Rename catalog funcs and update their godocs.

Signed-off-by: Milos Gajdos <milosgajdos83@gmail.com>

.dockerignore

@@ -1 +0,0 @@
-bin/

.github/CODE_OF_CONDUCT.md

@@ -0,0 +1,3 @@
+## Docker Distribution Community Code of Conduct
+
+Docker Distribution follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).

.github/workflows/build.yml

@@ -1,134 +0,0 @@
-name: build
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-on:
-  push:
-    branches:
-      - 'main'
-      - 'release/*'
-    tags:
-      - 'v*'
-  pull_request:
-
-env:
-  DOCKERHUB_SLUG: distribution/distribution
-
-permissions:
-  contents: read # to fetch code (actions/checkout)
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        go:
-          - 1.18
-          - 1.19.10
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v3
-      -
-        name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ matrix.go }}
-      -
-        name: Test
-        run: |
-          make coverage
-      -
-        name: Codecov
-        uses: codecov/codecov-action@v3
-        with:
-          directory: ./
-
-  build:
-    permissions:
-      contents: write # to create GitHub release (softprops/action-gh-release)
-
-    runs-on: ubuntu-latest
-    needs:
-      - test
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      -
-        name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v4
-        with:
-          images: |
-            ${{ env.DOCKERHUB_SLUG }}
-          ### versioning strategy
-          ### push semver tag v3.2.1 on main (default branch)
-          # distribution/distribution:3.2.1
-          # distribution/distribution:3.2
-          # distribution/distribution:3
-          # distribution/distribution:latest
-          ### push semver prelease tag v3.0.0-beta.1 on main (default branch)
-          # distribution/distribution:3.0.0-beta.1
-          ### push on main
-          # distribution/distribution:edge
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=ref,event=pr
-            type=edge
-          labels: |
-            org.opencontainers.image.title=Distribution
-            org.opencontainers.image.description=The toolkit to pack, ship, store, and deliver container content
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      -
-        name: Login to DockerHub
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build artifacts
-        uses: docker/bake-action@v2
-        with:
-          targets: artifact-all
-      -
-        name: Move artifacts
-        run: |
-          mv ./bin/**/* ./bin/
-      -
-        name: Upload artifacts
-        uses: actions/upload-artifact@v3
-        with:
-          name: registry
-          path: ./bin/*
-          if-no-files-found: error
-      -
-        name: Build image
-        uses: docker/bake-action@v2
-        with:
-          files: |
-            ./docker-bake.hcl
-            ${{ steps.meta.outputs.bake-file }}
-          targets: image-all
-          push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
-      -
-        name: GitHub Release
-        uses: softprops/action-gh-release@v1
-        if: startsWith(github.ref, 'refs/tags/')
-        with:
-          draft: true
-          files: |
-            bin/*.tar.gz
-            bin/*.sha256
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci.yml

@@ -0,0 +1,55 @@
+name: CI
+
+
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+
+jobs:
+
+  build:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_BUILDTAGS: "include_oss include_gcs"
+      CGO_ENABLED: 1
+      GO111MODULE: "auto"
+      GOPATH: ${{ github.workspace }}
+      GOOS: linux
+      COMMIT_RANGE: ${{ github.event_name == 'pull_request' && format('{0}..{1}',github.event.pull_request.base.sha, github.event.pull_request.head.sha) || format('{0}..{1}', github.event.before, github.event.after) }}
+
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        path: src/github.com/distribution/distribution
+        fetch-depth: 50
+
+    - name: Set up Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.15.*
+
+    - name: Dependencies
+      run: |
+          sudo apt-get -q update
+          sudo -E apt-get -yq --no-install-suggests --no-install-recommends install python2-minimal
+          cd /tmp && go get -u github.com/vbatts/git-validation
+
+    - name: Build
+      working-directory: ./src/github.com/distribution/distribution
+      run: |
+        DCO_VERBOSITY=-q script/validate/dco
+        GO111MODULE=on script/setup/install-dev-tools
+        script/validate/vendor
+        go build -i .
+        make check
+        make build
+        make binaries
+        if [ "$GOOS" = "linux" ]; then make coverage ; fi
+
+    - uses: codecov/codecov-action@v1
+      with:
+        directory: ./src/github.com/distribution/distribution

.github/workflows/codeql-analysis.yml

@@ -1,55 +1,63 @@
-name: CodeQL
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
 
 on:
-  schedule:
-    - cron: '0 12 * * 6'
   push:
-    branches:
-      - 'main'
-      - 'release/*'
-    tags:
-      - 'v*'
+    branches: [ main ]
   pull_request:
-
-permissions:
-  contents: read # to fetch code (actions/checkout)
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '41 13 * * 1'
 
 jobs:
   analyze:
-    permissions:
-      contents: read # to fetch code (actions/checkout)
-      security-events: write # to upload SARIF results (github/codeql-action/analyze)
-
     name: Analyze
     runs-on: ubuntu-latest
+
     strategy:
       fail-fast: false
       matrix:
-        language:
-          - go
+        language: [ 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-      -
-        name: Checkout HEAD on PR
-        if: ${{ github.event_name == 'pull_request' }}
-        run: |
-          git checkout HEAD^2
-      -
-        name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
       with:
         languages: ${{ matrix.language }}
-      -
-        name: Autobuild
-        uses: github/codeql-action/autobuild@v2
-      -
-        name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.github/workflows/conformance.yml

@@ -1,56 +0,0 @@
-name: conformance
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-on:
-  pull_request:
-  push:
-
-permissions:
-  contents: read # to fetch code (actions/checkout)
-
-jobs:
-  run-conformance-test:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      -
-        name: Build image
-        uses: docker/bake-action@v2
-        with:
-          targets: image-local
-      -
-        name: Start distribution server
-        run: |
-          IP=`hostname -I | awk '{print $1}'`
-          echo "IP=$IP" >> $GITHUB_ENV
-          echo "OCI_ROOT_URL=http://$IP:5000" >> $GITHUB_ENV
-          DISTRIBUTION_REF="registry:local"
-          docker run --rm -p 5000:5000 -e REGISTRY_STORAGE_DELETE_ENABLED=true -idt "registry:local"
-      -
-        name: Run OCI Distribution Spec conformance tests
-        uses: opencontainers/distribution-spec@v1.0.1
-        env:
-          OCI_ROOT_URL: ${{ env.OCI_ROOT_URL }}
-          OCI_NAMESPACE: oci-conformance/distribution-test
-          OCI_TEST_PULL: 1
-          OCI_TEST_PUSH: 1
-          OCI_TEST_CONTENT_DISCOVERY: 1
-          OCI_TEST_CONTENT_MANAGEMENT: 1
-          OCI_HIDE_SKIPPED_WORKFLOWS: 1
-      -
-        name: Move test results
-        run: mkdir -p .out/ && mv {report.html,junit.xml} .out/
-      -
-        name: Upload test results
-        uses: actions/upload-artifact@v3
-        with:
-          name: oci-test-results-${{ github.sha }}
-          path: .out/
-          if-no-files-found: error

.github/workflows/e2e.yml

@@ -1,42 +1,39 @@
 name: e2e
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 on:
   push:
     branches:
-      - 'main'
-      - 'release/*'
+      - main
   pull_request:
-
-permissions:
-  contents: read # to fetch code (actions/checkout)
+    branches:
+      - main
 
 jobs:
-  run-e2e-test:
+  run:
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v3
+      - name: set up docker
+        uses: docker-practice/actions-setup-docker@0.0.1
         with:
-          fetch-depth: 0
-      -
-        name: Build image
-        uses: docker/bake-action@v2
+          docker_version: 18.09
+          docker_channel: stable
+
+      - name: checkout distribution
+        uses: actions/checkout@master
         with:
-          targets: image-local
-      -
-        name: Start distribution server
+          path: main
+
+      - name: start distribution server
         run: |
           IP=`hostname -I | awk '{print $1}'`
           echo "IP=$IP" >> $GITHUB_ENV
           echo '{"insecure-registries" : ["'$IP':5000"]}' | sudo tee /etc/docker/daemon.json
           sudo service docker restart
-          docker run --rm -p 5000:5000 -p 5001:5001 -idt "registry:local"
-      -
-        name: Tests
+          DISTRIBUTION_REF="local-distribution:v$(date +%Y%m%d%H%M%S)"
+          cd ./main
+          docker build -f ./Dockerfile -t "${DISTRIBUTION_REF}" .
+          docker run --rm -p 5000:5000 -p 5001:5001 -idt "${DISTRIBUTION_REF}"
+
+      - name: script
         run: |
-          bash ./tests/push.sh $IP
+          bash ./main/tests/push.sh $IP

.github/workflows/fossa.yml

@@ -1,25 +0,0 @@
-name: FOSSA License Scanning
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-on:
-  - pull_request
-  - push
-
-permissions:
-  contents: read # to fetch code (actions/checkout)
-
-jobs:
-  scan-license:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@v2
-        with:
-          fossa-api-key: cac3dc8d4f2ba86142f6c0f2199a160f

.github/workflows/release.yaml

@@ -0,0 +1,60 @@
+name: Release docker image
+
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  publish:
+    name: Build and publish docker image
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_BUILDTAGS: "include_oss include_gcs"
+      CGO_ENABLED: 1
+      GO111MODULE: "auto"
+      GOPATH: ${{ github.workspace }}
+      GOOS: linux
+      COMMIT_RANGE: ${{ github.event_name == 'pull_request' && format('{0}..{1}',github.event.pull_request.base.sha, github.event.pull_request.head.sha) || format('{0}..{1}', github.event.before, github.event.after) }}
+
+    steps:
+      - name: Get git tag
+        id: get_git_tag
+        run: echo ::set-output name=git_tag::${GITHUB_REF#refs/tags/}
+
+      - name: Verify git tag
+        env:
+          GIT_TAG: ${{ steps.get_git_tag.outputs.git_tag }}
+        # NOTE: this is a simple Regexp, following the current versioning scheme
+        # In ideal world we should use this monstrosity:
+        # https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string
+        run: |
+          [[ ${GIT_TAG} =~ ^v[0-9]+.[0-9]+.[0-9]+ ]]
+
+      - name: Check out source code
+        if: ${{ success() }}
+        uses: actions/checkout@v2
+        with:
+          ref: ${{ steps.get_git_tag.outputs.git_tag }}
+
+      - name: Set image tag
+        env:
+          GIT_TAG: ${{ steps.get_git_tag.outputs.git_tag }}
+        id: get_image_tag
+        run: echo ::set-output name=docker_tag::${GIT_TAG}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        if: ${{ success() }}
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: distribution/distribution:{{ steps.get_image_tag.outputs.docker_tag }}

.github/workflows/scorecards.yml

@@ -1,60 +0,0 @@
-name: Scorecards supply-chain security
-on:
-  # Only the default branch is supported.
-  branch_protection_rule:
-  schedule:
-    - cron: '26 0 * * 0'
-  push:
-    branches: [ "main" ]
-
-# Declare default permissions as read only.
-permissions: read-all
-
-jobs:
-  analysis:
-    name: Scorecards analysis
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload the results to code-scanning dashboard.
-      security-events: write
-      # Used to receive a badge.
-      id-token: write
-
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
-        with:
-          persist-credentials: false
-
-      - name: "Run analysis"
-        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # tag=v2.0.6
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
-          # - you want to enable the Branch-Protection check on a *public* repository, or
-          # - you are installing Scorecards on a *private* repository
-          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
-          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
-
-          # Publish the results for public repositories to enable scorecard badges. For more details, see
-          # https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories, `publish_results` will automatically be set to `false`, regardless
-          # of the value entered here.
-          publish_results: true
-
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-
-      # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
-        with:
-          sarif_file: results.sarif
-

.github/workflows/validate.yml

@@ -1,38 +0,0 @@
-name: validate
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-on:
-  push:
-    branches:
-      - 'main'
-      - 'release/*'
-    tags:
-      - 'v*'
-  pull_request:
-
-permissions:
-  contents: read # to fetch code (actions/checkout)
-
-jobs:
-  validate:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        target:
-          - lint
-          - validate-vendor
-          - validate-git
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v3
-      -
-        name: Run
-        run: |
-          make ${{ matrix.target }}
-        env:
-          COMMIT_RANGE: ${{ format('{0}..{1}', github.sha, 'HEAD') }}

.golangci.yml

@@ -1,26 +1,19 @@
 linters:
   enable:
+    - structcheck
+    - varcheck
     - staticcheck
     - unconvert
     - gofmt
     - goimports
-    - revive
+    - golint
     - ineffassign
     - vet
     - unused
     - misspell
-    - bodyclose
   disable:
     - errcheck
 
-linters-settings:
-  revive:
-    rules:
-      # TODO(thaJeztah): temporarily disabled the "unused-parameter" check.
-      # It produces many warnings, and some of those may need to be looked at.
-      - name: unused-parameter
-        disabled: true
-
 run:
   deadline: 2m
   skip-dirs:

ADOPTERS.md

@@ -1,11 +1,6 @@
 Docker Hub https://hub.docker.com/
-
 GitLab Container Registry https://docs.gitlab.com/ee/user/packages/container_registry/
-
 GitHub Container Registry https://docs.github.com/en/free-pro-team@latest/packages/guides/about-github-container-registry
-
 Harbor, CNCF Graduated project https://goharbor.io/
-
 VMware Harbor Registry https://docs.pivotal.io/partners/vmware-harbor/index.html
-
 DigitalOcean Container Registry https://www.digitalocean.com/products/container-registry/

BUILDING.md

@@ -19,29 +19,19 @@ You are expected to know your way around with go & git.
 
 If you are a casual user with no development experience, and no preliminary knowledge of go, building from source is probably not a good solution for you.
 
-## Configure the development environment
+## Build the development environment
 
 The first prerequisite of properly building distribution targets is to have a Go
 development environment setup. Please follow [How to Write Go Code](https://golang.org/doc/code.html)
 for proper setup. If done correctly, you should have a GOROOT and GOPATH set in the
 environment.
 
-Next, fetch the code from the repository using git:
+If a Go development environment is setup, one can use `go get` to install the
+`registry` command from the current latest:
 
-    git clone https://github.com/distribution/distribution
-    cd distribution
+    go get github.com/distribution/distribution/cmd/registry
 
-If you are planning to create a pull request with changes, you may want to clone directly from your [fork](https://help.github.com/en/articles/about-forks).
-
-## Build and run from source
-
-First, build the binaries:
-
-    $ make
-    + bin/registry
-    + bin/digest
-    + bin/registry-api-descriptor-template
-    + binaries
+The above will install the source repository into the `GOPATH`.
 
