feat: add bearer token support for http sync.go #435

Open
husira wants to merge 1 commit into carvel-dev:develop from husira:develop

@husira commented Dec 26, 2025

This PR adds Bearer token authentication support to vendir sync (http) command:

In addition to existing HTTP Basic Auth (username / password), users can now authenticate using a Bearer token provided via secretRef.

Exactly one authentication method is allowed per secret:
• username + password → HTTP Basic Auth
• token → Authorization: Bearer

Mixed or incomplete credentials are rejected with clear validation errors.

We are using vendir to sync files from JFrog Artifactory. Our organization enforces authentication via access tokens instead of username/password. The authentication with JFrog Artifactory is implemented using Bearer tokens.

```yaml
# use of username / password
apiVersion: v1
kind: Secret
metadata:
  name: secret-ref
data:
  username: dXNlcm5hbWU=
  password: cGFzc3dvcmQ=
---
apiVersion: vendir.k14s.io/v1alpha1
kind: Config
directories:
  - path: <path>
    contents:
    - path: "."
      http:
        url: https://<url>
        secretRef:
          name: secret-ref
```

```yaml
# use of token
apiVersion: v1
kind: Secret
metadata:
  name: secret-ref
data:
  token: dG9rZW4=
---
apiVersion: vendir.k14s.io/v1alpha1
kind: Config
directories:
  - path: <path>
    contents:
    - path: "."
      http:
        url: https://<url>
        secretRef:
          name: secret-ref
```

I could successfully test the implementation with our registry (JFrog Artifactory) using username/password or a Bearer token.

Signed-off-by: Raphael Husistein <raphael.husistein@hotmail.com>
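
One way to implement the rule described above (exactly one method per secret, mixed or incomplete credentials rejected), as an added Go example that is not the PR's or vendir's code. `authHeader` is a hypothetical helper, the key names come from the Secret examples above, and the whitespace check on the token and the error for a secret without credential keys are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
)

// authHeader is a hypothetical helper, not vendir's code. data holds the
// decoded Secret values under the keys used in the PR description.
// Error messages name the problem but never include a secret value.
func authHeader(data map[string][]byte) (string, error) {
	user, hasUser := data["username"]
	pass, hasPass := data["password"]
	token, hasToken := data["token"]

	switch {
	case hasToken && (hasUser || hasPass):
		return "", errors.New("secret mixes token with username/password")
	case hasToken:
		// Key presence alone is not enough: reject an empty token and one
		// with whitespace, e.g. the newline left by `echo tok | base64`.
		if len(token) == 0 || bytes.ContainsAny(token, " \t\r\n") {
			return "", errors.New("token is empty or contains whitespace")
		}
		return "Bearer " + string(token), nil
	case hasUser != hasPass:
		return "", errors.New("username and password must be set together")
	case hasUser:
		// A Basic auth user-id cannot contain ':' (RFC 7617).
		if len(user) == 0 || bytes.ContainsRune(user, ':') {
			return "", errors.New("username is empty or contains ':'")
		}
		creds := string(user) + ":" + string(pass)
		return "Basic " + base64.StdEncoding.EncodeToString([]byte(creds)), nil
	}
	// Assumption: a referenced secret with no credential keys is an error.
	return "", errors.New("secret has no username/password or token")
}

func main() {
	// Constructed, non-secret inputs mirroring the Secret examples (decoded).
	for _, d := range []map[string][]byte{
		{"username": []byte("username"), "password": []byte("password")},
		{"token": []byte("token")},
		{"token": []byte("token\n")},
		{"token": []byte("token"), "password": []byte("password")},
	} {
		h, err := authHeader(d)
		fmt.Printf("header=%q err=%v\n", h, err)
	}
}
```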
@husira changed the title from "feat: add bearer token support for sync.go" to "feat: add bearer token support for http sync.go" on Dec 26, 2025

@joaopapereira (Member) left a comment

Hello,
Sorry for the very very late reply but this PR fell off my radar :(
Thanks for creating this PR.

I have some comments that I would like you to address in order to move forward with this PR.
Thanks

token, hasToken := secret.Data[ctlconf.SecretK8sCorev1HTTPBearerTokenKey]

// Be strict about basic auth fields: require username and password together.
if hasUser && !hasPass {
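
Review bot: `hasToken` on the first line of this hunk only records that the `token` key exists in `secret.Data`, so a secret whose `token` value is empty still counts as a bearer-token secret and the request could go out with an empty credential. Unless an emptiness check exists in lines not shown here, suggest also requiring `len(token) > 0` (and the same for the username if `hasUser` comes from a map lookup too) and returning a validation error that names the key but not its value.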

I know it is not the greatest policy, but can the password not be empty? In this case the password is not required. Maybe this is a little bit too strict.

The next check I think is ok.

}

// Do not allow mixing basic auth and bearer token in the same secret.
if hasToken && (hasUser || hasPass) {

Suggested change
if hasToken && (hasUser || hasPass) {
if hasToken && hasUser {

There should be no password field if the user is not present. Also, we already do this validation in the lines above.

@@ -0,0 +1,191 @@
package http

Suggested change
package http
package http_test

ctlconf "carvel.dev/vendir/pkg/vendir/config"
)

/*

For the tests, please refer to other examples like https://github.com/carvel-dev/vendir/blob/develop/pkg/vendir/fetch/cache/cache_test.go where we use github.com/stretchr/testify/require to do assertions, to keep the tests consistent through the project.

@github-project-automation bot moved this to In Progress in Carvel on Feb 3, 2026

@husira (Author) commented Feb 16, 2026

Hey @joaopapereira

Thank you for the updates!

I am currently traveling until mid-April. Therefore, I am unable to continue working on it at this time.

@patrickmx, do you find time to take a look at this?
