Merge pull request #2773 from dmcgowan/2.6-add-goarm-flag

[release/2.6] Add GOARM flag to dockerfile
Add GOARM flag to dockerfile
2018-11-29 15:14:41 -08:00 · 2018-11-28 13:51:51 -08:00 · 2018-11-27 16:48:46 -08:00 · 2018-11-27 16:42:15 -08:00 · 2018-06-21 13:58:36 -07:00 · 2018-05-22 14:41:01 -07:00
59 changed files with 1795 additions and 2690 deletions
--- a/.mailmap
+++ b/.mailmap
@ -16,3 +16,4 @@ davidli <wenquan.li@hp.com> davidli <wenquan.li@hpe.com>
 Omer Cohen <git@omer.io> Omer Cohen <git@omerc.net>
 Eric Yang <windfarer@gmail.com> Eric Yang <Windfarer@users.noreply.github.com>
 Nikita Tarasov <nikita@mygento.ru> Nikita <luckyraul@users.noreply.github.com>
 Misty Stanley-Jones <misty@docker.com>  Misty Stanley-Jones <misty@apache.org>
--- a/24
+++ b/24
@ -1,4 +1,3 @@
 a-palchikov <deemok@gmail.com>
 Aaron Lehmann <aaron.lehmann@docker.com>
 Aaron Schlesinger <aschlesinger@deis.com>
 Aaron Vinson <avinson.public@gmail.com>
@ -18,10 +17,11 @@ Andrew T Nguyen <andrew.nguyen@docker.com>
 Andrey Kostov <kostov.andrey@gmail.com>
 Andy Goldstein <agoldste@redhat.com>
 Anis Elleuch <vadmeste@gmail.com>
 Anton Tiurin <noxiouz@yandex.ru>
 Antonio Mercado <amercado@thinknode.com>
 Antonio Murdaca <runcom@redhat.com>
 Anton Tiurin <noxiouz@yandex.ru>
 Anusha Ragunathan <anusha@docker.com>
 a-palchikov <deemok@gmail.com>
 Arien Holthuizen <aholthuizen@schubergphilis.com>
 Arnaud Porterie <arnaud.porterie@docker.com>
 Arthur Baars <arthur@semmle.com>
@ -46,9 +46,9 @@ Darren Shepherd <darren@rancher.com>
 Dave Trombley <dave.trombley@gmail.com>
 Dave Tucker <dt@docker.com>
 David Lawrence <david.lawrence@docker.com>
 davidli <wenquan.li@hp.com>
 David Verhasselt <david@crowdway.com>
 David Xia <dxia@spotify.com>
 davidli <wenquan.li@hp.com>
 Dejan Golja <dejan@golja.org>
 Derek McGowan <derek@mcgstyle.net>
 Diogo Mónica <diogo.monica@gmail.com>
@ -68,8 +68,8 @@ gabriell nascimento <gabriell@bluesoft.com.br>
 Gleb Schukin <gschukin@ptsecurity.com>
 harche <p.harshal@gmail.com>
 Henri Gomez <henri.gomez@gmail.com>
 Hu Keping <hukeping@huawei.com>
 Hua Wang <wanghua.humble@gmail.com>
 Hu Keping <hukeping@huawei.com>
 HuKeping <hukeping@huawei.com>
 Ian Babrou <ibobrik@gmail.com>
 igayoso <igayoso@gmail.com>
@ -86,21 +86,21 @@ Jihoon Chung <jihoon@gmail.com>
 Joao Fernandes <joao.fernandes@docker.com>
 John Mulhausen <john@docker.com>
 John Starks <jostarks@microsoft.com>
 Jonathan Boulle <jonathanboulle@gmail.com>
 Jon Johnson <jonjohnson@google.com>
 Jon Poler <jonathan.poler@apcera.com>
 Jonathan Boulle <jonathanboulle@gmail.com>
 Jordan Liggitt <jliggitt@redhat.com>
 Josh Chorlton <josh.chorlton@docker.com>
 Josh Hawn <josh.hawn@docker.com>
 Julien Fernandez <julien.fernandez@gmail.com>
 Ke Xu <leonhartx.k@gmail.com>
 Keerthan Mala <kmala@engineyard.com>
 Kelsey Hightower <kelsey.hightower@gmail.com>
 Kenneth Lim <kennethlimcp@gmail.com>
 Kenny Leung <kleung@google.com>
-Li Yi <denverdino@gmail.com>
+Ke Xu <leonhartx.k@gmail.com>
 Liu Hua <sdu.liu@huawei.com>
 liuchang0812 <liuchang0812@gmail.com>
 Liu Hua <sdu.liu@huawei.com>
 Li Yi <denverdino@gmail.com>
 Lloyd Ramey <lnr0626@gmail.com>
 Louis Kottmann <louis.kottmann@gmail.com>
 Luke Carpenter <x@rubynerd.net>
@ -108,15 +108,14 @@ Marcus Martins <marcus@docker.com>
 Mary Anthony <mary@docker.com>
 Matt Bentley <mbentley@mbentley.net>
 Matt Duch <matt@learnmetrics.com>
 Matthew Green <greenmr@live.co.uk>
 Matt Moore <mattmoor@google.com>
 Matt Robenolt <matt@ydekproductions.com>
 Matthew Green <greenmr@live.co.uk>
 Michael Prokop <mika@grml.org>
 Michal Minar <miminar@redhat.com>
 Michal Minář <miminar@redhat.com>
 Mike Brown <brownwm@us.ibm.com>
 Miquel Sabaté <msabate@suse.com>
 Misty Stanley-Jones <misty@apache.org>
 Misty Stanley-Jones <misty@docker.com>
 Morgan Bauer <mbauer@us.ibm.com>
 moxiegirl <mary@docker.com>
@ -165,17 +164,18 @@ Tonis Tiigi <tonistiigi@gmail.com>
 Tony Holdstock-Brown <tony@docker.com>
 Trevor Pounds <trevor.pounds@gmail.com>
 Troels Thomsen <troels@thomsen.io>
 Victor Vieux <vieux@docker.com>
 Victoria Bialas <victoria.bialas@docker.com>
 Victor Vieux <vieux@docker.com>
 Vincent Batts <vbatts@redhat.com>
 Vincent Demeester <vincent@sbr.pm>
 Vincent Giersch <vincent.giersch@ovh.net>
 W. Trevor King <wking@tremily.us>
 weiyuan.yl <weiyuan.yl@alibaba-inc.com>
 W. Trevor King <wking@tremily.us>
 xg.song <xg.song@venusource.com>
 xiekeyang <xiekeyang@huawei.com>
 Yann ROBERT <yann.robert@anantaplex.fr>
 yaoyao.xyy <yaoyao.xyy@alibaba-inc.com>
 yixi zhang <yixi@memsql.com>
 yuexiao-wang <wang.yuexiao@zte.com.cn>
 yuzou <zouyu7@huawei.com>
 zhouhaibing089 <zhouhaibing089@gmail.com>
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,67 +1,75 @@
 # Changelog
-## 2.6.0-rc1 (2016-10-10)
+## 2.6.1 (2017-04-05)
 #### Storage
 - S3: fixed bug in delete due to read-after-write inconsistency
 - S3: allow EC2 IAM roles to be used when authorizing region endpoints
 - S3: add Object ACL Support
 - S3: fix delete method's notion of subpaths
 - S3: use multipart upload API in `Move` method for performance
 - S3: add v2 signature signing for legacy S3 clones
 - Swift: add simple heuristic to detect incomplete DLOs during read ops
 - Swift: support different user and tenant domains
 - Swift: bulk deletes in chunks
 - Aliyun OSS: fix delete method's notion of subpaths
 - Aliyun OSS: optimize data copy after upload finishes
 - Azure: close leaking response body
 - Fix storage drivers dropping non-EOF errors when listing repositories
 - Compare path properly when listing repositories in catalog
 - Add a foreign layer URL host whitelist
 - Improve catalog enumerate runtime
 #### Registry
-  - Override media type returned from `Stat()` for existing manifests
+- Fix `Forwarded` header handling, revert use of `X-Forwarded-Port`
-  - Export `storage.CreateOptions` in top-level package
+- Use driver `Stat` for registry health check
-  - Enable notifications to endpoints that use self-signed certificates
+
-  - Properly validate multi-URL foreign layers
+## 2.6.0 (2017-01-18)
-  - Add control over validation of URLs in pushed manifests
+
-  - Proxy mode: fix socket leak when pull is cancelled
+#### Storage
-  - Tag service: properly handle error responses on HEAD request
+- S3: fixed bug in delete due to read-after-write inconsistency
-  - Support for custom authentication URL in proxying registry
+- S3: allow EC2 IAM roles to be used when authorizing region endpoints
-  - Add configuration option to disable access logging
+- S3: add Object ACL Support
-  - Add notification filtering by target media type
+- S3: fix delete method's notion of subpaths
-  - Manifest: `References()` returns all children
+- S3: use multipart upload API in `Move` method for performance
-  - Honor `X-Forwarded-Port` and Forwarded headers
+- S3: add v2 signature signing for legacy S3 clones
-  - Reference: Preserve tag and digest in With* functions
+- Swift: add simple heuristic to detect incomplete DLOs during read ops
 - Swift: support different user and tenant domains
 - Swift: bulk deletes in chunks
 - Aliyun OSS: fix delete method's notion of subpaths
 - Aliyun OSS: optimize data copy after upload finishes
 - Azure: close leaking response body
 - Fix storage drivers dropping non-EOF errors when listing repositories
 - Compare path properly when listing repositories in catalog
 - Add a foreign layer URL host whitelist
 - Improve catalog enumerate runtime
 #### Registry
 - Export `storage.CreateOptions` in top-level package
 - Enable notifications to endpoints that use self-signed certificates
 - Properly validate multi-URL foreign layers
 - Add control over validation of URLs in pushed manifests
 - Proxy mode: fix socket leak when pull is cancelled
 - Tag service: properly handle error responses on HEAD request
 - Support for custom authentication URL in proxying registry
 - Add configuration option to disable access logging
 - Add notification filtering by target media type
 - Manifest: `References()` returns all children
 - Honor `X-Forwarded-Port` and Forwarded headers
 - Reference: Preserve tag and digest in With* functions
 - Add policy configuration for enforcing repository classes
 #### Client
-  - Changes the client Tags `All()` method to follow links
+- Changes the client Tags `All()` method to follow links
-  - Allow registry clients to connect via HTTP2
+- Allow registry clients to connect via HTTP2
-  - Better handling of OAuth errors in client
+- Better handling of OAuth errors in client
 #### Spec
-  - Manifest: clarify relationship between urls and foreign layers
+- Manifest: clarify relationship between urls and foreign layers
 - Authorization: add support for repository classes
 #### Manifest
-  - Add plugin mediatype to distribution manifest
+- Override media type returned from `Stat()` for existing manifests
 - Add plugin mediatype to distribution manifest
 #### Docs
-
+- Document `TOOMANYREQUESTS` error code
-  - Document `TOOMANYREQUESTS` error code
+- Document required Let's Encrypt port
-  - Document required Let's Encrypt port
+- Improve documentation around implementation of OAuth2
-  - Improve documentation around implementation of OAuth2
+- Improve documentation for configuration
 #### Auth
-  - Add support for registry type in scope
+- Add support for registry type in scope
-  - Add support for using v2 ping challenges for v1
+- Add support for using v2 ping challenges for v1
-  - Add leeway to JWT `nbf` and `exp` checking
+- Add leeway to JWT `nbf` and `exp` checking
-  - htpasswd: dynamically parse htpasswd file
+- htpasswd: dynamically parse htpasswd file
-  - Fix missing auth headers with PATCH HTTP request when pushing to default port
+- Fix missing auth headers with PATCH HTTP request when pushing to default port
 #### Dockerfile
-  - Update to go1.7
+- Update to go1.7
-  - Reorder Dockerfile steps for better layer caching
+- Reorder Dockerfile steps for better layer caching
 #### Notes
--- a/4
+++ b/4
@ -3,6 +3,10 @@ FROM golang:1.7-alpine
 ENV DISTRIBUTION_DIR /go/src/github.com/docker/distribution
 ENV DOCKER_BUILDTAGS include_oss include_gcs
 ARG GOOS=linux
 ARG GOARCH=amd64
 ARG GOARM=6
 RUN set -ex \
    && apk add --no-cache make git
--- a/configuration/configuration.go
+++ b/configuration/configuration.go
@ -203,6 +203,19 @@ type Configuration struct {
 			} `yaml:"urls,omitempty"`
 		} `yaml:"manifests,omitempty"`
 	} `yaml:"validation,omitempty"`
 	// Policy configures registry policy options.
 	Policy struct {
 		// Repository configures policies for repositories
 		Repository struct {
 			// Classes is a list of repository classes which the
 			// registry allows content for. This class is matched
 			// against the configuration media type inside uploaded
 			// manifests. When non-empty, the registry will enforce
 			// the class in authorized resources.
 			Classes []string `yaml:"classes"`
 		} `yaml:"repository,omitempty"`
 	} `yaml:"policy,omitempty"`
 }
 // LogHook is composed of hook Level and Type.
--- a/contrib/docker-integration/malevolent-certs/ca.pem
+++ b/contrib/docker-integration/malevolent-certs/ca.pem
@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC9TCCAd+gAwIBAgIQKQTGjKpSVBW78ef0fOcxRTALBgkqhkiG9w0BAQswJjER
+MIIC+TCCAeGgAwIBAgIQJMzVQNYVNTbh36kZUytWiDANBgkqhkiG9w0BAQsFADAm
-MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE1MDgyMDIz
+MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
-MjE0OVoXDTE4MDgwNDIzMjE0OVowJjERMA8GA1UEChMIUXVpY2tUTFMxETAPBgNV
+MjI1OTA2WhcNMjgwODI2MjI1OTA2WjAmMREwDwYDVQQKEwhRdWlja1RMUzERMA8G
-BAMTCFF1aWNrVExTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwoPM
+A1UEAxMIUXVpY2tUTFMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCe
-xiDZK6Fwy5r3waRkfJHhyZZH828Jyj+nz5UVkMyOM/xN6MgJ2w911hTj1wSXG2n3
+8rEU8xHh6BMYVRz/KhFftKSxS4dxJi2LoNN4fxzY6EgHNfBACt2MhIWaUSHf2YkF
-AohF3gTFNrDYh4j2qRZnixDrOM5GBm2/KJbyfBIYkrR45yLfjidO7MRnhaPZ5Fov
+NsS/T7qZWq23NEuIJYUUwbJRAh/iQsEhCI56eV+aJX+DGd2SQQNKdx1Pt528LNws
-l+RKwNBXP4Q2mUe7q9FM457Rm8hAcqXP04AJT20m1QSYQivDgxsDxuAQte3VEy1E
+n8Ci8rEHTe6i2/U7n/DLqa32BWF3aShsVrchRgpizXezS7GLyFmhv0hi0zRKJgDG
-0j0CwUKoFHT6MHOnDPEZbc4r1+ba34WBM1Sc5KXyV2JlbtU07J4hACYWVsD7vQCl
+JebLeqe/BUtEOsS/Oa65NQTEO/5EZBzM74+4eRo5zyp9Uvw4edmOrXRXK1fK9gP3
-VFlZNE4E35ahMDZ+ODLal9PAT8ARLdAtjvRWrT+h8qZ4Yfwt/sGF1K4CAkTP3H5p
+Fq/jz9+8b5eUd9vl0e9z/xTqMdicYZOUHuUtxM3hXAkkxcaVJqqqDe6URbJHpbaN
-uMkJG56zmqIEYeHMuwIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAKQwDwYDVR0TAQH/
+8Vt/p/csFXMWj3oSokvDAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMB
-BAUwAwEB/zALBgkqhkiG9w0BAQsDggEBALpieTckiPEeb3rTAWl7waDPLPOIhS5C
+Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCC3NiX+2Qk3WB+TRNDPCtQ7Pw+
-XHVfOm7cPmRn3pT2VuR8y74U7a1uOkYMgJnCWb8lSXhbqC89FatLnAhKqo4I9oD8
+o31SSqfF8m3fevT4mdrJqFAF4qUpDwgV9/9EkU4UBoIq03S91Dk/No0jR3VAzzRA
-2BXgYeIpP5/OWBcjzmsMnowrvokc0chAmAR0Ux6AP0eX9amC0lGMuTHdw3+is0AR
+h3+ul/7u08JriS/ZgVediodi7H8xeCz3nvZfAwCP2ZmHzDGp39Uhc3L3WFZImZuV
-lhoImOUPXvgMH7W2RimpSgnX0R5wKqfuGwMfbGa0xhWBZ+wekAKcU8b+pIHDyX0c
+fCDeSWF3c5CjJbdUuCYYFy6LwSFLPoBXZaNBL19XP9btJtjbNTm77PZJ4cELTQ+U
-EQcir2y8/lVjECXSAIlV6iasPQ3hm1sd0xq1hx4yrwYFvQb7yEhOXbK24HLr/20D
+r5Ofw9D9mCCYrapmprw7Fw9wdE+iLL9EJCHAj7L8UYshF4+7O7Jv3ZatySMWPbjS
-RRmEOuS8gg2XtUFv66z/VOw/nUleIg9GAuWDJaiu9frmIma4/tIY4qY=
+nIa2+eKl/sfvRvLZWV9dUSObVsm/bpv8bsHIKp4bYl+IDb2aoSWnw4eZQHDJ
 -----END CERTIFICATE-----
--- a/contrib/docker-integration/malevolent-certs/localregistry.cert
+++ b/contrib/docker-integration/malevolent-certs/localregistry.cert