 Now create the directory for the registry data (this might require you to set permissions properly)
 
@@ -52,56 +42,76 @@ Now create the directory for the registry data (this might require you to set pe
 The `registry`
 binary can then be run with the following:
 
-    $ ./bin/registry --version
-    ./bin/registry github.com/distribution/distribution/v3 v2.7.0-1993-g8857a194
+    $ $GOPATH/bin/registry --version
+    $GOPATH/bin/registry github.com/distribution/distribution v2.0.0-alpha.1+unknown
 
-The registry can be run with a development config using the following
+> __NOTE:__ While you do not need to use `go get` to checkout the distribution
+> project, for these build instructions to work, the project must be checked
+> out in the correct location in the `GOPATH`. This should almost always be
+> `$GOPATH/src/github.com/distribution/distribution`.
+
+The registry can be run with the default config using the following
 incantation:
 
-    $ ./bin/registry serve cmd/registry/config-dev.yml
-    INFO[0000] debug server listening :5001
-    WARN[0000] No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable.  environment=development go.version=go1.18.3 instance.id=e837df62-a66c-4e04-a014-b063546e82e0 service=registry version=v2.7.0-1993-g8857a194
-    INFO[0000] endpoint local-5003 disabled, skipping        environment=development go.version=go1.18.3 instance.id=e837df62-a66c-4e04-a014-b063546e82e0 service=registry version=v2.7.0-1993-g8857a194
-    INFO[0000] endpoint local-8083 disabled, skipping        environment=development go.version=go1.18.3 instance.id=e837df62-a66c-4e04-a014-b063546e82e0 service=registry version=v2.7.0-1993-g8857a194
-    INFO[0000] using inmemory blob descriptor cache          environment=development go.version=go1.18.3 instance.id=e837df62-a66c-4e04-a014-b063546e82e0 service=registry version=v2.7.0-1993-g8857a194
-    INFO[0000] providing prometheus metrics on /metrics
-    INFO[0000] listening on [::]:5000                        environment=development go.version=go1.18.3 instance.id=e837df62-a66c-4e04-a014-b063546e82e0 service=registry version=v2.7.0-1993-g8857a194
+    $ $GOPATH/bin/registry serve $GOPATH/src/github.com/distribution/distribution/cmd/registry/config-example.yml
+    INFO[0000] endpoint local-5003 disabled, skipping        app.id=34bbec38-a91a-494a-9a3f-b72f9010081f version=v2.0.0-alpha.1+unknown
+    INFO[0000] endpoint local-8083 disabled, skipping        app.id=34bbec38-a91a-494a-9a3f-b72f9010081f version=v2.0.0-alpha.1+unknown
+    INFO[0000] listening on :5000                            app.id=34bbec38-a91a-494a-9a3f-b72f9010081f version=v2.0.0-alpha.1+unknown
+    INFO[0000] debug server listening localhost:5001
 
 If it is working, one should see the above log messages.
 
-### Build reference
+### Repeatable Builds
 
-The regular `go` commands, such as `go test`, should work per package.
+For the full development experience, one should `cd` into
+`$GOPATH/src/github.com/distribution/distribution`. From there, the regular `go`
+commands, such as `go test`, should work per package (please see
+[Developing](#developing) if they don't work).
 
 A `Makefile` has been provided as a convenience to support repeatable builds.
+Please install the following into `GOPATH` for it to work:
 
-Run `make` to build the binaries:
+    go get github.com/golang/lint/golint
+
+Once these commands are available in the `GOPATH`, run `make` to get a full
+build:
 
     $ make
-    + bin/registry
-    + bin/digest
-    + bin/registry-api-descriptor-template
+    + clean
+    + fmt
+    + vet
+    + lint
+    + build
+    github.com/docker/docker/vendor/src/code.google.com/p/go/src/pkg/archive/tar
+    github.com/sirupsen/logrus
+    github.com/docker/libtrust
+    ...
+    github.com/yvasiyarov/gorelic
+    github.com/distribution/distribution/registry/handlers
+    github.com/distribution/distribution/cmd/registry
+    + test
+    ...
+    ok    github.com/distribution/distribution/digest 7.875s
+    ok    github.com/distribution/distribution/manifest 0.028s
+    ok    github.com/distribution/distribution/notifications  17.322s
+    ?     github.com/distribution/distribution/registry [no test files]
+    ok    github.com/distribution/distribution/registry/api/v2  0.101s
+    ?     github.com/distribution/distribution/registry/auth  [no test files]
+    ok    github.com/distribution/distribution/registry/auth/silly  0.011s
+    ...
+    + /Users/sday/go/src/github.com/distribution/distribution/bin/registry
+    + /Users/sday/go/src/github.com/distribution/distribution/bin/registry-api-descriptor-template
     + binaries
 
 The above provides a repeatable build using the contents of the vendor
-directory. We can verify this worked by running
+directory. This includes formatting, vetting, linting, building,
+testing and generating tagged binaries. We can verify this worked by running
 the registry binary generated in the "./bin" directory:
 
     $ ./bin/registry --version
     ./bin/registry github.com/distribution/distribution v2.0.0-alpha.2-80-g16d8b2c.m
 
-Run `make test` to run all of the tests.
-
-Run `make validate` to run the validators, including the linter and vendor validation. You must have docker with the buildx plugin installed to run the validators.
-
 ### Optional build tags
 
 Optional [build tags](http://golang.org/pkg/go/build/) can be provided using
-the environment variable `BUILDTAGS`.
-
-<dl>
-<dt>noresumabledigest</dt>
-<dd>Compiles without resumable digest support</dd>
-<dt>include_gcs</dt>
-<dd>Adds support for <a href="https://cloud.google.com/storage">Google Cloud Storage</a></dd>
-</dl>
+the environment variable `DOCKER_BUILDTAGS`.

CODE-OF-CONDUCT.md

@@ -1,5 +1,36 @@
-# Code of Conduct
+This project has adopted the [CNCF Community Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)
 
-We follow the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
+### Contributor Code of Conduct
 
-Please contact the [CNCF Code of Conduct Committee](mailto:conduct@cncf.io) in order to report violations of the Code of Conduct.
+As contributors and maintainers of this project, and in the interest of fostering
+an open and welcoming community, we pledge to respect all people who contribute
+through reporting issues, posting feature requests, updating documentation,
+submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free experience for
+everyone, regardless of level of experience, gender, gender identity and expression,
+sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
+religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing others' private information, such as physical or electronic addresses,
+ without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are not
+aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
+commit themselves to fairly and consistently applying these principles to every aspect
+of managing this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by
+contacting a CNCF project maintainer or our mediator, Mishi Choudhary <mishi@linux.com>.

CONTRIBUTING.md

@@ -17,16 +17,16 @@
  - can't figure out something
  - are not sure what's going on or what your problem is
 
-Please ask first in the [#distribution](https://cloud-native.slack.com/archives/C01GVR8SY4R) channel on CNCF community slack.
-[Click here for an invite to the CNCF community slack](https://slack.cncf.io/)
+Please ask first in the #distribution channel on Docker community slack.
+[Click here for an invite to Docker community slack](https://dockr.ly/slack)
 
 ### Reporting security issues
 
-The maintainers take security seriously. If you discover a security
+The Docker maintainers take security seriously. If you discover a security
 issue, please bring it to their attention right away!
 
 Please **DO NOT** file a public issue, instead send your report privately to
-[cncf-distribution-security@lists.cncf.io](mailto:cncf-distribution-security@lists.cncf.io).
+[security@docker.com](mailto:security@docker.com).
 
 ## Reporting an issue properly
 
@@ -47,7 +47,7 @@ By following these simple rules you will get better and faster feedback on your
  1. create a new issue, with a succinct title that describes your issue:
    - bad title: "It doesn't work with my docker"
    - good title: "Private registry push fail: 400 error with E_INVALID_DIGEST"
- 2. copy the output of (or similar for other container tools):
+ 2. copy the output of:
    - `docker version`
    - `docker info`
    - `docker exec <registry-container> registry --version`

Dockerfile

@@ -1,59 +1,30 @@
-# syntax=docker/dockerfile:1
+ARG GO_VERSION=1.15
 
-ARG GO_VERSION=1.19.10
-ARG ALPINE_VERSION=3.18
-ARG XX_VERSION=1.2.1
+FROM golang:${GO_VERSION}-alpine3.12 AS build
 
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base
-COPY --from=xx / /
-RUN apk add --no-cache bash coreutils file git
-ENV GO111MODULE=auto
-ENV CGO_ENABLED=0
-WORKDIR /src
+ENV DISTRIBUTION_DIR /go/src/github.com/distribution/distribution
+ENV BUILDTAGS include_oss include_gcs
 
-FROM base AS version
-ARG PKG=github.com/distribution/distribution/v3
-RUN --mount=target=. \
-  VERSION=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags) REVISION=$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi); \
-  echo "-X ${PKG}/version.Version=${VERSION#v} -X ${PKG}/version.Revision=${REVISION} -X ${PKG}/version.Package=${PKG}" | tee /tmp/.ldflags; \
-  echo -n "${VERSION}" | tee /tmp/.version;
+ARG GOOS=linux
+ARG GOARCH=amd64
+ARG GOARM=6
+ARG VERSION
+ARG REVISION
 
-FROM base AS build
-ARG TARGETPLATFORM
-ARG LDFLAGS="-s -w"
-ARG BUILDTAGS="include_gcs"
-RUN --mount=type=bind,target=/src,rw \
-    --mount=type=cache,target=/root/.cache/go-build \
-    --mount=target=/go/pkg/mod,type=cache \
-    --mount=type=bind,source=/tmp/.ldflags,target=/tmp/.ldflags,from=version \
-      set -x ; xx-go build -tags "${BUILDTAGS}" -trimpath -ldflags "$(cat /tmp/.ldflags) ${LDFLAGS}" -o /usr/bin/registry ./cmd/registry \
-      && xx-verify --static /usr/bin/registry
+RUN set -ex \
+    && apk add --no-cache make git file
 
-FROM scratch AS binary
-COPY --from=build /usr/bin/registry /
+WORKDIR $DISTRIBUTION_DIR
+COPY . $DISTRIBUTION_DIR
+RUN CGO_ENABLED=0 make PREFIX=/go clean binaries && file ./bin/registry | grep "statically linked"
 
-FROM base AS releaser
-ARG TARGETOS
-ARG TARGETARCH
-ARG TARGETVARIANT
-WORKDIR /work
-RUN --mount=from=binary,target=/build \
-    --mount=type=bind,target=/src \
-    --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
-      VERSION=$(cat /tmp/.version) \
-      && mkdir -p /out \
-      && cp /build/registry /src/README.md /src/LICENSE . \
-      && tar -czvf "/out/registry_${VERSION#v}_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}.tar.gz" * \
-      && sha256sum -z "/out/registry_${VERSION#v}_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}.tar.gz" | awk '{ print $1 }' > "/out/registry_${VERSION#v}_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}.tar.gz.sha256"
+FROM alpine:3.12
 
-FROM scratch AS artifact
-COPY --from=releaser /out /
+RUN set -ex \
+    && apk add --no-cache ca-certificates
 
-FROM alpine:${ALPINE_VERSION}
-RUN apk add --no-cache ca-certificates
 COPY cmd/registry/config-dev.yml /etc/docker/registry/config.yml
-COPY --from=binary /registry /bin/registry
+COPY --from=build /go/src/github.com/distribution/distribution/bin/registry /bin/registry
 VOLUME ["/var/lib/registry"]
 EXPOSE 5000
 ENTRYPOINT ["registry"]

GOVERNANCE.md

@@ -1,6 +1,6 @@
 # distribution/distribution Project Governance
 
-Distribution [Code of Conduct](./CODE-OF-CONDUCT.md) can be found here.
+Docker distribution abides by the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
 
 For specific guidance on practical contribution steps please
 see our [CONTRIBUTING.md](./CONTRIBUTING.md) guide.

MAINTAINERS

@@ -2,7 +2,7 @@
 #
 # See GOVERNANCE.md for maintainer versus reviewer roles
 #
-# MAINTAINERS (cncf-distribution-maintainers@lists.cncf.io)
+# MAINTAINERS
 # GitHub ID, Name, Email address
 "chrispat","Chris Patterson","chrispat@github.com"
 "clarkbw","Bryan Clark","clarkbw@github.com"
@@ -12,8 +12,8 @@
 "joaodrp","João Pereira","jpereira@gitlab.com"
 "justincormack","Justin Cormack","justin.cormack@docker.com"
 "squizzi","Kyle Squizzato","ksquizzato@mirantis.com"
-"milosgajdos","Milos Gajdos","milos.gajdos@docker.com"
-"sargun","Sargun Dhillon","sargun@sargun.me"
+"milosgajdos","Milos Gajdos","milos_gajdos@docker.com"
+"waynr","Wayne Warren","wwarren@digitalocean.com"
 "wy65701436","Wang Yan","wangyan@vmware.com"
 "stevelasker","Steve Lasker","steve.lasker@microsoft.com"
 #
@@ -22,5 +22,3 @@
 "dmcgowan","Derek McGowan","derek@mcgstyle.net"
 "stevvooe","Stephen Day","stevvooe@gmail.com"
 "thajeztah","Sebastiaan van Stijn","github@gone.nl"
-"DavidSpek", "David van der Spek", "vanderspek.david@gmail.com"
-"Jamstah", "James Hewitt", "james.hewitt@gmail.com"

Makefile

@@ -30,7 +30,7 @@ WHALE = "+"
 TESTFLAGS_RACE=
 GOFILES=$(shell find . -type f -name '*.go')
 GO_TAGS=$(if $(BUILDTAGS),-tags "$(BUILDTAGS)",)
-GO_LDFLAGS=-ldflags '-extldflags "-Wl,-z,now" -s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PKG) $(EXTRA_LDFLAGS)'
+GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PKG) $(EXTRA_LDFLAGS)'
 
 BINARIES=$(addprefix bin/,$(COMMANDS))
 
@@ -38,7 +38,7 @@ BINARIES=$(addprefix bin/,$(COMMANDS))
 TESTFLAGS ?= -v $(TESTFLAGS_RACE)
 TESTFLAGS_PARALLEL ?= 8
 
-.PHONY: all build binaries clean test test-race test-full integration coverage validate lint validate-git validate-vendor vendor mod-outdated
+.PHONY: all build binaries check clean test test-race test-full integration coverage
 .DEFAULT: all
 
 all: binaries
@@ -48,6 +48,10 @@ version/version.go:
 	@echo "$(WHALE) $@"
 	./version/version.sh > $@
 
