build container (AKA "docker") images from scratch inside GitLab CI
So we've had a few issues tracking this in the past, but none directly saying "I want to build containers here please".
We've had one issue to enable the container registry (gitlab#89 (closed)) and one asking for user namespaces (gitlab#90 (closed)), but both of those were either too broad or off topic, or are now irrelevant, as we're running containers from podman now (#41296 (closed) and #41327 (closed)).
So this issue aims at solving the "let's build a container inside GitLab CI" problem. TPA's current documentation on the matter shows how to do this with kaniko, but as @micah explained elsewhere (https://gitlab.torproject.org/tpo/tpa/container-images/-/merge_requests/1#note_2930961):
> However, to use Kaniko, we'd have to use an upstream container (`gcr.io/kaniko-project/executor:v1.9.0-debug`), which defeats the purpose of building our own containers.
So let's see if we can bootstrap some container trust chain here. This should probably be done inside the https://gitlab.torproject.org/tpo/tpa/container-images/ project, but that's not mandatory.
@micah, I hope you don't mind me creating an actual issue for this; I feel it's better than referencing an MR...
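One shape such a bootstrap could take, as an added example that is not TPA's configuration and not code from the container-images project: a `.gitlab-ci.yml` whose first job builds a Debian rootfs with mmdebstrap straight from the Debian archive, so trust is rooted in debian-archive-keyring rather than in an image pulled from a third-party registry, assembles it into an image with buildah starting `from scratch`, and pushes it to the project registry; a second job builds the project's own Containerfile on top of that. Assumptions not stated in the issue: buildah and mmdebstrap are present in whatever the bootstrap job runs in (the very first run needs a trusted seed, e.g. a shell executor or a manually built image; afterwards the job can use its own previous output, which is why the rootfs includes both tools), jobs run as root, the registry from gitlab#89 is enabled, and the image names, `bookworm`, and the `Containerfile` with its `ARG BASE` / `FROM $BASE` header are hypothetical.

```yaml
# Added example, not TPA's CI configuration. Assumptions (not from the issue):
# - buildah and mmdebstrap exist in the image the bootstrap job runs in; the
#   first run needs a trusted seed (or a shell executor), later runs can use
#   the previous bootstrap output, which includes both tools.
# - jobs run as root; the project's GitLab container registry is enabled.
stages:
  - bootstrap
  - build

variables:
  # Seed for the bootstrap job: on the first run an image TPA already
  # trusts, afterwards the output of the previous run (hypothetical name).
  BOOTSTRAP_SEED: "$CI_REGISTRY_IMAGE/debian-bootstrap:latest"
  BOOTSTRAP_IMAGE: "$CI_REGISTRY_IMAGE/debian-bootstrap:$CI_COMMIT_SHORT_SHA"
  # Honoured by buildah: vfs storage and chroot isolation let buildah run
  # nested inside a podman-run CI container without overlayfs or extra
  # user namespaces, at the cost of speed.
  STORAGE_DRIVER: vfs
  BUILDAH_ISOLATION: chroot

bootstrap-rootfs:
  stage: bootstrap
  image: $BOOTSTRAP_SEED
  script:
    # Minimal Debian rootfs built from the archive itself. apt verifies the
    # signed Release files against debian-archive-keyring, so the chain of
    # trust starts at Debian's signing keys, not at a registry image.
    # buildah and mmdebstrap are included so this image can seed the next run.
    - mmdebstrap --variant=apt --include=ca-certificates,buildah,mmdebstrap
        bookworm rootfs.tar https://deb.debian.org/debian
    # Assemble an image from nothing but that tarball.
    - ctr=$(buildah from scratch)
    - buildah add "$ctr" rootfs.tar /
    - buildah config --cmd /bin/bash "$ctr"
    - buildah commit "$ctr" "$BOOTSTRAP_IMAGE"
    - buildah login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - buildah push "$BOOTSTRAP_IMAGE"
    # Also publish it as the seed for the next bootstrap run.
    - buildah push "$BOOTSTRAP_IMAGE" "docker://$BOOTSTRAP_SEED"

build-image:
  stage: build
  needs: [bootstrap-rootfs]
  # Run the build inside the image we just bootstrapped ourselves.
  image: $BOOTSTRAP_IMAGE
  script:
    - buildah login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    # Hypothetical Containerfile in the repository starting with:
    #   ARG BASE
    #   FROM $BASE
    # so the project image derives from the bootstrapped base, never from
    # an upstream registry image.
    - buildah build --build-arg BASE="$BOOTSTRAP_IMAGE"
        -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" -f Containerfile .
    - buildah push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
```

The only thing pulled from outside the project is the Debian archive, and that pull is checked by apt against the archive keyring; the kaniko executor image the quoted note objects to is gone. The remaining trust decision is the seed for the first run of `bootstrap-rootfs`, which is exactly the thing a shell executor (or one manually built image) has to provide once. Since the runner is driven by podman, `podman build`/`podman push` could stand in for buildah with the same `STORAGE_DRIVER`/isolation caveats.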