@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDETCCAfugAwIBAgIQZRKt7OeG+TlC2riszYwQQTALBgkqhkiG9w0BAQswJjER
+MIIDFTCCAf2gAwIBAgIQfv/raCIVnmpXY74aUyohmDANBgkqhkiG9w0BAQsFADAm
-MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE1MDgyMDIz
+MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
-MjE0OVoXDTE4MDgwNDIzMjE0OVowKzERMA8GA1UEChMIUXVpY2tUTFMxFjAUBgNV
+MjI1OTA2WhcNMjgwODI2MjI1OTA2WjArMREwDwYDVQQKEwhRdWlja1RMUzEWMBQG
-BAMTDWxvY2FscmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+A1UEAxMNbG9jYWxyZWdpc3RyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-AQDPdsUBStNMz4coXfQVIJIafG85VkngM4fV7hrg7AbiGLCWvq8cWOrYM50G9Wmo
+ggEBALedGn6gB0Km693mvJ8yz89wtfDs+SGjJi+XmJv0PYe6j5uToXQH2naXXIOZ
-twK1WeQ6bigYOjINgSfTxcy3adciVZIIJyXqboz6n2V0yRPWpakof939bvuAurAP
+lT9lmXd/RciZwn50aK4T6alu96D8yeLE13P+75rdrI9DWTNHsfx0jwRxUEXNazPI
-tSqQ2V5fGN0ZZn4J4IbXMSovKwo7sG3X6i4q/8DYHZ/mKjvCRMPC3MGWqunknpkm
+5Knwbf2MgGJfvHE6LjQ3FStJJ9f8JzryspIAYy5PJETuzoF7GsrUhgmcgQNqQcIx
-dzyKbIFHaDKlAqIOwTsDhHvGzm/9n3D+h4sl5ZPBobuBEV2u5GR0H5ujak4+Kczt
+d81QwOnW3EHastTPIbUxQ3cbEKZMVmvsYSY60pQuw/syN7vGcR/uJQ6HsCUWTEpk
-thCWtRkzCfnjW0TEanheSYJGu8OgCGoFjQnHotgqvOO6iHZCsrB3gf8WQeou+y9e
+LWFNJYudYnRIJ/mb6bGJ0tJhdlXKQ9+89oiEWZp9p1KMfyXesp8HeW8Jyoa06+Ri
-+OyLZv3FmqdC9SXr3b0LGQTFAgMBAAGjOjA4MA4GA1UdDwEB/wQEAwIAoDAMBgNV
+5U82r0oQgC0MI5AueueoNOmQyGsCAwEAAaM6MDgwDgYDVR0PAQH/BAQDAgWgMAwG
-HRMBAf8EAjAAMBgGA1UdEQQRMA+CDWxvY2FscmVnaXN0cnkwCwYJKoZIhvcNAQEL
+A1UdEwEB/wQCMAAwGAYDVR0RBBEwD4INbG9jYWxyZWdpc3RyeTANBgkqhkiG9w0B
-A4IBAQC/PP2Y9QVhO8t4BXML1QpNRWqXG8Gg0P1XIh6M6FoxcGIodLdbzui828YB
+AQsFAAOCAQEAGgUESvQoD/QGZQlY2NA4sauad/yMHVo7vs5TLiKxnAfJrnP1ycD6
-wm9ZlyKars+nDdgLdQWawdV7hSd6s2NeQlHYQSGLsdTAVkgIxiD7D2Tw3kAZ6Zrj
+sqcbwCu6B1GU7fqGjKKgzXWXHTi4MiLi5bnh5Y2JBTABksGmzNAU1LbQJJkwsPnE
-dPikoVAc+rBMm/BXQLzy95IAbBVOHOpBkOOgF+TYxeLnOc3GzbUqBi1Pq97DMaxr
+GBF0RgUmcw7a+4qu3TqPJABOsl+RiUQ4VDzP3DFRbyigs2li+SjLTJepahDhAke9
-DaDuywH55P/6v7qt610UIsZ6+RZ78iiRx4Q+oRxEqGT0rXI76gVxOFabbJuFr1n1
+11lU/r3pm1cov9m0AsKSHrU777Hv5B7gmyJ1FO1Os7/KnkdHKUwiIZx0VW6Ho5H+
-kEWa3u/BssJzX3KVAm7oUtaBnj2SH5fokFmvZ5lBXA4QO/5doOa8yZiFFvvQs7EY
+IiCH7iKJ1tTxe3nkwjlkSXnx7xiLOG7QK1LtTNHzBumF4COSF1kvWvIqNhJeg482
-SWDxLrvS33UCtsCcpPggjehnxKaC
+e38+Kzctl5iVbrB+JWY6roTQ26VLIdlS7A==
 -----END CERTIFICATE-----
--- a/contrib/docker-integration/malevolent-certs/localregistry.key
+++ b/contrib/docker-integration/malevolent-certs/localregistry.key
@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAz3bFAUrTTM+HKF30FSCSGnxvOVZJ4DOH1e4a4OwG4hiwlr6v
+MIIEpQIBAAKCAQEAt50afqAHQqbr3ea8nzLPz3C18Oz5IaMmL5eYm/Q9h7qPm5Oh
-HFjq2DOdBvVpqLcCtVnkOm4oGDoyDYEn08XMt2nXIlWSCCcl6m6M+p9ldMkT1qWp
+dAfadpdcg5mVP2WZd39FyJnCfnRorhPpqW73oPzJ4sTXc/7vmt2sj0NZM0ex/HSP
-KH/d/W77gLqwD7UqkNleXxjdGWZ+CeCG1zEqLysKO7Bt1+ouKv/A2B2f5io7wkTD
+BHFQRc1rM8jkqfBt/YyAYl+8cTouNDcVK0kn1/wnOvKykgBjLk8kRO7OgXsaytSG
-wtzBlqrp5J6ZJnc8imyBR2gypQKiDsE7A4R7xs5v/Z9w/oeLJeWTwaG7gRFdruRk
+CZyBA2pBwjF3zVDA6dbcQdqy1M8htTFDdxsQpkxWa+xhJjrSlC7D+zI3u8ZxH+4l
-dB+bo2pOPinM7bYQlrUZMwn541tExGp4XkmCRrvDoAhqBY0Jx6LYKrzjuoh2QrKw
+DoewJRZMSmQtYU0li51idEgn+ZvpsYnS0mF2VcpD37z2iIRZmn2nUox/Jd6ynwd5
-d4H/FkHqLvsvXvjsi2b9xZqnQvUl6929CxkExQIDAQABAoIBAQCZjCUI7NFwwxQc
+bwnKhrTr5GLlTzavShCALQwjkC5656g06ZDIawIDAQABAoIBAQCw7oKJYkucvpyq
-m1UAogeglMJZJHUu+9SoUD8Sg34grvdbyqueBm1iMOkiclaOKU1W3b4eRNNmAwRy
+x50bCyuVCVdJQhEPiNdTJRG5tjFUiUG4+RmrZaXugQx1A5n97TllHQ9xrjjtAd+d
-nEnW4km+4hX48m5PnHHijYnIIFsd0YjeT+Pf9qtdXFvGjeWq6oIjjM3dAnD50LKu
+XzLaQkP8rZsdGfFDpXXeFZ4irxNVhtDMJMVr0oU3vip/TCaMW1Kh8LIGGZrMwPOk
-KsCB2oCHQoqjXNQfftJGvt2C1oI2/WvdOR4prnGXElVfASswX4PkP5LCfLhIx+Fr
+/S849tWeGyzycMwCRL1N8pVQl44G1aexTmlt/tjpGyQAUcGt3MtKaUhhr8mLttfL
-7ErfaRIKigLSaAWLKaw3IlL12Q/KkuGcnzYIzIRwY4VJ64ENN6M3+KknfGovQItL
+2r6wfZgvSqReURBMdn/bf+sMKnJrYnZLRv/iPz+YWhdk4v1OXPO3D4OlYwR8HwSo
-sCxceSe61THDP9AAI3Mequm8z3H0CImOWhJCge5l7ttLLMXZXqGxDCVx+3zvqlCa
+a9mOpPuC6lWBqzq8eCBU474aQw4FXaFwN08YkJKa4DqUrmadnd4o+ajvOIA4MdF5
-X0cgGSVBAoGBAOvTN3oJJx1vnh1mRj8+hqzFq1bjm4T/Wp314QWLeo++43II4uMM
+7OOsHQaBAoGBANcVQIM6vndN2MFwODGnF8RfeLhEf46VlANkZadOOa0/igyra865
-5hxUlO5ViY1sKxQrGwK+9c9ddxAvm5OAFFkzgW9EhDCu0tXUb2/vAJQ93SgqbcRu
+7IR4dREFFkSdte8bj6/iEAPeDzXgS4TRsZfr2gkhdXuc2NW4jTVeiYfWW3cgKfW+
-coXWJpk0eNW/ouk2s1X8dzs+sCs3a4H64fEEj8yhwoyovjfucspsn7t1AoGBAOE2
+7BQiHXsXCDeoZ1gXq/F5RmD8ue0TkP+IclWR52AM5e1MzfAuZzaIFNJFAoGBANqL
-ayLKx7CcWCiD/VGNvP7714MDst2isyq8reg8LEMmAaXR2IWWj5eGwKrImTQCsrjW
+Q925GxuDamcbuloxQUBarXPJgBDfTWUAXAJVISy80N3av45Y0gyoNjPaU7wHNtU9
-P37aBp1lcWuuYRKl/WEGBy6JLNdATyUoYc1Yo+8YdenekkOtOHHJerlK3OKi3ZVp
+ppnYvM47o1W4qe9AkTtuU79T1WwXFr5T+4Ehm5I8WDHQwkzWGd+WlWkDidLWuvlx
-q4HJY9wzKg/wYLcbTmjjzKj+OBIZWwig73XUHwoRAoGBAJnuIrYbp1aFdvXFvnCl
+ZkzwQGp3KOTJhO20lpOtCbnOa627Op/zLhCBQzLvAoGAFF4A0+x2KNoIUpkL2TfX
-xY6c8DwlEWx8qY+V4S2XX4bYmOnkdwSxdLplU1lGqCSRyIS/pj/imdyjK4Z7LNfY
+elMIHXrvEVN8xq11KtivgYZozjZVaSgWC51UiJ4Qs8KzfccAXklr9tHKYvGwdQ1e
-sG+RORmB5a9JTgGZSqwLm5snzmXbXA7t8P7/S+6Q25baIeKMe/7SbplTT/bFk/0h
+YeKFrSOr+l6p8eMeDBW9tE1KMAetsYW42Vc5r3RI5OxfjOoA8EbpsTl9acPWkTwc
-371MtvhhVfYuZwtnL7KFuLXJAoGBAMQ3UHKYsBC8tsZd8Pf8AL07mFHKiC04Etfa
+h5nfbSsLguMpBTt/rpxITHkCgYEAnKwwSBj25P+OXULUkuoytDcNmC+Bnxbm/hyG
-Wb5rpri+RVM+mGITgnmnavehHHHHJAWMjPetZ3P8rSv/Ww4PVsoQoXM3Cr1jh1E9
+2ak78j2eox26LAti8m35Ba1kUCz/01myQSLPIC5DByYutXWdaHTMlyI7o5Td2i6M
-dLCfWPz4l8syIscaBYKF4wnLItXGxj3mOgoy93EjlrMaYHlILjGOv4JBM4L5WmoT
+5GM6i1i1hWj6kmj+/XqPvEwsFzmXq1HvnAK0u16Xs4UAxgSr2ky35zujmFXcTmTg
-JW7IaF6xAoGAZ4K8MwU/cAah8VinMmLGxvWWuBSgTTebuY5zN603MvFLKv5necuc
+xjZU/YMCgYEAqF93h8WfckZxSUUMBgxTkNfu4MJlbsVBzIHv6TJY95VA49RcRYEK
-BZfTTxD+gOnxRT6QAh++tOsbBmsgR9HmTSlQSSgw1L7cwGyXzLCDYw+5K/03KXSU
+b7Xg+RiNQ42QGd8JBXZ50zQrIDhdd/yJ0KcytvW7WdiEEaF3ANO2QesygmI50611
-DaFdgtfcDDJO8WtjOgjyTRzEAOsqFta1ige4pIu5fTilNVMQlhts5Iw=
+R76F8Bj0xnoQUCbyPuMOLRfTwEaS1jBG7TKWQXTaN0fm4DxUU0KazxU=
 -----END RSA PRIVATE KEY-----
--- a/contrib/docker-integration/nginx/ssl/registry-ca+ca.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+ca.pem
@ -1,29 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIE9TCCAt+gAwIBAgIQMsdPWoLAso/tIOvLk8R/sDALBgkqhkiG9w0BAQswJjER
+MIIC+TCCAeGgAwIBAgIQVhmtXJ4fG4BkISUkyZ65ITANBgkqhkiG9w0BAQsFADAm
-MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE1MDUyNjIw
+MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
-NTQwMVoXDTE4MDUxMDIwNTQwMVowJjERMA8GA1UEChMIUXVpY2tUTFMxETAPBgNV
+MjI1MjMwWhcNMjgwODI2MjI1MjMwWjAmMREwDwYDVQQKEwhRdWlja1RMUzERMA8G
-BAMTCFF1aWNrVExTMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1YeX
+A1UEAxMIUXVpY2tUTFMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDK
-GTvXPKlWA2lMbCvIGB9JYld/otf8aqs6euVJK1f09ngj5b6VoVlI8o1ScVcHKlKx
+J/SLv0dL7UXaNSEAdTMV8+rOFMcQNov/xLWa1mO+7zNZXHIdM+i1uQTHTdhuta6R
-BGfPMThnM7fiEmsfDSPuCIlGmTqR0t4t9dHRnLBGbZmR8JdAs7LKpP+PFYu0JTIT
+wfqkruPMZ9sqK7G9UIPi11ynkdTiZKRCvCr2VMc/uf5WuIsZE1JXXknSNee1TMmV
-wFcjXIs+45cIF2HpsYY6zkj0bmNsyYmT1U1BTW+qqmhvc0Jkr+ikElOQ93Pn7zIO
+Je8TUJsRjEyQDbxn5qUAJLi8yj/O7W8wsnVHdySKMbaLN6v75151TxiIuOoncCHQ
-cXtxdERdzdzXY5cfL3CCaoJDgXOsKPQfYrCi5Zl6sLZVBkIc6Q2fErSIjTp45+NY
+yzz10DzjXfXYajuheu+MLy/rjNGDj0gys4yQZAHlQWY9Lsiiix9rBdXQjVc3q2QT
-AjiOxfUT0MOFtA0/HzYvVp3gTNPGEWM3dF1hwzCqJ32odbw/3TiFCEeC1B82p1sR
+VM5v3pMjXcPweaIbTWJnbOgmy+267kX6kQpUfZRE55dQt6mPtPQ2idPvqPP3TXwa
-sgoFZ6Vbfy9fMhB5S7BBtbqF09Yq/PMM3drOvWIxMF4aOY55ilrtKVwmnckiB0mE
+AFH39cz/pPifIZApDfZFAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMB
-CPOColUUyiWIwwvp82InYsX5ekfS4x1mX1iz8zQEuTF5QHdKiUfd4A33ZMf0Ve6p
+Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB93GckXcLcfNdg9C0xMkvByPQJ
-y9SaMmos99uVQMzWlwj7nVACXjb9Ee6MY/ePRl7Z2gBxEYV41SGFRg8LNkQ//fYk
+dcy0GT991eZ/bNC39AXrmCSfn6a1FRlWoiCOSOW1NIZWQQ7jDep/T585vq2jN7KX
-o2vJ4Bp4aOh/O3ZQNv1eqEDmf/Su5lYCzURyQ2srcRRdwpteDPX+NHYn2d07knHN
+hT/z3iIdNWR+Amvo4pyJ93u2D3uG/bmmguAr62jyIgrJudQ3+Mnd+bj/J33XzAgc
-NQvOJn6EkcsDbgp0vSr6mFDv2GZWkTOAd8jZyrcErrLHAxRNm0Va+CEIKLhswf1G
+d4ZGPvCmKtn8cTKzyS8rjy1oPSUm6pZnfk41MgMWrGuS5HkC3Aa7jo/4RdgGOJpm
-Y2kFkPL1otI8OSDvdJSjZ2GjRSwXhM2Mf3PzfAkCAwEAAaMjMCEwDgYDVR0PAQH/
+nUdz2FGfW/+gwXRy2e94V7ijjz+YwpzL0wHPyXyAm7GwJ7mfvPOZrQOLLw4Z9OaK
-BAQDAgCkMA8GA1UdEwEB/wQFMAMBAf8wCwYJKoZIhvcNAQELA4ICAQDBxOHKnF9z
+R76t4NZBo5TmtvW5zQVsv3sPRnuqcmR0q6WR/fEuMafVtRVOVuDrZlSy0EtA
 PZWPNKDRmBPtmnU2IHh6JJ9HzqGALJJbBU0MUSD/aLBBkYeS0YSHgYZ1hXLsfuRU
 lm/czV41hU1FTDqS2fFpcAAGH+6/rwyfrz+GYr2K4b/ijCwOMbMrDWO54zqZT3KU
 GFBpkrh4fNyKdgUNJsy0Q0it3gOGSUmLvEQUzqxPFVz7h/pF/Cecr0/kpjbpsxna
 XQkhtDyKDIQfPCq8Ci1vox5WvBbBkdzDtyCm+KSb6VC3pCX6LV5NkS7YM7mtscTi
 QdYfLbKX05kUVG2R9SShJn5BSXzGk9M5FR5koGY0lMHwmJqaOqazXjqa1jR7UNDK
 UyExHIXSqJ+nCf4bChEsaC1uwu3Gr7PfP41Zb2U3Raf8UmFnbz6Hx0sS4zBvyJ5w
 Ntemve4M1mB7++oLZ4PkuwK82SkQ8YK0z+lGJQRjg/HP3fVETV8TlIPJAvg7bRnH
 sMrLb/V+K6iY+08kQ2rpU02itRjKnU/DLoha4KVjafY8eIcIR2lpwrYjx+KYpkcF
 AMEC7MnuzhyUfDL++GO6XGwRnx2E54MnKtkrECObMSzwuLysPmjhrEUH6YR7zGib
 KmN6vQkA4s5053R+Tu0k1JGaw90SfvcW4bxGcFjU4Kg0KqlY1y8tnt+ZiHmK0naA
 KauB3KY1NiL+Ng5DCzNdkwDkWH78ZguI2w==
 -----END CERTIFICATE-----
--- a/contrib/docker-integration/nginx/ssl/registry-ca+client-cert.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+client-cert.pem
@ -1,29 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIE9TCCAt+gAwIBAgIRAKbgxG1zgQI81ISaHxqLfpcwCwYJKoZIhvcNAQELMCYx
+MIIC+TCCAeGgAwIBAgIRAMGmTKEnobjz4ymIziTsFuMwDQYJKoZIhvcNAQELBQAw
-ETAPBgNVBAoTCFF1aWNrVExTMREwDwYDVQQDEwhRdWlja1RMUzAeFw0xNTA1MjYy
+JjERMA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE4MDUy
-MDU0MjJaFw0xODA1MTAyMDU0MjJaMBMxETAPBgNVBAoTCFF1aWNrVExTMIICIjAN
+MTIyNTIzMVoXDTI4MDgyNjIyNTIzMVowEzERMA8GA1UEChMIUXVpY2tUTFMwggEi
-BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq0Pc8DQ9AyvokFzm9v4a+29TCA3/
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFrwVi+BAvng9TebwOLg2Juzg
-oARHbx59G+GOeGkrwG6ZWSZa/oNEJf3NJcU00V04k+fQuVoYBCgBXec9TEBvXa8M
+wnW2Lv2EOqpSYmlZLLub46/W+ktqrcb+nBMBwnbON0woCbMArONuiRk7BATnmLH8
-WpLxp5U9LyYkv0AiSPfT2fJEE8mC+isMl+DbmgBcShwRXpeZQyIbEJhedS8mIjW/
+1e6I9Rax1nCaEpKhhH/b3T9PjwvzrXC+NIqeC46E7AEneAdBa4L/x27F/npLJy7X
-MgJbdTylEq1UcZSLMuky+RWv10dw02fLuN1302OgfJRZooPug9rPYHHGbTB0o7II
+PAwcH9ImvACJ9csIObjFnGXNTwtGA2SMIOCiNv3lpyb/Yx20EqBcj+etz8XBjAIS
-hGlhziLVTKV9W1RP8Aop8TamSD85OV6shDaCvmMFr1YNDjcJJ5MGMaSmq0Krq9v4
+46z0JDAtYAbJgIs7Ek2XQSrUud18jopzK9mrT9YvA4tDu9Woj70IXdZfOeb0W6Y+
-nFwmuhOo8gvw/HhzYcxyMHnqMt6EgvbVWwXOoW7xiI3BEDFV33xgTp61bFpcdCai
+aBbEoHvqFtyeG7BStNszM7n6CTcJAqpHOMlYQPeRjtMwb2Ffw86NvxkfrjoNAgMB
-gwUNzfe4/dHeCk/r3pteWOxH1bvcxUlmUB65wjRAwKuIX8Z0hC4ZlM30o+z11Aru
+AAGjNTAzMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNV
-5QqKMrbSlOcd6yHT6NM1ZRyD+nbFORqB8W51g344eYl0zqQjxTQ0TNjJWDR2RWB/
+HRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBv1MfAYTymtDeA62N86QFOwASq
-Vlp5N+WRjDpsBscR8kt2Q1My17gWzvHfijGETZpbvmo2f+Keqc9fcfzkIe/VZFoO
+ah2BQqfHvUzcM0U/H6YDEYUEKX2RFOtGwOwSBXr6v7JmU4KuE6tA6s+XWjD/lLr7
-nhRqhl2PSphcWdimk8Bwf5jC2uDAXWCdvVWvRSP4Xg8zpDwLhlsfLaWVH9n+WG3j
+CqWvJfZNP6zARL+MqbZjSmyymtuXaXH4eNVgN0aaGifhUSMDsg0qyZwG8isMN4hG
-NLQ8EmHWaZlJSeW4BiDYsXmpTAkeLmwoS+pk2WL0TSQ7+S3DyrmTeVANHipNQZeB
+kd0y1nNCn+Q3V7oe3NfjfdjviLU9PNNBQFbKRJJRQ6y267lFoWwlaHwtNyvDupVi
-twZJXIXR6Jc8hgsCAwEAAaM1MDMwDgYDVR0PAQH/BAQDAgCgMBMGA1UdJQQMMAoG
+f+JFMiuG3o+upqBF8UFUV8Of4VL6UcJI0OoF4ngTFzn3gRYaYKmkYawUmIr9vvg7
-CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwCwYJKoZIhvcNAQELA4ICAQCl0cTLbLIn
+oQccajcN1iNArnZwXK3lKSERybrUEiUZ4uZ69wVlXzE2TemhW1iYfrTU1cya
 XFuxreei+y6TlG2Z5XcxJ84mr8VLAaQMlJOLZV0O/suFBu9KqBuvPaHhGRnKE2uw
 Vxdj9qaDdvmvuzi4jYyUA/sQuqq1+wHwGTadOi9r0IsL8OxzsG16OlhuXzhoQVdw
 C9z1jad4HC7uihQ5yhl2ltAA+h5G0Sr1b9El2mx4p6BV+okmTvrqrmjshQb1GZwx
 jG6SJ/uvjGf7rn09ZyYafF9ZDTMNodNXjW8orqGlFdXZLPFJ9agUFfwWfqD2lrtm
 Fu+Ei0ZvKOtyzmh06eO2aGAHJCBTfcDM4tBKBKp0MOMoZkcQQDNpSyI12j6s1wtx
 /1dC8QDyfFpZFXTbKn3q+6MpR+u5zqVquYjwP5DqGTvX0e1sLSthv7LRiOi0qHv1
 bZ8JoWhRMNumui9mzwar5t20ExcWxGxizZY+t+OIj4kaAeRoKK6r6FrYBnTjM+iR
 +xtML5UHPOSmYfNcai0Wn4T7hwpgnCJ+K7qGYjFUCarsINppQEwkxHAvuX+asc38
 nA0wd7ByulkMJph0gP6j6LuJf28JODi6EQ7FcQItMeTuPrc+mpqJ4jP7vTTSJG7Q
 wvqXLMgFQFR+2PG0s10hbY/Y/nwZAROfAs7ADED+EcDPTl/+XjVyo/aYIeOb/07W
 SpS/cacZYUsSLgB4cWbxElcc/p7CW1PbOA==
 -----END CERTIFICATE-----
--- a/contrib/docker-integration/nginx/ssl/registry-ca+client-key.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+client-key.pem
@ -1,51 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIJKQIBAAKCAgEAq0Pc8DQ9AyvokFzm9v4a+29TCA3/oARHbx59G+GOeGkrwG6Z
+MIIEogIBAAKCAQEAmha8FYvgQL54PU3m8Di4Nibs4MJ1ti79hDqqUmJpWSy7m+Ov
-WSZa/oNEJf3NJcU00V04k+fQuVoYBCgBXec9TEBvXa8MWpLxp5U9LyYkv0AiSPfT
+1vpLaq3G/pwTAcJ2zjdMKAmzAKzjbokZOwQE55ix/NXuiPUWsdZwmhKSoYR/290/
-2fJEE8mC+isMl+DbmgBcShwRXpeZQyIbEJhedS8mIjW/MgJbdTylEq1UcZSLMuky
+T48L861wvjSKnguOhOwBJ3gHQWuC/8duxf56Sycu1zwMHB/SJrwAifXLCDm4xZxl
-+RWv10dw02fLuN1302OgfJRZooPug9rPYHHGbTB0o7IIhGlhziLVTKV9W1RP8Aop
+zU8LRgNkjCDgojb95acm/2MdtBKgXI/nrc/FwYwCEuOs9CQwLWAGyYCLOxJNl0Eq
-8TamSD85OV6shDaCvmMFr1YNDjcJJ5MGMaSmq0Krq9v4nFwmuhOo8gvw/HhzYcxy
+1LndfI6KcyvZq0/WLwOLQ7vVqI+9CF3WXznm9FumPmgWxKB76hbcnhuwUrTbMzO5
-MHnqMt6EgvbVWwXOoW7xiI3BEDFV33xgTp61bFpcdCaigwUNzfe4/dHeCk/r3pte
+gk3CQKqRzjJWED3kY7TMG9hX8POjb8ZH646DQIDAQABAoIBAE2SfnOWbHoLqXqr
-WOxH1bvcxUlmUB65wjRAwKuIX8Z0hC4ZlM30o+z11Aru5QqKMrbSlOcd6yHT6NM1
+WkS7OTnB1OS94Qarl2NXKWG6O3DyTSyIroBal1cITzLkncj3/lmIiyVo5J3Fa+W8
-ZRyD+nbFORqB8W51g344eYl0zqQjxTQ0TNjJWDR2RWB/Vlp5N+WRjDpsBscR8kt2
+zV/hgRqay5gOlzyJrjgvTZazHPCFRN0KABJsYEb3nNeUmehAxynxqg8VpQlxN4zO
-Q1My17gWzvHfijGETZpbvmo2f+Keqc9fcfzkIe/VZFoOnhRqhl2PSphcWdimk8Bw
+NxiZWyqODGRAEO0XVa0tMy/Wcw0guD18+U9GYiYQi3d7NEHTt5d8CX9VKY/bHKR
-f5jC2uDAXWCdvVWvRSP4Xg8zpDwLhlsfLaWVH9n+WG3jNLQ8EmHWaZlJSeW4BiDY
+ecC/lr7URnA/8FM60mKI6MAiHPxyUjJ7/6dq1goG8dDHcAtOEEIawECQtRfQ+Dn
-sXmpTAkeLmwoS+pk2WL0TSQ7+S3DyrmTeVANHipNQZeBtwZJXIXR6Jc8hgsCAwEA
+RL55nDPRYNviXRgr8u61TFm8zgkTUQy2MLRkHAyP0IBLUiMpqDdmXB4LNMQQSrsY
