add support to push to remote registry

[vsoch]

We want to be able to (for more production experiments) push to a production registry, as opposed to bringing up/down a namespaced registry on every new kubernetes cluster (which, for a given experiment, could be many).

Usage

Instead we take the following approach:

1. Create a secret in our job/pod namespace with an ORAS_USER and ORAS_XX_PASS (for push/pull, depending on needs). This should be scoped to have only permission to packages.
2. An extra field on the oras operator CRD says "do not deploy a local registry" (saving us resources in the cluster)
3. An annotation on the pod directs to push to the remote registry, and load the secrets from the namespace.

And it works!

Benefits

• This will allow us to bring up /down many clusters without worrying about losing results - the registry does not go away.
• We don't need to plan for the registry to take up extra pod resources on our cluster
• We don't need to worry about the storage being too small
• We don't need to wait for any pod creation for the registry - it's essentially an operator that adds a mutating admission webhook!