feat: 🎸 adding helm repo password refresh

[igaskin]

useful for ECR OCI helm repositories which require credential refresh after 12 hours

✅ Closes: #8097

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• Optional. My organization is added to USERS.md.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).

[codecov]

Codecov Report

Base: 47.32% // Head: 47.28% // Decreases project coverage by -0.03% ⚠️

Coverage data is based on head (be1355d) compared to base (566d50f).
Patch coverage: 8.10% of modified lines in pull request are covered.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11857      +/-   ##
==========================================
- Coverage   47.32%   47.28%   -0.04%     
==========================================
  Files         245      245              
  Lines       41545    41582      +37     
==========================================
+ Hits        19661    19664       +3     
- Misses      19903    19936      +33     
- Partials     1981     1982       +1     

Impacted Files	Coverage Δ
util/helm/client.go	44.04% <8.10%> (-3.48%)	⬇️
util/settings/settings.go	48.42% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[igaskin]

although this is how the argo-image-updater does credential refresh, I'm not a big fan of arbitrary code execution, and it would also require the repo-server to have those binaries available on the filesystem.

[or-navon]

@igaskin Hi, I really need this feature. Is there a way I can help/Is there a standard workaround you know of?

[blakepettersson]

@or-navon have you seen #10218? There's a workaround with external-secrets there.

@igaskin would the workaround in #10218 be good enough?

[offzale]

@blakepettersson this was actually something I expected the repo-server would do by itself, as argo-image-updater already does. Since repo-server does not do so, many people might be deploying external-secrets only to do this workaround.

I understand that by supporting this, other OCI registries' custom login methods might follow. Therefore, it might make sense to take advantage of external-secrets already implementing this, so argo components can avoid implementing it. However, having it implemented in some components but not in others, where it is equally needed, is not consistent and might be a bit confusing

[moritz31]

Would be great to have this feature. Maybe one can streamline this so that u can just pass the type of registry and can easily contribute new authentication mechanism for other registries, so that someone would need an special authenticatihion for gke or something like this he can easily contribute