-AQKCAgBJcL1iR5ROMtr0ZNIp4gciALfjQVV3gb48GR/e/9b/LWI0j3i0sOzeLN3h
+0FyinIECgYEAy3eT5ZUb/ijGsWUT/DizUoetFfg8X4LV+HRLXdlxfcOYB3Elbeks
-SLda1fjzOn1Td1ma0dZwmdMUOF+hvhPDYZfzkwWLLkThXgLt/At3rMYstGWa8pN2
+JPC+Tdm33nB0lqo3hLVNPB9yqJiPOOaWQPpWBImOeitpmDRAagjwUewJwLY9RmKT
-wVUSH7sri7IHmYedP3baQdrHP/9pUsGQc+m8ASTE3i+PFcKbPe5+818HTtRrhVgN
+RD0+YyCC0SwvSDFDsWF+ncW/8XpobvetCSC6mmjX6Wr070yHkhDeeC0CgYEAwd9v
-X3oNmPKUNCmSom7ZcKer5P1+Ruum0NuDgomCdkoZgfhjeKeLrVjl/wXDSQL/AhWA
+P+TjgWVyL5YRiOJ+wjR7ZKpHCiSSxSTjIhq40hs5LtHddSk9e/+AU0otcMExzCqN
-02c4/sML7xx19nl8uf7z+Gj0ir1pvRouhRJTwnRc4KdWu+Yn7WLU8j2ZKf5St/as
+E4f/e05a6TD5CFAgmUMK7nb49ept3ENVoD+M13K3tTaTyeZghwYNNK56osDtdCgc
-zjnpYVEdCp0KSHccgXtobUZDEG2NCHmM6gR2j3qgoUAYjHyqPYlph2r5C47q+p4c
+c68jQAy81gU7iRt30xbLVV6HgGdrSrWN8D8DFWECgYABkV1RYpHBppzJVycNRX6U
-dDWkpwZwGiuYq9qpZj24X6BfppxExcX6AwOgFLZLp80IynwrMVxFsDd2J+KpKRQ1
+PzllNvF4JvDxJixCf99xAaXVQNjx/N77NeOxg+D31NQBKTSeUCtVMETY6bwIyzYT
-+ZtYPcULwInF9MNi/dv84pxGOmmOaIUyjN8Sw4eqANU4T5uvTjUj7Ou6KYyfmxgG
+MBqjlE/FvznkE1r/tivr5a65jm3wcegCmZo2d1SqufVvT/nejwrDunddK/1MBZqO
-y++vjpRN7tN1t1Hwde8SVWobvmhU+5SJVHV8INoJD7uciaevPo9pt833SQTtDXeY
+vHLTp8UqJknW4jcVOA4OzQKBgG7BdozJ9i62BcWptdq9iizoTpXzsSHaQv7dU+Tn
-PVBhOKO7thAxdUiqlU/1nGTXnf1VO6wAjaVYoTnP4tJ97WuTptwd2F5znVWHFGVh
+3y4o30IgIqQMK1PrYyQx/EOuGwTISlAeIZYP7V/K2nolTHpCEryouxHCG4D59rDV
-lzJAzmFOuyCnRnInsf4n5EmWJnT7XF2CofQqAJ8NIddrU8GnQQKCAQEAyqWAiPMK
+nWB36PtdcpClS//XNTQjeWwBS6ZQQ/DS3RB6NmcOFjT9vDabjw32MvLoIiNMFQpq
-I/dMzlS7oJGlhbKZ5R4buc+EoZqtW7/8/S+0L6IaQvpEUilD+aDQyaxXjoKiQQL+
+9RgBAoGARQnQ94oH98m/iheJpzaM9NhQhAoXSi4w19FySCtnyZTYTd0A7hjRzsSl
-0UeeSmF/zU5BsOTpB8AuJUfYoUe0N+x7hO5eIcoCB/QWYX+iC3tCN4j1Iwt6VliV
+DeoAkIGDHyy33RPK/kPtA6dxM/DQ00IkkwH4soaDDbnCmagdw4NnY8eA1Y/KSbd+
-PBYEiLUYPngSIHob/nK8UtgxrWQ3Fik9XJtWhePHrvMvDBalgCKdnyhuucGxKUjc
+XNNm+sDafoVyCojtsTA7bripKB8q5vPYo3qRLfQ7dwMeRPYblPI=
 TtPcyMFdi0z4Kt/FAm+5u/v4ZkO909Ish0FrAqQ9t5ETfvTTTYKBmzny6/LSPTK9
 0XIsHltuC1xG4vGQsES/Ph++Yj3Vn011FqvFZeBUHbfcQuB4h5wcb+90d4GU1kux
 eabsHPIZKrlN4QKCAQEA2Fs8NAN5K9i7qbxZCJPi6DJV6XMznk6JVGb+qkkChCyq
 IOXb95+c9CIpe6w2d3res3zvML3zbdz2Lyp9G0ve6tSlOaSnHeyIxZ5SRB+yQrcF
 GXtsx370bOGjCi1/NH85kwKlMuROFJKleJQv8rKpIEo5aPSPV9Cc/VsUqBpvR+O0
 U1HMv57P4yJA/ddw6imHJBl3jTmWBpK4B+LBsCbdypxdVoO8t32Lb2BqDTaPJfYU
 RJUpjn/efLLoP6CWxYtqpUlY5tc7NJGAokl8Fo1mPn02klydvs09uiXE80Li2Hoc
 /meMH07Lbt2VTw6iGNRX6VpIHEUZGZeS6rbAvO4ZawKCAQEAjOtGVPXdyWEB0kHu
 MBzYY/7tMf0b/rymWNL9Vt5NiauQu8cYSBdNR21WzdLdHkFwqbOCLX9twA7zrnna
 q+SNnfuxaShlbptls9HvKyySQMCaSRj3DJzaq3ZcM2vFgmUFQxeKPV1geeY9xOta
 LqbExDzmFq2m9F1PPmqAPDL1bt6+7mCVzb1irB9be52WysUNKrPdBP6b5V1DHYAK
 EwK1WOs/TxBusqDn/gWBjjmLqYr+ZVndaTfDvPd3sWDdzBoiKZ40QUZ15Z5lu76M
 6e2DhfHCUjGcZBEjDaI+WYc9s0REAzJajEf9Lax3ZKZUyCpWbXx5CgSdKCHB8+cP
 RTyTQQKCAQEAsxx8r5a8hocLfQ43Kvm7HH0nUHeVoRXlbOFDLNf6ZE/RnCCOxOX3
 esiZTRAZmzo2CaOBJPnr/+SwTgW/woxCBGh8TEc6LnS2GdviwRD4c3CuoRTjzhgU
 49q8Ld3SdDRrBoBnIMWOuktY/4S2WRZ9GwU3l+L2lD1Y6gmwBSa1P2+Lxnpupagk
 9CVUZpEnokM05LbMmTa2M8Tc43Je5KSYcnaWctvmrIUbnN3VjhC/2y5oQwq1d4n2
 N4eo65vXlbzAUgtxtNEz62YVdsSdHNJ8dXkVZ3+S+/VPh75i2PxjbdFSFW7Futlx
 YtvAEs3LdgC8squSDQ1LJTutXfBjiUUX9wKCAQBiCMre86tLyJu6Qb6X1cRAwO7m
 4kyGzIUtijXko6mWxb4X/usVvzhSaNVYbHbMZXjX+J5vhBOul+RmQ3EY6nw0H2z8
 9D4z/rnQVqeb0uvIeUhBPni+s4fS4bA92M6Ie5bhiOSF2JjjJr38BFnTZARE7C+7
 ZII7z2c0eQz/wAAt9fWWroAB2mIm6wxq0LNij2NoE0iq6k2xJE1/k8qhXpsN0zAv
 bjG72Q7WryBeK/eIDK9e5wGlfLVDOx2Evlcaj70oJxuoRh57e8fCYy8huJQT+Wlx
 Qw4zhxiyzAMq8SEqFsm8dVO4Bu2FwzmmehA80ieSb+si7JZU92xGDT394Im2
 -----END RSA PRIVATE KEY-----
--- a/contrib/docker-integration/nginx/ssl/registry-ca+localhost-cert.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+localhost-cert.pem
@ -1,29 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIFCTCCAvOgAwIBAgIQdcXDOHrLsd2ENSfj5h8ZmjALBgkqhkiG9w0BAQswJjER
+MIIDDTCCAfWgAwIBAgIQfzdVwVz4igfdJPd6SW/ENTANBgkqhkiG9w0BAQsFADAm
-MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE1MDUyNjIw
+MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
-NTQwM1oXDTE4MDUxMDIwNTQwM1owJzERMA8GA1UEChMIUXVpY2tUTFMxEjAQBgNV
+MjI1MjMwWhcNMjgwODI2MjI1MjMwWjAnMREwDwYDVQQKEwhRdWlja1RMUzESMBAG
-BAMTCWxvY2FsaG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK2K
+A1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-saEVcHq0eldu5kABbWtZsf9keK7lz8beVIowzOqp5IHpGlggtH7xDVeigA/sLdds
+v+H3BTOGLRYjyPx+JQQcP5r8HHBmjknflE6VcrbRD5VGx8192hwsjAdlL0kz1CEq
-WTgKEOq3zsJzdgfEti5TNAjjmPqjMKkolqv3LXDJG0dZ2GZ8W/eBB6X1wB0LKr3i
+FW2KQidJieDi8iIh9BWB8lsTQ51xZGnry6CbVXxTbv1Ss8ci9r8Cm3GPjWy5gqTi
-ye3/5jb/wCZYVGGMQXj0VQxY8Qq+OHEp0effeheJqA0OYOj+RaZwi20OR/KmJRgY
+DTUUQez8xq29gUod4ZvRoJ8jl/eI7gF7MBFakv7tZQ40SHcogjQoG7nKMXG1VOhX
-wXU33bZyapuyT4krhFlFbtzXeKsKQPrT2ePWxPAceqUGUTIqyJySYIw6vb72YxjX
+D4kM120E+hW9x0U3j0SaCIYl6bG2RHIvUMlrVnj4es6JBVzqItkhAwugE6ytneOh
-FNRw6Jg7B7RqVJaVCfBrVxtAv+rCLOhUOVYmWhgWEIODPXiqOGwB0VUApAVAYqfi
+VxWQ/7e8qKW2+lVsPnH/zjNES0j/9XYgVCjwkgirxjs2eZRIS5Mg14DdYqfQ9MRQ
-TYnJIZ7QYLlQx5VPNlzZuSJTUzKmHQLtLcTqdO5HmLxfxc0WuS/ftK916wy/jpSc
+EoyQxl3xcDxjqPocMgGYHwIDAQABozYwNDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0T
-m2DiHjIy6aAEaHKGQrNgT+no68kp30xkYAVsIs0BFpl6Q2iNr5e0uKta82A0xU1Q
+AQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEB
-we7swSHOHCevuDZfFA/CqnBptOjvNUuVytcroCeCrV/ftp75w/Fd9zOcb6LGLxM2
+ACU0E2BAdqjVvO06ZyHplxxQ4TQxK9voBCTheC2G7oFaM4VLFf48GgoMkvbsMGyd
-2UzhkSXl3II250xj74Q3q8T9TDxCLty7oiawhaYKI+8SDYc510EQ7MH46WMO+3Uq
+1JqIACCDuSJ5UVjmWm6VIDZrnRsf/BbQCTZXKQd4ONLL5DU/OPjAFKGeCpAK51yj
-JkpmmELd9POgnnZ1JrCFmf0flUKTi2CqU3wrBPpPMwFBxoFipp5iL87npACHc3DY
+OMHdw3cQmMCEpMH9HHJ+iB3XWLcDKPAxTkcsBytC9VLUgU7Q4+3eYIT/j/ug+y4G
-6uaoF4Pf9Et1Fd7HRon8RMsKkrSF92NFiBx5UvhZAgMBAAGjNjA0MA4GA1UdDwEB
+W4A0cmdDDuozwBAPXj7ZLKdVlkUFka8WjQAJesHTIifS1bfahGiSNVJbYjXbGoML
-/wQEAwIAoDAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDALBgkq
+d0IeGMd1lXlc2M+ygqZsSM2ErzndNdvDs7S6u/FIICm7uW6P2naPeMtedb2orO6Q
-hkiG9w0BAQsDggIBAC0F4ci1nqZ9KUhEEAmWmy8g89DovNNIGSC51r2WJ/COmYUX
+5O3gRtj/UQjegI0XV4YO2TQ=
 X70TONscsBL/kx5MK4xoAmb+EN6Yy8i+z9NkNJd0B+2MjXPMFBpgGb0UiPv2wEmZ
 5PAKyjwTxNIm6L/nFhkmVqfsQHfjHukXES4C0ff6fj6fuDpBfl5nTlVmc9LpP+hT
 5RAwW10qumucGxAWGNBWW+K66cf8O7n/0nQykxJxYjBx16ZB80H2uvqFDKDVFqze
 co5M4euXQq9KiXPRlcC9rab2a7FGLHd0TyPkq6TvfsqpxcryyKS4rIAz3sQh/tl/
 /qm1tBcZW2bce3UlF2Wb2dW9HqvIu1O84f6ptLqwgKcIdTbwgQZ0kbFoWE2kWJSV
 w+eAFb7tz1LDTpF3NRlz+1K27pBQWRQgcqoIRoQXpC0LfQY9Mp70QIfUQdUh6tnO
 8hmq5y623tfxiDwCxb/EOpwCmwK1Cp9cloZTDefVE1r6NkEJWeeHG79VljUGF1KT
 NKzXWrrsFtge/hU9Pj+frcZO9qExxPCcsrdZcoK7Ll8s+pjulRvbnCnJkNpeOI3P
 iz6+sdGmzKSKg2daRM67Zmy5tmlBEX/eV7kFqt+b3HsdUiLo3Ng2lyPLNNDfwUtB
 EukgYGjVJoyqLjLXgsCxLJlk7X/ogVwf8SlAnQ7p6KuxGWm02vlUpEmJp+Hq
 -----END CERTIFICATE-----
--- a/contrib/docker-integration/nginx/ssl/registry-ca+localhost-key.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+localhost-key.pem
@ -1,51 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIJJwIBAAKCAgEArYqxoRVwerR6V27mQAFta1mx/2R4ruXPxt5UijDM6qnkgeka
+MIIEowIBAAKCAQEAv+H3BTOGLRYjyPx+JQQcP5r8HHBmjknflE6VcrbRD5VGx819
-WCC0fvENV6KAD+wt12xZOAoQ6rfOwnN2B8S2LlM0COOY+qMwqSiWq/ctcMkbR1nY
+2hwsjAdlL0kz1CEqFW2KQidJieDi8iIh9BWB8lsTQ51xZGnry6CbVXxTbv1Ss8ci
-Znxb94EHpfXAHQsqveLJ7f/mNv/AJlhUYYxBePRVDFjxCr44cSnR5996F4moDQ5g
+9r8Cm3GPjWy5gqTiDTUUQez8xq29gUod4ZvRoJ8jl/eI7gF7MBFakv7tZQ40SHco
-6P5FpnCLbQ5H8qYlGBjBdTfdtnJqm7JPiSuEWUVu3Nd4qwpA+tPZ49bE8Bx6pQZR
+gjQoG7nKMXG1VOhXD4kM120E+hW9x0U3j0SaCIYl6bG2RHIvUMlrVnj4es6JBVzq
-MirInJJgjDq9vvZjGNcU1HDomDsHtGpUlpUJ8GtXG0C/6sIs6FQ5ViZaGBYQg4M9
+ItkhAwugE6ytneOhVxWQ/7e8qKW2+lVsPnH/zjNES0j/9XYgVCjwkgirxjs2eZRI
-eKo4bAHRVQCkBUBip+JNickhntBguVDHlU82XNm5IlNTMqYdAu0txOp07keYvF/F
+S5Mg14DdYqfQ9MRQEoyQxl3xcDxjqPocMgGYHwIDAQABAoIBABbp0ueqGXG03R0Z
-zRa5L9+0r3XrDL+OlJybYOIeMjLpoARocoZCs2BP6ejrySnfTGRgBWwizQEWmXpD
+Ga8t6Hmn9kcnHPgM1kgNgkcqkZh8yPD/FvI+vwsRrwGQikHgm/fnFsWDj4KJelBT
-aI2vl7S4q1rzYDTFTVDB7uzBIc4cJ6+4Nl8UD8KqcGm06O81S5XK1yugJ4KtX9+2
+xx4wm03nlktSt8G37FJqoWH58LSmR4P0WbaBZLxPOUc4Hob9TYkqN3sP47eN871G
-nvnD8V33M5xvosYvEzbZTOGRJeXcgjbnTGPvhDerxP1MPEIu3LuiJrCFpgoj7xIN
+rn7MbqHxnvx8sLtLLfy1dc1r58lTTZB7YL1OPV7B/VYhYFDtpkUBvadV+WJ7SJ5G
-hznXQRDswfjpYw77dSomSmaYQt3086CednUmsIWZ/R+VQpOLYKpTfCsE+k8zAUHG
+UHrBsshOUJbUI4ahmc8izi40yDw+A0LRhtj3i7aFr2Og+vCq9M8NXDjhdOu9VBkI
-gWKmnmIvzuekAIdzcNjq5qgXg9/0S3UV3sdGifxEywqStIX3Y0WIHHlS+FkCAwEA
+fvniC6worJk/GnQDJ/KT5Uqfejdd3Pq7eHp11riqwua8+/wi726zRz9perFh/3gJ
-AQKCAgAtZw3V8P/+el1PpqoCsNzpqwvQn36bc3CKvPwtM1tJQa2Q92V3DQdr9rDg
+pYjaY+ECgYEA+ssW+vJRZNHEzdf8zzIJxHqq9tOjbQK9yyIPQP5O4q9zKvDJIpnX
-7pjGkankpGorKScH4ZLseLy2h5aKRCZm9PS/DhbbCs1wrDhtO5AxeKYPGhYNiOpx
+T31aZTLGy0op+XA9GJ7X0/d1tqo3G2wNBsFYWPn3gmVVth/7iHxRznorNfmsuea7
-VvwuHQ/Pohfmdn7KgNrKrW1WIBW5CWN+2X4mq2Gk6aYLHgKZSeB3mf1st6mNRACW
+1gFm19StL2+q8PaZ4fx9vUcWwDHlALYTYlTaazms6z9FWD/KbB8kiWkCgYEAw93H
-RZg5OZKW3VMv0a/l3cVaeqooXwQ/PtUkXhMp3ILnnKly3Gulzi2gIyj3EQ5vODSe
+Pp12ND3f6p2rYbXPfHJ0aAUbrQR4wRG3ipVWXGjvn2h/CbrLAt5W1wB3iwnWwatX
-O3gND/UZOJwwgGG6Aief4fnDc7an+c1OSgBr8OVC21Ys3dfQWWV0os9gVFhymX8k
+opdbfzjxgb0wRQHSPNVj3/SOHr8E5zH/mw+eV7mOea4xlCLTSIAJNzW1320hwsbw
-2AgRf6jP93sFw2NSY34KvcGZpKG59oMDxWF1vPo8sOt17Ey0+qp3eUtB3FfE7Wtf
+FrEC5qe41PrbMUu+4LvXPkHCKVxRXaV4QX4YHEcCgYEAurjegTRM+X1cw81dwn4E
-BaLaD/x4U91izIqOEMzQ6QiZAyvmUoBkUSo125CYuIkt8C8Q1lA1KjihETWF37QR
+265g/6iO8qip2kWficpNvWTXoE7p0cMslVhFJzdo3w52teqk8mHBW2XQ1JFiuh32
-mr8LUk0A0x3SErtm4wVfeDEqVSfI9gKpk6i6rlUzuCjv58Rc0yyqoghXwBWM4CKj
+jOMC/iwN5Z3A9PpW8kVtOwemiGc9/KMXkrw0b9k+oCTJ5uITrDeq/nOhMrNzRtZJ
-5ZHYpBKAxj4bM6IrKnodAOcsyVk2c2zVTaMxPhoUj0fF7IE5Hy6YAQ/yBheZEM1v
+FFsMy+yDHBtda9kCwwFk2JECgYBQUpbu+qwK6IT3NgmeXGzmYBmUvuOGpJrQsm9O
-fhsdBFyS6OqSCnN6UinhH268QPam82lfKTFjW5lOgsSDQZ9rhiWoyamhonJTq65I
+iceMxgvel3/hgZTXbE64hRyBDFvhuF6L8v42widoSSmOYxzQjcITibruqO9d0Ic+
-nb08f4mzT6OGMwV13zq8dXio6WnUIQAhXdEYWrMBmxp5b6CxAQKCAQEA4kmwV3Nb
+E72fxBzFkcYLNezngnpFBeW75ok900+KPrUt2gJWdTmGkcWJa/7tLRJu28kSWlVi
-n3ZIzVAp2l+yGZwdg4YWzN2kcfdNkL8I+Pn8pWrOwv/uGQYmM0786ys9kB5lu4FR
+pk9E6QKBgDH2Uh61ToeNq8Gbnue3pnhUddHELRFQfwHHaa4tFrXBHuPLKqkVefKT
-TMcoEo3AaK/z8N49ro2Kl6HcTmxZgTMr+cl6iwetzqYdkRK7klxyCv5uVloDQDtc
+A58awVoPpKTECROeyqe2DJXg9EdSVzKyhg217N/07NRaunfCJ9/TSpFy+5Xls7Rl
-AulDH6RkW9BfRERpi6XtlgiFdJj5jMvXMpwGHX69JVsXb83ZSQESjI2JfO9Y8+4M
+U7zK25S1/13KZ6rGVHpmP6Q82VSnsHkPtUfDo3A29llqIQ8je43Y
 a7hNKWW/W0ZBrGCcQQPbgpysfJ+PFKUF/yF1h8SSCdetW2Kv2ix16wL5uHKINYmZ
 Y/Om+/AFnUOQlANycgThtgBI5mvg9Khq6W2i/RNcIL7bvwAzq1p+o6cGnImXo4bY
 hC4fs2/aeX17UQKCAQEAxFQHSLBYDLal5CQYbHbNZ2sLjwRUraEd/+BA8XoERVVQ
 JPihgEvTPEaHnWrFTw0qaGKgMZ5SZCZSWUIfXjYvQIUcEMhNUOHweXhJJhifO5sd
 sTuvU7bWg76F69bRKfp8KM266m7qMYv+tNlQ6Kbz/1ImsW00xb86vCK2hPfhldtN
 d/iBb4HVDu1uoATHUNuqsSGj/UvttKudQdg7MapzM4N+D4m6rPZUjQmtoMWOXt7R
 LYrqEOHWfkxXKlVHw1cL9uzUpArvnR0VcYvGfXiYJFbXWsEB07VxIoLMPEtPbpH9
 YLY37KugrthEVnsbySmZIWCRDEqQuuAaa5o8S1naiQKCAQAiU/dybMebe0A0FVMk
 E5xbEjnP+AmBbqZBu7iCmthrnNDc70UKg/TEyxAEfJkVu+uM72+TcFy6/wNvPR3R
 Q9AH3E8TKdm6gw1+wCUb2n1zWUND0Bhn3v9hQKw/2dJbJJnsc59GoTqmHmjWZgPr
 gcLSAmbYjoVqW0STmZlR6KJuxQiQdOeQwS7fASVTU9xSgi43S7/80UIFHWJnQ04y
 NIhF9CoAGuuz9ryb80CraxVrzNGdlQ5qe9OKp3/x4wjIbB0iBA3xwTwJ066jTZgs
 cVF/gr5b2a28BHMKsZbgxqPhYYZ2SfeR6CJB6W/tML9BaFcybBUa85vpAW5BtFg6
 UfThAoIBAAp1/71byBVFVimF0tdUrTUpewAv1uM5hoOvy0YSnk+jcBXIObLAV40K
 pQc6PTEtHmlZd/es2+8CK7kd0NYQRQxHC2vJgHUi1NFkG2GwRivC5B4hdAId5+g1
 KqWaWKLH+f2imKcNKeVh9Dxmp+z9mFquYelqTDmNKvADWX5URuzZNpOB5kOuw098
 TzyvhH9GdR3jEP3aIdxSmJp9jwnibyj7hKgHSq8UoQSy01GRtThQ3wxyLm6f2fH4
 11wmFyDNbpHFpL7o5kOU3SOjsvvUhSbKiccIKbTCIjkYhxFfYegeV0Xj767opjMq
 ytlgzeY2FTa2EoR5JKUQc9fv6+6H5yECggEAVVfnywPm8QXn+ByFDdUndZg3uEje
 DGyvt1M3mIz5geyRZO8ECzgsZVzKgZC8jDB4lPKz3AGgNlUl/vyGHk6CtW6V6ePA
 EXcmOkkMKJQMdopY2/cE6YlSpBGMCcnfothgL0HXxYoop4xVjb74k7tFcNrIDoRx
 zp9dSalgxx9aMeaURRbMWf8AhWLZUAjJ/359M1SmcNW619SL3p8Q95Nptvdiltww
 lWOCkBdgkjW0mel+Mi2+gY8UPmgNBMPrJ1z9b7b7529YCv5Oci8ABn/N202nhjCp
 LupADooNknOMLDyqwRorEv4g6wRjuPIYTIhI9fO5ranu089x+mmGU2tCBw==
 -----END RSA PRIVATE KEY-----
--- a/contrib/docker-integration/nginx/ssl/registry-ca+localregistry-cert.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+localregistry-cert.pem
@ -1,30 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIFETCCAvugAwIBAgIQJ+iLgsp9gA0DmROqW+tHFzALBgkqhkiG9w0BAQswJjER
+MIIDFTCCAf2gAwIBAgIQM3khHYh+82EC0qR1Pelk2DANBgkqhkiG9w0BAQsFADAm
-MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE1MDUyNjIw
+MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
-NTQxNloXDTE4MDUxMDIwNTQxNlowKzERMA8GA1UEChMIUXVpY2tUTFMxFjAUBgNV
+MjI1MjMxWhcNMjgwODI2MjI1MjMxWjArMREwDwYDVQQKEwhRdWlja1RMUzEWMBQG
-BAMTDWxvY2FscmVnaXN0cnkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+A1UEAxMNbG9jYWxyZWdpc3RyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-AQDHR/A6uiQ9X/Xh5ivmdjRr5XVr1D7+fU9Qu6ohArqtBuJsLr6t2RBTS9w6PIAf
+ggEBAKA8e9cUSyasRtEHw3yGW5lFCnnZIN+SSvykAOynt9LLKzU5G5ge3ekBtzsl
-xjQSMSFlrm/CY+hbfBMSgm9NeH23o3kYCgoEPhP/634A45W5xwUFno388U8/NHK7
+HE1ndeYjy/dK7XkECQBQ0csF+KSacU5QiZek8g6btH94HDwltCq1I8f1E8LQFP6k
-qwzSP1ezKXfXNvzuo1mZhT08aVdGMOrZUcZZZl8R3RPcIRw9XDSfXKVkMluH6egk
+483MKZUDeNNnHzbuK9xsMjYOCrJWGysLHnKjzK/+yfVPwTm9tmUVRqd4xjw1oYY6
-8iLdOxdIdRS58DeSI09FskWe3cIZ5kJmMqnKoIbYSJCVVeYPO0RFlIBi+zpdVyI/
+C7iCffIWn7+dQKDjHrn+KyheIy244v5y63AaxgPfjHrtvJtz1vPqxi+FyzDM7RfZ
-r9LG0r0plRdz/HJevbOitU2y93S1s9NWMNEkOFU1PFJmsF3ZzNqJFCySj00y/Hcs
+GIjklC6KaKHmxvUsB0hO4WNb9kt8FBvnxOxuDKf+rUYKTg6JK72O3TaUauiEvE2X
-jPULYwIxYdqcv16cTNmd3P6FegvuzLJLjNuGaLJGc1antv+p62P7ZdE3DyprFuxs
+SKT0vYpLoep5hc9ns/yh3BuuznECAwEAAaM6MDgwDgYDVR0PAQH/BAQDAgWgMAwG
-MJgDL9+NjDaIzoamFf0Uv7K3F7hxrrAHfvm1CMUOyQLg9J6Wl4mLsOy2ZhCbdNFs
+A1UdEwEB/wQCMAAwGAYDVR0RBBEwD4INbG9jYWxyZWdpc3RyeTANBgkqhkiG9w0B
-T6dobAUGvz4Muj9V8V5pR+nFehjmsPENSsTcs5j0e8zTWtvMFISdS+NZAkpiz0s4
+AQsFAAOCAQEAMt/lnR3Wy99X/knvjtg7wsPz5T9sZ5hGy/9sIm8sFdsqt5NZi9IY
-PV8DLgk5Rp1ZG2V5OnRPLMOTgK0nngc5GVaxf7OYCrFHbBJ8tL93MXNQptNFeBpV
+vS+eyij1yHvOU+pqOxsYQ2NG26CS0CKM3JWLJTo/w8GyiSwxL8a1/UxHmTxDnSMH