+check: ## run all linters (TODO: enable "unused", "varcheck", "ineffassign", "unconvert", "staticheck", "goimports", "structcheck")
+	@echo "$(WHALE) $@"
+	@golangci-lint run
+
 test: ## run tests, except integration test with test.short
 	@echo "$(WHALE) $@"
 	@go test ${GO_TAGS} -test.short ${TESTFLAGS} $(filter-out ${INTEGRATION_PACKAGE},${PACKAGES})
@@ -84,37 +88,15 @@ FORCE:
 # Build a binary from a cmd.
 bin/%: cmd/% FORCE
 	@echo "$(WHALE) $@${BINARY_SUFFIX}"
-	@go build -buildmode=pie ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} --ldflags '-extldflags "-Wl,-z,now" -s' ${GO_TAGS}  ./$<
+	@go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS}  ./$<
 
 binaries: $(BINARIES) ## build binaries
 	@echo "$(WHALE) $@"
 
 build:
 	@echo "$(WHALE) $@"
-	@go build -buildmode=pie ${GO_GCFLAGS} ${GO_BUILD_FLAGS} ${GO_LDFLAGS} --ldflags '-extldflags "-Wl,-z,now" -s' ${GO_TAGS} $(PACKAGES)
+	@go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} ${GO_LDFLAGS} ${GO_TAGS} $(PACKAGES)
 
 clean: ## clean up binaries
 	@echo "$(WHALE) $@"
 	@rm -f $(BINARIES)
-
-validate: ## run all validators
-	docker buildx bake $@
-
-lint: ## run all linters
-	docker buildx bake $@
-
-validate-git: ## validate git
-	docker buildx bake $@
-
-validate-vendor: ## validate vendor
-	docker buildx bake $@
-
-vendor: ## update vendor
-	$(eval $@_TMP_OUT := $(shell mktemp -d -t buildx-output.XXXXXXXXXX))
-	docker buildx bake --set "*.output=$($@_TMP_OUT)" update-vendor
-	rm -rf ./vendor
-	cp -R "$($@_TMP_OUT)"/out/* .
-	rm -rf $($@_TMP_OUT)/*
-
-mod-outdated: ## check outdated dependencies
-	docker buildx bake $@

README.md

@@ -1,14 +1,4 @@
-<p align="center">
-<img style="align: center; padding-left: 10px; padding-right: 10px; padding-bottom: 10px;" width="238px" height="238px" src="./distribution-logo.svg" />
-</p>
-
-[![Build Status](https://github.com/distribution/distribution/workflows/CI/badge.svg?branch=main&event=push)](https://github.com/distribution/distribution/actions?query=workflow%3ACI)
-[![GoDoc](https://img.shields.io/badge/go.dev-reference-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/github.com/distribution/distribution)
-[![License: Apache-2.0](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](LICENSE)
-[![codecov](https://codecov.io/gh/distribution/distribution/branch/main/graph/badge.svg)](https://codecov.io/gh/distribution/distribution)
-[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Fdistribution%2Fdistribution.svg?type=shield)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Fdistribution%2Fdistribution?ref=badge_shield)
-[![OCI Conformance](https://github.com/distribution/distribution/workflows/conformance/badge.svg)](https://github.com/distribution/distribution/actions?query=workflow%3Aconformance)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/distribution/distribution/badge)](https://api.securityscorecards.dev/projects/github.com/distribution/distribution)
+# Distribution
 
 The toolset to pack, ship, store, and deliver content.
 
@@ -21,6 +11,13 @@ It is a core library for many registry operators including Docker Hub, GitHub Co
 GitLab Container Registry and DigitalOcean Container Registry, as well as the CNCF Harbor
 Project, and VMware Harbor Registry.
 
+<img src="https://www.docker.com/sites/default/files/oyster-registry-3.png" width=200px/>
+
+[![Build Status](https://github.com/distribution/distribution/workflows/CI/badge.svg?branch=main&event=push)](https://github.com/distribution/distribution/actions?query=workflow%3ACI)
+[![GoDoc](https://img.shields.io/badge/go.dev-reference-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/github.com/distribution/distribution)
+[![License: Apache-2.0](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](LICENSE)
+[![codecov](https://codecov.io/gh/distribution/distribution/branch/main/graph/badge.svg)](https://codecov.io/gh/distribution/distribution)
+
 This repository contains the following components:
 
 |**Component**       |Description                                                                                                                                                                                         |
@@ -32,7 +29,7 @@ This repository contains the following components:
 ### How does this integrate with Docker, containerd, and other OCI client?
 
 Clients implement against the OCI specification and communicate with the
-registry using HTTP. This project contains a client implementation which
+registry using HTTP. This project contains an client implementation which
 is currently in use by Docker, however, it is deprecated for the
 [implementation in containerd](https://github.com/containerd/containerd/tree/master/remotes/docker)
 and will not support new features.

SECURITY.md

@@ -1,17 +0,0 @@
-# Security Policy
-
-## Supported Versions
-
-These versions are currently receiving security updates.
-
-| Version      | Supported          | Notes |
-| ------------ | ------------------ | ----- |
-| 3.0.x (main) | :white_check_mark: | This is the next major version and has not yet been released. |
-| 2.8.x        | :white_check_mark: | This is the latest released version. |
-| < 2.8        | :x:                | |
-
-## Reporting a Vulnerability
-
-The maintainers take security seriously. If you discover a security issue, please bring it to their attention right away!
-
-Please DO NOT file a public issue, instead send your report privately to cncf-distribution-security@lists.cncf.io.

blobs.go

@@ -63,13 +63,13 @@ type Descriptor struct {
 	// encoded as utf-8.
 	MediaType string `json:"mediaType,omitempty"`
 
+	// Size in bytes of content.
+	Size int64 `json:"size,omitempty"`
+
 	// Digest uniquely identifies the content. A byte stream can be verified
 	// against this digest.
 	Digest digest.Digest `json:"digest,omitempty"`
 
-	// Size in bytes of content.
-	Size int64 `json:"size,omitempty"`
-
 	// URLs contains the source URLs of this content.
 	URLs []string `json:"urls,omitempty"`
 
@@ -142,18 +142,20 @@ type BlobDescriptorServiceFactory interface {
 
 // ReadSeekCloser is the primary reader type for blob data, combining
 // io.ReadSeeker with io.Closer.
-//
-// Deprecated: use [io.ReadSeekCloser].
-type ReadSeekCloser = io.ReadSeekCloser
+type ReadSeekCloser interface {
+	io.ReadSeeker
+	io.Closer
+}
 
 // BlobProvider describes operations for getting blob data.
 type BlobProvider interface {
 	// Get returns the entire blob identified by digest along with the descriptor.
 	Get(ctx context.Context, dgst digest.Digest) ([]byte, error)
 
-	// Open provides an [io.ReadSeekCloser] to the blob identified by the provided
-	// descriptor. If the blob is not known to the service, an error is returned.
-	Open(ctx context.Context, dgst digest.Digest) (io.ReadSeekCloser, error)
+	// Open provides a ReadSeekCloser to the blob identified by the provided
+	// descriptor. If the blob is not known to the service, an error will be
+	// returned.
+	Open(ctx context.Context, dgst digest.Digest) (ReadSeekCloser, error)
 }
 
 // BlobServer can serve blobs via http.

cmd/digest/main.go

@@ -62,6 +62,7 @@ func main() {
 	if flag.NArg() > 0 {
 		for _, path := range flag.Args() {
 			fp, err := os.Open(path)
+
 			if err != nil {
 				log.Printf("%s: %v", path, err)
 				fail = true

cmd/registry-api-descriptor-template/main.go

@@ -27,6 +27,7 @@ import (
 var spaceRegex = regexp.MustCompile(`\n\s*`)
 
 func main() {
+
 	if len(os.Args) != 2 {
 		log.Fatalln("please specify a template to execute.")
 	}
@@ -126,4 +127,5 @@ end:
 	}
 
 	return output
+
 }

cmd/registry/config-dev.yml

@@ -22,7 +22,7 @@ storage:
     delete:
       enabled: true
     cache:
-        blobdescriptor: inmemory
+        blobdescriptor: redis
     filesystem:
         rootdirectory: /var/lib/registry
     maintenance:

cmd/registry/main.go

@@ -12,9 +12,12 @@ import (
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/filesystem"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/gcs"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/inmemory"
+	_ "github.com/distribution/distribution/v3/registry/storage/driver/middleware/alicdn"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/middleware/cloudfront"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/middleware/redirect"
+	_ "github.com/distribution/distribution/v3/registry/storage/driver/oss"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/s3-aws"
+	_ "github.com/distribution/distribution/v3/registry/storage/driver/swift"
 )
 
 func main() {

configuration/configuration.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"reflect"
 	"strings"
@@ -42,9 +43,6 @@ type Configuration struct {
 		// Hooks allows users to configure the log hooks, to enabling the
 		// sequent handling behavior, when defined levels of log message emit.
 		Hooks []LogHook `yaml:"hooks,omitempty"`
-
-		// ReportCaller allows user to configure the log to report the caller
-		ReportCaller bool `yaml:"reportcaller,omitempty"`
 	}
 
 	// Loglevel is the level at which registry operations are logged.
@@ -131,10 +129,6 @@ type Configuration struct {
 				// Hosts specifies the hosts which are allowed to obtain Let's
 				// Encrypt certificates.
 				Hosts []string `yaml:"hosts,omitempty"`
-
-				// DirectoryURL points to the CA directory endpoint.
-				// If empty, LetsEncrypt is used.
-				DirectoryURL string `yaml:"directoryurl,omitempty"`
 			} `yaml:"letsencrypt,omitempty"`
 		} `yaml:"tls,omitempty"`
 
@@ -174,20 +168,12 @@ type Configuration struct {
 		// Addr specifies the the redis instance available to the application.
 		Addr string `yaml:"addr,omitempty"`
 
-		// Usernames can be used as a finer-grained permission control since the introduction of the redis 6.0.
-		Username string `yaml:"username,omitempty"`
-
 		// Password string to use when making a connection.
 		Password string `yaml:"password,omitempty"`
 
 		// DB specifies the database to connect to on the redis instance.
 		DB int `yaml:"db,omitempty"`
 
-		// TLS configures settings for redis in-transit encryption
-		TLS struct {
-			Enabled bool `yaml:"enabled,omitempty"`
-		} `yaml:"tls,omitempty"`
-
 		DialTimeout  time.Duration `yaml:"dialtimeout,omitempty"`  // timeout for connect
 		ReadTimeout  time.Duration `yaml:"readtimeout,omitempty"`  // timeout for reads of data
 		WriteTimeout time.Duration `yaml:"writetimeout,omitempty"` // timeout for writes of data
@@ -208,30 +194,17 @@ type Configuration struct {
 	} `yaml:"redis,omitempty"`
 
 	Health Health `yaml:"health,omitempty"`
-	Catalog Catalog `yaml:"catalog,omitempty"`
 
 	Proxy Proxy `yaml:"proxy,omitempty"`
 
 	// Compatibility is used for configurations of working with older or deprecated features.
 	Compatibility struct {
-		// Schema1 configures how schema1 manifests will be handled.
-		//
-		// Deprecated: Docker Image Manifest v2, Schema 1 is deprecated since
-		// 2015. These options should only be used if you need to provide
-		// backward compatibility.
+		// Schema1 configures how schema1 manifests will be handled
 		Schema1 struct {
 			// TrustKey is the signing key to use for adding the signature to
 			// schema1 manifests.
-			//
-			// Deprecated: Docker Image Manifest v2, Schema 1 is deprecated since
-			// 2015. These options should only be used if you need to provide
-			// backward compatibility.
 			TrustKey string `yaml:"signingkeyfile,omitempty"`
-			// Enabled determines if schema1 manifests should be pullable.
-			//
-			// Deprecated: Docker Image Manifest v2, Schema 1 is deprecated since
-			// 2015. These options should only be used if you need to provide
-			// backward compatibility.
+			// Enabled determines if schema1 manifests should be pullable
 			Enabled bool `yaml:"enabled,omitempty"`
 		} `yaml:"schema1,omitempty"`
 	} `yaml:"compatibility,omitempty"`
@@ -271,16 +244,6 @@ type Configuration struct {
 	} `yaml:"policy,omitempty"`
 }
 
-// Catalog is composed of MaxEntries.
-// Catalog endpoint (/v2/_catalog) configuration, it provides the configuration
-// options to control the maximum number of entries returned by the catalog endpoint.
-type Catalog struct {
-	// Max number of entries returned by the catalog endpoint. Requesting n entries
-	// to the catalog endpoint will return at most MaxEntries entries.
-	// An empty or a negative value will set a default of 1000 maximum entries by default.
-	MaxEntries int `yaml:"maxentries,omitempty"`
-}
-
 // LogHook is composed of hook Level and Type.
 // After hooks configuration, it can execute the next handling automatically,
 // when defined levels of log message emitted.
@@ -631,6 +594,8 @@ type Ignore struct {
 type Reporting struct {
 	// Bugsnag configures error reporting for Bugsnag (bugsnag.com).
 	Bugsnag BugsnagReporting `yaml:"bugsnag,omitempty"`
+	// NewRelic configures error reporting for NewRelic (newrelic.com)
+	NewRelic NewRelicReporting `yaml:"newrelic,omitempty"`
 }
 
 // BugsnagReporting configures error reporting for Bugsnag (bugsnag.com).
@@ -644,6 +609,16 @@ type BugsnagReporting struct {
 	Endpoint string `yaml:"endpoint,omitempty"`
 }
 
+// NewRelicReporting configures error reporting for NewRelic (newrelic.com)
+type NewRelicReporting struct {
+	// LicenseKey is the NewRelic user license key
+	LicenseKey string `yaml:"licensekey,omitempty"`
+	// Name is the component name of the registry in NewRelic
+	Name string `yaml:"name,omitempty"`
+	// Verbose configures debug output to STDOUT
+	Verbose bool `yaml:"verbose,omitempty"`
+}
+
 // Middleware configures named middlewares to be applied at injection points.
 type Middleware struct {
 	// Name the middleware registers itself as
@@ -664,11 +639,6 @@ type Proxy struct {
 
 	// Password of the hub user
 	Password string `yaml:"password"`
-
-	// TTL is the expiry time of the content and will be cleaned up when it expires
-	// if not set, defaults to 7 * 24 hours
-	// If set to zero, will never expire cache
-	TTL *time.Duration `yaml:"ttl,omitempty"`
 }
 
 // Parse parses an input configuration yaml document into a Configuration struct
@@ -679,7 +649,7 @@ type Proxy struct {
 // Configuration.Abc may be replaced by the value of REGISTRY_ABC,
 // Configuration.Abc.Xyz may be replaced by the value of REGISTRY_ABC_XYZ, and so forth
 func Parse(rd io.Reader) (*Configuration, error) {
-	in, err := io.ReadAll(rd)
+	in, err := ioutil.ReadAll(rd)
 	if err != nil {
 		return nil, err
 	}
@@ -700,11 +670,6 @@ func Parse(rd io.Reader) (*Configuration, error) {
 					if v0_1.Loglevel != Loglevel("") {
 						v0_1.Loglevel = Loglevel("")
 					}
-
-					if v0_1.Catalog.MaxEntries <= 0 {
-						v0_1.Catalog.MaxEntries = 1000
-					}
-
 					if v0_1.Storage.Type() == "" {
 						return nil, errors.New("no storage configuration provided")
 					}

configuration/configuration_test.go

@@ -9,12 +9,12 @@ import (
 	"testing"
 	"time"
 
