Add support for authenticating with Amazon ECR private registry using repository policies and/or IAM policies

[m-the-magnificent]

How to categorize this issue?

/area security /kind enhancement

What would you like to be added: I would like the registry cache to be able to pull and cache images where

1. the upstream registry is an Amazon ECR private registry, and,
2. access is managed by Repository policies,
3. without explicit credentials being used.

In this use case, the AWS account where the shoot is deployed, and the registry cache pod is running, already has pull access to the repositories in Amazon ECR private registry via repository policies.

Why is this needed:

• We have a large number of large shoots in AWS, where services use Amazon ECR private registry as their registry to pull images from. Access to the private registry is managed via repository policies. There are no explicit credentials being used (e.g., username / password).
• We would like to leverage the registry cache extension to cache images.

[ialidzhikov]

As we talked offline, the limitation comes from the Distribution project, see https://github.com/distribution/distribution/issues/4281.