-FhjUGqVFcz+6nbFX2NsFLZnghQRs9lej4TTG33NSAYusKqhVwpYFf8CsXCcvYuU6
+cYZRsuPtdkTiAuZhoT5I1ZTsOa7MQF25HiFBL6Ei88FFhcQQjJ7+xYDNhSoddMtz
-RlkCYjr3PB+nX1UDa0eUGm0zOabf9O3D1VzHQBpDuzSHQwIDAQABozowODAOBgNV
+U8mUY6NOENmvE86QMjWjaj1PXPLO8PxPIqw482Ln/95pHzuaxAYMvxhs2aQlBS1/
-HQ8BAf8EBAMCAKAwDAYDVR0TAQH/BAIwADAYBgNVHREEETAPgg1sb2NhbHJlZ2lz
+9+vi6VOkbQna9+crmzniXjZDx5QdvMN2QwzFL4hCgqbebVg0zwjhByOwQIjtNEXE
-dHJ5MAsGCSqGSIb3DQEBCwOCAgEAaPfAs6saij4FZIPbzAb5M6ZVvfXBg+AfH52t
+gqxjLkTNOdSva6Fkk/z8BD2XSZ4L+nM3Mw==
 p3tFsnWUJCiOh9ywsc2NcmJdleKDc4/spElFMUarHqcE1ua6EH15O5GEnHWKj8EY
 PVQFrPvf30UkRGNPl8eC7afZtCNk9MLllIATAzBr5Z1i+psV7MmgBKpbZ4B0TnhR
 GXNT60QaCJ9RfUuc2z7RHJNo9XTn3Q44X7TFj+P3jHOWzTf8y6Mz6saTy2bugIUy
 AfRgRgq/bB8hRjrazg55FIlrMv7dr3J0cIuqmaHfsw7Q2ECMCXW8oQXMBzfuIT0n
 sG4u0oVxdNx4OdHsAubGjjwNDhxJvN5j8+YFqZMu03i8LbyamTwsrZg2C3QrRUq8
 SujQEEB+AmO0lpuJ24FsOOYVSYCpLy2ugrKOr2NUqbiBKZs8uBh6RGACfunMZlEw
 4BntohiO7oZ5gjvhGZNUEqzMChw7knvVjZ+DkhFk9yE4qIL7VsJSUNI2ZJym/Xeq
 jr/oT8CpP8/mFZspa6DFciPfhGLQqKcaZZohL7461pOYWY5C2vsJNR2ucBZzTFvD
 BiN/rMnIGFrxUscCCje6RLmrsZ3Lb7bfhB3W6kwzLRfr/XEygAzx6S2mlOM34kqF
 HFpKrg9TtLIpYLAKAIfuNbrLaNP1UKh7iLarhDz/qDcvRka/qJTzLD3eLeGXefAP
 KjJ1S7s=
 -----END CERTIFICATE-----
--- a/contrib/docker-integration/nginx/ssl/registry-ca+localregistry-key.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+localregistry-key.pem
@ -1,51 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEAx0fwOrokPV/14eYr5nY0a+V1a9Q+/n1PULuqIQK6rQbibC6+
+MIIEogIBAAKCAQEAoDx71xRLJqxG0QfDfIZbmUUKedkg35JK/KQA7Ke30ssrNTkb
-rdkQU0vcOjyAH8Y0EjEhZa5vwmPoW3wTEoJvTXh9t6N5GAoKBD4T/+t+AOOVuccF
+mB7d6QG3OyUcTWd15iPL90rteQQJAFDRywX4pJpxTlCJl6TyDpu0f3gcPCW0KrUj
-BZ6N/PFPPzRyu6sM0j9Xsyl31zb87qNZmYU9PGlXRjDq2VHGWWZfEd0T3CEcPVw0
+x/UTwtAU/qTjzcwplQN402cfNu4r3GwyNg4KslYbKwsecqPMr/7J9U/BOb22ZRVG
-n1ylZDJbh+noJPIi3TsXSHUUufA3kiNPRbJFnt3CGeZCZjKpyqCG2EiQlVXmDztE
+p3jGPDWhhjoLuIJ98hafv51AoOMeuf4rKF4jLbji/nLrcBrGA9+Meu28m3PW8+rG
-RZSAYvs6XVciP6/SxtK9KZUXc/xyXr2zorVNsvd0tbPTVjDRJDhVNTxSZrBd2cza
+L4XLMMztF9kYiOSULopooebG9SwHSE7hY1v2S3wUG+fE7G4Mp/6tRgpODokrvY7d
-iRQsko9NMvx3LIz1C2MCMWHanL9enEzZndz+hXoL7syyS4zbhmiyRnNWp7b/qetj
+NpRq6IS8TZdIpPS9ikuh6nmFz2ez/KHcG67OcQIDAQABAoIBABNXmb9ZtMSjUR0U
-+2XRNw8qaxbsbDCYAy/fjYw2iM6GphX9FL+ytxe4ca6wB375tQjFDskC4PSelpeJ
+adWTRmVW/y+8NQqn1yNuDKqEiF0Kp1mSXjFbsH/a9CpQjX0Oex3fvlRImCfeg9Ok
-i7DstmYQm3TRbE+naGwFBr8+DLo/VfFeaUfpxXoY5rDxDUrE3LOY9HvM01rbzBSE
+7d4rB1ufRQQmFqXWhF2dEAm/DvF3v6rUGNCfVdZTVeVzNAh4l6BkPeaO8SapU2QV
-nUvjWQJKYs9LOD1fAy4JOUadWRtleTp0TyzDk4CtJ54HORlWsX+zmAqxR2wSfLS/
+L250/XePi1ID0pYWDbRE9k4FZZa5je3mTctn3s1PHp6xxQdyDHfxZmCZImwZcErj
-dzFzUKbTRXgaVRYY1BqlRXM/up2xV9jbBS2Z4IUEbPZXo+E0xt9zUgGLrCqoVcKW
+joBoQldvUUfjqXCY9SgRJ/MQSNeJoJvPwXmYokpqxfv2sP+JlQgXEcO3Ihj9IkGx
-BX/ArFwnL2LlOkZZAmI69zwfp19VA2tHlBptMzmm3/Ttw9Vcx0AaQ7s0h0MCAwEA
+avMFR3yGdWWLxmE3zzypXvFI+My0E035fEjcObspVOgqxJJUCWLSwWtVAo9shFgO
-AQKCAgBd61qd4vKHdn1kzNztzdHg9BDGFA7oU9iYvQlua2HdgDwgLluxhXa7Oyp8
+fPnfv70CgYEAxqVNQ4eEf8HRDN7Ygr9yruqN5NxXKJKBqOT+OlTAiCtrm6iRFkR/
-y9y6nOgXls4dpPuJCxsMWsqGU7DvOxVNAh9lI/4ah8NXPv5wntIG73Q/dL2Ic5Yc
+WOFA3Ewjk5dxnVBvXHhTZoS2yfIVj8Pz7wbcoigfT+ia4JcAW8xQTs1CV/Xz8JsN
-vLRCHFh7klzb1HRlmsXUFmp4/yGgIil+rDlS2MZ5hdTSj3X3ricoCBfI75oHQfB/
+ChUH3ee2POue/AAxf25yDBGH3fKq34aqL9WNDmaUz+hDCo4r3/hfVZ8CgYEAzoAv
-es7s8q1ZxKqxfHSbOUqHdlq7B0zmla8QE8RBdCkvlT5YGsMBjq1RimYfwOBNRgf4
+tBxwE/VUwkmWzv40WI9J4GSh7lYo4d8Z2TR6FRSxgb0Uf3C3GiGKuLf9EMilL3ae
-y8MZbt0Q1WtPeLPH9zdTzWYnDfmjmhqINEsq+PDoeCA4aciQGxjwOCrapgZnwF/q
+i/Dsb0CVn2sfLdSNFlxj1l8V4R8JfXST2Tn4g1pv6Hs3LEXJtlncg5/1DiMtfrqW
-4q+r8HbgufXjnjGw5ERLt7BsRSYynoJiTWQ3p/wZ2VLpjFtxYxoJ5/qpQvbZMgGS
+quJtKuv8xO+5rbfqtmMYduf4ELkwg1uJJBc/we8CgYBZkUMrRbl6mXuXIAvjuEsP
-Yu3FZNC6cnbOs+JWbdm7Kg93N24cBrGdk/KdEE6lz6uQq07FTSqLtPEQWePzBiuA
+j3b3UFqEUrrf2pC+4GQHgfx9LR5uOehpvPcv3azU6Z4y3oe33BFO0lxQ5jTOo/4j
-1wfP78b2AH6vyJKq36EfMCJK2i7rpwtNz7d9NI5kiLRDB7gesqC94WJ+psEu+ErO
+Mqbc/tZPg4QB7FQfEBrNzUMywhWB0Yepmh338nh7M4p1+ehXmwcVZforGzXsn52w
-w9DbTV3xdOPs4FGGrR41Hbo8emrk6smhb8+VK2odggi8i2CLAkYupMsuobBlX3CL
+/8sgSSSkMge4hK5HyIfD5QKBgHVr6rROH2UZ8dJwqfKWFgntoKKaVoICOEkH5dje
-hyJPfWDv1aREJ1w7zWVQlJkvp5zR0oXZXpfFxjpj7Ypbp7BKxmh5+WYj8msFDfaD
+wDTQiYcuj0NQQq33OLyE0sACd/ufRdRpcOhqHyqBbT9QR9HZQ2QYuYZDcdAGxDOX
-8VQ+pqgPpdl6zElEq9m5koHjsHH57fMeJQ59HiWpWFur+kQx4QKCAQEA0Jnvbm7R
+hTqb6FqYBe2E2Yh5XKzz/hLF6g7P5vDQxCbN/fO2JS0lEbAYdUbX7PUFeRKYsEj3
-WypbPDInkIoPDIhyP9Pqv+wMzNfYEnVEG0GhEU/H5aE20a+Dm6u0bsmPm5lCSQsu
+d2e9AoGAMrejS2Ic64k2I8VyYapEJ1SUaCeNCj7yR67QVtXJWvmYeu9tsUy9bxGC
-EvylTSL3yumQZMincNIUXcPYb2Qye/ZzJnMIibCqwMKQqi4HxCXprWhiEoGPum8A
+FmZuEIUnQV5KZUCKG26GKq/0NiT0Umc38zlUSJzDVM9LUHEt5K066RhVEBp3Fds5
-fN0bTGgMYfM6JZ/Dh1eGsEvemeW+5tn5xZF4Lfp/vkT8v4FuHDydUF/lIx7F5MMi
+VIGgI1BkHeMKfhve0wwAbFECL+rzC9ihb6uNxZywlfeyfKN6ga8=
 VteS0hHnR1DuvxHqtysf0wy2l61LFr7mQCMYTNEyFB3ZfXqpxJmFmCqPbr4PQsIm
 2rqIDw+13eeoyDpJJkdi+yzHkAYDOdAsur0vOQvK/Zj1QKz9qmC1O6L4BN5yp265
 vjSE4Orvo7btEQKCAQEA9I/afLw6lHUJ4FVL0p7dH15JSFjt7nmGHocE7Wf6Yp3G
 vMp+PdGyoJ2KEQB2unnQZK1gZqUuRQLannjNl7fsIiIhHgHxMBCIiylwSUVnP868
 u9/fpJV/cSGze2zF0WAttIgXKNtXG7xMntcY2k+SAe0qjqX494KT0NGnznySt2nU
 A1YlkXm6u3KCOJrBKfbtiHXFoH39sA+ihuPiV7xcETS2ZrFdAX9M422p4yDHqe/0
 dTe18wIxJNiEX4xp/HRE//cuQ5dw/Z/QmNrzgWxHbOmXVR5C90vIJRuYY9xz0tDP
 LMnifSKfnG16l2gqg7zb8xsxYqSGndXWKPAeiq3/EwKCAQEAhCWQbWgcjmFFzNuE
 /ubG48yoe9DW/OAft8Dg68iH7bBkxd/BpbG8VZeXiw16T1i29f5f5IAFnxeX7EbD
 rTLLO1113V3ocwH3YZGa/bbBedETzo4xjc1z8asZVmQiJa1ju4+CKrvZFkDH415i
 wcZgxqbwKhQDijl1+g52Ii5iMYuXE6GGPVXcu8DVrWOk0N7+/IGpIeOQJG2KYDPh
 TOdzZ22FQKY8EeoS3gF0+SLUIDtbUIaR7/Z86iXD2HzdCemkVaZnaoYuMRBL0ybD
 sqDn5nguEObWSII0pgN5Fa3QODhS6xOSc5brfx5X0BBVn0L9VbBJ99GIL3t71jRe
 vVrL0QKCAQB+jUYZT+ncUqgWruy6g7yW89pmFqagxb/SYjn5g9m8WDq0DPDAmped
 p4f/fkbx/gEJZ/I/i3BjA7QPVyHERcdqblDGz2h4X8XYhUv2jnR8P0XIznNTHo1B
 BJh04PeIfgWIqveZC8+KqajYdSQGLDC40Ho6MMahha9p2mPEZRAi2x97zoNIQT6Q
 qxOZqPMV/RIzkAYBI9E33w9ST/AbSHw35xgQEe23zaEC+wdzYc4QMPxF/9smcdbu
 YyA0tVtO6PefoNAO5/nvNFjkEED7kwVu5X2K7Urn3w4lrZ7w5e4FhEoAukN6T4Va
 lAhg+uUtIHiM12B50/tZB4N30bFsP9eDAoIBAHc7ppfpo1aDK3bDr6zTSOU4Mn1l
 XrfhBJHDy2Wt9WkvWtcCtXr3sDpthaChueV+mGoKvfgWyzUoauO6HDDsRYriqaQB
 cXclVjyy+3atY32Opz9rnWefQkbgTOQ+oQgOzEFhxNS+11Omc6ZZ9s31N6TZi/Yz
 rgXzhGrr73DkV6uwiiwkvP8vJxg8AMWKorDIm1myr9wwlK5ogDKSku1DM/y1gvlt
 4EA39fqURyqxN9o5Yq+8K1+a/smjGx95M+P8Nke4bMs1+lb7bBXbMaVpC6DLqj8B
 eleOZ7adY2mS0CBuf0PNkJRNDwF1B5VDmGBJLubUtGLuUUoEyUbv66WfnUw=
 -----END RSA PRIVATE KEY-----
--- a/contrib/docker-integration/nginx/ssl/registry-noca+client-cert.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-noca+client-cert.pem
@ -1,29 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIE9DCCAt6gAwIBAgIQb58oJ+9SvWUCcYWA+L1oiTALBgkqhkiG9w0BAQswJjER
+MIIC+DCCAeCgAwIBAgIQTCXTJncsLpgueaMqQF6AiTANBgkqhkiG9w0BAQsFADAm
-MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE1MDUyNjIw
+MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
-NTUwMFoXDTE4MDUxMDIwNTUwMFowEzERMA8GA1UEChMIUXVpY2tUTFMwggIiMA0G
+MjI1NzI4WhcNMjgwODI2MjI1NzI4WjATMREwDwYDVQQKEwhRdWlja1RMUzCCASIw
-CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDDmOL3EhBm4So3agPMmF0z1+/nPlrE
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL0fYn9wE7phMA6CFT6gv7mDpzSB
-xoG7x0HYPk5CP3PF3TNVk3ArBPkMzge0/895a4ZEb9j+LUQEjOZa/ZwuLmSjfJSt
+LkebCxj3LfU/isdgXvtXUn+BKIolvav7oJyTyz1R0NzX5uXxEERMBUW89KWvPLPK
-9xTXI1ldp8KasyzQZjC33/bUj7FGxGzgbHyJrGGBoH2W5HdswH4WzhCnGTslyiDo
+o3d47MWMcAgiYx2+FeGZo1cjq3IRVKyg3WRVw2rO0YNL3K1QCS93A+IdA/05muwt
-VN4hklJ7gr+Geq3TPf8Eji+1L71MOrUyoNp7BaQBQT/gKxK0nV+ZuSk6eaiu+om7
+346XJ2FV0tPmETn6t+So2e9ZXh+uJjcCHq4XpJAJznCwemzzRpDe7nG5sYZqq+Oz
-slp3x4bc21o7eIMmNXggJP6p9fMDctnioKhAPcm+5ADiFYSjivLeUQ85VkMTpmdU
+zBQ/bTC8rOdqW5woH/GhQHYHcKf1taPLmDLczVPQCqS3LAEK5EOUElfpQykfkZI4
-yvq6ziK3Ls6erD+S3xLvcHYAaeu84qLd7qdPwkHMTQsDpO4vPMIwL8piMzZV+kwL
+clOZBhJ0e5zNEBTB/XRd7uuUA57Ig58l7hbX0fUPHgS9MF1z9CXJ40BSm/sCAwEA
-Bq+5xk5//FwnQH0pSo2Nr4vRn+DITZc3GKyGUJQoOUgAdfGNskTt8GXa4IsHn5iw
+AaM1MDMwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1Ud
-zr12vGaxb//GDm0RLHnh7NVbD8xxDHIJq+fJNFb7MdXa8v31PYebkWuaPhYt6HQC
+EwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBAHKH54KZdpvcLRIJK4yeSqwOigYp
-I/D81zwcJIOGfzNITS2ifM5tvMaUXireo4pLC2v2aSY6RrPq1owlB6jGFwGwZSAF
+0NHM9U8RlHjmf5Tp9lCtZpVrkfUtg9rXytekAXfd6GaNex7swTMNPnJBGgaQ2vA8
-O6rxSqWO1gLfhJLzqcw/NjWnO7nCZEs/iKgAa22K2CtTt3dDMTvSBYKdkRe/FYQC
+0jdtKfe6AcHTYQV1rs0qunlR8i26cNhYblKPJjYYA6FBzTTtybXhHYG9xvYpSVpo
-MCa7MFJSaH85pYRzoDN4IuVpvROrtuQmlI47oZzb64uCPoA4A8AN+k8iysqITsgK
+XcrsC81DYK6nMiQMRYuT7RO/rtI4Tzx+laYc0lYgBzf6pXUjXycgAuJ5+cWT8DDn
-1m8ePPXhbu4YlwIDAQABozUwMzAOBgNVHQ8BAf8EBAMCAKAwEwYDVR0lBAwwCgYI
+OxPXbfAxfzc6jYfsigwzdOCnuIomFogm8ad47ApTTTLFrVtqCNJAKCu7HufEbB2G
-KwYBBQUHAwIwDAYDVR0TAQH/BAIwADALBgkqhkiG9w0BAQsDggIBALSgrCdEQd3I
+OKWvl9NmTPYetS6MO5LqLAWcf/uRPn+lufHeTfBWIDD5zbJ2+ATP+mQQ2d0=
 vb/FNkNZkAwdjfBD6j7ZtPBwvjEiiyNTx9hOLBGvbey7kr0HtW0KkLWsdRmCc+3z
 ev9I5VjDOtpiqrvuAA1wRBaL3UzGyj/eFjPJpvkfJi8zjkIZ2y18QG3yJ6Eqy6dD
 0aIQAHl9hkXMOVrf364gf0p7EoOGtSlfQ56yIGDPTFKKiy+Al0S42p17lhI4coz9
 zGXE1/SiNeZgdsk4zHDqhzzBp8foZuSL1sGcIXHkG8RtqZ1WvCyIPYRyIjIKZcXd
 JCEM//EbgDzQ7VE/jm+hIlYfPjM7fmUzsfii+bIrp/0HGEU3HN++LsA6eQOwWPa/
 PrxKPP36EVXb72QK8C3lmz6y+CHhuuAm0C1b1qmYVEs4eRE21S8eB2l0KUlfOecf
 xZ1LWp1agKt6fGqRgcsR3/qO27l8W7hlbFNPeOTgr6NQQkEMRW5OxbnZ58ULXqr3
 gWh8Na3D4+3j53035UBBQUMmeeFfWCvtr5n0+6BTAi62Cwwu9QQQBM/2f9/9K+B7
 cW0xPYtczm+VwJL6/rDtNN9xPWitxab1dkZp2XcHG3VWtYvE2R2EtEoKvvCLPggx
 zcafsZfcD1wlvtQF7YjykGJnMa0SB0GBl9SQtvGc8PkP39yXHqXZhIoo3fp4qm9v
 RfbdpOr8p/Ks34ZqQPukFwpM1s/6aicF
 -----END CERTIFICATE-----
--- a/contrib/docker-integration/nginx/ssl/registry-noca+client-key.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-noca+client-key.pem
@ -1,51 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIJKQIBAAKCAgEAw5ji9xIQZuEqN2oDzJhdM9fv5z5axMaBu8dB2D5OQj9zxd0z
+MIIEowIBAAKCAQEAvR9if3ATumEwDoIVPqC/uYOnNIEuR5sLGPct9T+Kx2Be+1dS
-VZNwKwT5DM4HtP/PeWuGRG/Y/i1EBIzmWv2cLi5ko3yUrfcU1yNZXafCmrMs0GYw
+f4EoiiW9q/ugnJPLPVHQ3Nfm5fEQREwFRbz0pa88s8qjd3jsxYxwCCJjHb4V4Zmj
-t9/21I+xRsRs4Gx8iaxhgaB9luR3bMB+Fs4Qpxk7Jcog6FTeIZJSe4K/hnqt0z3/
+VyOrchFUrKDdZFXDas7Rg0vcrVAJL3cD4h0D/Tma7C3fjpcnYVXS0+YROfq35KjZ
-BI4vtS+9TDq1MqDaewWkAUE/4CsStJ1fmbkpOnmorvqJu7Jad8eG3NtaO3iDJjV4
+71leH64mNwIerhekkAnOcLB6bPNGkN7ucbmxhmqr47PMFD9tMLys52pbnCgf8aFA
-ICT+qfXzA3LZ4qCoQD3JvuQA4hWEo4ry3lEPOVZDE6ZnVMr6us4ity7Onqw/kt8S
+dgdwp/W1o8uYMtzNU9AKpLcsAQrkQ5QSV+lDKR+RkjhyU5kGEnR7nM0QFMH9dF3u
-73B2AGnrvOKi3e6nT8JBzE0LA6TuLzzCMC/KYjM2VfpMCwavucZOf/xcJ0B9KUqN
+65QDnsiDnyXuFtfR9Q8eBL0wXXP0JcnjQFKb+wIDAQABAoIBAGQFxk1KFFT9c7Io
-ja+L0Z/gyE2XNxishlCUKDlIAHXxjbJE7fBl2uCLB5+YsM69drxmsW//xg5tESx5
+oF3IHL5b38HIFJbwbBUfHaJYoehCktlxXINs5ujxfvgHk/FbxSDANaunUEoKjaTh
-4ezVWw/McQxyCavnyTRW+zHV2vL99T2Hm5Frmj4WLeh0AiPw/Nc8HCSDhn8zSE0t
+Y+R3RBigroUURhI41VjBprrWnP8s+lufqyC6D8G7YsIOLikTps/FZE+Bfsv2yXTe
-onzObbzGlF4q3qOKSwtr9mkmOkaz6taMJQeoxhcBsGUgBTuq8UqljtYC34SS86nM
+CCK9X8+8eLAyrsq2LLCw+Fjzk+bKRj+zE1bUR2MqNYtRNOFizDR0DCy/f+OltmhR
-PzY1pzu5wmRLP4ioAGttitgrU7d3QzE70gWCnZEXvxWEAjAmuzBSUmh/OaWEc6Az
+MVTQgA4hAWyCXc3c07zJ3YMiVMHBIGX3hiwEGhzgKtS8vQ7isW21StGLsMQlvUgt
-eCLlab0Tq7bkJpSOO6Gc2+uLgj6AOAPADfpPIsrKiE7ICtZvHjz14W7uGJcCAwEA
+AjrVzzsacCSzuL+QZoZtZl3E7V/Mko0bKNeOz2ouoWTKxInlzget+b+zE39+1WZO
-AQKCAgBmIvmxpp8l+cH/ub5OIenZXpMJn4fqZPXtxjjd4HshIN0ln0JlF15lOG2M
+T/X54gkCgYEAx5sI73letGuk9DOopwKLokj0Qdj3f5VRb3yJqbp3YkLTeayyRAwD
-gDGKFGKUts8gAX/ACocQETtgnDnn65XlwPIqfXFGflD2FNoLyjBGinY6LhtIF9is
+3KY+NwSDGLqj/IcG5DN/ZtLbbhiI2F3oPcJG8QyVqmsfzF7aW3RaBBt6gFN6IdQ9
-aXmpHz1Q7tDjzZiHKLor8cBlzCjp+MToEMpqR5bO1Qd5M2cro/gM7Lyz9kN3S3x/
+SO0pS28bj3PVLqPqx3gXHZ3l9WRgj5mbl6yvoICiymMMKajOgKi0sTcCgYEA8o4j
-x9BCpbgwsVtYxGfEePmFkwAO159tx4WMCYvOlW2kSm5j+a7+iwmA9D7MGkVZHvNN
+0HFhxcLvPz8GCynSarMXaZe/mEImURq8ObH2KSgBogD5mCA3IHL4kQSiRyxNoAt
-A7Y/H0F8ekdVBN5pMG9Yrv/vk0ht2lugcS5YGr4eufFq0mhWdv+jhBTxLzqPMMBG
+crGr1idsR28UYfX4xprMp3okA9ujAw0hkiNhUh3jf3ZywvQXFkOoSbtwnfAFK83c
-m9oMJcj8XyXYtwpfVsqBpCqK2wnEnv4Kf0rZzBU706nI2mjPXx3dL+5qo8uQJKNp
+CmHy+c4OL9BAXsHvhsRHDCVjfKupqJQwux+9HV0CgYB+FSMmyX6V7qzqiDsPC5+S
-mxoS7vmHV5RIJgtdvyzGFHjdfu1leowhV+Jy9jWzMw4wlnmlxsfDECf5RoSf2XGt
+Kg0IDvn/QB2Jk5wNdzhz/AxC/mA4dXJ3DRedfx8kHrj5CX3D5feixqxOtfay3VaW
-SMGJb0dbJKae+W4MfNUFsgAWMZk3h3KF8AHHe44OpDbQeoh3JLnkWSG0oS3CR0ch
+tEJFfxKG7FXQrVW2kR9PGuBdcN1jwwHXL992w78f9SYC6Q2jY+sODTA1umr4KipL
-68TzCy0SZZEZ9IS+I6o5WVpwWfReCQ5NjaKipWcpiJvxg+Dc3GG3QcVXVz2gGrJh
+O4xQkRDDUJ9dLUELqgVBLwKBgQC+/CLizQgOdZv9hCmvk0FppP3j44M6wwa1QAUA
-g9v0v6eyeOJ32QGvvP7THFBjpWeeHlXT8Yz6hFcPrvErEZ029TEmhg8aLWBGfsR5
+iIblU8LZQbHobSYp+l2iXL1HjvsOkeC3RaSrLEF7AcDH3Zi0MOFiIa9IBmIVnfpI
-F1bazdbqvOSEB9vBAAaddNnEDG9Rl8EmC4WdsnVgYUw1J7gfQQKCAQEA9DKjD9eN
+Cmmv8e7Wx1pXnUCsfDt/SwLCqWI4+o/+8N8TySasiUqWEhhbQiM7Mhli6fvdzEmO
-CrUl/2YfSm2WaFhYci74XcHDVeAXN2SbOyKbMIqk3aOFQNRAsLRnwPkdiLtuqeDK
+ndAX1QKBgCKJA25iPkLKw4mFVxAaPIAZnenJXJpuHF9tGzjjcFfioGtvI/1mrePs
-BafrfLTCORHfFdYKnUzmuekESNLckN9VyLztgqOqNAv3LD6GmSHBaJEnUyniLxOL
+PhwoO1qpjzY9brtf47l+vVMSY9KrA1LvudPvTqBtyjQvG5SqsWZSLuyJL30HKeFy
-k0wMEBIsEQw7Fb4blM2REYJ3ZzMFmgpRGnIX8KcxhW9XgSrnqMLO0w6mVxjo7xzd
+hv9FCsGVcF6wu3S8wXaGC/H8kityxTqFgZQW5whl2D9axJavygKj
 813nCcNrGhySM/EzKYtTNHy2JZmMH5QFHaIj67KklO7VeEZX5U+TKveBEt4rmHqs
 Ndqf/djSs8vu1xse82pVRxMXX2mhDLmwjUjPgWYxUL92jTiyJhE7GxpVB/yHgF1J
 Ecb47MDahoNKkQKCAQEAzQzvCOA77IQpGO117GcMqcjzwEUhTytojFBT+s5mHfzk
 dYr5TyN86LQ7/GktNoJ5oRvD9UGRSul1OGneivqtWj6mv6/Zvfzacx8NXY4MYFs1
 nEr3Gr7orVFIzD2x7nMPG2G6+J6hZ1rhpnZ9Hprf5G41sHIJxHJ9wTYSUAmFh8bv
 FiJqF90bSq/E5hgjphtX6wZWeZYspzc/5+IrJ/I0nqoxV3rjUy234zlzKJAV10sV
 5oVgxLLQsUujkHp/Da+ij2aTv1Za8y3PTJ7MAHYgdpa5l/4U9MnPUEB2REBCI1NN
 TqxnViwD0xgsvxfb79UzruLJIYOCKvfOumlutXM0pwKCAQBUIMXQhWAP2kyW6mXJ
 TGvO0vDVlZz3H/Pdt/AHo19fRhLU7E7UFKupo/YNanl8H9au7nO3jrvKqwkT02o+
 IwwKB81sV7v9PGu/cvWN64MwPvZMVXojqCOlWH0icGCjV66Glh1YPpGNU1ushbYs