-	"gopkg.in/check.v1"
+	. "gopkg.in/check.v1"
 	"gopkg.in/yaml.v2"
 )
 
 // Hook up gocheck into the "go test" runner
-func Test(t *testing.T) { check.TestingT(t) }
+func Test(t *testing.T) { TestingT(t) }
 
 // configStruct is a canonical example configuration, which should map to configYamlV0_1
 var configStruct = Configuration{
@@ -27,21 +27,21 @@ var configStruct = Configuration{
 		Formatter string                 `yaml:"formatter,omitempty"`
 		Fields    map[string]interface{} `yaml:"fields,omitempty"`
 		Hooks     []LogHook              `yaml:"hooks,omitempty"`
-		ReportCaller bool                   `yaml:"reportcaller,omitempty"`
 	}{
 		Level:  "info",
 		Fields: map[string]interface{}{"environment": "test"},
 	},
 	Storage: Storage{
-		"somedriver": Parameters{
-			"string1": "string-value1",
-			"string2": "string-value2",
-			"bool1":   true,
-			"bool2":   false,
-			"nil1":    nil,
-			"int1":    42,
-			"url1":    "https://foo.example.com",
-			"path1":   "/some-path",
+		"s3": Parameters{
+			"region":        "us-east-1",
+			"bucket":        "my-bucket",
+			"rootdirectory": "/registry",
+			"encrypt":       true,
+			"secure":        false,
+			"accesskey":     "SAMPLEACCESSKEY",
+			"secretkey":     "SUPERSECRET",
+			"host":          nil,
+			"port":          42,
 		},
 	},
 	Auth: Auth{
@@ -71,9 +71,6 @@ var configStruct = Configuration{
 			},
 		},
 	},
-	Catalog: Catalog{
-		MaxEntries: 1000,
-	},
 	HTTP: struct {
 		Addr         string        `yaml:"addr,omitempty"`
 		Net          string        `yaml:"net,omitempty"`
@@ -92,7 +89,6 @@ var configStruct = Configuration{
 				CacheFile string   `yaml:"cachefile,omitempty"`
 				Email     string   `yaml:"email,omitempty"`
 				Hosts     []string `yaml:"hosts,omitempty"`
-				DirectoryURL string   `yaml:"directoryurl,omitempty"`
 			} `yaml:"letsencrypt,omitempty"`
 		} `yaml:"tls,omitempty"`
 		Headers http.Header `yaml:"headers,omitempty"`
@@ -117,7 +113,6 @@ var configStruct = Configuration{
 				CacheFile string   `yaml:"cachefile,omitempty"`
 				Email     string   `yaml:"email,omitempty"`
 				Hosts     []string `yaml:"hosts,omitempty"`
-				DirectoryURL string   `yaml:"directoryurl,omitempty"`
 			} `yaml:"letsencrypt,omitempty"`
 		}{
 			ClientCAs: []string{"/path/to/ca.pem"},
@@ -131,40 +126,6 @@ var configStruct = Configuration{
 			Disabled: false,
 		},
 	},
-	Redis: struct {
-		Addr     string `yaml:"addr,omitempty"`
-		Username string `yaml:"username,omitempty"`
-		Password string `yaml:"password,omitempty"`
-		DB       int    `yaml:"db,omitempty"`
-		TLS      struct {
-			Enabled bool `yaml:"enabled,omitempty"`
-		} `yaml:"tls,omitempty"`
-		DialTimeout  time.Duration `yaml:"dialtimeout,omitempty"`
-		ReadTimeout  time.Duration `yaml:"readtimeout,omitempty"`
-		WriteTimeout time.Duration `yaml:"writetimeout,omitempty"`
-		Pool         struct {
-			MaxIdle     int           `yaml:"maxidle,omitempty"`
-			MaxActive   int           `yaml:"maxactive,omitempty"`
-			IdleTimeout time.Duration `yaml:"idletimeout,omitempty"`
-		} `yaml:"pool,omitempty"`
-	}{
-		Addr:     "localhost:6379",
-		Username: "alice",
-		Password: "123456",
-		DB:       1,
-		Pool: struct {
-			MaxIdle     int           `yaml:"maxidle,omitempty"`
-			MaxActive   int           `yaml:"maxactive,omitempty"`
-			IdleTimeout time.Duration `yaml:"idletimeout,omitempty"`
-		}{
-			MaxIdle:     16,
-			MaxActive:   64,
-			IdleTimeout: time.Second * 300,
-		},
-		DialTimeout:  time.Millisecond * 10,
-		ReadTimeout:  time.Millisecond * 10,
-		WriteTimeout: time.Millisecond * 10,
-	},
 }
 
 // configYamlV0_1 is a Version 0.1 yaml document representing configStruct
@@ -175,15 +136,16 @@ log:
   fields:
     environment: test
 storage:
-  somedriver:
-    string1: string-value1
-    string2: string-value2
-    bool1: true
-    bool2: false
-    nil1: ~
-    int1: 42
-    url1: "https://foo.example.com"
-    path1: "/some-path"
+  s3:
+    region: us-east-1
+    bucket: my-bucket
+    rootdirectory: /registry
+    encrypt: true
+    secure: false
+    accesskey: SAMPLEACCESSKEY
+    secretkey: SUPERSECRET
+    host: ~
+    port: 42
 auth:
   silly:
     realm: silly
@@ -209,18 +171,6 @@ http:
     - /path/to/ca.pem
   headers:
     X-Content-Type-Options: [nosniff]
-redis:
-  addr: localhost:6379
-  username: alice
-  password: 123456
-  db: 1
-  pool:
-    maxidle: 16
-    maxactive: 64
-    idletimeout: 300s
-  dialtimeout: 10ms
-  readtimeout: 10ms
-  writetimeout: 10ms
 `
 
 // inmemoryConfigYamlV0_1 is a Version 0.1 yaml document specifying an inmemory
@@ -256,68 +206,51 @@ type ConfigSuite struct {
 	expectedConfig *Configuration
 }
 
-var _ = check.Suite(new(ConfigSuite))
+var _ = Suite(new(ConfigSuite))
 
-func (suite *ConfigSuite) SetUpTest(c *check.C) {
+func (suite *ConfigSuite) SetUpTest(c *C) {
 	os.Clearenv()
 	suite.expectedConfig = copyConfig(configStruct)
 }
 
 // TestMarshalRoundtrip validates that configStruct can be marshaled and
 // unmarshaled without changing any parameters
-func (suite *ConfigSuite) TestMarshalRoundtrip(c *check.C) {
+func (suite *ConfigSuite) TestMarshalRoundtrip(c *C) {
 	configBytes, err := yaml.Marshal(suite.expectedConfig)
-	c.Assert(err, check.IsNil)
+	c.Assert(err, IsNil)
 	config, err := Parse(bytes.NewReader(configBytes))
 	c.Log(string(configBytes))
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, suite.expectedConfig)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, suite.expectedConfig)
 }
 
 // TestParseSimple validates that configYamlV0_1 can be parsed into a struct
 // matching configStruct
-func (suite *ConfigSuite) TestParseSimple(c *check.C) {
+func (suite *ConfigSuite) TestParseSimple(c *C) {
 	config, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, suite.expectedConfig)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, suite.expectedConfig)
 }
 
 // TestParseInmemory validates that configuration yaml with storage provided as
 // a string can be parsed into a Configuration struct with no storage parameters
-func (suite *ConfigSuite) TestParseInmemory(c *check.C) {
+func (suite *ConfigSuite) TestParseInmemory(c *C) {
 	suite.expectedConfig.Storage = Storage{"inmemory": Parameters{}}
 	suite.expectedConfig.Reporting = Reporting{}
 	suite.expectedConfig.Log.Fields = nil
-	suite.expectedConfig.Redis = struct {
-		Addr     string `yaml:"addr,omitempty"`
-		Username string `yaml:"username,omitempty"`
-		Password string `yaml:"password,omitempty"`
-		DB       int    `yaml:"db,omitempty"`
-		TLS      struct {
-			Enabled bool `yaml:"enabled,omitempty"`
-		} `yaml:"tls,omitempty"`
-		DialTimeout  time.Duration `yaml:"dialtimeout,omitempty"`
-		ReadTimeout  time.Duration `yaml:"readtimeout,omitempty"`
-		WriteTimeout time.Duration `yaml:"writetimeout,omitempty"`
-		Pool         struct {
-			MaxIdle     int           `yaml:"maxidle,omitempty"`
-			MaxActive   int           `yaml:"maxactive,omitempty"`
-			IdleTimeout time.Duration `yaml:"idletimeout,omitempty"`
-		} `yaml:"pool,omitempty"`
-	}{}
 
 	config, err := Parse(bytes.NewReader([]byte(inmemoryConfigYamlV0_1)))
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, suite.expectedConfig)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, suite.expectedConfig)
 }
 
 // TestParseIncomplete validates that an incomplete yaml configuration cannot
 // be parsed without providing environment variables to fill in the missing
 // components.
-func (suite *ConfigSuite) TestParseIncomplete(c *check.C) {
+func (suite *ConfigSuite) TestParseIncomplete(c *C) {
 	incompleteConfigYaml := "version: 0.1"
 	_, err := Parse(bytes.NewReader([]byte(incompleteConfigYaml)))
-	c.Assert(err, check.NotNil)
+	c.Assert(err, NotNil)
 
 	suite.expectedConfig.Log.Fields = nil
 	suite.expectedConfig.Storage = Storage{"filesystem": Parameters{"rootdirectory": "/tmp/testroot"}}
@@ -325,23 +258,6 @@ func (suite *ConfigSuite) TestParseIncomplete(c *check.C) {
 	suite.expectedConfig.Reporting = Reporting{}
 	suite.expectedConfig.Notifications = Notifications{}
 	suite.expectedConfig.HTTP.Headers = nil
-	suite.expectedConfig.Redis = struct {
-		Addr     string `yaml:"addr,omitempty"`
-		Username string `yaml:"username,omitempty"`
-		Password string `yaml:"password,omitempty"`
-		DB       int    `yaml:"db,omitempty"`
-		TLS      struct {
-			Enabled bool `yaml:"enabled,omitempty"`
-		} `yaml:"tls,omitempty"`
-		DialTimeout  time.Duration `yaml:"dialtimeout,omitempty"`
-		ReadTimeout  time.Duration `yaml:"readtimeout,omitempty"`
-		WriteTimeout time.Duration `yaml:"writetimeout,omitempty"`
-		Pool         struct {
-			MaxIdle     int           `yaml:"maxidle,omitempty"`
-			MaxActive   int           `yaml:"maxactive,omitempty"`
-			IdleTimeout time.Duration `yaml:"idletimeout,omitempty"`
-		} `yaml:"pool,omitempty"`
-	}{}
 
 	// Note: this also tests that REGISTRY_STORAGE and
 	// REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY can be used together
@@ -351,57 +267,57 @@ func (suite *ConfigSuite) TestParseIncomplete(c *check.C) {
 	os.Setenv("REGISTRY_AUTH_SILLY_REALM", "silly")
 
 	config, err := Parse(bytes.NewReader([]byte(incompleteConfigYaml)))
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, suite.expectedConfig)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, suite.expectedConfig)
 }
 
 // TestParseWithSameEnvStorage validates that providing environment variables
 // that match the given storage type will only include environment-defined
 // parameters and remove yaml-defined parameters
-func (suite *ConfigSuite) TestParseWithSameEnvStorage(c *check.C) {
-	suite.expectedConfig.Storage = Storage{"somedriver": Parameters{"region": "us-east-1"}}
+func (suite *ConfigSuite) TestParseWithSameEnvStorage(c *C) {
+	suite.expectedConfig.Storage = Storage{"s3": Parameters{"region": "us-east-1"}}
 
-	os.Setenv("REGISTRY_STORAGE", "somedriver")
-	os.Setenv("REGISTRY_STORAGE_SOMEDRIVER_REGION", "us-east-1")
+	os.Setenv("REGISTRY_STORAGE", "s3")
+	os.Setenv("REGISTRY_STORAGE_S3_REGION", "us-east-1")
 
 	config, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, suite.expectedConfig)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, suite.expectedConfig)
 }
 
 // TestParseWithDifferentEnvStorageParams validates that providing environment variables that change
 // and add to the given storage parameters will change and add parameters to the parsed
 // Configuration struct
-func (suite *ConfigSuite) TestParseWithDifferentEnvStorageParams(c *check.C) {
-	suite.expectedConfig.Storage.setParameter("string1", "us-west-1")
-	suite.expectedConfig.Storage.setParameter("bool1", true)
+func (suite *ConfigSuite) TestParseWithDifferentEnvStorageParams(c *C) {
+	suite.expectedConfig.Storage.setParameter("region", "us-west-1")
+	suite.expectedConfig.Storage.setParameter("secure", true)
 	suite.expectedConfig.Storage.setParameter("newparam", "some Value")
 
-	os.Setenv("REGISTRY_STORAGE_SOMEDRIVER_STRING1", "us-west-1")
-	os.Setenv("REGISTRY_STORAGE_SOMEDRIVER_BOOL1", "true")
-	os.Setenv("REGISTRY_STORAGE_SOMEDRIVER_NEWPARAM", "some Value")
+	os.Setenv("REGISTRY_STORAGE_S3_REGION", "us-west-1")
+	os.Setenv("REGISTRY_STORAGE_S3_SECURE", "true")
+	os.Setenv("REGISTRY_STORAGE_S3_NEWPARAM", "some Value")
 
 	config, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, suite.expectedConfig)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, suite.expectedConfig)
 }
 
 // TestParseWithDifferentEnvStorageType validates that providing an environment variable that
 // changes the storage type will be reflected in the parsed Configuration struct
-func (suite *ConfigSuite) TestParseWithDifferentEnvStorageType(c *check.C) {
+func (suite *ConfigSuite) TestParseWithDifferentEnvStorageType(c *C) {
 	suite.expectedConfig.Storage = Storage{"inmemory": Parameters{}}
 
 	os.Setenv("REGISTRY_STORAGE", "inmemory")
 
 	config, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, suite.expectedConfig)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, suite.expectedConfig)
 }
 
 // TestParseWithDifferentEnvStorageTypeAndParams validates that providing an environment variable
 // that changes the storage type will be reflected in the parsed Configuration struct and that
 // environment storage parameters will also be included
-func (suite *ConfigSuite) TestParseWithDifferentEnvStorageTypeAndParams(c *check.C) {
+func (suite *ConfigSuite) TestParseWithDifferentEnvStorageTypeAndParams(c *C) {
 	suite.expectedConfig.Storage = Storage{"filesystem": Parameters{}}
 	suite.expectedConfig.Storage.setParameter("rootdirectory", "/tmp/testroot")
 
