Distribution moved from the long archived libtrust to go-jose on Oct 19, 2023 in this change: distribution/distribution@fe21f43
This will be in whatever release comes out after the current v2.8.3 release (from Oct 2, 2023). Looking at the changes to https://github.com/distribution/distribution/blob/main/registry/auth/token/accesscontroller.go and https://github.com/distribution/distribution/blob/main/registry/auth/token/token.go - it would appear that there is no longer a need for the libtrust style KID and that if a KID is included in the JWT, then there MUST be a JWKS file (rather than a rootcerts file ... and no support for JWKS URLs yet) set up in the config to associate each JWK with a KID for lookup.
Specifically, see:
https://github.com/distribution/distribution/blob/b8fb08e0a14646eb5439fa7915e017cb1176c173/registry/auth/token/token.go#L141-L153
The simple fix is for open-balena-registry to also pull in the KID environment variable, add a confd template to generate a jwks from the KID+CERT, and then update the docker-registry.yml.tmpl template to have a jwks entry pointing to the jwks file rather than a rootcertbundle line.
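The JWKS generation step proposed above, sketched as an added example (not code from open-balena-registry or distribution): it reads a PEM certificate and a KID and emits a one-key JWKS. It assumes an EC certificate; `JWKSFromCert`, `sampleCertPEM` and the `EXAMPLE-KID` value are hypothetical, and the certificate is constructed at run time as sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// JWKSFromCert (hypothetical helper) builds a one-key JWKS from an EC certificate and a KID.
func JWKSFromCert(certPEM []byte, kid string) ([]byte, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an EC public key")
	}
	// RFC 7518 6.2.1: x and y are fixed-width big-endian, so leading zeros are kept.
	n, enc := (pub.Curve.Params().BitSize+7)/8, base64.RawURLEncoding.EncodeToString
	jwk := map[string]string{"kty": "EC", "kid": kid, "crv": pub.Curve.Params().Name,
		"x": enc(pub.X.FillBytes(make([]byte, n))), "y": enc(pub.Y.FillBytes(make([]byte, n)))}
	return json.MarshalIndent(map[string][]map[string]string{"keys": {jwk}}, "", "  ")
}

// sampleCertPEM builds a throwaway self-signed P-256 certificate (constructed input).
func sampleCertPEM() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	out, err := JWKSFromCert(sampleCertPEM(), "EXAMPLE-KID") // placeholder KID
	fmt.Println(string(out), err)
}
```

The `kid` written here has to be the same value the token issuer puts in the JWT header, since that is what the registry uses to look the key up.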