 wVvxp6b04sUhlSLxqMA7S2aZh8j7nX4QDEXHODLLDyIV0Cw6QViuV/GXEDiyQmK5
 gjJUNrp7i4ZExNozpeyCTIpepSde4hKVRJrCbumFFJ8M5GvRRj0asNh3TTRlTbd5
 Pb6w2KUXEwECFW+t7UQQkEBkzDrAx6YhvXRoPqoRN0p3keDNeZBtBrZPq47CccZX
 JRAhAoIBAQCJ/DgnGu54XP9i/PksGrSU1Nvi+SJPKoDyW2QIFTj22SXMS7c1oEYA
 OrlbRFPeqLK8zfhyZKsnZC8zxVqy37okTqDbwbSfezZt3emamWqOtRJAmNnsr6fY
 aii4+JNySQ9Td9LgV69549iRso7EN6iPCfMrR7J29izWBlMQdTfchOyDUqleYbZp
 7hpsVLY4o5HoYJ10uLBX3oAsxTARc5YhZ5pIqjOr18o1KIXsN/napXaZaAwUkdiK
 VsI9CZHSXezg30Bxs+UEXEFx6DKT5Oo3o3pFZAAqMlxGPvrXNv7K0tXlKXNos7nn
 Jg+GkMG6hRiAibCb0umXjKcbHrQXeu1lAoIBAQDcRBsy6cSQXMSu6+PyroH+2DvR
 4fuiMfSrUNjv+9K8gtjYLetrZUvRuFT3A/KzDrALKyTFTGJk3YlpTaC5iNKd+QK8
 6RBJRYeYV16fpX/2ak/8MgfB2gdW//pE0eFjw+qakcUXmo957m7dUXbOrw1VNAET
 LVBeVnml+2FUj0sTXGwHKcINPR78PWZ8i1ka9DptnKLBNeA+x+OMkCA88RJJegSk
 /rgDDV52z4fJHQJh9TZ7zLAXxGgDFYLGPTrdeT+D/owuPXF+SCP4pMtVnwbQgH9G
 dfQ9bb7G14vAeu/kEkFdGFEreS09BOTRbTfzFjFdDvSV4JyOXe9i/sUDxf9R
 -----END RSA PRIVATE KEY-----
--- a/contrib/docker-integration/nginx/ssl/registry-noca+localhost-cert.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-noca+localhost-cert.pem
@ -1,29 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIFCTCCAvOgAwIBAgIQPjclBRGzhznCybQzYRQTyjALBgkqhkiG9w0BAQswJjER
+MIIDDjCCAfagAwIBAgIRAI0Dt8LVd8cJPc0dv5aW+wcwDQYJKoZIhvcNAQELBQAw
-MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE1MDUyNjIw
+JjERMA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE4MDUy
-NTQ1NloXDTE4MDUxMDIwNTQ1NlowJzERMA8GA1UEChMIUXVpY2tUTFMxEjAQBgNV
+MTIyNTcyN1oXDTI4MDgyNjIyNTcyN1owJzERMA8GA1UEChMIUXVpY2tUTFMxEjAQ
-BAMTCWxvY2FsaG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALBe
+BgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-C9O6es+mStDowUd1kiM59VkinzzdHgE24LvKmGxQ6fDnnT8S9L7iyzoxcJWlvSHu
+ANr32CUXFUCW1c2oPoHjq76T8jUTH/cxPiR5NabJ1y4gMCBko2rIe+TblW9UclxH
-pfyZWvij0ZIyRZ288XemTEFYq25RK0IBGGdvYz9OqT2R3lblBQrXDjSi9WG16sGx
+911gjfpSAxFtNf+lX5kwmAMHhU8pcCc+Mjp3Ax9acFXSXvzzTDg+xj0NGig6OBk3
-60MGhM2egGMqFQ5DBfT16IKw00+RjFgCVzJ8T64Lzw82E0e7d6hl39SPybY+uvrt
+jyPuO92lM8A4qs0mBZ/T04iLkawLmdRXViRoGK/T7Df8HN+hm7UsG0VO3GxFgSST
-SID60hYGmXoOdaiC9qquivks67BZprGNfORrvyJNrCFI6oKUFWHrQ1PpGd2tOwJN
+YhhKTu6JMTADszbIFPOvBxGCUNhffXiLNyviO4AiBdcAv2v0SUadEPmSGm5Jb1DK
-1P3gkkS8pVlAif6ZQkAf+zuKu+l4j5tKxGlJAkJsafVJDLOxBKutUj5msha0g6uJ
+tfKY0jWi1k1zNSqzit/bhML/EHbVkYJ00QmH50MBTunpz60gIgHjt48nzJarLDML
-gFXUe0+G8hkNcEjd8XqUUCwIOY3pdv4WsydKBk3uH9zMnYolw53k1q0ObvoY1NXf
+oRFMppG9XIBQlUn3lo0gVwcCAwEAAaM2MDQwDgYDVR0PAQH/BAQDAgWgMAwGA1Ud
-beMxHQAtDi7nfQGlae9cuuOSymy95WuvzfhZFKdPWUe8lKN9QXFIWVoCFnOm8T3P
+EwEB/wQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IB
-+FNCUE+p8DIWkal6Ul9THi/Kz4p7twyrUp1LwT5EtSaJ3iGAmB9I+8/1vmZT3lPi
+AQAb388owui+O9vUle+A99FXwcMDEb0OILc0lBXVWx8q5ZE73vcanxyAcfOsZYRY
-nX8P+iVGM5yOUnptrsFm0bUcJWRD6iaTK1KxpH+Is4h2kiUiSz1tC/9bKaJYN2o9
+Lh7G6VtJwC9xVjAdNwJ1gd+ak1l0/Rhs1V0JZ12/wOvAOQ7+9g2lRc1IedOh3EIh
-oy7q7+ZVfHSmIxLo8ZFYsaZBcXi96cKuuPMR3X4ISPwKDqP5irxU/QbI+YQBMshg
+d3BMI4RdDB/BnnK3XjkggYQZK3yiAOavmmsZxAOl/apzjF+5u8XjuydMmotE2NYw
-G4b0BNoMZ50g30r3Hcsifw4pzPQF0RDMOBeCiOi3AgMBAAGjNjA0MA4GA1UdDwEB
+IpM93zE5wWXqzYs/Kmyy7zAcHKfvq9xej/gMCFEvO6lopmwyslBLPpPNHwyfIVtA
-/wQEAwIAoDAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDALBgkq
+mspm2OZhdmpRJYGzkR4wK5NjoRl2O11uzlMRDckp0GSZ0x6TGxmb7ot5HK27p3ep
-hkiG9w0BAQsDggIBAFuS/VrMNUwEMyUIktDyna5ExYh/FDOE+YEYf8tsX7dSMhRK
+6LPZM1wJIwuYHIP74eH0ctQP
 wE560/AcVZcbKKAZOnZ/262a++8tparsQt+bXBJ2so6YUqsFDNdOLCI2aShjWDRe
 TNhqmLIO3FNsLRKp96WHVz+jFoiECsoYfKn0jgqTqxx+7nWFqgBaNSlF5cbCgLCH
 jQV1uQhzsw/Mh/32hXAidkv/nLeLf7FbKq08hgthtoP+XstlzZ5BxkPodjb8XWXG
 DSS49SWX971GHa1apwMKfxVGSppxn18ZwEmW1BUfQBNxtMytqA9DK3+xuoUdXkB0
 iJbm3Jc10JSRju8iyL121Xt6f8O33paVz/ndDJIWztUOjnItc89rxHsINPt5+cUt
 jix8ohwmHGDrK7ZooXBvotvmGT/xhPr2eHUAG8JuSJ/Cr09UUOwUEigz4CfgJOHm
 XukdzjOkb4r7lhNmVeGqrjRol1W0Wsc1NGH++J6xdkIeQ+i23kHwFHfQWV/J69tm
 rOn2N+qijtmbIy9YfVcrFDtUtEAzXylZ2StCVQNofd0M7tXNdrUL8yAFwlrhWGJV
 wsSP++1xH2Ie6Diupy8z6rbP383HmnmVPU/UecgLrlX2lEpt/UZkkX1Xm+6PhrrT
 HDeeULvqtUP3PD8wS0C873Pl9GXOKISqf0HKEIDUAVZhQOsGFqiZH0388M4L
 -----END CERTIFICATE-----
--- a/contrib/docker-integration/nginx/ssl/registry-noca+localhost-key.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-noca+localhost-key.pem
@ -1,51 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIJKgIBAAKCAgEAsF4L07p6z6ZK0OjBR3WSIzn1WSKfPN0eATbgu8qYbFDp8Oed
+MIIEpQIBAAKCAQEA2vfYJRcVQJbVzag+geOrvpPyNRMf9zE+JHk1psnXLiAwIGSj
-PxL0vuLLOjFwlaW9Ie6l/Jla+KPRkjJFnbzxd6ZMQVirblErQgEYZ29jP06pPZHe
+ash75NuVb1RyXEf3XWCN+lIDEW01/6VfmTCYAweFTylwJz4yOncDH1pwVdJe/PNM
-VuUFCtcONKL1YbXqwbHrQwaEzZ6AYyoVDkMF9PXogrDTT5GMWAJXMnxPrgvPDzYT
+OD7GPQ0aKDo4GTePI+473aUzwDiqzSYFn9PTiIuRrAuZ1FdWJGgYr9PsN/wc36Gb
-R7t3qGXf1I/Jtj66+u1IgPrSFgaZeg51qIL2qq6K+SzrsFmmsY185Gu/Ik2sIUjq
+tSwbRU7cbEWBJJNiGEpO7okxMAOzNsgU868HEYJQ2F99eIs3K+I7gCIF1wC/a/RJ
-gpQVYetDU+kZ3a07Ak3U/eCSRLylWUCJ/plCQB/7O4q76XiPm0rEaUkCQmxp9UkM
+Rp0Q+ZIabklvUMq18pjSNaLWTXM1KrOK39uEwv8QdtWRgnTRCYfnQwFO6enPrSAi
-s7EEq61SPmayFrSDq4mAVdR7T4byGQ1wSN3xepRQLAg5jel2/hazJ0oGTe4f3Myd
+AeO3jyfMlqssMwuhEUymkb1cgFCVSfeWjSBXBwIDAQABAoIBAGQMCf4oZdV1FYs5
-iiXDneTWrQ5u+hjU1d9t4zEdAC0OLud9AaVp71y645LKbL3la6/N+FkUp09ZR7yU
+7BV86OPSxT/q1Rgkr7gKibEDWAYDPvoOAXywzarriYOsmfQADc3kZ/qPrkcwFxQP
-o31BcUhZWgIWc6bxPc/4U0JQT6nwMhaRqXpSX1MeL8rPinu3DKtSnUvBPkS1Jone
+g3aC9XGs5gQdctj7WgfMiOiycdFEpZH9uD2asQkEC4eF0kvzTrukBkZnTRXuzlud
-IYCYH0j7z/W+ZlPeU+Kdfw/6JUYznI5Sem2uwWbRtRwlZEPqJpMrUrGkf4iziHaS
+m8RDDMu+uXhadJbIsNtBlMYBllSdS+LFxXcAYm+IsvTYzmwg4+bnjvOwMHO9SMSb
-JSJLPW0L/1spolg3aj2jLurv5lV8dKYjEujxkVixpkFxeL3pwq648xHdfghI/AoO
+1dfgOLkg/A++/GTjD/kUyCV5dc4lv2I0i2pXJkD2V0Dr6Yra1U/MRKcOwTGC2q/8
-o/mKvFT9Bsj5hAEyyGAbhvQE2gxnnSDfSvcdyyJ/DinM9AXREMw4F4KI6LcCAwEA
+hZuKm9DgvGXvZsG0+yT5fsexGRwTxmByvfj+QMF3LCTDCknD4d/mmEEX0EEGPlW2
-AQKCAgEAnrHg/oD7ZMEC7PuifoRCHMRYCf5nPkLQbtNMYG2pvT0JY6VlDo4l/2Te
+I7OgKEECgYEA/LkdwnXy7ymis1Rgjumc3ydcLoCqV3ExaxXrvO50EkRpgRX/TLEk
-7NvzrBPYHSI55RKwkq4FMwFdNtP+imTulJYOm1MaE2gc52WI7jv/eNE6OQIWCWz8
+j98iVYyksiaJuMhqnxNttT6GwWJvwIXFPP9WpIGmzi4GKyqYGEX4WbyPoY9hjt/G
-8Uv4dBVWyTcos8S31rTaXWBOVejlAUgMERy+5wfWOpLQlzLYF4m0pMFJk/AReUtB
+muR67cTXg6ssiSssUCoQnWIHyuGDJfzRWqnoei0dIA2GobOwFJtXeV0CgYEA3c6u
-nmhLXlsPsB22cag/RWZmzzcXk6tT/LzVe+R5ptLkdTsUuAxjjaBKVCDiMuDAZL1m
+utbNtmbyp17Jffx01ee8Wprhnoz7Nh/dJMLngpIx3i8qQqpFB8TPNUTu+GLgGcol
-dah3h8oKIMab8l0SABumxKqYAKkyvbSJQUhSUYAT5+3c0cfJ6q7WoMk8TqvnwfpQ
+n9BDzZszoVhsxybn7Lgm/OjS/jQL4hosFoqztThkg28L8UD7QB0TyCucwgk2lgOe
-2Klbcaa4G6+79H8e/a41RWmcMVTTpLKmwzx/iMLPswLnTFbWYCsLSsml3OpmXPhG
+VxyX25kNSXzxdCYaKr1+6g2gtBAb0zPj2E+5t7MCgYEAimoA6J6dHWwaVkmiUOOW
-CKdbIWMvNMBfahZmnCP2pNcZBVY1/k/lEw25ehtnWqA7HplawT6V3gk/Bzz+3e3R
+LYprLHT/1sCCJnptEJ8xJ0gc2LxphWGH+txk+6H6GjCNQY1TCCkl7xx9xbDaMAGU
-XEpioZF70ipdW5Pb3OG/tKSNDvRRjqLPk9UWlQzmedzu7XN28V/blw/CBVcMAcc0
+E2Jt28++wjHm4wGDJ9g6uztRF1VmQ1BAgFkfEta6irzXuZDRxl4jl283gWCd6dJb
-njwAledTuqv/wQ67dtbXdcxSPZbV/Rq7y3OmpgK6RWLIFzzpOPW5gULqUZfrnxtv
+/2ILl87ZotKFqE6347Fo6WkCgYEAyDNyMMALIzTelkUO1wFUL3If5yPeuy4C3IJ8
-StxVnlZXhFoymodFobTi7AYibsLaXLkunZWXEwFwdtLfFHznfHq/rHfBmna1lcKW
+J18oeQkdq66klVF8RxvT7v/ONjGAlqaHuSzQ1jbcrifS3xp1wYsh3asELl+pziXT
-MgWRqsbaoCsqHC1nc0E4llFkn3zqGYgMQNBeqNfX6cIPI/eQzPECggEBAOk0TP8N
+X3FH7Sz+REep3tLJNMBKB6WdsuF//H09oOD1DEej342/nhd6DNPHRtiQEZZslwBC
-edIFENOrzUtpH1fB3k15heeA84SeBhj8t/xrphR3o+IVO/GtMtq9hVLeYFVPwWCi
+Cg9D0NMCgYEArNksPSQJSxXqxZsw17OTqQJnf3kNBI0SP9q6Wc8gN69r5YQcIHcr
-Mmy4KhwNUOtFeCSX4MbpiXvoPEjL3QF+Sv95HsEWsT1iBQIN4aoV0ZSv48YsRczs
+KgtfdiL4LawZFie6gcNu398ng7VYUzzkYR9j+G5qPetcqllQZeVc6cieUyR7Eul0
-tLjr96hADLTMfpCwyRq9r8XVF/hnx7vqOoOC/J1kteRhjOWRnutFpdAMfkFgzUa9
+WvtlUECCfweLFUsIhuHyEsGu1PrFYd98SlOzt24utguFss1539cEC3A=
 1unmDHsDifcT+vpxief9Q9zK9xMYvYmwFkBUjOlhC7WchZC20nrwvM+A2mMBpeLB
 WSRWsYeOqW8zcQNGdWuXXMKxsYHwv9tXbANVWxs1gz4x7BxcFoN5poIFrnT+eImY
 EwhGrKR6jZsKF00CggEBAMGbdZU0+yvxL2tAul5RGAqv9xhdUV4eg8warTQ8/RWt
 8Vef2wllBYnP48rXNDovb7ZNOjMBdjIWZ2zq2McMtHqpzP+zWQWaNT8/7Zi24JTL
 y4G75kZdGgTPG2Y71seZoZGxfOu4gf7cLKOqxiHYrNDHEDl5Pi13tJD/8qf6hYm6
 K3yALSv+QlM3mk+5oueKQ7Lj9rV81YomYSV5+K+WhszhvLmuxv0necOLKapeBWvL
 GQ5038yAq3PFdu0HXzyA6L8YdusP1d3sqwQvLbi8KAMXJCeT6WZXGYgX2Rjfbuih
 ZHUaE7Ac0EsJfMuOowSkS7oXuT81k64ngCoq5KZC5hMCggEBAKYkt9JiZG8HYuSb
 GsjmHQllup5RvN+hVF0gRFHbAq2YeBtO3Xg+DpXxAjErIuhWPCWri6bwB6LDVmTj
 68milaTke6TbTzLy0rg+Xbcppf766LlCFIYZ5l1/TE3j+4vGAC347sW/wkWY/7lj
 4GmS43zsJmqhx6/XUJuOPJOZnZSCZr0vuhL6mOoZZDJUTXy62dx0PetvZsT/O9cM
 P2fDWWTCLTEVlBqik4KMdsS4qjGsyzOeCzyZReNDDRO/nZTsRSqSSwARJhQom5Rr
 RDVQXeyqbw93KAQhmshroBSB5Rc+4YiyCE3wPTo7NWL38XPi3lbF0VSd/rk/uNH5
 6hcSCmUCggEAIPHjQFCTrRaNiyKolAQYozjuQyceAXYP11tyvcDjEB1ZRB/flemq
 15iYmpukN4J67/qUPLmy8zL8xnvwB28SBw195MUQEPP8u5aVR7dW3/sN1jWzKaYO
 F2Nmti7YjX6HD9Oz/iiXdlbhAbi9nmTQg3ZcPGt1OSd1gncLQ6pNrvIPFFB7X1EU
 2DRN/eMI5X2Rp49DG/7yF2AQh+AJgVeL+LEw/CfRlKJzBeNYY7U8Fuuoh907eAEt
 K7YeVpc6jYEiGeJ/2eAH9IuhTkT48saRyHTXoiR5QwDvR0lHmAPtS4irH4Igd4dv
 qlUi90B+XPvYJwKCc08aojf2hzZlUiVwIQKCAQEAraCoWea8hLFchxmAiBt7joIg
 nNK7a3LOHYxT1gB9H+PoVqTmzGVTeZpD8Jnis/UHmDhRYuUGqvFIefjAWbz0jJAN
 t6RMAozENCG1PoeXHf1gt2wspv14kza+8jSdpzNrzZgPZdb7Wh1UEqUkiRYwn87f
 C7DHknqCj9S2qq0DFXYz15JNPVrbvD+ZLBFJhTAjppS9TuYQVLf8JPYHpLRio/9A
 dMsyOz1VA2RRYN0u/u4ccxiN45K3PbVMCeDPbWXNm8G75YKQ7LnIuehMB1qkZy6N
 MOnNGp3l/ZkFK0JsW/pZqTQ2FqSkb0+ttTFApFI3qB04sc4s0uKPI9fa0OQtUw==
 -----END RSA PRIVATE KEY-----
--- a/contrib/docker-integration/nginx/ssl/registry-noca+localregistry-cert.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-noca+localregistry-cert.pem
@ -1,30 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIFETCCAvugAwIBAgIQCnqSQalw9ytL5bHLgHZe+jALBgkqhkiG9w0BAQswJjER
+MIIDFTCCAf2gAwIBAgIQTyBNJlm7fS0yutwdLbhG9zANBgkqhkiG9w0BAQsFADAm
-MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE1MDUyNjIw
+MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
-NTQ1OFoXDTE4MDUxMDIwNTQ1OFowKzERMA8GA1UEChMIUXVpY2tUTFMxFjAUBgNV
+MjI1NzI4WhcNMjgwODI2MjI1NzI4WjArMREwDwYDVQQKEwhRdWlja1RMUzEWMBQG
-BAMTDWxvY2FscmVnaXN0cnkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+A1UEAxMNbG9jYWxyZWdpc3RyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-AQC9gvT3cwz0Ih9+7Ilv5lc15HsEiSmEMh4nOMZrSaamKgf/ydCiGo3DQapr/XDK
+ggEBANSMT7auGdwF63fFdQM9O/EqrX++gnuBQgFa4cZzC7GqsvS90uKTOLuWIA2U
-FHMLKq68AxwfOlzmEFQ4d9umpPMQ2+4GBr0VG23ppGtQApIPHgD06S0/CeHmDIXN
+ehgF548EDkZu1z6nRAvoFh5L6B5f1VjiVknzLEPlR+5uPD22kbcxgCrMCRZn+5mK
-FXcKybPX/9KbgNkXBWbbJkJy0EcsdP8VJD50Q2WH89nvgEYJNFuKEELD3iGY6bBF
+vJhTUpx18yeBXMhxtPhkGnKaKwGcgeW8O69KM7Mo4HBQqg5656pa+4wkUo7GX2v0
-jeDTle5jYA7CgBKvD2avn31g24Qhxn8n8/BdYO/U0kw0qmoy1veLOjCAW0os0jkM
+R4ZqmrS1tlwOgpld8KZKVJ1FNyGEeKQkIYGJKHqgC2/JrXsbzuSZ/4pqf8BHc6Mb
-NlKrFpyHEWNj5B3X6UgSn8EGQaVbDq17PrQwlHJYU4nih0TnD1OwvBnFnd27pXjr
+AHU85RlBFVDHFPMtQ7Rg1vrhYzgInKeqXtc2kEAe63nqyYyHxPOUd3vIQX/N4tdB
-68eGA6Zc2BbUnhNGhppWHZ46LpPxpIbafSOH3ES3N/MZAfcUKIUntLlWE2xCQgFV
+aH41ffs68Pdtp9GeocTiYyj7KuUCAwEAAaM6MDgwDgYDVR0PAQH/BAQDAgWgMAwG
-TW95WeVtP/r1aWgIHu0E2Jb2eHCE+qXYqJxSU7S4DcknmmcTS69hzyHs+92Ec+7Q
+A1UdEwEB/wQCMAAwGAYDVR0RBBEwD4INbG9jYWxyZWdpc3RyeTANBgkqhkiG9w0B
-m0aQFZ0dyPoYPwXMgZpTAIuXEGg/FKC1fiS/deTW37DyvB2jppehKW3RJY3uso7R
+AQsFAAOCAQEAkjfZvcd5WysbfqGfhPErG7ADWAFJ1bsIDlHVUaEn2/Asr68iJpfF
-o9vs6DJx1OdU5XEq9R3n7op61N7PK8Wxmn7TVYHEZHkITVvtucZZd1FNTOrOJaNJ
+fqb0fhBkBExPhiLDS+jmL1L86QRNIgyM+7zGCCagKJkl9uNBGXPdS6KxZtY8W8rV
-UnE+FuPK1Mrff+jz666Ru4zQL0CondOamX3QR5tuNK6MTqFs87wKY25qsqz7cS27
+bF/GIYnYUL5pnyrhX4pH2ZnDJpKIAJl8CAZ1VHwErQ5VqnJAX/gGO/eKgiyCciZv
-kHW+r7UNWbJY3/UQhaPZM78zCZa2IL1nBFUjsFvEA4rtYwIDAQABozowODAOBgNV
+WmmQkhcOo60FwLW+Wi9sLOYD+YAT+VnFrGfak/SDfT78wrmmfg5v05tvFXgJaZLh
-HQ8BAf8EBAMCAKAwDAYDVR0TAQH/BAIwADAYBgNVHREEETAPgg1sb2NhbHJlZ2lz
+JSxRET9D5iT3DIxb+m5GyQAqIH1djh02ybrPJ9j6/+qRQDojIe5qJUL90qIvhwO+
-dHJ5MAsGCSqGSIb3DQEBCwOCAgEAHVGMyoyX4lRzWCDkUjrXkrDZzuv03M2ojW2Q
+aSbIL/p+I6//AUMWJvcR7GbXy3xywgmaYw==
 UL61ejMkTWQW8R4gKrcPHAOJAPKVfGEVOrQH3ZMyxV2HnWrJ7egrn65zOzmLbWSh
 O7gdpL6YYjBr218fqJn/8HadXZa4k70JyympYOLojeWSLy3KP03U+y7AMcdE1uG6
 6HJI54ZjBoW/nEyWmMh/mfMz8EN+Mgek48Z9AVaOswbtHtDIXN7XO0jbB3DbY5Yh
 prVqVLYAz4sCchGTadj+aEChF5sJkKREDvAew/njC0WGS2TmMJ+V1uVhXV6354mr
 edk79YvdwzwDgeYArkprahMtn9eu1aSTfUXsmM5OP5tR4gyFV1kUmTPY1yUd/yO+
 638wV0mWtGbbf6j8dUKeUBCyt2qGg8J80OUeFdvdHMswtaUq951NApX44BinPkbK
 moBVQByZ5OEcmMidFC9SqYSUwTQ7uNyWeguhCXav+l3x900YlKnUQgRUZntPwXjs
 yc7MXv0j0E86Gme6G1O02zamwkRgr3qOTHu2oQOow/a24fM4HASayLR0Kegt0sh3
 rzk0HRF1mGonf1Ecyyj/3LpHVsgYSckwtJoZLOqtDMn+CKtOCEByssQfD+E9Qe07
 qMyvcwpXUpfqe3ZERbJ10m98Z88VeK/XGt9ptq7HY47n1KL6lx3oyXwZIw8pq928
 89dcqL0=
 -----END CERTIFICATE-----
--- a/contrib/docker-integration/nginx/ssl/registry-noca+localregistry-key.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-noca+localregistry-key.pem
@ -1,51 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEAvYL093MM9CIffuyJb+ZXNeR7BIkphDIeJzjGa0mmpioH/8nQ
+MIIEpAIBAAKCAQEA1IxPtq4Z3AXrd8V1Az078Sqtf76Ce4FCAVrhxnMLsaqy9L3S
-ohqNw0Gqa/1wyhRzCyquvAMcHzpc5hBUOHfbpqTzENvuBga9FRtt6aRrUAKSDx4A
+4pM4u5YgDZR6GAXnjwQORm7XPqdEC+gWHkvoHl/VWOJWSfMsQ+VH7m48PbaRtzGA
-9OktPwnh5gyFzRV3Csmz1//Sm4DZFwVm2yZCctBHLHT/FSQ+dENlh/PZ74BGCTRb
+KswJFmf7mYq8mFNSnHXzJ4FcyHG0+GQacporAZyB5bw7r0ozsyjgcFCqDnrnqlr7
-ihBCw94hmOmwRY3g05XuY2AOwoASrw9mr599YNuEIcZ/J/PwXWDv1NJMNKpqMtb3
+jCRSjsZfa/RHhmqatLW2XA6CmV3wpkpUnUU3IYR4pCQhgYkoeqALb8mtexvO5Jn/
-izowgFtKLNI5DDZSqxachxFjY+Qd1+lIEp/BBkGlWw6tez60MJRyWFOJ4odE5w9T
+imp/wEdzoxsAdTzlGUEVUMcU8y1DtGDW+uFjOAicp6pe1zaQQB7reerJjIfE85R3
-sLwZxZ3du6V46+vHhgOmXNgW1J4TRoaaVh2eOi6T8aSG2n0jh9xEtzfzGQH3FCiF
+e8hBf83i10FofjV9+zrw922n0Z6hxOJjKPsq5QIDAQABAoIBAQCLj3Xn5XllVx29
-J7S5VhNsQkIBVU1veVnlbT/69WloCB7tBNiW9nhwhPql2KicUlO0uA3JJ5pnE0uv
+jxG+Br8NI5C4iEb1AXJtoVcODwxmpEbNHLcTvsdJpNF3GT7x9y6MYYVeCfmbUgkE
-Yc8h7PvdhHPu0JtGkBWdHcj6GD8FzIGaUwCLlxBoPxSgtX4kv3Xk1t+w8rwdo6aX
