Description
Hi team!
I'm working on a Crossplane composition using function-kcl and need to pull a KCL package from a private GHCR.
I'm getting 401 authentication errors when using crossplane render with --function-credentials, even though the credentials are valid.
What I've verified:
✅ Credentials work locally with docker login and curl to GHCR
✅ Token has read:packages scope
✅ Following the official docs: https://github.com/crossplane-contrib/function-kcl?tab=readme-ov-file#source-credentials
✅ Secret format matches the documentation exactly
Error:
failed to get package with '<redacted>' from 'ghcr.io/<package path>'
failed to resolve <redacted>: GET "https://ghcr.io/v2/<redacted>":
GET "https://ghcr.io/<redacted>":
response status code 401: unauthorized: authentication required
Question: How do I properly configure credentials for KCL dependencies from private OCI registries when using crossplane render? Is there something missing in my setup?
composition.yaml
```yaml
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
    argocd.argoproj.io/sync-wave: "30"
  labels:
    crossplane.io/xrd: xexamples.crossplane.test.io
  name: examples
spec:
  compositeTypeRef:
    apiVersion: crossplane.test.io/v1
    kind: Xexample
  mode: Pipeline
  pipeline:
    - step: kcl
      functionRef:
        name: function-kcl
      credentials:
        - name: kcl-registry
          source: Secret
          secretRef:
            namespace: default
            name: default
      input:
        apiVersion: krm.kcl.dev/v1alpha1
        kind: KCLInput
        spec:
          dependencies: |-
            kcllibs = { oci = "oci://ghcr.io/<path-to-kcl-package>", tag = "<tag>"}
          source: |-
            import kcllibs
```
secret.yaml
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: default
  namespace: default
type: Opaque
data:
  username: <redacted>
  password: <redacted>
  url: https://ghcr.io
```

Any insights would be greatly appreciated! 🙏
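Kubernetes treats every value under a Secret's `data:` key as base64 (plain text belongs under `stringData:`), and the manifest posted above carries `url: https://ghcr.io` under `data:`. The following is an added example, not code from the issue author or the function-kcl project: a small check that reports which `data` values are not valid base64. The sample manifest and its credential values are constructed placeholders, and the function names are hypothetical.

```python
import base64
import binascii

# Constructed sample mirroring the Secret in the issue; values are placeholders.
SAMPLE_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
  name: default
  namespace: default
type: Opaque
data:
  username: ZXhhbXBsZS11c2Vy
  password: ZXhhbXBsZS10b2tlbg==
  url: https://ghcr.io
"""


def secret_data_fields(manifest: str) -> dict:
    """Return the flat key/value pairs found under the top-level `data:` key."""
    fields, in_data = {}, False
    for line in manifest.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # any top-level key opens or closes the block
            in_data = line.split("#")[0].strip() == "data:"
            continue
        if in_data:
            key, _, value = line.strip().partition(":")
            fields[key.strip()] = value.strip().strip("'\"")
    return fields


def check_secret_data(manifest: str) -> dict:
    """Map each `data` key to its decoded text, or None if it is not valid base64."""
    result = {}
    for key, value in secret_data_fields(manifest).items():
        try:
            result[key] = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            result[key] = None
    return result


if __name__ == "__main__":
    for key, decoded in check_secret_data(SAMPLE_SECRET).items():
        status = "ok" if decoded is not None else "NOT base64; encode it or use stringData"
        print(f"data.{key}: {status}")
```

A plain-text value that happens to use only base64 characters can still pass this check, so compare the decoded text with the value you intended to store.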