., source: oci://xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/kcl-modules/instanceec2:0.0.1.
• Testing various configurations for credentials.

Additionally, a manual kcl login command was attempted inside the kcl-function pod:

kcl registry login -u AWS -p keygeneratedbyecr xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com --insecure-skip-tls-verify

This resulted in a similar certificate error:

failed to login 'xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com', please check registry, username and password is valid
Get "https://xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

What environment did it happen in?

Environment Variable	Version/Value
Function version	v0.10.8
Crossplane version	v1.17.2
Kubernetes version	v1.26.10
Cloud provider	AWS

[Peefy]

Hello @Tranceh2

Have you tried synchronizing this issue to the Crossplane community? Perhaps there is a way to set certificates within the function pod.

cc @zong-zhe In addition to using KCL to manage Git/OCI Sources on the client side, we also need a unified implementation or documentation for runtime (in Kubernetes Cluster) related components such as kcl-operator, flux-kcl-controller, crossplane function-kcl, etc

[kbristow]

@Peefy I am seeing the same issue using a private artifactory registry. It does not use self signed certs so normally we do not need to trust any certs. Using v0.10.0 does not seem to have this issue, but I am seeing it on v0.10.8.

I can work around it doing something like this:

apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
  name: function-kcl
spec:
  package: xpkg.upbound.io/crossplane-contrib/function-kcl:v0.10.8
  runtimeConfigRef:
    name: kcl-config
---
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: kcl-config
spec:
  deploymentTemplate:
    spec:
      selector: {}
      template:
        spec:
          containers:
          - name: package-runtime
            volumeMounts:
            - name: custom-ca-certificates
              mountPath: /etc/ssl/certs/artifacts.crt
              subPath: artifacts.crt
          volumes:
          - name: custom-ca-certificates
            secret:
              defaultMode: 420
              secretName: custom-ca-certificates

where the artifacts.crt contains output from openssl s_client -connect my-artifactory:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'. I also publish my XRD's and compositions as OCI Configuration Packages which Crossplane installs fine. So from what I can see, it just seems like function-kcl is affected in this way.

[dayyeung]

I have just had a similar issue where I was trying to add a public kcl module as a dependency.

A simple fix would be to install the OS package ca-certificates by default and it would make our lives much easier.

[Peefy]

Thank you everyone. Perhaps we can open a PR for dockerfile with function-kcl and add apt-get install ca certificates and PRs are welcome! 🙏

[kbristow]

@Peefy v0.10.10 seems to resolve this issue for me. Thank you 🙏