+KGgdjInlJ9fWfQdblyhBjJMmo4s6ml4jg4U8lKyC4dP6hXZALrXXtjrqfa6GjuLd
-oSlt0SWN7rKO0aPb7OgycdTnVOVxKvUd5+6KetTezyvFsZp+01WBxGR5CE1b7bnG
+Fh2nkkMa08EXL/mgp4A662QzW0POLQIo1lMJc49FFPrVQneLedUdsJDowNz/HU/q
-WXdRTUzqziWjSVJxPhbjytTK33/o8+uukbuM0C9AqJ3Tmpl90EebbjSujE6hbPO8
+oD4/SsKw6inUh/A1MfSKvEhnJcVH4fiQhFQU5CdSzAHPmAYcoBeg6LjY+WScJAAs
-CmNuarKs+3Etu5B1vq+1DVmyWN/1EIWj2TO/MwmWtiC9ZwRVI7BbxAOK7WMCAwEA
+Hu5kgunbCsB5vw9WbFDQzM1HYtW1CvJj1cjNp662b06D7VQugjtawhHNImkq1/65
-AQKCAgEArwqno2uEGnbuKnjmVRInmWKpcb4TN8Rm74lUVEKaB76o1s0cxK3MJP6h
+H2ZTglchAoGBAPu0OX3tEvtic4f8VLRv/TeI9NSC3EgRAtIDncDo+nwVjR54AXID
-H8/e/vg2bqkE7indLsbkiaepcuLaYijXTcomJzDQMw+7zOOOLz/Aku/+qDg8D47c
+aePceImGUsDd5xfLuQTiYp50z0cEB5CGsWYbnjm0hliF8YXz/tpqi0V0Cr8fLLA8
-NXV5nLzn0HIPiEIF0JYJbmcR4veKxqu0Ic8K0QdCHHcn75P/x2Tuy4+twW9Vi76/
+/jG3tajbZ8xu/3p1iEcIPevYT/44bjbOyDp5peQIHhr32LZ1gZfQDRt7AoGBANgt
-v5KRuxzZ/fTtVKKj32kWWNXb3fltgCoh+GR0jH2XlVh1DVkVBEwnfT/rM5ESvWwU
+AIid1rPIyEzhhznpWVjw/ZIrtgaP0HDgKaUUCsEqEDoOJEaFS7WG4G7m8/iS4f8v
-riOah7ohT1+6QlOAPwKzwfr6FCG000eNKPb8q+p12q0ylHzMzgxtSxJwFb0X/Nzc
+XGgcoYf4TjfIwYtRQy2Bp9g4oOMiUbQKukF1DuFJpsw69y3hNNoZoUm7r2jpv3Q8
-snaboyWLjDAQ2I7LP6WmXizznvkKbE9PjW6UGYQ+2XApqp+Hn8tSC5I/gIDlBOOa
+/NY+O+BNaTVdmbOjNHmKo99MYGh1cPUPVGxuP1UfAoGBAOJ9fe5OUfJa2NLYv+/N
-psJ4fkRjr8n5+CbHbGmQG736hZcZY/z10TtOQbxeeeuri6oDQ62D4Z07GpWCG2EG
+hfFfD8/aIRXIGN2Z224nNp5JVj7AhaxuXe5oCR7W+8gI5VWIP+ihPVSQj6O7gIMQ
-sUakaytZnJkIN79PpfthPZwtStlG0KVs0i5wggH/iP2h0yAmvJ64ZRIqdvuE/aBn
+cLkMyQfr5afqfzamJAGuNbw9ex4Xk0LS33klchWLuI9Aoiszb3lbdTyv3OtJJAO1
-sdfRRlYUqmFOJsVQgtUWGKGS4WIxrGaclzT1TNxCKdiAk0glXe3sDtvBni6qDW07
+dn8Hz7qtg0mJFDy65+4PjHvZAoGAXtKmmEZ75hKdYbPPiCSGT5At+g74Yjp1GP4K
-iJzEXxrsLw6MiCDhHfDeae5JYeJXK0HlCfYHXgRmEnDFTGw8rBzwz3eXvPqZ5YNt
+5mE7Mm3L/lszqEdR5UdLbPobbB6pyTCyHOzqIeVWEfwagYzcpbposFxunhLwucO2
-j+31uHSwQjgOgEgSrXeTmRfLZsytKqndhBB/yBFmzZNrswXGackCggEBAMN5RSdW
+3X2GUGXpJ056HALcFwsFB32vPJrDoy4ZTbSwuPvbuU/cWsKtAt9AcHNlGozhRm05
-t+WWl8ghDGz/CN1oRjnk298/6L7ijluKGRgG+igwBEy+5m1EGPJT+Y5LEH4TiQJe
+//IAD8sCgYAUs6ibNtUqCFjekr10FBGFuA2ZQg+9bQYw3ti+S6uFMsxIDqYRC2bG
-Oc2XjQuM7zABX7JWWk1cL8Zlv3kcmR0lg4BWs7wDkoU1HYRkMP57vubtxFzFOsNa
+yvKhEYym/W7RwfzPWjGzuvFbZWzJnnb81WLfcI4DnrJe3h8THlnaBQhcsEObu84O
-momivEniZ/eonHm3yv0VHeenH9j3mhJ3mVDIpkH+7uhn3++c0zYh96NkjfQi1/jF
+XS/sYeVo5c6l0kTNp0I8vXbn05bExZlsLAIICMTsm5bSQZI/iCRyEw==
 P35eSAt7FgHDOt37fWXwtGeYFRN4P19ZUNiIvZwT6Q1gmegRO8BYoW6cSbLWe5Cp
 abaULds46+mjM4zJhCZRFkdWHbzP4bZHocSmwGsqcpABJ6SASTVim02GGhBIt1nj
 fkqa10X1c5Sqis0CggEBAPgxFKSHccfIJ6yht2HJjysRLN/IHlO9hDcpCWUrISN/
 hxu1uxfNGmUkd0H8zDO/O+QAJXLE8PPPB77pJniIJ8kK4swwsfufN6bNV9XJldjA
 o4vXnYt9Mpuky9cugD8LocUgWQzzKY5Y875TC4s3ldzyKQVm0NO+Wz1U3gfjogEC
 d7PhTk7Ba/ZjVGtL7HuZxlL+/TgZklMks2ulSTW2y8aqVJxaZXv0H0NX/+fpDHYw
 iljr+iqbiqZvjrzySryb0XWMtzP9oyDEXTXrWnG+kOIZW3BZ9FLxT+Te7zZ2PUbK
 vTkObsKxc8WVHIYgkt/OwWSwbYLre5nvFPvgEFbQuO8CggEAeZTlUXmbul63m5AK
 xYS/w88G1x2lMK/0mT4bY4562zoDwJlVI1MdydqwVZGryDiiUnjeIC3xcBISdZu8
 bjR8jFUvp6xuPs2ska0bA0kBCQNkmc3zBY2rBVy4KKFZdRNwrm8yhK3HL1KcIKyF
 FEK4yPBrfozy49JMecxP9aqUHu4eky/4828gl04JBUONXwC9VpuRj7dILdaAozt0
 zbXb2JSDQ7O60jCC83A4oprQMU6j+P9dVqe+Mtz9OD8ocb8eC/FiO/FTwm9aMl+u
 RMzw1GHHI3oODGLg7j6y2oilcsZxKnblePJu8N+mKWFizY5aicRg3rUkKU00Ftx7
 fn2xBQKCAQB7w7Xgie5SStyF+KrC58kuF8WB3oBJEAOjoiIeQhCnbAvK5KfkqZHV
 CAc0b8TAtUc/XldOUSk6222oZQmbJ4J3fac1Xb8TlAUjd9iqMnk3+nBT5vSYP5mC
 Bf7kUjr/tWQ5MfVWQNfjNTZvHWhvRwvDfzq3h9rxDEbhYbXKx1fdGwboO51aJpgY
 6NWLH/RQepFsh91sIUxXi8CxGF5Wm84oRn4k7esXkdgZNAPX+N4O/guvZhV9M81D
 S/QpAsYEIcuky8P7+Cplx6YXokKa4AXNyglQEHuG9PD7V7SAOxw5dhZAIpNXIThz
 OfVcaVf0pVzJQjWKCLW9QHz9UXG0aScfAoIBACdr3exVMUaMOtrAnf2NXj3hecgg
 WsWRBOOaSW5wXGt1JNlfYS4zwViafIwy31DNuMg22rj5Mq0TYMtuNYto5RoLSXeB
 uupUrENEBnt7JFrwI/NyWG0uYMM3G2MtGHGYooaT9+++wT96QxJZr5fwFYF1ddf6
 5tFeKtNt5VM0wWBHO1voUhQ0TCaooatJjMuAB0+WbvwniKxmdbqQDzY+6myBBUVo
 gBJ0JxhxakLm1XGFHDtPCsAAHX/uZ4CvH2uyWqAlx6iwGXd0wwEGrbIRB/BundxR
 oaJWswU4FIPAgOpy2LEJKnvzhcmVFtZWD5sFXA1/83QvpceLTFTD5uioBPU=
 -----END RSA PRIVATE KEY-----
--- a/contrib/token-server/main.go
+++ b/contrib/token-server/main.go
@ -18,6 +18,10 @@ import (
 	"github.com/gorilla/mux"
 )
 var (
 	enforceRepoClass bool
 )
 func main() {
 	var (
 		issuer = &TokenIssuer{}
@ -44,6 +48,8 @@ func main() {
 	flag.StringVar(&cert, "tlscert", "", "Certificate file for TLS")
 	flag.StringVar(&certKey, "tlskey", "", "Certificate key for TLS")
 	flag.BoolVar(&enforceRepoClass, "enforce-class", false, "Enforce policy for single repository class")
 	flag.Parse()
 	if debug {
@ -157,6 +163,8 @@ type tokenResponse struct {
 	ExpiresIn    int    `json:"expires_in,omitempty"`
 }
 var repositoryClassCache = map[string]string{}
 func filterAccessList(ctx context.Context, scope string, requestedAccessList []auth.Access) []auth.Access {
 	if !strings.HasSuffix(scope, "/") {
 		scope = scope + "/"
@ -168,6 +176,16 @@ func filterAccessList(ctx context.Context, scope string, requestedAccessList []a
 				context.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
 				continue
 			}
 			if enforceRepoClass {
 				if class, ok := repositoryClassCache[access.Name]; ok {
 					if class != access.Class {
 						context.GetLogger(ctx).Debugf("Different repository class: %q, previously %q", access.Class, class)
 						continue
 					}
 				} else if strings.EqualFold(access.Action, "push") {
 					repositoryClassCache[access.Name] = access.Class
 				}
 			}
 		} else if access.Type == "registry" {
 			if access.Name != "catalog" {
 				context.GetLogger(ctx).Debugf("Unknown registry resource: %s", access.Name)
--- a/contrib/token-server/token.go
+++ b/contrib/token-server/token.go
@ -7,6 +7,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"regexp"
 	"strings"
 	"time"
@ -32,12 +33,18 @@ func ResolveScopeSpecifiers(ctx context.Context, scopeSpecs []string) []auth.Acc
 		resourceType, resourceName, actions := parts[0], parts[1], parts[2]
 		resourceType, resourceClass := splitResourceClass(resourceType)
 		if resourceType == "" {
 			continue
 		}
 		// Actions should be a comma-separated list of actions.
 		for _, action := range strings.Split(actions, ",") {
 			requestedAccess := auth.Access{
 				Resource: auth.Resource{
-					Type: resourceType,
+					Type:  resourceType,
-					Name: resourceName,
+					Class: resourceClass,
 					Name:  resourceName,
 				},
 				Action: action,
 			}
@ -55,6 +62,19 @@ func ResolveScopeSpecifiers(ctx context.Context, scopeSpecs []string) []auth.Acc
 	return requestedAccessList
 }
 var typeRegexp = regexp.MustCompile(`^([a-z0-9]+)(\([a-z0-9]+\))?$`)
 func splitResourceClass(t string) (string, string) {
 	matches := typeRegexp.FindStringSubmatch(t)
 	if len(matches) < 2 {
 		return "", ""
 	}
 	if len(matches) == 2 || len(matches[2]) < 2 {
 		return matches[1], ""
 	}
 	return matches[1], matches[2][1 : len(matches[2])-1]
 }
 // ResolveScopeList converts a scope list from a token request's
 // `scope` parameter into a list of standard access objects.
 func ResolveScopeList(ctx context.Context, scopeList string) []auth.Access {
@ -62,12 +82,19 @@ func ResolveScopeList(ctx context.Context, scopeList string) []auth.Access {
 	return ResolveScopeSpecifiers(ctx, scopes)
 }
 func scopeString(a auth.Access) string {
 	if a.Class != "" {
 		return fmt.Sprintf("%s(%s):%s:%s", a.Type, a.Class, a.Name, a.Action)
 	}
 	return fmt.Sprintf("%s:%s:%s", a.Type, a.Name, a.Action)
 }
 // ToScopeList converts a list of access to a
 // scope list string
 func ToScopeList(access []auth.Access) string {
 	var s []string
 	for _, a := range access {
-		s = append(s, fmt.Sprintf("%s:%s:%s", a.Type, a.Name, a.Action))
+		s = append(s, scopeString(a))
 	}
 	return strings.Join(s, ",")
 }
@ -102,6 +129,7 @@ func (issuer *TokenIssuer) CreateJWT(subject string, audience string, grantedAcc
 		accessEntries = append(accessEntries, &token.ResourceActions{
 			Type:    resource.Type,
 			Class:   resource.Class,
 			Name:    resource.Name,
 			Actions: actions,
 		})
--- a/docs/architecture.md
+++ b/docs/architecture.md
@ -0,0 +1,52 @@
 ---
 published: false
 ---
 # Architecture
 ## Design
 **TODO(stevvooe):** Discuss the architecture of the registry, internally and externally, in a few different deployment scenarios.
 ### Eventual Consistency
 > **NOTE:** This section belongs somewhere, perhaps in a design document. We
 > are leaving this here so the information is not lost.
 Running the registry on eventually consistent backends has been part of the
 design from the beginning. This section covers some of the approaches to
 dealing with this reality.
 There are a few classes of issues that we need to worry about when
 implementing something on top of the storage drivers:
 1. Read-After-Write consistency (see this [article on
   s3](http://shlomoswidler.com/2009/12/read-after-write-consistency-in-amazon.html)).
 2. [Write-Write Conflicts](http://en.wikipedia.org/wiki/Write%E2%80%93write_conflict).
 In reality, the registry must worry about these kinds of errors when doing the
 following:
 1. Accepting data into a temporary upload file may not have latest data block
   yet (read-after-write).
 2. Moving uploaded data into its blob location (write-write race).
 3. Modifying the "current" manifest for given tag (write-write race).
 4. A whole slew of operations around deletes (read-after-write, delete-write
   races, garbage collection, etc.).
 The backend path layout employs a few techniques to avoid these problems:
 1. Large writes are done to private upload directories. This alleviates most
   of the corruption potential under multiple writers by avoiding multiple
   writers.
 2. Constraints in storage driver implementations, such as support for writing
   after the end of a file to extend it.
 3. Digest verification to avoid data corruption.
 4. Manifest files are stored by digest and cannot change.
 5. All other non-content files (links, hashes, etc.) are written as an atomic
   unit. Anything that requires additions and deletions is broken out into
   separate "files". Last writer still wins.
 Unfortunately, one must play this game when trying to build something like
 this on top of eventually consistent storage systems. If we run into serious
 problems, we can wrap the storagedrivers in a shared consistency layer but
 that would increase complexity and hinder registry cluster performance.
--- a/docs/configuration.md
+++ b/docs/configuration.md
--- a/docs/spec/api.md
+++ b/docs/spec/api.md
@ -1,7 +1,7 @@
 ---
 title: "HTTP API V2"
 description: "Specification for the Registry API."
-keywords: ["registry, on-prem, images, tags, repository, distribution, api, advanced"]
+keywords: registry, on-prem, images, tags, repository, distribution, api, advanced
 ---
 # Docker Registry HTTP API V2
--- a/docs/spec/api.md.tmpl
+++ b/docs/spec/api.md.tmpl
@ -1,7 +1,7 @@
 ---
 title: "HTTP API V2"
 description: "Specification for the Registry API."
-keywords: ["registry, on-prem, images, tags, repository, distribution, api, advanced"]
+keywords: registry, on-prem, images, tags, repository, distribution, api, advanced
 ---
 # Docker Registry HTTP API V2
--- a/docs/spec/auth/index.md
+++ b/docs/spec/auth/index.md
@ -1,7 +1,7 @@
 ---
 title: "Docker Registry Token Authentication"
 description: "Docker Registry v2 authentication schema"
-keywords: ["registry, on-prem, images, tags, repository, distribution, authentication, advanced"]
+keywords: registry, on-prem, images, tags, repository, distribution, authentication, advanced
 ---
 # Docker Registry v2 authentication
--- a/docs/spec/auth/jwt.md
+++ b/docs/spec/auth/jwt.md
@ -1,7 +1,7 @@
 ---
 title: "Token Authentication Implementation"
 description: "Describe the reference implementation of the Docker Registry v2 authentication schema"
-keywords: ["registry, on-prem, images, tags, repository, distribution, JWT authentication, advanced"]
+keywords: registry, on-prem, images, tags, repository, distribution, JWT authentication, advanced
 ---
 # Docker Registry v2 Bearer token specification
--- a/docs/spec/auth/oauth.md
+++ b/docs/spec/auth/oauth.md
@ -1,7 +1,7 @@
 ---
 title: "Oauth2 Token Authentication"
 description: "Specifies the Docker Registry v2 authentication"
-keywords: ["registry, on-prem, images, tags, repository, distribution, oauth2, advanced"]
+keywords: registry, on-prem, images, tags, repository, distribution, oauth2, advanced
 ---
 # Docker Registry v2 authentication using OAuth2
--- a/docs/spec/auth/scope.md
+++ b/docs/spec/auth/scope.md
@ -1,7 +1,7 @@
 ---
 title: "Token Scope Documentation"
 description: "Describes the scope and access fields used for registry authorization tokens"
-keywords: ["registry, on-prem, images, tags, repository, distribution, advanced, access, scope"]
+keywords: registry, on-prem, images, tags, repository, distribution, advanced, access, scope
 ---
 # Docker Registry Token Scope and Access
@ -39,13 +39,23 @@ intended to represent. This type may be specific to a resource provider but must
 be understood by the authorization server in order to validate the subject
 is authorized for a specific resource.
 #### Resource Class
 The resource type might have a resource class which further classifies the
 the resource name within the resource type. A class is not required and
 is specific to the resource type.
 #### Example Resource Types
 - `repository` - represents a single repository within a registry. A
 repository may represent many manifest or content blobs, but the resource type
 is considered the collections of those items. Actions which may be performed on
 a `repository` are `pull` for accessing the collection and `push` for adding to
-it.