@@ -409,89 +325,96 @@ func (suite *ConfigSuite) TestParseWithDifferentEnvStorageTypeAndParams(c *check
 	os.Setenv("REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY", "/tmp/testroot")
 
 	config, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, suite.expectedConfig)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, suite.expectedConfig)
 }
 
 // TestParseWithSameEnvLoglevel validates that providing an environment variable defining the log
 // level to the same as the one provided in the yaml will not change the parsed Configuration struct
-func (suite *ConfigSuite) TestParseWithSameEnvLoglevel(c *check.C) {
+func (suite *ConfigSuite) TestParseWithSameEnvLoglevel(c *C) {
 	os.Setenv("REGISTRY_LOGLEVEL", "info")
 
 	config, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, suite.expectedConfig)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, suite.expectedConfig)
 }
 
 // TestParseWithDifferentEnvLoglevel validates that providing an environment variable defining the
 // log level will override the value provided in the yaml document
-func (suite *ConfigSuite) TestParseWithDifferentEnvLoglevel(c *check.C) {
+func (suite *ConfigSuite) TestParseWithDifferentEnvLoglevel(c *C) {
 	suite.expectedConfig.Log.Level = "error"
 
 	os.Setenv("REGISTRY_LOG_LEVEL", "error")
 
 	config, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, suite.expectedConfig)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, suite.expectedConfig)
 }
 
 // TestParseInvalidLoglevel validates that the parser will fail to parse a
 // configuration if the loglevel is malformed
-func (suite *ConfigSuite) TestParseInvalidLoglevel(c *check.C) {
+func (suite *ConfigSuite) TestParseInvalidLoglevel(c *C) {
 	invalidConfigYaml := "version: 0.1\nloglevel: derp\nstorage: inmemory"
 	_, err := Parse(bytes.NewReader([]byte(invalidConfigYaml)))
-	c.Assert(err, check.NotNil)
+	c.Assert(err, NotNil)
 
 	os.Setenv("REGISTRY_LOGLEVEL", "derp")
 
 	_, err = Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.NotNil)
+	c.Assert(err, NotNil)
+
 }
 
 // TestParseWithDifferentEnvReporting validates that environment variables
 // properly override reporting parameters
-func (suite *ConfigSuite) TestParseWithDifferentEnvReporting(c *check.C) {
+func (suite *ConfigSuite) TestParseWithDifferentEnvReporting(c *C) {
 	suite.expectedConfig.Reporting.Bugsnag.APIKey = "anotherBugsnagApiKey"
 	suite.expectedConfig.Reporting.Bugsnag.Endpoint = "localhost:8080"
+	suite.expectedConfig.Reporting.NewRelic.LicenseKey = "NewRelicLicenseKey"
+	suite.expectedConfig.Reporting.NewRelic.Name = "some NewRelic NAME"
 
 	os.Setenv("REGISTRY_REPORTING_BUGSNAG_APIKEY", "anotherBugsnagApiKey")
 	os.Setenv("REGISTRY_REPORTING_BUGSNAG_ENDPOINT", "localhost:8080")
+	os.Setenv("REGISTRY_REPORTING_NEWRELIC_LICENSEKEY", "NewRelicLicenseKey")
+	os.Setenv("REGISTRY_REPORTING_NEWRELIC_NAME", "some NewRelic NAME")
 
 	config, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, suite.expectedConfig)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, suite.expectedConfig)
 }
 
 // TestParseInvalidVersion validates that the parser will fail to parse a newer configuration
 // version than the CurrentVersion
-func (suite *ConfigSuite) TestParseInvalidVersion(c *check.C) {
+func (suite *ConfigSuite) TestParseInvalidVersion(c *C) {
 	suite.expectedConfig.Version = MajorMinorVersion(CurrentVersion.Major(), CurrentVersion.Minor()+1)
 	configBytes, err := yaml.Marshal(suite.expectedConfig)
-	c.Assert(err, check.IsNil)
+	c.Assert(err, IsNil)
 	_, err = Parse(bytes.NewReader(configBytes))
-	c.Assert(err, check.NotNil)
+	c.Assert(err, NotNil)
 }
 
 // TestParseExtraneousVars validates that environment variables referring to
 // nonexistent variables don't cause side effects.
-func (suite *ConfigSuite) TestParseExtraneousVars(c *check.C) {
+func (suite *ConfigSuite) TestParseExtraneousVars(c *C) {
 	suite.expectedConfig.Reporting.Bugsnag.Endpoint = "localhost:8080"
 
 	// A valid environment variable
 	os.Setenv("REGISTRY_REPORTING_BUGSNAG_ENDPOINT", "localhost:8080")
 
 	// Environment variables which shouldn't set config items
+	os.Setenv("registry_REPORTING_NEWRELIC_LICENSEKEY", "NewRelicLicenseKey")
+	os.Setenv("REPORTING_NEWRELIC_NAME", "some NewRelic NAME")
 	os.Setenv("REGISTRY_DUCKS", "quack")
 	os.Setenv("REGISTRY_REPORTING_ASDF", "ghjk")
 
 	config, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, suite.expectedConfig)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, suite.expectedConfig)
 }
 
 // TestParseEnvVarImplicitMaps validates that environment variables can set
 // values in maps that don't already exist.
-func (suite *ConfigSuite) TestParseEnvVarImplicitMaps(c *check.C) {
+func (suite *ConfigSuite) TestParseEnvVarImplicitMaps(c *C) {
 	readonly := make(map[string]interface{})
 	readonly["enabled"] = true
 
@@ -503,41 +426,41 @@ func (suite *ConfigSuite) TestParseEnvVarImplicitMaps(c *check.C) {
 	os.Setenv("REGISTRY_STORAGE_MAINTENANCE_READONLY_ENABLED", "true")
 
 	config, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, suite.expectedConfig)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, suite.expectedConfig)
 }
 
 // TestParseEnvWrongTypeMap validates that incorrectly attempting to unmarshal a
 // string over existing map fails.
-func (suite *ConfigSuite) TestParseEnvWrongTypeMap(c *check.C) {
-	os.Setenv("REGISTRY_STORAGE_SOMEDRIVER", "somestring")
+func (suite *ConfigSuite) TestParseEnvWrongTypeMap(c *C) {
+	os.Setenv("REGISTRY_STORAGE_S3", "somestring")
 
 	_, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.NotNil)
+	c.Assert(err, NotNil)
 }
 
 // TestParseEnvWrongTypeStruct validates that incorrectly attempting to
 // unmarshal a string into a struct fails.
-func (suite *ConfigSuite) TestParseEnvWrongTypeStruct(c *check.C) {
+func (suite *ConfigSuite) TestParseEnvWrongTypeStruct(c *C) {
 	os.Setenv("REGISTRY_STORAGE_LOG", "somestring")
 
 	_, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.NotNil)
+	c.Assert(err, NotNil)
 }
 
 // TestParseEnvWrongTypeSlice validates that incorrectly attempting to
 // unmarshal a string into a slice fails.
-func (suite *ConfigSuite) TestParseEnvWrongTypeSlice(c *check.C) {
+func (suite *ConfigSuite) TestParseEnvWrongTypeSlice(c *C) {
 	os.Setenv("REGISTRY_LOG_HOOKS", "somestring")
 
 	_, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.NotNil)
+	c.Assert(err, NotNil)
 }
 
 // TestParseEnvMany tests several environment variable overrides.
 // The result is not checked - the goal of this test is to detect panics
 // from misuse of reflection.
-func (suite *ConfigSuite) TestParseEnvMany(c *check.C) {
+func (suite *ConfigSuite) TestParseEnvMany(c *C) {
 	os.Setenv("REGISTRY_VERSION", "0.1")
 	os.Setenv("REGISTRY_LOG_LEVEL", "debug")
 	os.Setenv("REGISTRY_LOG_FORMATTER", "json")
@@ -545,16 +468,16 @@ func (suite *ConfigSuite) TestParseEnvMany(c *check.C) {
 	os.Setenv("REGISTRY_LOG_FIELDS", "abc: xyz")
 	os.Setenv("REGISTRY_LOG_HOOKS", "- type: asdf")
 	os.Setenv("REGISTRY_LOGLEVEL", "debug")
-	os.Setenv("REGISTRY_STORAGE", "somedriver")
+	os.Setenv("REGISTRY_STORAGE", "s3")
 	os.Setenv("REGISTRY_AUTH_PARAMS", "param1: value1")
 	os.Setenv("REGISTRY_AUTH_PARAMS_VALUE2", "value2")
 	os.Setenv("REGISTRY_AUTH_PARAMS_VALUE2", "value2")
 
 	_, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
-	c.Assert(err, check.IsNil)
+	c.Assert(err, IsNil)
 }
 
-func checkStructs(c *check.C, t reflect.Type, structsChecked map[string]struct{}) {
+func checkStructs(c *C, t reflect.Type, structsChecked map[string]struct{}) {
 	for t.Kind() == reflect.Ptr || t.Kind() == reflect.Map || t.Kind() == reflect.Slice {
 		t = t.Elem()
 	}
@@ -590,7 +513,7 @@ func checkStructs(c *check.C, t reflect.Type, structsChecked map[string]struct{}
 
 // TestValidateConfigStruct makes sure that the config struct has no members
 // with yaml tags that would be ambiguous to the environment variable parser.
-func (suite *ConfigSuite) TestValidateConfigStruct(c *check.C) {
+func (suite *ConfigSuite) TestValidateConfigStruct(c *C) {
 	structsChecked := make(map[string]struct{})
 	checkStructs(c, reflect.TypeOf(Configuration{}), structsChecked)
 }
@@ -601,7 +524,6 @@ func copyConfig(config Configuration) *Configuration {
 	configCopy.Version = MajorMinorVersion(config.Version.Major(), config.Version.Minor())
 	configCopy.Loglevel = config.Loglevel
 	configCopy.Log = config.Log
-	configCopy.Catalog = config.Catalog
 	configCopy.Log.Fields = make(map[string]interface{}, len(config.Log.Fields))
 	for k, v := range config.Log.Fields {
 		configCopy.Log.Fields[k] = v
@@ -613,6 +535,7 @@ func copyConfig(config Configuration) *Configuration {
 	}
 	configCopy.Reporting = Reporting{
 		Bugsnag:  BugsnagReporting{config.Reporting.Bugsnag.APIKey, config.Reporting.Bugsnag.ReleaseStage, config.Reporting.Bugsnag.Endpoint},
+		NewRelic: NewRelicReporting{config.Reporting.NewRelic.LicenseKey, config.Reporting.NewRelic.Name, config.Reporting.NewRelic.Verbose},
 	}
 
 	configCopy.Auth = Auth{config.Auth.Type(): Parameters{}}
@@ -628,7 +551,5 @@ func copyConfig(config Configuration) *Configuration {
 		configCopy.HTTP.Headers[k] = v
 	}
 
-	configCopy.Redis = config.Redis
-
 	return configCopy
 }

configuration/fuzz_test.go

@@ -1,15 +0,0 @@
-package configuration
-
-import (
-	"bytes"
-	"testing"
-)
-
-// ParserFuzzer implements a fuzzer that targets Parser()
-// nolint:deadcode
-func FuzzConfigurationParse(f *testing.F) {
-	f.Fuzz(func(t *testing.T, data []byte) {
-		rd := bytes.NewReader(data)
-		_, _ = Parse(rd)
-	})
-}

configuration/parser.go

@@ -23,7 +23,7 @@ func MajorMinorVersion(major, minor uint) Version {
 }
 
 func (version Version) major() (uint, error) {
-	majorPart, _, _ := strings.Cut(string(version), ".")
+	majorPart := strings.Split(string(version), ".")[0]
 	major, err := strconv.ParseUint(majorPart, 10, 0)
 	return uint(major), err
 }
@@ -35,7 +35,7 @@ func (version Version) Major() uint {
 }
 
 func (version Version) minor() (uint, error) {
-	_, minorPart, _ := strings.Cut(string(version), ".")
+	minorPart := strings.Split(string(version), ".")[1]
 	minor, err := strconv.ParseUint(minorPart, 10, 0)
 	return uint(minor), err
 }
@@ -89,8 +89,8 @@ func NewParser(prefix string, parseInfos []VersionedParseInfo) *Parser {
 	}
 
 	for _, env := range os.Environ() {
-		k, v, _ := strings.Cut(env, "=")
-		p.env = append(p.env, envVar{k, v})
+		envParts := strings.SplitN(env, "=", 2)
+		p.env = append(p.env, envVar{envParts[0], envParts[1]})
 	}
 
 	// We must sort the environment variables lexically by name so that
@@ -138,7 +138,7 @@ func (p *Parser) Parse(in []byte, v interface{}) error {
 
 			err = p.overwriteFields(parseAs, pathStr, path[1:], envVar.value)
 			if err != nil {
-				return fmt.Errorf("parsing environment variable %s: %v", pathStr, err)
+				return err
 			}
 		}
 	}
@@ -166,25 +166,6 @@ func (p *Parser) overwriteFields(v reflect.Value, fullpath string, path []string
 		return p.overwriteStruct(v, fullpath, path, payload)
 	case reflect.Map:
 		return p.overwriteMap(v, fullpath, path, payload)
-	case reflect.Slice:
-		idx, err := strconv.Atoi(path[0])
-		if err != nil {
-			panic("non-numeric index: " + path[0])
-		}
-
-		if idx > v.Len() {
-			panic("undefined index: " + path[0])
-		}
-
-		// if there is no element or the current slice length
-		// is the same as the indexed variable create a new element,
-		// append it and then set it to the passed in env var value.
-		if v.Len() == 0 || idx == v.Len() {
-			typ := v.Type().Elem()
-			elem := reflect.New(typ).Elem()
-			v.Set(reflect.Append(v, elem))
-		}
-		return p.overwriteFields(v.Index(idx), fullpath, path[1:], payload)
 	case reflect.Interface:
 		if v.NumMethod() == 0 {
 			if !v.IsNil() {

configuration/parser_test.go

@@ -4,48 +4,30 @@ import (
 	"os"
 	"reflect"
 
-	"gopkg.in/check.v1"
+	. "gopkg.in/check.v1"
 )
 
 type localConfiguration struct {
 	Version Version `yaml:"version"`
 	Log     *Log    `yaml:"log"`
-	Notifications []Notif `yaml:"notifications,omitempty"`
 }
 
 type Log struct {
 	Formatter string `yaml:"formatter,omitempty"`
 }
 
-type Notif struct {
-	Name string `yaml:"name"`
-}
-
 var expectedConfig = localConfiguration{
 	Version: "0.1",
 	Log: &Log{
 		Formatter: "json",
 	},
-	Notifications: []Notif{
-		{Name: "foo"},
-		{Name: "bar"},
-		{Name: "car"},
-	},
 }
 
