proxy: Use the provided credentials in the request against the upstream

[ialidzhikov]

Description

Kubernetes has well defined ways of providing credentials for image pulls:

• You can specify an image pull Secret (see Pull an Image from a Private Registry
• You have to configure kubelet to dynamically retrieve credentials using a credential provider plugin (see Configure a kubelet image credential provider)

When pulling an image, kubelet is providing the credentials to the CRI implementation. The CRI implementation (containerd, cri-o, ...) uses the provided credentials against the upstream registry to pull the image.

We are running the proxy (pull through cache) in a Kubernetes cluster. We configure the CRI implementation (containerd for our case) to make use of the deployed proxy in the cluster. See Registry Configuration - Introduction.

The proxy does not respect/use the authentication provided to it via containerd.
Instead, the proxy support only one set of credentials per instance (per remoteurl). See Configure the cache:

proxy:
  remoteurl: https://registry-1.docker.io
  username: [username]
  password: [password]
  ttl: 168h

This makes it unusable for many of the cases as in Kubernetes you can provide many image pull secrets for your Pods.

It would be great if the proxy can use the provided credentials in the image pull request and use them against the upstream.