+it. By default the `repository` type has the class of `image`.
 - `repository(plugin)` - represents a single repository of plugins within a
 registry. A plugin repository has the same content and actions as a repository.
 - `registry` - represents the entire registry. Used for administrative actions
 or lookup operations that span an entire registry.
 ### Resource Name
@ -78,7 +88,8 @@ scopes.
 ```
 scope                   := resourcescope [ ' ' resourcescope ]*
 resourcescope           := resourcetype  ":" resourcename  ":" action [ ',' action ]*
-resourcetype            := /[a-z]*/
+resourcetype            := resourcetypevalue [ '(' resourcetypevalue ')' ]
 resourcetypevalue       := /[a-z0-9]+/
 resourcename            := [ hostname '/' ] component [ '/' component ]*
 hostname                := hostcomponent ['.' hostcomponent]* [':' port-number]
 hostcomponent           := /([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])/
--- a/docs/spec/auth/token.md
+++ b/docs/spec/auth/token.md
@ -1,14 +1,14 @@
 ---
 title: "Token Authentication Specification"
 description: "Specifies the Docker Registry v2 authentication"
-keywords: ["registry, on-prem, images, tags, repository, distribution, Bearer authentication, advanced"]
+keywords: registry, on-prem, images, tags, repository, distribution, Bearer authentication, advanced
 ---
 # Docker Registry v2 authentication via central service
 This document outlines the v2 Docker registry authentication scheme:
-![v2 registry auth](../../images/v2-registry-auth.png)
+![v2 registry auth](../images/v2-registry-auth.png)
 1. Attempt to begin a push/pull operation with the registry.
 2. If the registry requires authorization it will return a `401 Unauthorized`
--- a/docs/spec/images/v2-registry-auth.png
+++ b/docs/spec/images/v2-registry-auth.png
--- a/docs/spec/index.md
+++ b/docs/spec/index.md
@ -1,7 +1,7 @@
 ---
 title: "Reference Overview"
 description: "Explains registry JSON objects"
-keywords: ["registry, service, images, repository,  json"]
+keywords: registry, service, images, repository,  json
 ---
 # Docker Registry Reference
--- a/docs/spec/manifest-v2-1.md
+++ b/docs/spec/manifest-v2-1.md
@ -1,7 +1,7 @@
 ---
 title: "Image Manifest V 2, Schema 1 "
 description: "image manifest for the Registry."
-keywords: ["registry, on-prem, images, tags, repository, distribution, api, advanced, manifest"]
+keywords: registry, on-prem, images, tags, repository, distribution, api, advanced, manifest
 ---
 # Image Manifest Version 2, Schema 1
--- a/docs/spec/manifest-v2-2.md
+++ b/docs/spec/manifest-v2-2.md
@ -1,7 +1,7 @@
 ---
 title: "Image Manifest V 2, Schema 2 "
 description: "image manifest for the Registry."
-keywords: ["registry, on-prem, images, tags, repository, distribution, api, advanced, manifest"]
+keywords: registry, on-prem, images, tags, repository, distribution, api, advanced, manifest
 ---
 # Image Manifest Version 2, Schema 2
--- a/docs/spec/menu.md
+++ b/docs/spec/menu.md
@ -1,7 +1,7 @@
 ---
 title: "Reference"
 description: "Explains registry JSON objects"
-keywords: ["registry, service, images, repository,  json"]
+keywords: registry, service, images, repository, json
 type: "menu"
 identifier: "smn_registry_ref"
 ---
--- a/notifications/endpoint.go
+++ b/notifications/endpoint.go
@ -13,7 +13,7 @@ type EndpointConfig struct {
 	Threshold         int
 	Backoff           time.Duration
 	IgnoredMediaTypes []string
-	Transport         *http.Transport
+	Transport         *http.Transport `json:"-"`
 }
 // defaults set any zero-valued fields to a reasonable default.
--- a/notifications/metrics_test.go
+++ b/notifications/metrics_test.go
@ -0,0 +1,28 @@
 package notifications
 import (
 	"encoding/json"
 	"expvar"
 	"testing"
 )
 func TestMetricsExpvar(t *testing.T) {
 	endpointsVar := expvar.Get("registry").(*expvar.Map).Get("notifications").(*expvar.Map).Get("endpoints")
 	var v interface{}
 	if err := json.Unmarshal([]byte(endpointsVar.String()), &v); err != nil {
 		t.Fatalf("unexpected error unmarshaling endpoints: %v", err)
 	}
 	if v != nil {
 		t.Fatalf("expected nil, got %#v", v)
 	}
 	NewEndpoint("x", "y", EndpointConfig{})
 	if err := json.Unmarshal([]byte(endpointsVar.String()), &v); err != nil {
 		t.Fatalf("unexpected error unmarshaling endpoints: %v", err)
 	}
 	if slice, ok := v.([]interface{}); !ok || len(slice) != 1 {
 		t.Logf("expected one-element []interface{}, got %#v", v)
 	}
 }
--- a/registry/api/errcode/handler.go
+++ b/registry/api/errcode/handler.go
@ -36,9 +36,5 @@ func ServeJSON(w http.ResponseWriter, err error) error {
 	w.WriteHeader(sc)
-	if err := json.NewEncoder(w).Encode(err); err != nil {
+	return json.NewEncoder(w).Encode(err)
 		return err
 	}
 	return nil
 }
--- a/registry/api/v2/urls.go
+++ b/registry/api/v2/urls.go
@ -1,10 +1,8 @@
 package v2
 import (
 	"net"
 	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
 	"github.com/docker/distribution/reference"
@ -48,66 +46,42 @@ func NewURLBuilderFromString(root string, relative bool) (*URLBuilder, error) {
 // NewURLBuilderFromRequest uses information from an *http.Request to
 // construct the root url.
 func NewURLBuilderFromRequest(r *http.Request, relative bool) *URLBuilder {
-	var scheme string
+	var (
 	forwardedProto := r.Header.Get("X-Forwarded-Proto")
 	// TODO: log the error
 	forwardedHeader, _, _ := parseForwardedHeader(r.Header.Get("Forwarded"))
 	switch {
 	case len(forwardedProto) > 0:
 		scheme = forwardedProto
 	case len(forwardedHeader["proto"]) > 0:
 		scheme = forwardedHeader["proto"]
 	case r.TLS != nil:
 		scheme = "https"
 	case len(r.URL.Scheme) > 0:
 		scheme = r.URL.Scheme
 	default:
 		scheme = "http"
 		host   = r.Host
 	)
 	if r.TLS != nil {
 		scheme = "https"
 	} else if len(r.URL.Scheme) > 0 {
 		scheme = r.URL.Scheme
 	}
-	host := r.Host
+	// Handle fowarded headers
-
+	// Prefer "Forwarded" header as defined by rfc7239 if given
-	if forwardedHost := r.Header.Get("X-Forwarded-Host"); len(forwardedHost) > 0 {
+	// see https://tools.ietf.org/html/rfc7239
-		// According to the Apache mod_proxy docs, X-Forwarded-Host can be a
+	if forwarded := r.Header.Get("Forwarded"); len(forwarded) > 0 {
-		// comma-separated list of hosts, to which each proxy appends the
+		forwardedHeader, _, err := parseForwardedHeader(forwarded)
-		// requested host. We want to grab the first from this comma-separated
+		if err == nil {
-		// list.
+			if fproto := forwardedHeader["proto"]; len(fproto) > 0 {
-		hosts := strings.SplitN(forwardedHost, ",", 2)
+				scheme = fproto
-		host = strings.TrimSpace(hosts[0])
+			}
-	} else if addr, exists := forwardedHeader["for"]; exists {
+			if fhost := forwardedHeader["host"]; len(fhost) > 0 {
-		host = addr
+				host = fhost
-	} else if h, exists := forwardedHeader["host"]; exists {
+			}
 		host = h
 	}
 	portLessHost, port := host, ""
 	if !isIPv6Address(portLessHost) {
 		// with go 1.6, this would treat the last part of IPv6 address as a port
 		portLessHost, port, _ = net.SplitHostPort(host)
 	}
 	if forwardedPort := r.Header.Get("X-Forwarded-Port"); len(port) == 0 && len(forwardedPort) > 0 {
 		ports := strings.SplitN(forwardedPort, ",", 2)
 		forwardedPort = strings.TrimSpace(ports[0])
 		if _, err := strconv.ParseInt(forwardedPort, 10, 32); err == nil {
 			port = forwardedPort
 		}
-	}
+	} else {
-
+		if forwardedProto := r.Header.Get("X-Forwarded-Proto"); len(forwardedProto) > 0 {
-	if len(portLessHost) > 0 {
+			scheme = forwardedProto
-		host = portLessHost
+		}
-	}
+		if forwardedHost := r.Header.Get("X-Forwarded-Host"); len(forwardedHost) > 0 {
-	if len(port) > 0 {
+			// According to the Apache mod_proxy docs, X-Forwarded-Host can be a
-		// remove enclosing brackets of ipv6 address otherwise they will be duplicated
+			// comma-separated list of hosts, to which each proxy appends the
-		if len(host) > 1 && host[0] == '[' && host[len(host)-1] == ']' {
+			// requested host. We want to grab the first from this comma-separated
-			host = host[1 : len(host)-1]
+			// list.
 			hosts := strings.SplitN(forwardedHost, ",", 2)
 			host = strings.TrimSpace(hosts[0])
 		}
 		// JoinHostPort properly encloses ipv6 addresses in square brackets
 		host = net.JoinHostPort(host, port)
 	} else if isIPv6Address(host) && host[0] != '[' {
 		// ipv6 needs to be enclosed in square brackets in urls
 		host = "[" + host + "]"
 	}
 	basePath := routeDescriptorsMap[RouteNameBase].Path
@ -287,28 +261,3 @@ func appendValues(u string, values ...url.Values) string {
 	return appendValuesURL(up, values...).String()
 }
 // isIPv6Address returns true if given string is a valid IPv6 address. No port is allowed. The address may be
 // enclosed in square brackets.
 func isIPv6Address(host string) bool {
 	if len(host) > 1 && host[0] == '[' && host[len(host)-1] == ']' {
 		host = host[1 : len(host)-1]
 	}
 	// The IPv6 scoped addressing zone identifier starts after the last percent sign.
 	if i := strings.LastIndexByte(host, '%'); i > 0 {
 		host = host[:i]
 	}
 	ip := net.ParseIP(host)
 	if ip == nil {
 		return false
 	}
 	if ip.To16() == nil {
 		return false
 	}
 	if ip.To4() == nil {
 		return true
 	}
 	// dot can be present in ipv4-mapped address, it needs to come after a colon though
 	i := strings.IndexAny(host, ":.")
 	return i >= 0 && host[i] == ':'
 }
--- a/registry/api/v2/urls_test.go
+++ b/registry/api/v2/urls_test.go
@ -179,7 +179,7 @@ func TestBuilderFromRequest(t *testing.T) {
 		{
 			name: "https protocol forwarded with a non-standard header",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
-				"X-Forwarded-Proto": []string{"https"},
+				"X-Custom-Forwarded-Proto": []string{"https"},
 			}},
 			base: "http://example.com",
 		},
@ -225,6 +225,7 @@ func TestBuilderFromRequest(t *testing.T) {
 		{
 			name: "forwarded port with a non-standard header",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
 				"X-Forwarded-Host": []string{"example.com:5000"},
 				"X-Forwarded-Port": []string{"5000"},
 			}},
 			base: "http://example.com:5000",
@ -234,16 +235,33 @@ func TestBuilderFromRequest(t *testing.T) {
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
 				"X-Forwarded-Port": []string{"443 , 5001"},
 			}},
-			base: "http://example.com:443",
+			base: "http://example.com",
 		},
 		{
 			name: "forwarded standard port with non-standard headers",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
 				"X-Forwarded-Proto": []string{"https"},
 				"X-Forwarded-Host":  []string{"example.com"},
 				"X-Forwarded-Port":  []string{"443"},
 			}},
 			base: "https://example.com",
 		},
 		{
 			name: "forwarded standard port with non-standard headers and explicit port",
 			request: &http.Request{URL: u, Host: u.Host + ":443", Header: http.Header{
 				"X-Forwarded-Proto": []string{"https"},
 				"X-Forwarded-Host":  []string{u.Host + ":443"},
 				"X-Forwarded-Port":  []string{"443"},
 			}},
 			base: "https://example.com:443",
 		},
 		{
 			name: "several non-standard headers",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
 				"X-Forwarded-Proto": []string{"https"},
-				"X-Forwarded-Host":  []string{" first.example.com "},
+				"X-Forwarded-Host":  []string{" first.example.com:12345 "},
 				"X-Forwarded-Port":  []string{" 12345 \t"},
 			}},
-			base: "http://first.example.com:12345",
+			base: "https://first.example.com:12345",
 		},
 		{
 			name: "forwarded host with port supplied takes priority",
@ -264,16 +282,16 @@ func TestBuilderFromRequest(t *testing.T) {
 		{
 			name: "forwarded protocol and addr using standard header",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
-				"Forwarded": []string{`proto=https;for="192.168.22.30:80"`},
+				"Forwarded": []string{`proto=https;host="192.168.22.30:80"`},
 			}},
 			base: "https://192.168.22.30:80",
 		},
 		{
-			name: "forwarded addr takes priority over host",
+			name: "forwarded host takes priority over for",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
-				"Forwarded": []string{`host=reg.example.com;for="192.168.22.30:5000"`},
+				"Forwarded": []string{`host="reg.example.com:5000";for="192.168.22.30"`},
 			}},
-			base: "http://192.168.22.30:5000",
+			base: "http://reg.example.com:5000",
 		},
 		{
 			name: "forwarded host and protocol using standard header",
@ -292,73 +310,26 @@ func TestBuilderFromRequest(t *testing.T) {
 		{
 			name: "process just the first list element of standard header",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
-				"Forwarded": []string{`for="reg.example.com:443";proto=https, for="reg.example.com:80";proto=http`},
+				"Forwarded": []string{`host="reg.example.com:443";proto=https, host="reg.example.com:80";proto=http`},
 			}},
 			base: "https://reg.example.com:443",
 		},
 		{
-			name: "IPv6 address override port",
+			name: "IPv6 address use host",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
-				"Forwarded":        []string{`for="2607:f0d0:1002:51::4"`},
+				"Forwarded":        []string{`for="2607:f0d0:1002:51::4";host="[2607:f0d0:1002:51::4]:5001"`},
-				"X-Forwarded-Port": []string{"5001"},
+				"X-Forwarded-Port": []string{"5002"},
 			}},
 			base: "http://[2607:f0d0:1002:51::4]:5001",
 		},
 		{
 			name: "IPv6 address with port",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
-				"Forwarded":        []string{`for="[2607:f0d0:1002:51::4]:4000"`},
+				"Forwarded":        []string{`host="[2607:f0d0:1002:51::4]:4000"`},
 				"X-Forwarded-Port": []string{"5001"},
 			}},
 			base: "http://[2607:f0d0:1002:51::4]:4000",
 		},
 		{
 			name: "IPv6 long address override port",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
 				"Forwarded":        []string{`for="2607:f0d0:1002:0051:0000:0000:0000:0004"`},
 				"X-Forwarded-Port": []string{"5001"},
 			}},
 			base: "http://[2607:f0d0:1002:0051:0000:0000:0000:0004]:5001",
 		},
 		{
 			name: "IPv6 long address enclosed in brackets - be benevolent",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
 				"Forwarded":        []string{`for="[2607:f0d0:1002:0051:0000:0000:0000:0004]"`},
 				"X-Forwarded-Port": []string{"5001"},
 			}},
 			base: "http://[2607:f0d0:1002:0051:0000:0000:0000:0004]:5001",
 		},
 		{
 			name: "IPv6 long address with port",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
 				"Forwarded":        []string{`for="[2607:f0d0:1002:0051:0000:0000:0000:0004]:4321"`},
 				"X-Forwarded-Port": []string{"5001"},
 			}},
 			base: "http://[2607:f0d0:1002:0051:0000:0000:0000:0004]:4321",
 		},
 		{
 			name: "IPv6 address with zone ID",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
 				"Forwarded":        []string{`for="fe80::bd0f:a8bc:6480:238b%11"`},
 				"X-Forwarded-Port": []string{"5001"},
 			}},
 			base: "http://[fe80::bd0f:a8bc:6480:238b%2511]:5001",
 		},
 		{
 			name: "IPv6 address with zone ID and port",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
 				"Forwarded":        []string{`for="[fe80::bd0f:a8bc:6480:238b%eth0]:12345"`},
 				"X-Forwarded-Port": []string{"5001"},
 			}},
 			base: "http://[fe80::bd0f:a8bc:6480:238b%25eth0]:12345",
 		},
 		{
 			name: "IPv6 address without port",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
 				"Forwarded": []string{`for="::FFFF:129.144.52.38"`},
 			}},
 			base: "http://[::FFFF:129.144.52.38]",
 		},
 		{
 			name: "non-standard and standard forward headers",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
@ -370,14 +341,34 @@ func TestBuilderFromRequest(t *testing.T) {
 			base: "https://first.example.com",
 		},
 		{
-			name: "non-standard headers take precedence over standard one",
+			name: "standard header takes precedence over non-standard headers",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
 				"X-Forwarded-Proto": []string{`http`},
 				"Forwarded":         []string{`host=second.example.com; proto=https`},
 				"X-Forwarded-Host":  []string{`first.example.com`},
 				"X-Forwarded-Port":  []string{`4000`},
 			}},
-			base: "http://first.example.com:4000",
+			base: "https://second.example.com",
 		},
 		{
 			name: "incomplete standard header uses default",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
 				"X-Forwarded-Proto": []string{`https`},
 				"Forwarded":         []string{`for=127.0.0.1`},
 				"X-Forwarded-Host":  []string{`first.example.com`},
 				"X-Forwarded-Port":  []string{`4000`},
 			}},
 			base: "http://" + u.Host,
 		},
 		{
 			name: "standard with just proto",
 			request: &http.Request{URL: u, Host: u.Host, Header: http.Header{
 				"X-Forwarded-Proto": []string{`https`},
 				"Forwarded":         []string{`proto=https`},
 				"X-Forwarded-Host":  []string{`first.example.com`},
 				"X-Forwarded-Port":  []string{`4000`},
 			}},
 			base: "https://" + u.Host,
 		},
 	}
@ -396,23 +387,9 @@ func TestBuilderFromRequest(t *testing.T) {
 					t.Fatalf("[relative=%t, request=%q, case=%q]: error building url: %v", relative, tr.name, testCase.description, err)
 				}
-				var expectedURL string
+				expectedURL := testCase.expectedPath
-				proto, ok := tr.request.Header["X-Forwarded-Proto"]
+				if !relative {
-				if !ok {
+					expectedURL = tr.base + expectedURL
 					expectedURL = testCase.expectedPath
 					if !relative {
 						expectedURL = tr.base + expectedURL
 					}
 				} else {
 					urlBase, err := url.Parse(tr.base)
 					if err != nil {
 						t.Fatal(err)
 					}
 					urlBase.Scheme = proto[0]
 					expectedURL = testCase.expectedPath
 					if !relative {
 						expectedURL = urlBase.String() + expectedURL
 					}
 				}
 				if buildURL != expectedURL {
@ -505,119 +482,3 @@ func TestBuilderFromRequestWithPrefix(t *testing.T) {
 		}
 	}
 }
 func TestIsIPv6Address(t *testing.T) {
 	for _, tc := range []struct {
 		name    string
 		address string
 		isIPv6  bool
 	}{
 		{
 			name:    "IPv6 short address",
 			address: `2607:f0d0:1002:51::4`,
 			isIPv6:  true,
 		},
 		{
 			name:    "IPv6 short address enclosed in brackets",
 			address: "[2607:f0d0:1002:51::4]",
 			isIPv6:  true,
 		},
 		{
 			name:    "IPv6 address",
 			address: `2607:f0d0:1002:0051:0000:0000:0000:0004`,
 			isIPv6:  true,
 		},
 		{
 			name:    "IPv6 address with numeric zone ID",
 			address: `fe80::bd0f:a8bc:6480:238b%11`,
 			isIPv6:  true,
 		},
 		{
 			name:    "IPv6 address with device name as zone ID",
 			address: `fe80::bd0f:a8bc:6480:238b%eth0`,
 			isIPv6:  true,
 		},
 		{
 			name:    "IPv6 address with device name as zone ID enclosed in brackets",
 			address: `[fe80::bd0f:a8bc:6480:238b%eth0]`,
 			isIPv6:  true,
 		},
 		{
 			name:    "IPv4-mapped address",
 			address: "::FFFF:129.144.52.38",
 			isIPv6:  true,
 		},
 		{
 			name:    "localhost",
 			address: "::1",
 			isIPv6:  true,
 		},
 		{
 			name:    "localhost",
 			address: "::1",
 			isIPv6:  true,
 		},
 		{
 			name:    "long localhost address",
 			address: "0:0:0:0:0:0:0:1",
 			isIPv6:  true,
 		},
 		{
 			name:    "IPv6 long address with port",
 			address: "[2607:f0d0:1002:0051:0000:0000:0000:0004]:4321",
 			isIPv6:  false,
 		},
 		{
 			name:    "too many groups",
 			address: "2607:f0d0:1002:0051:0000:0000:0000:0004:4321",
 			isIPv6:  false,
 		},
 		{
 			name:    "square brackets don't make an IPv6 address",
 			address: "[2607:f0d0]",
 			isIPv6:  false,
 		},
 		{
 			name:    "require two consecutive colons in localhost",
 			address: ":1",
 			isIPv6:  false,
 		},
 		{
 			name:    "more then 4 hexadecimal digits",
 			address: "2607:f0d0b:1002:0051:0000:0000:0000:0004",
 			isIPv6:  false,
 		},
 		{
 			name:    "too short address",
 			address: `2607:f0d0:1002:0000:0000:0000:0004`,
 			isIPv6:  false,
 		},
 		{
 			name:    "IPv4 address",
 			address: `192.168.100.1`,
 			isIPv6:  false,
 		},
 		{
 			name:    "unclosed bracket",
 			address: `[2607:f0d0:1002:0051:0000:0000:0000:0004`,
 			isIPv6:  false,
 		},
 		{
 			name:    "trailing bracket",
 			address: `2607:f0d0:1002:0051:0000:0000:0000:0004]`,
 			isIPv6:  false,
 		},
 		{
 			name:    "domain name",
 			address: `localhost`,
 			isIPv6:  false,
 		},
 	} {
 		isIPv6 := isIPv6Address(tc.address)
 		if isIPv6 && !tc.isIPv6 {
 			t.Errorf("[%s] address %q falsely detected as IPv6 address", tc.name, tc.address)
 		} else if !isIPv6 && tc.isIPv6 {
 			t.Errorf("[%s] address %q not recognized as IPv6", tc.name, tc.address)
 		}
 	}
 }
--- a/registry/auth/auth.go
+++ b/registry/auth/auth.go
@ -66,8 +66,9 @@ type UserInfo struct {
 // Resource describes a resource by type and name.
 type Resource struct {
-	Type string
+	Type  string
-	Name string
+	Class string
 	Name  string
 }
 // Access describes a specific action that is
@ -135,6 +136,39 @@ func (uic userInfoContext) Value(key interface{}) interface{} {
 	return uic.Context.Value(key)
 }
 // WithResources returns a context with the authorized resources.
 func WithResources(ctx context.Context, resources []Resource) context.Context {
 	return resourceContext{
 		Context:   ctx,
 		resources: resources,
 	}
 }
 type resourceContext struct {
 	context.Context
 	resources []Resource
 }
 type resourceKey struct{}
 func (rc resourceContext) Value(key interface{}) interface{} {
 	if key == (resourceKey{}) {
 		return rc.resources
 	}
 	return rc.Context.Value(key)
 }
 // AuthorizedResources returns the list of resources which have
 // been authorized for this request.
 func AuthorizedResources(ctx context.Context) []Resource {
 	if resources, ok := ctx.Value(resourceKey{}).([]Resource); ok {
 		return resources
 	}
 	return nil
 }
 // InitFunc is the type of an AccessController factory function and is used
 // to register the constructor for different AccesController backends.
 type InitFunc func(options map[string]interface{}) (AccessController, error)
--- a/registry/auth/token/accesscontroller.go
+++ b/registry/auth/token/accesscontroller.go
@ -261,6 +261,8 @@ func (ac *accessController) Authorized(ctx context.Context, accessItems ...auth.