-const testConfig = `version: "0.1"
-log:
-  formatter: "text"
-notifications:
-  - name: "foo"
-  - name: "bar"
-  - name: "car"`
-
 type ParserSuite struct{}
 
-var _ = check.Suite(new(ParserSuite))
+var _ = Suite(new(ParserSuite))
 
-func (suite *ParserSuite) TestParserOverwriteIninitializedPoiner(c *check.C) {
+func (suite *ParserSuite) TestParserOverwriteIninitializedPoiner(c *C) {
 	config := localConfiguration{}
 
 	os.Setenv("REGISTRY_LOG_FORMATTER", "json")
@@ -61,32 +43,17 @@ func (suite *ParserSuite) TestParserOverwriteIninitializedPoiner(c *check.C) {
 		},
 	})
 
-	err := p.Parse([]byte(testConfig), &config)
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, expectedConfig)
+	err := p.Parse([]byte(`{version: "0.1", log: {formatter: "text"}}`), &config)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, expectedConfig)
 }
 
-const testConfig2 = `version: "0.1"
-log:
-  formatter: "text"
-notifications:
-  - name: "val1"
-  - name: "val2"
-  - name: "car"`
-
-func (suite *ParserSuite) TestParseOverwriteUnininitializedPoiner(c *check.C) {
+func (suite *ParserSuite) TestParseOverwriteUnininitializedPoiner(c *C) {
 	config := localConfiguration{}
 
 	os.Setenv("REGISTRY_LOG_FORMATTER", "json")
 	defer os.Unsetenv("REGISTRY_LOG_FORMATTER")
 
-	// override only first two notificationsvalues
-	// in the tetConfig: leave the last value unchanged.
-	os.Setenv("REGISTRY_NOTIFICATIONS_0_NAME", "foo")
-	defer os.Unsetenv("REGISTRY_NOTIFICATIONS_0_NAME")
-	os.Setenv("REGISTRY_NOTIFICATIONS_1_NAME", "bar")
-	defer os.Unsetenv("REGISTRY_NOTIFICATIONS_1_NAME")
-
 	p := NewParser("registry", []VersionedParseInfo{
 		{
 			Version: "0.1",
@@ -97,7 +64,7 @@ func (suite *ParserSuite) TestParseOverwriteUnininitializedPoiner(c *check.C) {
 		},
 	})
 
-	err := p.Parse([]byte(testConfig2), &config)
-	c.Assert(err, check.IsNil)
-	c.Assert(config, check.DeepEquals, expectedConfig)
+	err := p.Parse([]byte(`{version: "0.1"}`), &config)
+	c.Assert(err, IsNil)
+	c.Assert(config, DeepEquals, expectedConfig)
 }

context/doc.go

@@ -15,7 +15,7 @@
 // The above will store the version in the context and will be available to
 // the logger.
 //
-// # Logging
+// Logging
 //
 // The most useful aspect of this package is GetLogger. This function takes
 // any context.Context interface and returns the current logger from the
@@ -65,7 +65,7 @@
 // added to the request context, is unique to that context and can have
 // request scoped variables.
 //
-// # HTTP Requests
+// HTTP Requests
 //
 // This package also contains several methods for working with http requests.
 // The concepts are very similar to those described above. We simply place the

context/http.go

@@ -32,12 +32,14 @@ func parseIP(ipStr string) net.IP {
 // account proxy headers.
 func RemoteAddr(r *http.Request) string {
 	if prior := r.Header.Get("X-Forwarded-For"); prior != "" {
-		remoteAddr, _, _ := strings.Cut(prior, ",")
-		remoteAddr = strings.Trim(remoteAddr, " ")
+		proxies := strings.Split(prior, ",")
+		if len(proxies) > 0 {
+			remoteAddr := strings.Trim(proxies[0], " ")
 			if parseIP(remoteAddr) != nil {
 				return remoteAddr
 			}
 		}
+	}
 	// X-Real-Ip is less supported, but worth checking in the
 	// absence of X-Forwarded-For
 	if realIP := r.Header.Get("X-Real-Ip"); realIP != "" {
@@ -187,37 +189,49 @@ type httpRequestContext struct {
 // "request.<component>". For example, r.RequestURI
 func (ctx *httpRequestContext) Value(key interface{}) interface{} {
 	if keyStr, ok := key.(string); ok {
-		switch keyStr {
-		case "http.request":
+		if keyStr == "http.request" {
 			return ctx.r
-		case "http.request.uri":
+		}
+
+		if !strings.HasPrefix(keyStr, "http.request.") {
+			goto fallback
+		}
+
+		parts := strings.Split(keyStr, ".")
+
+		if len(parts) != 3 {
+			goto fallback
+		}
+
+		switch parts[2] {
+		case "uri":
 			return ctx.r.RequestURI
-		case "http.request.remoteaddr":
+		case "remoteaddr":
 			return RemoteAddr(ctx.r)
-		case "http.request.method":
+		case "method":
 			return ctx.r.Method
-		case "http.request.host":
+		case "host":
 			return ctx.r.Host
-		case "http.request.referer":
+		case "referer":
 			referer := ctx.r.Referer()
 			if referer != "" {
 				return referer
 			}
-		case "http.request.useragent":
+		case "useragent":
 			return ctx.r.UserAgent()
-		case "http.request.id":
+		case "id":
 			return ctx.id
-		case "http.request.startedat":
+		case "startedat":
 			return ctx.startedAt
-		case "http.request.contenttype":
-			if ct := ctx.r.Header.Get("Content-Type"); ct != "" {
+		case "contenttype":
+			ct := ctx.r.Header.Get("Content-Type")
+			if ct != "" {
 				return ct
 			}
-		default:
-			// no match; fall back to standard behavior below
 		}
 	}
 
+fallback:
 	return ctx.Context.Value(key)
 }
 
@@ -231,9 +245,12 @@ func (ctx *muxVarsContext) Value(key interface{}) interface{} {
 		if keyStr == "vars" {
 			return ctx.vars
 		}
-		// TODO(thaJeztah): this considers "vars.FOO" and "FOO" to be equal.
-		// We need to check if that's intentional (could be a bug).
-		if v, ok := ctx.vars[strings.TrimPrefix(keyStr, "vars.")]; ok {
+
+		if strings.HasPrefix(keyStr, "vars.") {
+			keyStr = strings.TrimPrefix(keyStr, "vars.")
+		}
+
+		if v, ok := ctx.vars[keyStr]; ok {
 			return v
 		}
 	}
@@ -285,25 +302,36 @@ func (irw *instrumentedResponseWriter) Flush() {
 
 func (irw *instrumentedResponseWriter) Value(key interface{}) interface{} {
 	if keyStr, ok := key.(string); ok {
-		switch keyStr {
-		case "http.response":
+		if keyStr == "http.response" {
 			return irw
-		case "http.response.written":
-			irw.mu.Lock()
-			defer irw.mu.Unlock()
-			return irw.written
-		case "http.response.status":
-			irw.mu.Lock()
-			defer irw.mu.Unlock()
-			return irw.status
-		case "http.response.contenttype":
-			if ct := irw.Header().Get("Content-Type"); ct != "" {
-				return ct
 		}
-		default:
-			// no match; fall back to standard behavior below
+
+		if !strings.HasPrefix(keyStr, "http.response.") {
+			goto fallback
+		}
+
+		parts := strings.Split(keyStr, ".")
+
+		if len(parts) != 3 {
+			goto fallback
+		}
+
+		irw.mu.Lock()
+		defer irw.mu.Unlock()
+
+		switch parts[2] {
+		case "written":
+			return irw.written
+		case "status":
+			return irw.status
+		case "contenttype":
+			contentType := irw.Header().Get("Content-Type")
+			if contentType != "" {
+				return contentType
+			}
 		}
 	}
 
+fallback:
 	return irw.Context.Value(key)
 }

context/http_test.go

@@ -14,7 +14,7 @@ func TestWithRequest(t *testing.T) {
 	var req http.Request
 
 	start := time.Now()
-	req.Method = http.MethodGet
+	req.Method = "GET"
 	req.Host = "example.com"
 	req.RequestURI = "/test-test"
 	req.Header = make(http.Header)
@@ -22,7 +22,7 @@ func TestWithRequest(t *testing.T) {
 	req.Header.Set("User-Agent", "test/0.1")
 
 	ctx := WithRequest(Background(), &req)
-	for _, tc := range []struct {
+	for _, testcase := range []struct {
 		key      string
 		expected interface{}
 	}{
@@ -61,18 +61,18 @@ func TestWithRequest(t *testing.T) {
 			key: "http.request.startedat",
 		},
 	} {
-		v := ctx.Value(tc.key)
+		v := ctx.Value(testcase.key)
 
 		if v == nil {
-			t.Fatalf("value not found for %q", tc.key)
+			t.Fatalf("value not found for %q", testcase.key)
 		}
 
-		if tc.expected != nil && v != tc.expected {
-			t.Fatalf("%s: %v != %v", tc.key, v, tc.expected)
+		if testcase.expected != nil && v != testcase.expected {
+			t.Fatalf("%s: %v != %v", testcase.key, v, testcase.expected)
 		}
 
 		// Key specific checks!
-		switch tc.key {
+		switch testcase.key {
 		case "http.request.id":
 			if _, ok := v.(string); !ok {
 				t.Fatalf("request id not a string: %v", v)
@@ -195,7 +195,7 @@ func TestWithVars(t *testing.T) {
 	}
 
 	ctx := WithVars(Background(), &req)
-	for _, tc := range []struct {
+	for _, testcase := range []struct {
 		key      string
 		expected interface{}
 	}{
@@ -212,10 +212,10 @@ func TestWithVars(t *testing.T) {
 			expected: "qwer",
 		},
 	} {
-		v := ctx.Value(tc.key)
+		v := ctx.Value(testcase.key)
 
-		if !reflect.DeepEqual(v, tc.expected) {
-			t.Fatalf("%q: %v != %v", tc.key, v, tc.expected)
+		if !reflect.DeepEqual(v, testcase.expected) {
+			t.Fatalf("%q: %v != %v", testcase.key, v, testcase.expected)
 		}
 	}
 }
@@ -253,36 +253,33 @@ func TestRemoteAddr(t *testing.T) {
 
 	// X-Forwarded-For set by proxy
 	expectedRemote = "127.0.0.1"
-	proxyReq, err := http.NewRequest(http.MethodGet, frontend.URL, nil)
+	proxyReq, err := http.NewRequest("GET", frontend.URL, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	resp, err := http.DefaultClient.Do(proxyReq)
+	_, err = http.DefaultClient.Do(proxyReq)
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer resp.Body.Close()
 
 	// RemoteAddr in X-Real-Ip
-	getReq, err := http.NewRequest(http.MethodGet, backend.URL, nil)
+	getReq, err := http.NewRequest("GET", backend.URL, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
 
 	expectedRemote = "1.2.3.4"
 	getReq.Header["X-Real-ip"] = []string{expectedRemote}
-	resp, err = http.DefaultClient.Do(getReq)
+	_, err = http.DefaultClient.Do(getReq)
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer resp.Body.Close()
 
 	// Valid X-Real-Ip and invalid X-Forwarded-For
 	getReq.Header["X-forwarded-for"] = []string{"1.2.3"}
-	resp, err = http.DefaultClient.Do(getReq)
+	_, err = http.DefaultClient.Do(getReq)
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer resp.Body.Close()
 }

context/trace_test.go

@@ -1,6 +1,7 @@
 package context
 
 import (
+	"context"
 	"runtime"
 	"testing"
 	"time"
@@ -8,7 +9,6 @@ import (
 
 // TestWithTrace ensures that tracing has the expected values in the context.
 func TestWithTrace(t *testing.T) {
-	t.Parallel()
 	pc, file, _, _ := runtime.Caller(0) // get current caller.
 	f := runtime.FuncForPC(pc)
 
@@ -36,29 +36,12 @@ func TestWithTrace(t *testing.T) {
 	ctx, done := WithTrace(Background())
 	defer done("this will be emitted at end of test")
 
-	tests := append(base, valueTestCase{
+	checkContextForValues(ctx, t, append(base, valueTestCase{
 		key:      "trace.func",
 		expected: f.Name(),
-	})
-	for _, tc := range tests {
-		tc := tc
-		t.Run(tc.key, func(t *testing.T) {
-			t.Parallel()
-			v := ctx.Value(tc.key)
-			if tc.notnilorempty {
-				if v == nil || v == "" {
-					t.Fatalf("value was nil or empty: %#v", v)
-				}
-				return
-			}
+	}))
 
-			if v != tc.expected {
-				t.Fatalf("unexpected value: %v != %v", v, tc.expected)
-			}
-		})
-	}
-
-	tracedFn := func() {
+	traced := func() {
 		parentID := ctx.Value("trace.id") // ensure the parent trace id is correct.
 
