Add k8s credential provider support

[stmcginnis]

Issue number:

Closes #1702

Description of changes:

This adds the capability to use Kubernetes image credential providers to
retrieve credentials to use when pulling images for container creation.

Initially we will only support the ecr-credential-provider, but things
are set up so we may add more providers in future updates.

---

Yet to do:

• Include ecr-credential-provider binary
• Add new config settings
• Perform full testing and verification
• Documentation on using this feature (basic docs, more detailed docs TBD)

---

Testing done:

• For ecr-credential-provider binary: Added RPM files, built and deployed instance, verified the binary was in the expected location on the filesystem.
• Addition of new settings: Build, deployed, set values by using apiclient set. Verified settings saved and available using apiclient get and viewing config settings written to filesystem.
• any-enabled template helper: Addition of unit tests to validate various input. Created small test app to execute templating code and verify expected output.
• Application of settings:
  • default cred provider config file written.
  • Setting values recreates file and restarts kubelet with correct parameters.
  • Sonobuoy quick tests pass
  • Validate use of ECR plugin for registry validation
  • Tested with Kubernetes 1.20, 1.21, 1.22, and 1.23
  • Tested with separate aws-config and aws-credentials as well as combined using only aws-config

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[stmcginnis]

Note: right now this contains some of John's work from #2378 since that will need to merge before the addition of ecr-credential-provider. Hopefully looking at the individual commits can help isolate the relevant things if someone wants to review parts of this while it's being worked on.

[stmcginnis]

Marking as ready to review, but still performing testing/validation. Everything should be in place though, so pending any testing issues found this should be good to go.

[stmcginnis]

I believe I have addressed all comments so far. Please let me know if I have missed anything.

I've resolved all of the ones that I think were fully addressed. There are a few that either had questions or were open to further discussion which I have not resolved yet pending some sort of resolution.

[matthewdaltonfanduel]

@arnaldo2792 pinging for re-review

[stmcginnis]

Updated to resolve merge conflict in sources/Cargo.lock.

[webern]

I guess I'm a little confused about what the "service" named aws is, but assuming that is done correctly... looks good.

[webern]

Upon further reflection, I now understand why we arrived at aws.settings.* for this. It's because there's essentially one ~/.aws/ profile on the machine and it wouldn't make sense to bury that under, e.g. settings.kubernetes. Makes sense now: 👍

[stmcginnis]

Rebased and resolved merge conflicts.

stale review

[stmcginnis]

Thanks everyone!