 		}
 	}
 	ctx = auth.WithResources(ctx, token.resources())
 	return auth.WithUser(ctx, auth.UserInfo{Name: token.Claims.Subject}), nil
 }
--- a/registry/auth/token/token.go
+++ b/registry/auth/token/token.go
@ -34,6 +34,7 @@ var (
 // ResourceActions stores allowed actions on a named and typed resource.
 type ResourceActions struct {
 	Type    string   `json:"type"`
 	Class   string   `json:"class,omitempty"`
 	Name    string   `json:"name"`
 	Actions []string `json:"actions"`
 }
@ -349,6 +350,29 @@ func (t *Token) accessSet() accessSet {
 	return accessSet
 }
 func (t *Token) resources() []auth.Resource {
 	if t.Claims == nil {
 		return nil
 	}
 	resourceSet := map[auth.Resource]struct{}{}
 	for _, resourceActions := range t.Claims.Access {
 		resource := auth.Resource{
 			Type:  resourceActions.Type,
 			Class: resourceActions.Class,
 			Name:  resourceActions.Name,
 		}
 		resourceSet[resource] = struct{}{}
 	}
 	resources := make([]auth.Resource, 0, len(resourceSet))
 	for resource := range resourceSet {
 		resources = append(resources, resource)
 	}
 	return resources
 }
 func (t *Token) compactRaw() string {
 	return fmt.Sprintf("%s.%s", t.Raw, joseBase64UrlEncode(t.Signature))
 }
--- a/registry/client/auth/session.go
+++ b/registry/client/auth/session.go
@ -147,13 +147,18 @@ type Scope interface {
 // to a repository.
 type RepositoryScope struct {
 	Repository string
 	Class      string
 	Actions    []string
 }
 // String returns the string representation of the repository
 // using the scope grammar
 func (rs RepositoryScope) String() string {
-	return fmt.Sprintf("repository:%s:%s", rs.Repository, strings.Join(rs.Actions, ","))
+	repoType := "repository"
 	if rs.Class != "" {
 		repoType = fmt.Sprintf("%s(%s)", repoType, rs.Class)
 	}
 	return fmt.Sprintf("%s:%s:%s", repoType, rs.Repository, strings.Join(rs.Actions, ","))
 }
 // RegistryScope represents a token scope for access
--- a/registry/handlers/app.go
+++ b/registry/handlers/app.go
@ -341,7 +341,7 @@ func (app *App) RegisterHealthChecks(healthRegistries ...*health.Registry) {
 		}
 		storageDriverCheck := func() error {
-			_, err := app.driver.List(app, "/") // "/" should always exist
+			_, err := app.driver.Stat(app, "/") // "/" should always exist
 			return err                          // any error will be treated as failure
 		}
--- a/registry/handlers/blobupload.go
+++ b/registry/handlers/blobupload.go
@ -179,8 +179,8 @@ func (buh *blobUploadHandler) PatchBlobData(w http.ResponseWriter, r *http.Reque
 	// TODO(dmcgowan): support Content-Range header to seek and write range
-	if err := copyFullPayload(w, r, buh.Upload, buh, "blob PATCH", &buh.Errors); err != nil {
+	if err := copyFullPayload(w, r, buh.Upload, -1, buh, "blob PATCH"); err != nil {
-		// copyFullPayload reports the error if necessary
+		buh.Errors = append(buh.Errors, errcode.ErrorCodeUnknown.WithDetail(err.Error()))
 		return
 	}
@ -218,8 +218,8 @@ func (buh *blobUploadHandler) PutBlobUploadComplete(w http.ResponseWriter, r *ht
 		return
 	}
-	if err := copyFullPayload(w, r, buh.Upload, buh, "blob PUT", &buh.Errors); err != nil {
+	if err := copyFullPayload(w, r, buh.Upload, -1, buh, "blob PUT"); err != nil {
-		// copyFullPayload reports the error if necessary
+		buh.Errors = append(buh.Errors, errcode.ErrorCodeUnknown.WithDetail(err.Error()))
 		return
 	}
--- a/registry/handlers/helpers.go
+++ b/registry/handlers/helpers.go
@ -6,7 +6,6 @@ import (
 	"net/http"
 	ctxu "github.com/docker/distribution/context"
 	"github.com/docker/distribution/registry/api/errcode"
 )
 // closeResources closes all the provided resources after running the target
@ -23,7 +22,9 @@ func closeResources(handler http.Handler, closers ...io.Closer) http.Handler {
 // copyFullPayload copies the payload of an HTTP request to destWriter. If it
 // receives less content than expected, and the client disconnected during the
 // upload, it avoids sending a 400 error to keep the logs cleaner.
-func copyFullPayload(responseWriter http.ResponseWriter, r *http.Request, destWriter io.Writer, context ctxu.Context, action string, errSlice *errcode.Errors) error {
+//
 // The copy will be limited to `limit` bytes, if limit is greater than zero.
 func copyFullPayload(responseWriter http.ResponseWriter, r *http.Request, destWriter io.Writer, limit int64, context ctxu.Context, action string) error {
 	// Get a channel that tells us if the client disconnects
 	var clientClosed <-chan bool
 	if notifier, ok := responseWriter.(http.CloseNotifier); ok {
@ -32,8 +33,13 @@ func copyFullPayload(responseWriter http.ResponseWriter, r *http.Request, destWr
 		ctxu.GetLogger(context).Warnf("the ResponseWriter does not implement CloseNotifier (type: %T)", responseWriter)
 	}
 	var body = r.Body
 	if limit > 0 {
 		body = http.MaxBytesReader(responseWriter, body, limit)
 	}
 	// Read in the data, if any.
-	copied, err := io.Copy(destWriter, r.Body)
+	copied, err := io.Copy(destWriter, body)
 	if clientClosed != nil && (err != nil || (r.ContentLength > 0 && copied < r.ContentLength)) {
 		// Didn't receive as much content as expected. Did the client
 		// disconnect during the request? If so, avoid returning a 400
@ -58,7 +64,6 @@ func copyFullPayload(responseWriter http.ResponseWriter, r *http.Request, destWr
 	if err != nil {
 		ctxu.GetLogger(context).Errorf("unknown error reading request payload: %v", err)
 		*errSlice = append(*errSlice, errcode.ErrorCodeUnknown.WithDetail(err))
 		return err
 	}
--- a/registry/handlers/images.go
+++ b/registry/handlers/images.go
@ -15,14 +15,16 @@ import (
 	"github.com/docker/distribution/reference"
 	"github.com/docker/distribution/registry/api/errcode"
 	"github.com/docker/distribution/registry/api/v2"
 	"github.com/docker/distribution/registry/auth"
 	"github.com/gorilla/handlers"
 )
 // These constants determine which architecture and OS to choose from a
 // manifest list when downconverting it to a schema1 manifest.
 const (
-	defaultArch = "amd64"
+	defaultArch         = "amd64"
-	defaultOS   = "linux"
+	defaultOS           = "linux"
 	maxManifestBodySize = 4 << 20
 )
 // imageManifestDispatcher takes the request context and builds the
@ -240,8 +242,9 @@ func (imh *imageManifestHandler) PutImageManifest(w http.ResponseWriter, r *http
 	}
 	var jsonBuf bytes.Buffer
-	if err := copyFullPayload(w, r, &jsonBuf, imh, "image manifest PUT", &imh.Errors); err != nil {
+	if err := copyFullPayload(w, r, &jsonBuf, maxManifestBodySize, imh, "image manifest PUT"); err != nil {
 		// copyFullPayload reports the error if necessary
 		imh.Errors = append(imh.Errors, v2.ErrorCodeManifestInvalid.WithDetail(err.Error()))
 		return
 	}
@ -269,6 +272,12 @@ func (imh *imageManifestHandler) PutImageManifest(w http.ResponseWriter, r *http
 	if imh.Tag != "" {
 		options = append(options, distribution.WithTag(imh.Tag))
 	}
 	if err := imh.applyResourcePolicy(manifest); err != nil {
 		imh.Errors = append(imh.Errors, err)
 		return
 	}
 	_, err = manifests.Put(imh, manifest, options...)
 	if err != nil {
 		// TODO(stevvooe): These error handling switches really need to be
@ -339,6 +348,73 @@ func (imh *imageManifestHandler) PutImageManifest(w http.ResponseWriter, r *http
 	w.WriteHeader(http.StatusCreated)
 }
 // applyResourcePolicy checks whether the resource class matches what has
 // been authorized and allowed by the policy configuration.
 func (imh *imageManifestHandler) applyResourcePolicy(manifest distribution.Manifest) error {
 	allowedClasses := imh.App.Config.Policy.Repository.Classes
 	if len(allowedClasses) == 0 {
 		return nil
 	}
 	var class string
 	switch m := manifest.(type) {
 	case *schema1.SignedManifest:
 		class = "image"
 	case *schema2.DeserializedManifest:
 		switch m.Config.MediaType {
 		case schema2.MediaTypeConfig:
 			class = "image"
 		case schema2.MediaTypePluginConfig:
 			class = "plugin"
 		default:
 			message := fmt.Sprintf("unknown manifest class for %s", m.Config.MediaType)
 			return errcode.ErrorCodeDenied.WithMessage(message)
 		}
 	}
 	if class == "" {
 		return nil
 	}
 	// Check to see if class is allowed in registry
 	var allowedClass bool
 	for _, c := range allowedClasses {
 		if class == c {
 			allowedClass = true
 			break
 		}
 	}
 	if !allowedClass {
 		message := fmt.Sprintf("registry does not allow %s manifest", class)
 		return errcode.ErrorCodeDenied.WithMessage(message)
 	}
 	resources := auth.AuthorizedResources(imh)
 	n := imh.Repository.Named().Name()
 	var foundResource bool
 	for _, r := range resources {
 		if r.Name == n {
 			if r.Class == "" {
 				r.Class = "image"
 			}
 			if r.Class == class {
 				return nil
 			}
 			foundResource = true
 		}
 	}
 	// resource was found but no matching class was found
 	if foundResource {
 		message := fmt.Sprintf("repository not authorized for %s manifest", class)
 		return errcode.ErrorCodeDenied.WithMessage(message)
 	}
 	return nil
 }
 // DeleteImageManifest removes the manifest with the given digest from the registry.
 func (imh *imageManifestHandler) DeleteImageManifest(w http.ResponseWriter, r *http.Request) {
 	ctxu.GetLogger(imh).Debug("DeleteImageManifest")
--- a/registry/proxy/proxyauth.go
+++ b/registry/proxy/proxyauth.go
@ -79,9 +79,5 @@ func ping(manager challenge.Manager, endpoint, versionHeader string) error {
 	}
 	defer resp.Body.Close()
-	if err := manager.AddResponse(resp); err != nil {
+	return manager.AddResponse(resp)
 		return err
 	}
 	return nil
 }
--- a/registry/storage/blobstore.go
+++ b/registry/storage/blobstore.go
@ -27,7 +27,7 @@ func (bs *blobStore) Get(ctx context.Context, dgst digest.Digest) ([]byte, error
 		return nil, err
 	}
-	p, err := bs.driver.GetContent(ctx, bp)
+	p, err := getContent(ctx, bs.driver, bp)
 	if err != nil {
 		switch err.(type) {
 		case driver.PathNotFoundError:
@ -37,7 +37,7 @@ func (bs *blobStore) Get(ctx context.Context, dgst digest.Digest) ([]byte, error
 		return nil, err
 	}
-	return p, err
+	return p, nil
 }
 func (bs *blobStore) Open(ctx context.Context, dgst digest.Digest) (distribution.ReadSeekCloser, error) {
--- a/registry/storage/blobwriter.go
+++ b/registry/storage/blobwriter.go
@ -98,11 +98,7 @@ func (bw *blobWriter) Cancel(ctx context.Context) error {
 		context.GetLogger(ctx).Errorf("error closing blobwriter: %s", err)
 	}
-	if err := bw.removeResources(ctx); err != nil {
+	return bw.removeResources(ctx)
 		return err
 	}
 	return nil
 }
 func (bw *blobWriter) Size() int64 {
--- a/registry/storage/driver/base/base.go
+++ b/registry/storage/driver/base/base.go
@ -137,7 +137,7 @@ func (base *Base) Stat(ctx context.Context, path string) (storagedriver.FileInfo
 	ctx, done := context.WithTrace(ctx)
 	defer done("%s.Stat(%q)", base.Name(), path)
-	if !storagedriver.PathRegexp.MatchString(path) {
+	if !storagedriver.PathRegexp.MatchString(path) && path != "/" {
 		return nil, storagedriver.InvalidPathError{Path: path, DriverName: base.StorageDriver.Name()}
 	}
--- a/registry/storage/garbagecollect.go
+++ b/registry/storage/garbagecollect.go
@ -80,7 +80,7 @@ func MarkAndSweep(ctx context.Context, storageDriver driver.StorageDriver, regis
 	})
 	if err != nil {
-		return fmt.Errorf("failed to mark: %v\n", err)
+		return fmt.Errorf("failed to mark: %v", err)
 	}
 	// sweep
@ -106,7 +106,7 @@ func MarkAndSweep(ctx context.Context, storageDriver driver.StorageDriver, regis
 		}
 		err = vacuum.RemoveBlob(string(dgst))
 		if err != nil {
-			return fmt.Errorf("failed to delete blob %s: %v\n", dgst, err)
+			return fmt.Errorf("failed to delete blob %s: %v", dgst, err)
 		}
 	}
--- a/registry/storage/io.go
+++ b/registry/storage/io.go
@ -0,0 +1,71 @@
 package storage
 import (
 	"errors"
 	"io"
 	"io/ioutil"
 	"github.com/docker/distribution/context"
 	"github.com/docker/distribution/registry/storage/driver"
 )
 const (
 	maxBlobGetSize = 4 << 20
 )
 func getContent(ctx context.Context, driver driver.StorageDriver, p string) ([]byte, error) {
 	r, err := driver.Reader(ctx, p, 0)
 	if err != nil {
 		return nil, err
 	}
 	return readAllLimited(r, maxBlobGetSize)
 }
 func readAllLimited(r io.Reader, limit int64) ([]byte, error) {
 	r = limitReader(r, limit)
 	return ioutil.ReadAll(r)
 }
 // limitReader returns a new reader limited to n bytes. Unlike io.LimitReader,
 // this returns an error when the limit reached.
 func limitReader(r io.Reader, n int64) io.Reader {
 	return &limitedReader{r: r, n: n}
 }
 // limitedReader implements a reader that errors when the limit is reached.
 //
 // Partially cribbed from net/http.MaxBytesReader.
 type limitedReader struct {
 	r   io.Reader // underlying reader
 	n   int64     // max bytes remaining
 	err error     // sticky error
 }
 func (l *limitedReader) Read(p []byte) (n int, err error) {
 	if l.err != nil {
 		return 0, l.err
 	}
 	if len(p) == 0 {
 		return 0, nil
 	}
 	// If they asked for a 32KB byte read but only 5 bytes are
 	// remaining, no need to read 32KB. 6 bytes will answer the
 	// question of the whether we hit the limit or go past it.
 	if int64(len(p)) > l.n+1 {
 		p = p[:l.n+1]
 	}
 	n, err = l.r.Read(p)
 	if int64(n) <= l.n {
 		l.n -= int64(n)
 		l.err = err
 		return n, err
 	}
 	n = int(l.n)
 	l.n = 0
 	l.err = errors.New("storage: read exceeds limit")
 	return n, l.err
 }
--- a/registry/storage/tagstore.go
+++ b/registry/storage/tagstore.go
@ -122,17 +122,20 @@ func (ts *tagStore) Untag(ctx context.Context, tag string) error {
 		name: ts.repository.Named().Name(),
 		tag:  tag,
 	})
-
+	if err != nil {
 	switch err.(type) {
 	case storagedriver.PathNotFoundError:
 		return distribution.ErrTagUnknown{Tag: tag}
 	case nil:
 		break
 	default:
 		return err
 	}
-	return ts.blobStore.driver.Delete(ctx, tagPath)
+	if err := ts.blobStore.driver.Delete(ctx, tagPath); err != nil {
 		switch err.(type) {
 		case storagedriver.PathNotFoundError:
 			return nil // Untag is idempotent, we don't care if it didn't exist
 		default:
 			return err
 		}
 	}
 	return nil
 }
 // linkedBlobStore returns the linkedBlobStore for the named tag, allowing one
@ -179,6 +182,10 @@ func (ts *tagStore) Lookup(ctx context.Context, desc distribution.Descriptor) ([
 		tagLinkPath, err := pathFor(tagLinkPathSpec)
 		tagDigest, err := ts.blobStore.readlink(ctx, tagLinkPath)
 		if err != nil {
 			switch err.(type) {
 			case storagedriver.PathNotFoundError:
 				continue
 			}
 			return nil, err
 		}
--- a/registry/storage/tagstore_test.go
+++ b/registry/storage/tagstore_test.go
@ -84,8 +84,8 @@ func TestTagStoreUnTag(t *testing.T) {
 	desc := distribution.Descriptor{Digest: "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}
 	err := tags.Untag(ctx, "latest")
-	if err == nil {
+	if err != nil {
-		t.Errorf("Expected error untagging non-existant tag")
+		t.Error(err)
 	}
 	err = tags.Tag(ctx, "latest", desc)
--- a/version/version.go
+++ b/version/version.go
@ -8,4 +8,4 @@ var Package = "github.com/docker/distribution"
 // the latest release tag by hand, always suffixed by "+unknown". During
 // build, it will be replaced by the actual version. The value here will be
 // used if the registry is run after a go get based install.
-var Version = "v2.6.0+unknown"
+var Version = "v2.6.2+unknown"
Author	SHA1	Message	Date
Derek McGowan	45983af554	Merge pull request #2773 from dmcgowan/2.6-add-goarm-flag [release/2.6] Add GOARM flag to dockerfile	2018-11-29 15:14:41 -08:00
Derek McGowan	ab74ab7442	Add GOARM flag to dockerfile When building with arm on alpine, GOARM should be set to 6 by default. Signed-off-by: Derek McGowan <derek@mcgstyle.net>	2018-11-28 13:51:51 -08:00
Derek McGowan	a66a4c3e63	Merge pull request #2770 from dmcgowan/goarch-dockerfile [release/2.6] Add go arguments to dockerfile	2018-11-27 16:48:46 -08:00
Derek McGowan	0db89b2b46	Add go arguments to dockerfile Signed-off-by: Derek McGowan <derek@mcgstyle.net>	2018-11-27 16:42:15 -08:00
Derek McGowan	7d2744309e	Merge pull request #2597 from dmcgowan/2.6-update-integration-test-certs [release/2.6] integration tests: update certificates	2018-06-21 13:58:36 -07:00
Derek McGowan	8dcaecc99c	Update certificates Set expiration to 10 years Signed-off-by: Derek McGowan <derek@mcgstyle.net>	2018-05-22 14:41:01 -07:00
Stephen Day	49a2291398	Merge pull request #2558 from mrueg/release/2.6 [release/2.6] Cherry-Pick commits for release 2.6.3	2018-04-06 13:42:15 -07:00
Noah Treuhaft	376cbc0cc1	notifications: fix expvar for Go 1.7 Remove EndpointConfig.Transport from the return value of the registry.notifications.endpoints expvar.Func. It results in an empty value for that expvar variable under Go 1.7 because it is a non-nil *http.Transport, which Go 1.7 can no longer encode as JSON. Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com> (cherry picked from commit `9a58c91051`)	2018-04-05 13:49:04 +02:00
Wenkai Yin	9b36527ddd	ignore path not found error when look up tags Signed-off-by: Wenkai Yin <yinw@vmware.com> (cherry picked from commit `005c6e0236`)	2018-04-05 13:49:04 +02:00
Stephen J Day	e22abf0fab	registry/storage: ignore missing tag on delete Signed-off-by: Stephen J Day <stephen.day@docker.com> (cherry picked from commit `1ba5b3b553`)	2018-04-05 13:49:04 +02:00
Stephen Day	803ff0da68	Merge pull request #2451 from stevvooe/backport-feed-the-linter [2.6] registry: feed the linter by removing redundant err check	2017-11-22 18:09:11 -08:00
Stephen J Day	22889ae085	registry: feed the linter by removing redundant err check Signed-off-by: Stephen J Day <stephen.day@docker.com> (cherry picked from commit `4abf680c76`) Signed-off-by: Stephen J Day <stephen.day@docker.com>	2017-11-22 17:17:24 -08:00
Stephen Day	b7a08ef5bb	Merge pull request #2449 from mistyhacks/fix-keywords-2.6 Fix keyword format for downstream docs	2017-11-22 16:34:19 -08:00
Misty Stanley-Jones	8efe825c70	Fix keyword format for downstream docs Signed-off-by: Misty Stanley-Jones <misty@docker.com>	2017-11-21 09:26:50 -08:00
Stephen Day	4c93564791	Merge pull request #2347 from stevvooe/backport-auth-spec-2.6 [release/2.6] Put back v2-registry-auth.png	2017-07-24 15:24:37 -07:00
Misty Stanley-Jones	326f660393	Put back v2-registry-auth.png Signed-off-by: Misty Stanley-Jones <misty@docker.com> (cherry picked from commit `1d95716792`) Signed-off-by: Stephen J Day <stephen.day@docker.com>	2017-07-24 15:08:25 -07:00
Stephen Day	48294d928c	Merge pull request #2343 from stevvooe/prepare-2.6.2 [release/2.6] release: prepare for 2.6.2 release	2017-07-20 14:12:45 -07:00
Stephen J Day	04ce68659d	release: prepare for 2.6.2 release Signed-off-by: Stephen J Day <stephen.day@docker.com>	2017-07-20 14:12:13 -07:00
Stephen Day	c829241c21	Merge pull request #2341 from stevvooe/limit-payload-size-26 [release/2.6] registry/{storage,handlers}: limit content sizes	2017-07-20 13:53:59 -07:00
Stephen J Day	29fa466deb	registry/{storage,handlers}: limit content sizes Under certain circumstances, the use of `StorageDriver.GetContent` can result in unbounded memory allocations. In particualr, this happens when accessing a layer through the manifests endpoint. This problem is mitigated by setting a 4MB limit when using to access content that may have been accepted from a user. In practice, this means setting the limit with the use of `BlobProvider.Get` by wrapping `StorageDriver.GetContent` in a helper that uses `StorageDriver.Reader` with a `limitReader` that returns an error. When mitigating this security issue, we also noticed that the size of manifests uploaded to the registry is also unlimited. We apply similar logic to the request body of payloads that are full buffered. Signed-off-by: Stephen J Day <stephen.day@docker.com> (cherry picked from commit `55ea440428`) Signed-off-by: Stephen J Day <stephen.day@docker.com>	2017-07-20 13:37:43 -07:00
Derek McGowan	42ea75ca2d	Merge pull request #2284 from mstanleyjones/release/2.6 Put architecture.md back into distribution repo	2017-05-23 13:10:44 -07:00
Misty Stanley-Jones	ed2b6867b2	Put architecture.md back into distribution repo Signed-off-by: Misty Stanley-Jones <misty@docker.com>	2017-05-23 11:26:12 -07:00
Derek McGowan	a25b9ef0c9	Update changelog for 2.6.1 Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)	2017-04-05 16:18:07 -07:00
Derek McGowan	0d39820aa7	Update changelog for 2.6.1-rc2 Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)	2017-03-21 13:13:43 -07:00
yixi zhang	abf796d17c	Use app.driver.Stat for registry health check `app.driver.List` on `"/"` is very expensive if registry contains significant amount of images. And the result isn't used anyways. In most (if not all) storage drivers, `Stat` has a cheaper implementation, so use it instead to achieve the same goal. Signed-off-by: yixi zhang <yixi@memsql.com>	2017-03-21 13:11:58 -07:00
Derek McGowan	74278cdaa6	Update release notes for 2.6.1-rc1 Release notes for forwarded header fix patch release Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)	2017-03-21 10:49:45 -07:00
Derek McGowan	5c43c3b0ee	Remove support for X-Forwarded-Port Partially reverts change adding support for X-Forwarded-Port. Changes the logic to prefer the standard Forwarded header over X-Forwarded headers. Prefer forwarded "host" over "for" since "for" represents the client and not the client's request. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)	2017-03-20 17:02:58 -07:00
Troels Thomsen	d0b7c92004	Add test for precendence with standard port Signed-off-by: Troels Thomsen <troels@thomsen.io> Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)	2017-03-20 17:01:36 -07:00
Derek McGowan	325b0804fe	Update release notes for 2.6 Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)	2017-01-17 17:15:28 -08:00
Derek McGowan	1642cd85d5	Merge pull request #2123 from mstanleyjones/configuration_changes_backport_2.6 Backport #2116 to releases/2.6	2017-01-03 19:42:42 -08:00
Misty Stanley-Jones	7f3c4b5c65	Improve formatting of configuration.md Signed-off-by: Misty Stanley-Jones <misty@docker.com> (cherry picked from commit `6ee03f5da7`) Signed-off-by: Misty Stanley-Jones <misty@docker.com>	2017-01-03 15:57:35 -08:00
Joao Fernandes	df1ddd8e46	Format configuration.md with code fences to avoid render issues Signed-off-by: Joao Fernandes <joao.fernandes@docker.com>	2017-01-03 15:13:22 -08:00
Derek McGowan	0241c48be5	Release notes for v2.6.0-rc2 Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)	2016-12-20 15:42:12 -08:00
Derek McGowan	438b8a1d4e	Update registry server to support repository class Use whitelist of allowed repository classes to enforce. By default all repository classes are allowed. Add authorized resources to context after authorization. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)	2016-12-20 15:42:12 -08:00
Derek McGowan	4d0424b470	Update contrib token server to support repository class Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)	2016-12-20 15:42:11 -08:00
Derek McGowan	07d2f1aac7	Add class to repository scope Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)	2016-12-20 15:42:11 -08:00
Derek McGowan	f982e05861	Update scope specification for resource class Update grammar to support a resource class. Add example for plugin repository class. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)	2016-12-20 15:42:11 -08:00
Derek McGowan	74c5c2fee4	Remove newlines from end of error strings Golint now checks for new lines at the end of go error strings, remove these unneeded new lines. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)	2016-12-20 15:42:11 -08:00