Add authorized proxy-cache repositories for all cern-users
With OTG0153808 we closed the proxy-cache repositories outside CERN by allowing only CERN IPs. Some users on other sites rely on the proxy caches we provide.
The proper fix is being followed up upstream.
Until we get improvements upstream, a workaround is:
Add the proxy-cache repositories as private and add cern-users as "Limited Guest". Users will be able to log in with their personal token; there are no robot accounts for Limited Guests. We can also check whether CERN secondary service accounts can work as "long-lived tokens"; probably they don't, since the Harbor registry does not accept CERN credentials directly.
We need to check with users whether this is something that would be useful to them.
Important
kv/data/kubernetes/services/kops-registry/gpn/cern/protected-repo-auth is a public RSA key in PEM format generated from kv/data/kubernetes/services/kops-registry/gpn/harbor/core#tokenKey using: openssl rsa -in tls-prod.key -pubout
Still to be understood: what kv/data/kubernetes/services/kops-registry/gpn/harbor/core#tokenCert is.
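
A consistency check for the three values named above, as an added example (not part of the original ticket or of the registry's own tooling): it fingerprints the public key derived from a private key, a stored PEM public key and a certificate, so the three can be compared. The key and certificate are constructed throwaway stand-ins, the file names other than tls-prod.key are hypothetical, and treating tokenCert as an X.509 certificate is an assumption the check tests, not something the ticket states.

```shell
#!/bin/sh
# Added example. Key and certificate are constructed throwaway stand-ins for
# tokenKey, protected-repo-auth and tokenCert; nothing here reads Vault.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM public key on stdin.
spki_fp() {
  pem=$(openssl pkey -pubin -pubout 2>/dev/null) || return 1  # reject non-key input
  printf '%s\n' "$pem" | openssl pkey -pubin -pubout -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}

# Same derivation as the ticket: openssl rsa -in <private key> -pubout
fp_from_private_key() { openssl rsa -in "$1" -pubout 2>/dev/null | spki_fp; }
fp_from_public_key()  { spki_fp < "$1"; }
# Assumption: the file is a PEM X.509 certificate; anything else fails here.
fp_from_certificate() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | spki_fp; }

# check_pair LABEL FP_A FP_B: report the comparison, return 1 on mismatch.
check_pair() {
  if [ -n "$2" ] && [ "$2" = "$3" ]; then
    echo "$1: same public key"
  else
    echo "$1: DIFFERENT public key"; return 1
  fi
}

umask 077                      # private key material: owner-only files
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed inputs standing in for the Vault values.
openssl genrsa -out "$work/tls-prod.key" 2048 2>/dev/null
openssl rsa -in "$work/tls-prod.key" -pubout -out "$work/protected-repo-auth.pem" 2>/dev/null
openssl req -x509 -new -key "$work/tls-prod.key" -subj "/CN=constructed-example" \
  -days 1 -out "$work/token.crt" 2>/dev/null
openssl genrsa -out "$work/unrelated.key" 2048 2>/dev/null

key_fp=$(fp_from_private_key "$work/tls-prod.key")
check_pair "protected-repo-auth vs tokenKey" "$key_fp" \
  "$(fp_from_public_key "$work/protected-repo-auth.pem")"
check_pair "tokenCert vs tokenKey" "$key_fp" "$(fp_from_certificate "$work/token.crt")"
# A key rotated without regenerating the public key shows up as a mismatch.
check_pair "stale public key vs rotated key" \
  "$(fp_from_private_key "$work/unrelated.key")" "$key_fp" || true
```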