 		pc, _, _, _ := runtime.Caller(0) // get current caller.
@@ -66,32 +49,15 @@ func TestWithTrace(t *testing.T) {
 		ctx, done := WithTrace(ctx)
 		defer done("this should be subordinate to the other trace")
 		time.Sleep(time.Second)
-		tests := append(base, valueTestCase{
+		checkContextForValues(ctx, t, append(base, valueTestCase{
 			key:      "trace.func",
 			expected: f.Name(),
 		}, valueTestCase{
 			key:      "trace.parent.id",
 			expected: parentID,
-		})
-		for _, tc := range tests {
-			tc := tc
-			t.Run(tc.key, func(t *testing.T) {
-				t.Parallel()
-				v := ctx.Value(tc.key)
-				if tc.notnilorempty {
-					if v == nil || v == "" {
-						t.Fatalf("value was nil or empty: %#v", v)
+		}))
 	}
-					return
-				}
-
-				if v != tc.expected {
-					t.Fatalf("unexpected value: %v != %v", v, tc.expected)
-				}
-			})
-		}
-	}
-	tracedFn()
+	traced()
 
 	time.Sleep(time.Second)
 }
@@ -101,3 +67,19 @@ type valueTestCase struct {
 	expected      interface{}
 	notnilorempty bool // just check not empty/not nil
 }
+
+func checkContextForValues(ctx context.Context, t *testing.T, values []valueTestCase) {
+	for _, testcase := range values {
+		v := ctx.Value(testcase.key)
+		if testcase.notnilorempty {
+			if v == nil || v == "" {
+				t.Fatalf("value was nil or empty for %q: %#v", testcase.key, v)
+			}
+			continue
+		}
+
+		if v != testcase.expected {
+			t.Fatalf("unexpected value for key %q: %v != %v", testcase.key, v, testcase.expected)
+		}
+	}
+}

contrib/apache/README.MD

@@ -0,0 +1,36 @@
+# Apache HTTPd sample for Registry v1, v2 and mirror
+
+3 containers involved 
+
+* Docker Registry v1 (registry 0.9.1)
+* Docker Registry v2 (registry 2.0.0)
+* Docker Registry v1 in mirror mode
+
+HTTP for mirror and HTTPS for v1 & v2
+
+* http://registry.example.com proxify Docker Registry 1.0 in Mirror mode
+* https://registry.example.com proxify Docker Registry 1.0 or 2.0 in Hosting mode
+
+## 3 Docker containers should be started 
+
+* Docker Registry 1.0 in Mirror mode : port 5001
+* Docker Registry 1.0 in Hosting mode : port 5000
+* Docker Registry 2.0 in Hosting mode : port 5002
+
+### Registry v1
+
+    docker run -d -e SETTINGS_FLAVOR=dev -v /var/lib/docker-registry/storage/hosting-v1:/tmp -p 5000:5000 registry:0.9.1"
+
+### Mirror
+
+    docker run -d -e SETTINGS_FLAVOR=dev -e STANDALONE=false -e MIRROR_SOURCE=https://registry-1.docker.io -e MIRROR_SOURCE_INDEX=https://index.docker.io \
+                  -e MIRROR_TAGS_CACHE_TTL=172800 -v /var/lib/docker-registry/storage/mirror:/tmp -p 5001:5000 registry:0.9.1"
+
+### Registry v2
+
+    docker run -d -e SETTINGS_FLAVOR=dev -v /var/lib/axway/docker-registry/storage/hosting2-v2:/tmp -p 5002:5000 registry:2"
+
+# For Hosting mode access
+
+* users should have account (valid-user) to be able to fetch images
+* only users using account docker-deployer will be allowed to push images

contrib/apache/apache.conf

@@ -0,0 +1,127 @@
+#
+# Sample Apache 2.x configuration where : 
+#
+
+<VirtualHost *:80>
+         
+  ServerName registry.example.com
+  ServerAlias www.registry.example.com
+
+  ProxyRequests     off
+  ProxyPreserveHost on
+
+  # no proxy for /error/ (Apache HTTPd errors messages)
+  ProxyPass /error/ !
+
+  ProxyPass        /_ping http://localhost:5001/_ping
+  ProxyPassReverse /_ping http://localhost:5001/_ping
+
+  ProxyPass        /v1 http://localhost:5001/v1
+  ProxyPassReverse /v1 http://localhost:5001/v1
+
+  # Logs
+  ErrorLog ${APACHE_LOG_DIR}/mirror_error_log
+  CustomLog ${APACHE_LOG_DIR}/mirror_access_log combined env=!dontlog
+
+</VirtualHost>
+
+
+<VirtualHost *:443>
+
+  ServerName registry.example.com
+  ServerAlias www.registry.example.com
+
+  SSLEngine on
+  SSLCertificateFile /etc/apache2/ssl/registry.example.com.crt
+  SSLCertificateKeyFile /etc/apache2/ssl/registry.example.com.key
+
+  # Higher Strength SSL Ciphers
+  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 
+  SSLCipherSuite RC4-SHA:HIGH
+  SSLHonorCipherOrder on
+
+  # Logs
+  ErrorLog ${APACHE_LOG_DIR}/registry_error_ssl_log
+  CustomLog ${APACHE_LOG_DIR}/registry_access_ssl_log combined env=!dontlog
+
+  Header always set "Docker-Distribution-Api-Version" "registry/2.0"
+  Header onsuccess set "Docker-Distribution-Api-Version" "registry/2.0"
+  RequestHeader set X-Forwarded-Proto "https"
+
+  ProxyRequests     off
+  ProxyPreserveHost on
+
+  # no proxy for /error/ (Apache HTTPd errors messages)
+  ProxyPass /error/ !
+
+  #
+  # Registry v1
+  #
+
+  ProxyPass        /v1 http://localhost:5000/v1
+  ProxyPassReverse /v1 http://localhost:5000/v1
+
+  ProxyPass        /_ping http://localhost:5000/_ping
+  ProxyPassReverse /_ping http://localhost:5000/_ping
+
+  # Authentication require for push
+  <Location /v1>
+    Order deny,allow
+    Allow from all
+    AuthName "Registry Authentication"
+    AuthType basic
+    AuthUserFile "/etc/apache2/htpasswd/registry-htpasswd"
+
+    # Read access to authentified users
+    <Limit GET HEAD>
+      Require valid-user
+    </Limit>
+
+    # Write access to docker-deployer account only
+    <Limit POST PUT DELETE>
+      Require user docker-deployer
+    </Limit>
+
+  </Location>
+
+  # Allow ping to run unauthenticated.
+  <Location /v1/_ping>
+    Satisfy any
+    Allow from all
+  </Location>
+
+  # Allow ping to run unauthenticated.
+  <Location /_ping>
+    Satisfy any
+    Allow from all
+  </Location>
+
+  #
+  # Registry v2
+  #
+
+  ProxyPass        /v2 http://localhost:5002/v2
+  ProxyPassReverse /v2 http://localhost:5002/v2
+
+  <Location /v2>
+    Order deny,allow
+    Allow from all
+    AuthName "Registry Authentication"
+    AuthType basic
+    AuthUserFile "/etc/apache2/htpasswd/registry-htpasswd"
+
+    # Read access to authentified users
+    <Limit GET HEAD>
+      Require valid-user
+    </Limit>
+
+    # Write access to docker-deployer only
+    <Limit POST PUT DELETE>
+      Require user docker-deployer
+    </Limit>
+
+  </Location>
+
+
+</VirtualHost>
+

contrib/compose/README.md

@@ -0,0 +1,147 @@
+# Docker Compose V1 + V2 registry
+
+This compose configuration configures a `v1` and `v2` registry behind an `nginx`
+proxy. By default, you can access the combined registry at `localhost:5000`.
+
+The configuration does not support pushing images to `v2` and pulling from `v1`.
+If a `docker` client has a version less than 1.6, Nginx will route its requests
+to the 1.0 registry. Requests from newer clients will route to the 2.0 registry.
+
+### Install Docker Compose
+
+1. Open a new terminal on the host with your `distribution` source.
+
+2. Get the `docker-compose` binary.
+
+		$ sudo wget https://github.com/docker/compose/releases/download/1.1.0/docker-compose-`uname  -s`-`uname -m` -O /usr/local/bin/docker-compose
+
+	This command installs the binary in the `/usr/local/bin` directory. 
+	
+3. Add executable permissions to the binary.
+
+		$  sudo chmod +x /usr/local/bin/docker-compose
+		
+## Build and run with Compose
+	
+1. In your terminal, navigate to the `distribution/contrib/compose` directory
+
+	This directory includes a single `docker-compose.yml` configuration.
+	
+		nginx:
+			build: "nginx"
+			ports:
+				- "5000:5000"
+			links:
+				- registryv1:registryv1
+				- registryv2:registryv2
+		registryv1:
+			image: registry
+			ports:
+				- "5000"
+		registryv2:
+			build: "../../"
+			ports:
+				- "5000"
+
+	This configuration builds a new `nginx` image as specified by the
+	`nginx/Dockerfile` file. The 1.0 registry comes from Docker's official
+	public image. Finally, the registry 2.0 image is built from the
+	`distribution/Dockerfile` you've used previously.
+ 		
+2. Get a registry 1.0 image.
+
+		$ docker pull registry:0.9.1 
+
+	The Compose configuration looks for this image locally. If you don't do this
+	step, later steps can fail.
+	
+3. Build `nginx`, the registry 2.0 image, and 
+
+		$ docker-compose build
+		registryv1 uses an image, skipping
+		Building registryv2...
+		Step 0 : FROM golang:1.15
+		
+		...
+		
+		Removing intermediate container 9f5f5068c3f3
+		Step 4 : COPY docker-registry-v2.conf /etc/nginx/docker-registry-v2.conf
+		 ---> 74acc70fa106
+		Removing intermediate container edb84c2b40cb
+		Successfully built 74acc70fa106
+		
+	The command outputs its progress until it completes.
+
+4. Start your configuration with compose.
+
+		$ docker-compose up
+		Recreating compose_registryv1_1...
+		Recreating compose_registryv2_1...
+		Recreating compose_nginx_1...
+		Attaching to compose_registryv1_1, compose_registryv2_1, compose_nginx_1
+		...
+	
+
+5. In another terminal, display the running configuration.
+
+		$ docker ps
+		CONTAINER ID        IMAGE                       COMMAND                CREATED             STATUS              PORTS                                     NAMES
+		a81ad2557702        compose_nginx:latest        "nginx -g 'daemon of   8 minutes ago       Up 8 minutes        80/tcp, 443/tcp, 0.0.0.0:5000->5000/tcp   compose_nginx_1        
+		0618437450dd        compose_registryv2:latest   "registry cmd/regist   8 minutes ago       Up 8 minutes        0.0.0.0:32777->5000/tcp                   compose_registryv2_1   
+		aa82b1ed8e61        registry:latest             "docker-registry"      8 minutes ago       Up 8 minutes        0.0.0.0:32776->5000/tcp                   compose_registryv1_1   
+	
+### Explore a bit
+
+1. Check for TLS on your `nginx` server.
+
+		$ curl -v https://localhost:5000
+		* Rebuilt URL to: https://localhost:5000/
+		* Hostname was NOT found in DNS cache
+		*   Trying 127.0.0.1...
+		* Connected to localhost (127.0.0.1) port 5000 (#0)
+		* successfully set certificate verify locations:
+		*   CAfile: none
+			CApath: /etc/ssl/certs
+		* SSLv3, TLS handshake, Client hello (1):
+		* SSLv3, TLS handshake, Server hello (2):
+		* SSLv3, TLS handshake, CERT (11):
+		* SSLv3, TLS alert, Server hello (2):
+		* SSL certificate problem: self signed certificate
+		* Closing connection 0
+		curl: (60) SSL certificate problem: self signed certificate
+		More details here: http://curl.haxx.se/docs/sslcerts.html
+		
+2. Tag the `v1` registry image.
+
+		 $ docker tag registry:latest localhost:5000/registry_one:latest
+
+2. Push it to the localhost.
+
+		 $ docker push localhost:5000/registry_one:latest
+		
+	If you are using the 1.6 Docker client, this pushes the image the `v2 `registry.
+
+4. Use `curl` to list the image in the registry.
+
+			$ curl -v -X GET http://localhost:5000/v2/registry_one/tags/list
+			* Hostname was NOT found in DNS cache
+			*   Trying 127.0.0.1...
+			* Connected to localhost (127.0.0.1) port 32777 (#0)
+			> GET /v2/registry1/tags/list HTTP/1.1
+			> User-Agent: curl/7.36.0
+			> Host: localhost:5000
+			> Accept: */*
+			> 
+			< HTTP/1.1 200 OK
+			< Content-Type: application/json
+			< Docker-Distribution-Api-Version: registry/2.0
+			< Date: Tue, 14 Apr 2015 22:34:13 GMT
+			< Content-Length: 39
+			< 
+			{"name":"registry_one","tags":["latest"]}
+			* Connection #0 to host localhost left intact
+		
+	This example refers to the specific port assigned to the 2.0 registry. You saw
+	this port earlier, when you used `docker ps` to show your running containers.
+
+

contrib/compose/docker-compose.yml

@@ -0,0 +1,15 @@
+nginx:
+  build: "nginx"
+  ports:
+    - "5000:5000"
+  links:
+    - registryv1:registryv1
+    - registryv2:registryv2
+registryv1:
+  image: registry
+  ports:
+    - "5000"
+registryv2:
+  build: "../../"
+  ports:
+    - "5000"

contrib/compose/nginx/Dockerfile

@@ -0,0 +1,6 @@
+FROM nginx:1.7
+
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY registry.conf /etc/nginx/conf.d/registry.conf
+COPY docker-registry.conf /etc/nginx/docker-registry.conf
+COPY docker-registry-v2.conf /etc/nginx/docker-registry-v2.conf

contrib/compose/nginx/docker-registry-v2.conf

@@ -0,0 +1,9 @@
+proxy_pass                          http://docker-registry-v2;
+proxy_set_header  Host              $http_host;   # required for docker client's sake
+proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header  X-Forwarded-Proto $scheme;
+proxy_read_timeout                  900;
+proxy_send_timeout                  300;
+proxy_request_buffering             off; (see issue #2292 - https://github.com/moby/moby/issues/2292)
+proxy_http_version                  1.1;

contrib/compose/nginx/docker-registry.conf

@@ -0,0 +1,7 @@
+proxy_pass                          http://docker-registry;
+proxy_set_header  Host              $http_host;   # required for docker client's sake
+proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header  X-Forwarded-Proto $scheme;
+proxy_set_header  Authorization     ""; # For basic auth through nginx in v1 to work, please comment this line
+proxy_read_timeout                  900;

contrib/compose/nginx/nginx.conf

@@ -0,0 +1,27 @@
+user  nginx;
+worker_processes  1;
+
+error_log /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log main;
+
+    sendfile        on;
+
+    keepalive_timeout  65;
+
+    include /etc/nginx/conf.d/*.conf;
+}
+

contrib/compose/nginx/registry.conf

@@ -0,0 +1,41 @@
+# Docker registry proxy for api versions 1 and 2
+
+upstream docker-registry {
+  server registryv1:5000;
+}
+
+upstream docker-registry-v2 {
+  server registryv2:5000;
+}
+
+# No client auth or TLS
+server {
+  listen 5000;
+  server_name localhost;
+
+  # disable any limits to avoid HTTP 413 for large image uploads
+  client_max_body_size 0;
+
+  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
+  chunked_transfer_encoding on;
+
+  location /v2/ {
+    # Do not allow connections from docker 1.5 and earlier
+    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+      return 404;
+    }
+
+    # To add basic authentication to v2 use auth_basic setting plus add_header
+    # auth_basic "registry.localhost";
+    # auth_basic_user_file test.password;
+    # add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
+
+    include               docker-registry-v2.conf;
+  }
+
+  location / {
+    include               docker-registry.conf;
+  }
+}
+

contrib/docker-integration/Dockerfile

@@ -0,0 +1,9 @@
+FROM distribution/golem:0.1
+
+MAINTAINER Docker Distribution Team <distribution@docker.com>
+
+RUN apk add --no-cache git
+
+ENV TMPDIR /var/lib/docker/tmp
+
+WORKDIR /go/src/github.com/distribution/distribution/contrib/docker-integration

