go-containerregistry
WIP: support multiple credentials
This is an attempt to allow our authn and transport packages to cooperate and allow for keychains (incl. DefaultKeychain) to provide multiple creds, which will be tried in turn by the transport, until one succeeds.
This is not optimal so far, since each time through RoundTrip will try all the provided credentials from the start until one works, when it should "remember" which one worked for this registry+repo and reuse that if possible next time against that registry+repo.
This also doesn't support bearer auth yet, only basic auth, since bearer auth requires refreshing tokens before checking if they can be used. That should be doable though, it's just work.
This changes DefaultKeychain to provide creds for both "registry.com" and "registry.com/repo", and for backward compatibility adds an extension interface MultiAuthenticator which is an Authenticator capable of returning multiple auths.
We may also want to extend this to MultiKeychain so we can allow a multikeychain to try creds from the Docker config and then fall back to a cred helper if that first request fails -- today, we'll just fail if that first matching cred is invalid.
cc @jonjohnsonjr for 👀
https://github.com/google/go-containerregistry/issues/1329 https://github.com/google/go-containerregistry/issues/1431
@jwcesign
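
The behaviour the description asks for (try each credential in turn, then remember which one worked per registry+repo), sketched as an added example that is not code from this PR or from go-containerregistry. `Cred`, `multiBasic`, `scopeKey` and the path pattern are assumptions made for the sketch, and it covers basic auth only.

```go
package main

import (
	"net/http"
	"regexp"
	"sync"
)

// Cred and multiBasic are hypothetical names for this sketch, not go-containerregistry types.
type Cred struct{ User, Pass string }
type multiBasic struct {
	inner http.RoundTripper
	creds []Cred   // candidates, in the order the keychain returned them
	good  sync.Map // "host/repo" -> index of the credential that last worked
}

var repoRE = regexp.MustCompile(`^/v2/(.+)/(manifests|blobs|tags)/`)

// scopeKey reduces a registry API path to "host/repo" (or "host" for /v2/ itself).
func scopeKey(r *http.Request) string {
	if m := repoRE.FindStringSubmatch(r.URL.Path); m != nil {
		return r.URL.Host + "/" + m[1]
	}
	return r.URL.Host
}

func (t *multiBasic) RoundTrip(req *http.Request) (*http.Response, error) {
	key, start, tries := scopeKey(req), 0, len(t.creds)
	if v, ok := t.good.Load(key); ok {
		start = v.(int) // begin with the credential that worked last time
	}
	if tries > 1 && req.Body != nil && req.Body != http.NoBody {
		tries = 1 // a consumed body cannot be replayed, so no fallback
	}
	for n := 0; n < tries; n++ {
		i := (start + n) % len(t.creds)
		r := req.Clone(req.Context()) // never mutate the caller's request
		r.SetBasicAuth(t.creds[i].User, t.creds[i].Pass)
		resp, err := t.inner.RoundTrip(r)
		if err == nil && resp.StatusCode < 400 {
			t.good.Store(key, i)
		}
		if err != nil || resp.StatusCode != http.StatusUnauthorized || n == tries-1 {
			return resp, err // success, hard failure, or the last 401
		}
		resp.Body.Close() // discard this 401 and try the next credential
	}
	return t.inner.RoundTrip(req) // no credentials configured: anonymous request
}
```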