@nr-b nr-b commented Dec 28, 2025

Description

Currently, the registry for GitOps based deployments is protected with basic authentication. Basic authentication is simple, but may not be the best choice for multi user environments since it doesn't seem to work properly if the user doesn't have the config:read permission (and giving that permission to arbitrary non-admins seems like a bad idea).

This PR depends on changes in the operator to use Token Authentication in the distribution registry. This PR implements an "Authorization service" (see link above) in the Kubero UI. This delegates the registry authorization to Kubero and allows us to grant minimal privileges to each build job.

The authentication for build jobs works like this:

  • when a build job is created, a RegistryUser is created with a randomly generated password and stored in the database
    • this is done in makeTemporaryPushCredentialsForImage()
  • these credentials are stored in a kubernetes secret
  • build job starts, buildah builds and finally tries to push the image to the registry
  • the registry will reply with 401 Unauthorized and ask buildah to call back to the Kubero UI
  • buildah will supply the credentials from the kubernetes secret above
  • Kubero UI checks username, password and permissions. If everything is OK, it issues a JWT authorizing access
  • the registry validates the JWT and grants access if everything is OK

For the JWT to work, the registry needs access to the public part of the JWK used to sign the JWT. This is done in onApplicationBootstrap of the RegistryService.

In addition, we also need a credential authorizing kubernetes to pull images for spinning up pods. This is also created in onApplicationBootstrap.

The PR is currently marked as draft to solicit feedback on the approach. It is missing:

  • I think trivy image scans are broken now, but that should be easy enough to fix
  • some naming isn't ideal yet
  • RegistryUsers don't expire
  • issued JWTs aren't clamped to the user's expiration date
  • kubernetes secrets with RegistryUsers should be deleted when a build is done

Type of change

  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Marking as a breaking change since existing registry with basic authentication would stop working and need to be migrated. However, token authentication is very flexible and in the future we could add a UI to create arbitrary registry users if that is a known use case we don't want to break.

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

I have built the operator with my changes, deployed it in a kind cluster and kicked off a build which worked fine.

  • I've built the image and tested it on a kubernetes cluster

Test Configuration:

  • Operator Version - requires operator changes, see PR there
  • Kubernetes Version: 1.34.0
  • Kubero CLI Version (if applicable): n/a

Checklist:

  • I removed unnecessary debug logs
  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I documented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
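The build-job flow described above (a RegistryUser with a random password, the credential check when the registry sends buildah back to the UI, a least-privilege grant for the requested scope, a JWT whose lifetime is clamped to the user's expiry, and the registry-side verification with the published public key), as an added TypeScript example that is not Kubero's code. It assumes its own RegistryUser shape, the `scope` and `access` formats of the distribution token specification, and uses Node's crypto module instead of a JWT library; the `kid` header a real registry matches against the published key is left out.

```typescript
import { createSign, createVerify, generateKeyPairSync, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";
// Assumed shapes (not Kubero's schema): a stored RegistryUser and one token-spec "access" entry.
export interface RegistryUser { name: string; salt: string; hash: string; grants: { repo: string; actions: string[] }[]; expiresAt: number }
export interface Access { type: string; name: string; actions: string[] }
// Create a user with a random password (the makeTemporaryPushCredentialsForImage() step); only an scrypt hash is stored.
export function newRegistryUser(name: string, grants: RegistryUser["grants"], expiresAt: number): { user: RegistryUser; password: string } {
  const password = randomBytes(24).toString("base64url");
  const salt = randomBytes(16).toString("hex");
  const hash = scryptSync(password, salt, 32).toString("hex");
  return { user: { name, salt, hash, grants, expiresAt }, password };
}
// Constant-time comparison of the supplied password against the stored hash.
export function checkPassword(user: RegistryUser, password: string): boolean {
  return timingSafeEqual(Buffer.from(user.hash, "hex"), scryptSync(password, user.salt, 32));
}
// Parse one "scope" value from the registry's 401 challenge, e.g. "repository:myapp:push,pull".
export function parseScope(scope: string): Access {
  const [type, name, actions] = scope.split(":");
  if (!type || !name || !actions) throw new Error(`malformed scope: ${scope}`);
  return { type, name, actions: actions.split(",") };
}
// Least privilege: keep only the requested actions the user actually holds on that repository.
export function grantedAccess(user: RegistryUser, req: Access): Access {
  const grant = req.type === "repository" ? user.grants.find((g) => g.repo === req.name) : undefined;
  return { ...req, actions: req.actions.filter((a) => grant?.actions.includes(a) ?? false) };
}
// Signing key pair; the public half is what would be published to the registry (the onApplicationBootstrap step).
export function newSigningKey(): { privateKey: string; publicKey: string } {
  return generateKeyPairSync("rsa", { modulusLength: 2048, publicKeyEncoding: { type: "spki", format: "pem" }, privateKeyEncoding: { type: "pkcs8", format: "pem" } });
}
const b64url = (s: string | Buffer): string => (typeof s === "string" ? Buffer.from(s) : s).toString("base64url");
// Issue an RS256 JWT in the distribution token layout; "exp" is clamped to the user's own expiry.
// Simplification: a real registry also expects a "kid" header that identifies the published key.
export function issueToken(user: RegistryUser, access: Access[], privateKey: string, nowSec: number): string {
  const exp = Math.min(nowSec + 300, user.expiresAt);
  if (exp <= nowSec) throw new Error("registry user expired");
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ iss: "kubero-ui", sub: user.name, aud: "kubero-registry", iat: nowSec, nbf: nowSec, exp, access }));
  const sig = createSign("RSA-SHA256").update(`${header}.${body}`).sign(privateKey);
  return `${header}.${body}.${b64url(sig)}`;
}
// Registry-side check with the public key; returns the claims, or null if the signature or time window fails.
export function verifyToken(token: string, publicKey: string, nowSec: number): Record<string, any> | null {
  const [h, b, s] = token.split(".");
  if (!s || !createVerify("RSA-SHA256").update(`${h}.${b}`).verify(publicKey, Buffer.from(s, "base64url"))) return null;
  const claims = JSON.parse(Buffer.from(b, "base64url").toString("utf8"));
  return claims.nbf <= nowSec && nowSec < claims.exp ? claims : null;
}
```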

nr-b added 5 commits December 28, 2025 13:45
upcoming changes will require this but maybe it can be dropped now
Looks like it's a development leftover.
…y string

Pipelines currently fail with the following error message:

Error from server (BadRequest): error decoding patch: invalid character 's' looking for beginning of object key string

It is due to improper escaping of JSON data in the patch. Fix this by
holding the JSON in an environment variable, leaving proper escaping to
the shell itself.

Fix included here for convenience.