Support narrowly scoped registry authentication

[arewm]

Global access might not be granted for an entire registry. Instead, multiple service accounts/robots may be used for narrowly scoped push/pull actions. Registry authentication should be done from most-specific to least-specific.

When checking for available credentials, the relevant repository is matched against available keys in its hierarchical order, going from most-specific to least-specific. For example, an image pull for my-registry.local/namespace/user/image:latest will result in a lookup in auth.json in the following order:

• my-registry.local/namespace/user/image
• my-registry.local/namespace/user
• my-registry.local/namespace
• my-registry.local

https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md#format

This is similar to the proposed change in https://github.com/google/go-containerregistry/pull/1966.

[shizhMSFT]

Related to #836

[shizhMSFT]

This requires a redesign of the auth module, which further requires a design revisit.