Add support for authenticating with Amazon ECR private registry using repository policies and/or IAM policies

[m-the-magnificent]

How to categorize this issue?

/area security
/kind enhancement

What would you like to be added:
I would like the registry cache to be able to pull and cache images where

1. the upstream registry is an Amazon ECR private registry, and,
2. access is managed by Repository policies,
3. without explicit credentials being used.

In this use case, the AWS account where the shoot is deployed, and the registry cache pod is running, already has pull access to the repositories in Amazon ECR private registry via repository policies.

Why is this needed:

• We have a large number of large shoots in AWS, where services use Amazon ECR private registry as their registry to pull images from. Access to the private registry is managed via repository policies. There are no explicit credentials being used (e.g., username / password).
• We would like to leverage the registry cache extension to cache images.

[ialidzhikov]

As we talked offline, the limitation comes from the Distribution project, see distribution/distribution#4281.

[gardener-ci-robot]

The Gardener project currently lacks enough active contributors to adequately respond to all issues.
This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Mark this issue as rotten with /lifecycle rotten
• Close this issue with /close

/lifecycle stale

[gardener-ci-robot]

The Gardener project currently lacks enough active contributors to adequately respond to all issues.
This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close

/lifecycle rotten

[gardener-ci-robot]

The Gardener project currently lacks enough active contributors to adequately respond to all issues.
This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten

/close

[gardener-prow]

@gardener-ci-robot: Closing this issue.

In response to this:

The Gardener project currently lacks enough active contributors to adequately respond to all issues.
This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ialidzhikov]

/reopen

[gardener-prow]

@ialidzhikov: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ialidzhikov]

/remove-lifecycle rotten

[ialidzhikov]

There is now some kind of support merged in the Distribution project for exec plugins: distribution/distribution#4438