
Support cross cloud federation #311

Open
danquack opened this issue Aug 10, 2022 · 1 comment

Comments

@danquack

GCP supports authenticating from different trusted identities. One possible authentication story is a user wants to auth from AWS against a GCloud Container Registry. Currently the auth code only supports querying the internal metadata URL via the const GCP_TOKEN_URL.

References:
https://cloud.google.com/iam/docs/configuring-workload-identity-federation
https://cloud.google.com/iam/docs/using-workload-identity-federation#aws_3
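The AWS-to-GCP exchange the issue refers to, as an added example that is not part of this issue thread or of the project's own auth code. It implements, with the Go standard library only, the two messages the workload identity federation docs describe for AWS: the SigV4-signed `GetCallerIdentity` request that serves as the subject token, and the form body of the token-exchange request to `https://sts.googleapis.com/v1/token`. `AWSCreds`, `SubjectToken`, `BuildAWSSubjectToken` and `STSExchangeForm` are names chosen here; the project number, pool and provider names, and the AWS key material in the test are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"net/url"
	"sort"
	"strings"
	"time"
)

// AWSCreds are the AWS credentials that sign the request (from the instance/task metadata service
// or the SDK chain on AWS). SessionToken is set for role/temporary credentials, empty for long-lived keys.
type AWSCreds struct {
	AccessKeyID, SecretAccessKey, SessionToken string
}

// SubjectToken is the JSON document Google STS accepts for subject_token_type
// urn:ietf:params:aws:token-type:aws4_request: a signed request it can replay against AWS.
type SubjectToken struct {
	URL     string   `json:"url"`
	Method  string   `json:"method"`
	Headers []Header `json:"headers"`
}

type Header struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// BuildAWSSubjectToken SigV4-signs a GetCallerIdentity request without sending it. The
// x-goog-cloud-target-resource header is covered by the signature, so the token is pinned to one
// workload identity provider (the audience) and cannot be replayed against another.
func BuildAWSSubjectToken(creds AWSCreds, region, audience string, now time.Time) SubjectToken {
	const service = "sts"
	host := "sts." + region + ".amazonaws.com"
	query := "Action=GetCallerIdentity&Version=2011-06-15" // already sorted, so also the canonical query
	amzDate := now.UTC().Format("20060102T150405Z")
	dateStamp := now.UTC().Format("20060102")
	// Signed headers: lower-case names, sorted, each rendered as "name:value\n" in the canonical form.
	hdrs := map[string]string{"host": host, "x-amz-date": amzDate, "x-goog-cloud-target-resource": audience}
	if creds.SessionToken != "" {
		hdrs["x-amz-security-token"] = creds.SessionToken
	}
	names := make([]string, 0, len(hdrs))
	for k := range hdrs {
		names = append(names, k)
	}
	sort.Strings(names)
	var canon strings.Builder
	for _, k := range names {
		canon.WriteString(k + ":" + hdrs[k] + "\n")
	}
	signedHeaders := strings.Join(names, ";")
	// SigV4 step 1: canonical request (empty body, so the payload hash is SHA-256 of "").
	emptyHash := sha256.Sum256(nil)
	canonicalRequest := strings.Join([]string{"POST", "/", query, canon.String(), signedHeaders, hex.EncodeToString(emptyHash[:])}, "\n")
	// Step 2: string to sign, bound to the date/region/service scope.
	scope := dateStamp + "/" + region + "/" + service + "/aws4_request"
	crHash := sha256.Sum256([]byte(canonicalRequest))
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hex.EncodeToString(crHash[:])}, "\n")
	// Step 3: derive the signing key from the secret key and sign.
	kDate := hmacSHA256([]byte("AWS4"+creds.SecretAccessKey), dateStamp)
	kSigning := hmacSHA256(hmacSHA256(hmacSHA256(kDate, region), service), "aws4_request")
	signature := hex.EncodeToString(hmacSHA256(kSigning, stringToSign))
	tok := SubjectToken{URL: "https://" + host + "?" + query, Method: "POST"}
	for _, k := range names {
		tok.Headers = append(tok.Headers, Header{Key: k, Value: hdrs[k]})
	}
	auth := "AWS4-HMAC-SHA256 Credential=" + creds.AccessKeyID + "/" + scope + ", SignedHeaders=" + signedHeaders + ", Signature=" + signature
	tok.Headers = append(tok.Headers, Header{Key: "Authorization", Value: auth})
	return tok
}

// STSExchangeForm builds the form body POSTed to https://sts.googleapis.com/v1/token; the response's
// access_token is the federated token. url.Values.Encode() percent-encodes the subject token JSON.
func STSExchangeForm(audience string, tok SubjectToken) (url.Values, error) {
	raw, err := json.Marshal(tok)
	if err != nil {
		return nil, err
	}
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
	v.Set("audience", audience)
	v.Set("scope", "https://www.googleapis.com/auth/cloud-platform")
	v.Set("requested_token_type", "urn:ietf:params:oauth:token-type:access_token")
	v.Set("subject_token_type", "urn:ietf:params:aws:token-type:aws4_request")
	v.Set("subject_token", string(raw))
	return v, nil
}
```

The audience is the provider's full resource name (`//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID`). Nothing is sent to AWS by the caller; Google STS replays the signed request itself, which is why no AWS secret ever leaves the workload and why the only material shipped around is an identity pool binding rather than a service account JSON key. The `access_token` in the STS response is presented to the registry the same way a `gcloud auth print-access-token` token is (username `oauth2accesstoken`), provided the federated principal has been granted access on the registry directly or is allowed to impersonate a service account via the IAM Credentials API.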

@thejosephstevens

I'm going to look into taking this on. I had assumed that the GCP provider operated on the standard GCP auth resolution, but as it works here you have to either pass a secret into the upstream resource (e.g. OCIRepository), or you have to be running in GCP and using a metadata endpoint for auth. I run in all 3 clouds, and wanted to distribute all artifacts from a centralized place in GCP, and I was really trying to avoid shipping service account json creds around everywhere. I don't want to use node-level permissions because that requires allowing a pod to access node permissions, which we lock down by default, and we use a custom CNI in GKE which doesn't play well with the GKE Metadata Server daemon, so that's also not an option.
