Support basic authentication for registries

[squaremo]

The image registry code assumed

• all image registries use HTTPS
• all image registries use token authentication

..but if you run your own registry in your cluster, neither of these things is likely to be true.

To support basic authentication, all we need to do is add a handler in when constructing the registry client; it will get used if the authentication challenge indicates so.

Supporting HTTP is (oddly) a bit trickier, since there's no indication from an image name (which is all we have) whether the registry uses HTTP or HTTPS. We want to use HTTPS in general, so make the user tell us which hosts to use HTTP for (so that it's at least possible to use it), and otherwise use HTTPS.

Fixes #915.

EDIT: describe alternate solution, from comment below, to HTTP vs HTTPS.

[squaremo]

One caveat: since we try HTTP first (in the expectation that we'll be redirected if HTTPS is required), if a registry accepts HTTP we might end up sending auth headers over an insecure connection. All of {index.docker.io, quay.io, gcr.io} require HTTPS, but it's possible that somebody could set up a private registry that's not in their cluster and doesn't use HTTPS. Suggestions welcome!

[squaremo]

One caveat: since we try HTTP first

An alternative would be to require people using insecure registries to tell us about them explicitly, e.g., as a command-line argument something like

--registry-insecure-host=kube-registry.kube-system.svc.cluster.local

[samb1729]

RCGW

[samb1729]

Capturing thoughts:
In general we would benefit from integration tests for this sort of thing, but I don't think it's necessary to require it here. Perhaps we should capture "integration test all the things" in its own issue since it's likely not a small task.
For now let's leave the bar at "I ran it a few times locally and it seemed to work and it also looks sane"