contrib/docker-integration/README.md

@@ -0,0 +1,63 @@
+# Docker Registry Integration Testing
+
+These integration tests cover interactions between registry clients such as
+the docker daemon and the registry server. All tests can be run using the
+[golem integration test runner](https://github.com/docker/golem)
+
+The integration tests configure components using docker compose
+(see docker-compose.yaml) and the runner can be using the golem
+configuration file (see golem.conf).
+
+## Running integration tests
+
+### Run using multiversion script
+
+The integration tests in the `contrib/docker-integration` directory can be simply
+run by executing the run script `./run_multiversion.sh`. If there is no running
+daemon to connect to, run as `./run_multiversion.sh -d`.
+
+This command will build the distribution image from the locally checked out
+version and run against multiple versions of docker defined in the script. To
+run a specific version of the registry or docker, Golem will need to be
+executed manually.
+
+### Run manually using Golem
+
+Using the golem tool directly allows running against multiple versions of
+the registry and docker. Running against multiple versions of the registry
+can be useful for testing changes in the docker daemon which are not
+covered by the default run script.
+
+#### Installing Golem
+
+Golem is distributed as an executable binary which can be installed from
+the [release page](https://github.com/docker/golem/releases/tag/v0.1).
+
+#### Running golem with docker
+
+Additionally golem can be run as a docker image requiring no additional
+installation.
+
+`docker run --privileged -v "$GOPATH/src/github.com/distribution/distribution/contrib/docker-integration:/test" -w /test distribution/golem golem -rundaemon .`
+
+#### Golem custom images
+
+Golem tests version of software by defining the docker image to test.
+
+Run with registry 2.2.1 and docker 1.10.3
+
+`golem -i golem-dind:latest,docker:1.10.3-dind,1.10.3 -i golem-distribution:latest,registry:2.2.1 .`
+
+
+#### Use golem caching for developing tests
+
+Golem allows caching image configuration to reduce test start up time.
+Using this cache will allow tests with the same set of images to start
+up quickly. This can be useful when developing tests and needing the
+test to run quickly. If there are changes which effect the image (such as
+building a new registry image), then startup time will be slower.
+
+Run this command multiple times and after the first time test runs
+should start much quicker.
+`golem -cache ~/.cache/docker/golem -i golem-dind:latest,docker:1.10.3-dind,1.10.3 -i golem-distribution:latest,registry:2.2.1 .`
+

contrib/docker-integration/docker-compose.yml

@@ -0,0 +1,91 @@
+nginx:
+  build: "nginx"
+  ports:
+    - "5000:5000"
+    - "5002:5002"
+    - "5440:5440"
+    - "5441:5441"
+    - "5442:5442"
+    - "5443:5443"
+    - "5444:5444"
+    - "5445:5445"
+    - "5446:5446"
+    - "5447:5447"
+    - "5448:5448"
+    - "5554:5554"
+    - "5555:5555"
+    - "5556:5556"
+    - "5557:5557"
+    - "5558:5558"
+    - "5559:5559"
+    - "5600:5600"
+    - "6666:6666"
+  links:
+    - registryv2:registryv2
+    - malevolent:malevolent
+    - registryv2token:registryv2token
+    - tokenserver:tokenserver
+    - registryv2tokenoauth:registryv2tokenoauth
+    - registryv2tokenoauthnotls:registryv2tokenoauthnotls
+    - tokenserveroauth:tokenserveroauth
+registryv2:
+  image: golem-distribution:latest
+  ports:
+    - "5000"
+registryv2token:
+  image: golem-distribution:latest
+  ports:
+    - "5000"
+  volumes:
+    - ./tokenserver/registry-config.yml:/etc/docker/registry/config.yml
+    - ./tokenserver/certs/localregistry.cert:/etc/docker/registry/localregistry.cert
+    - ./tokenserver/certs/localregistry.key:/etc/docker/registry/localregistry.key
+    - ./tokenserver/certs/signing.cert:/etc/docker/registry/tokenbundle.pem
+tokenserver:
+  build: "tokenserver"
+  command: "--debug -addr 0.0.0.0:5556 -issuer registry-test -passwd .htpasswd -tlscert tls.cert -tlskey tls.key -key sign.key -realm http://auth.localregistry:5556"
+  ports:
+    - "5556"
+registryv2tokenoauth:
+  image: golem-distribution:latest
+  ports:
+    - "5000"
+  volumes:
+    - ./tokenserver-oauth/registry-config.yml:/etc/docker/registry/config.yml
+    - ./tokenserver-oauth/certs/localregistry.cert:/etc/docker/registry/localregistry.cert
+    - ./tokenserver-oauth/certs/localregistry.key:/etc/docker/registry/localregistry.key
+    - ./tokenserver-oauth/certs/signing.cert:/etc/docker/registry/tokenbundle.pem
+registryv2tokenoauthnotls:
+  image: golem-distribution:latest
+  ports:
+    - "5000"
+  volumes:
+    - ./tokenserver-oauth/registry-config-notls.yml:/etc/docker/registry/config.yml
+    - ./tokenserver-oauth/certs/signing.cert:/etc/docker/registry/tokenbundle.pem
+tokenserveroauth:
+  build: "tokenserver-oauth"
+  command: "--debug -addr 0.0.0.0:5559 -issuer registry-test -passwd .htpasswd -tlscert tls.cert -tlskey tls.key -key sign.key -realm http://auth.localregistry:5559 -enforce-class"
+  ports:
+    - "5559"
+malevolent:
+  image: "dmcgowan/malevolent:0.1.0"
+  command: "-l 0.0.0.0:6666 -r http://registryv2:5000 -c /certs/localregistry.cert -k /certs/localregistry.key"
+  links:
+    - registryv2:registryv2
+  volumes:
+   - ./malevolent-certs:/certs:ro
+  ports:
+   - "6666"
+docker:
+  image: golem-dind:latest
+  container_name: dockerdaemon
+  command: "docker daemon --debug -s $DOCKER_GRAPHDRIVER"
+  privileged: true
+  environment:
+    DOCKER_GRAPHDRIVER:
+  volumes:
+    - /etc/generated_certs.d:/etc/docker/certs.d
+    - /var/lib/docker
+  links:
+    - nginx:localregistry
+    - nginx:auth.localregistry

contrib/docker-integration/golem.conf

@@ -0,0 +1,18 @@
+[[suite]]
+  dind=true
+  images=[ "nginx:1.9", "dmcgowan/token-server:simple", "dmcgowan/token-server:oauth", "dmcgowan/malevolent:0.1.0", "dmcgowan/ncat:latest" ]
+
+  [[suite.pretest]]
+    command="sh ./install_certs.sh /etc/generated_certs.d"
+  [[suite.testrunner]]
+    command="bats -t ."
+    format="tap"
+    env=["TEST_REPO=hello-world", "TEST_TAG=latest", "TEST_USER=testuser", "TEST_PASSWORD=passpassword", "TEST_REGISTRY=localregistry", "TEST_SKIP_PULL=true"]
+  [[suite.customimage]]
+    tag="golem-distribution:latest"
+    default="registry:2.2.1"
+  [[suite.customimage]]
+    tag="golem-dind:latest"
+    default="docker:1.10.1-dind"
+    version="1.10.1"
+

contrib/docker-integration/helpers.bash

@@ -0,0 +1,127 @@
+# has_digest enforces the last output line is "Digest: sha256:..."
+# the input is the output from a docker push cli command
+function has_digest() {
+	filtered=$(echo "$1" |sed -rn '/[dD]igest\: sha(256|384|512)/ p')
+	[ "$filtered" != "" ]
+	# See http://wiki.alpinelinux.org/wiki/Regex#BREs before making changes to regex
+	digest=$(expr "$filtered" : ".*\(sha[0-9]\{3,3\}:[a-z0-9]*\)")
+}
+
+# tempImage creates a new image using the provided name
+# requires bats
+function tempImage() {
+	dir=$(mktemp -d)
+	run dd if=/dev/urandom of="$dir/f" bs=1024 count=512
+	cat <<DockerFileContent > "$dir/Dockerfile"
+FROM scratch
+COPY f /f
+
+CMD []
+DockerFileContent
+
+	cp_t $dir "/tmpbuild/"
+	exec_t "cd /tmpbuild/; docker build --no-cache -t $1 .; rm -rf /tmpbuild/"
+}
+
+# skip basic auth tests with Docker 1.6, where they don't pass due to
+# certificate issues, requires bats
+function basic_auth_version_check() {
+	run sh -c 'docker version | fgrep -q "Client version: 1.6."'
+	if [ "$status" -eq 0 ]; then
+		skip "Basic auth tests don't support 1.6.x"
+	fi
+}
+
+email="a@nowhere.com"
+
+# docker_t_login calls login with email depending on version
+function docker_t_login() {
+	# Only pass email field pre 1.11, no deprecation warning
+	parse_version "$GOLEM_DIND_VERSION"
+	v=$version
+	parse_version "1.11.0"
+	if [ "$v" -lt "$version" ]; then
+		run docker_t login -e $email $@
+	else
+		run docker_t login $@
+	fi
+}
+
+# login issues a login to docker to the provided server
+# uses user, password, and email variables set outside of function
+# requies bats
+function login() {
+	rm -f /root/.docker/config.json
+
+	docker_t_login -u $user -p $password $1
+	if [ "$status" -ne 0 ]; then
+		echo $output
+	fi
+	[ "$status" -eq 0 ]
+
+	# Handle different deprecation warnings
+	parse_version "$GOLEM_DIND_VERSION"
+	v=$version
+	parse_version "1.11.0"
+	if [ "$v" -lt "$version" ]; then
+		# First line is WARNING about credential save or email deprecation (maybe both)
+		[ "${lines[2]}" = "Login Succeeded" -o "${lines[1]}" = "Login Succeeded" ]
+	else
+		[ "${lines[0]}" = "Login Succeeded" ]
+	fi
+
+}
+
+function login_oauth() {
+	login $@
+
+	tmpFile=$(mktemp)
+	get_file_t /root/.docker/config.json $tmpFile
+	run awk -v RS="" "/\"$1\": \\{[[:space:]]+\"auth\": \"[[:alnum:]]+\",[[:space:]]+\"identitytoken\"/ {exit 3}" $tmpFile
+	[ "$status" -eq 3 ]
+}
+
+function parse_version() {
+	version=$(echo "$1" | cut -d '-' -f1) # Strip anything after '-'
+	major=$(echo "$version" | cut -d . -f1)
+	minor=$(echo "$version" | cut -d . -f2)
+	rev=$(echo "$version" | cut -d . -f3)
+
+	version=$((major * 1000 * 1000 + minor * 1000 + rev))
+}
+
+function version_check() {
+	name=$1
+	checkv=$2
+	minv=$3
+	parse_version "$checkv"
+	v=$version
+	parse_version "$minv"
+	if [ "$v" -lt "$version" ]; then
+		skip "$name version \"$checkv\" does not meet required version \"$minv\""
+	fi
+}
+
+function get_file_t() {
+	docker cp dockerdaemon:$1 $2
+}
+
+function cp_t() {
+	docker cp $1 dockerdaemon:$2
+}
+
+function exec_t() {
+	docker exec dockerdaemon sh -c "$@"
+}
+
+function docker_t() {
+	docker exec dockerdaemon docker $@
+}
+
+# build creates a new docker image id from another image
+function build() {
+	docker exec -i dockerdaemon docker build --no-cache -t $1 - <<DOCKERFILE
+FROM $2
+MAINTAINER distribution@docker.com
+DOCKERFILE
+}

contrib/docker-integration/install_certs.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+set -e
+
+hostname="localregistry"
+installdir="$1"
+
+install_ca() {
+	mkdir -p $1/$hostname:$2
+	cp ./nginx/ssl/registry-ca+ca.pem $1/$hostname:$2/ca.crt
+	if [ "$3" != "" ]; then
+		cp ./nginx/ssl/registry-$3+client-cert.pem $1/$hostname:$2/client.cert
+		cp ./nginx/ssl/registry-$3+client-key.pem $1/$hostname:$2/client.key
+	fi
+}
+
+install_test_certs() {
+	install_ca $1 5440
+	install_ca $1 5441
+	install_ca $1 5442 ca
+	install_ca $1 5443 noca
+	install_ca $1 5444 ca
+	install_ca $1 5447 ca
+	# For test remove CA
+	rm $1/${hostname}:5447/ca.crt
+	install_ca $1 5448
+	install_ca $1 5600
+}
+
+install_ca_file() {
+	mkdir -p $2
+	cp $1 $2/ca.crt
+}
+
+append_ca_file() {
+	mkdir -p $2
+	cat $1 >> $2/ca.crt
+}
+
+install_test_certs $installdir
+
+# Malevolent server
+install_ca_file ./malevolent-certs/ca.pem $installdir/$hostname:6666
+
+# Token server
+install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5554
+install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5555
+install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5557
+install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5558
+append_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5600
+

contrib/docker-integration/malevolent-certs/ca.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+TCCAeGgAwIBAgIQJMzVQNYVNTbh36kZUytWiDANBgkqhkiG9w0BAQsFADAm
+MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
+MjI1OTA2WhcNMjgwODI2MjI1OTA2WjAmMREwDwYDVQQKEwhRdWlja1RMUzERMA8G
+A1UEAxMIUXVpY2tUTFMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCe
+8rEU8xHh6BMYVRz/KhFftKSxS4dxJi2LoNN4fxzY6EgHNfBACt2MhIWaUSHf2YkF
+NsS/T7qZWq23NEuIJYUUwbJRAh/iQsEhCI56eV+aJX+DGd2SQQNKdx1Pt528LNws
+n8Ci8rEHTe6i2/U7n/DLqa32BWF3aShsVrchRgpizXezS7GLyFmhv0hi0zRKJgDG
+JebLeqe/BUtEOsS/Oa65NQTEO/5EZBzM74+4eRo5zyp9Uvw4edmOrXRXK1fK9gP3
+Fq/jz9+8b5eUd9vl0e9z/xTqMdicYZOUHuUtxM3hXAkkxcaVJqqqDe6URbJHpbaN
+8Vt/p/csFXMWj3oSokvDAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMB
+Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCC3NiX+2Qk3WB+TRNDPCtQ7Pw+
+o31SSqfF8m3fevT4mdrJqFAF4qUpDwgV9/9EkU4UBoIq03S91Dk/No0jR3VAzzRA
+h3+ul/7u08JriS/ZgVediodi7H8xeCz3nvZfAwCP2ZmHzDGp39Uhc3L3WFZImZuV
+fCDeSWF3c5CjJbdUuCYYFy6LwSFLPoBXZaNBL19XP9btJtjbNTm77PZJ4cELTQ+U
+r5Ofw9D9mCCYrapmprw7Fw9wdE+iLL9EJCHAj7L8UYshF4+7O7Jv3ZatySMWPbjS
+nIa2+eKl/sfvRvLZWV9dUSObVsm/bpv8bsHIKp4bYl+IDb2aoSWnw4eZQHDJ
+-----END CERTIFICATE-----

contrib/docker-integration/malevolent-certs/localregistry.cert

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIQfv/raCIVnmpXY74aUyohmDANBgkqhkiG9w0BAQsFADAm
+MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
+MjI1OTA2WhcNMjgwODI2MjI1OTA2WjArMREwDwYDVQQKEwhRdWlja1RMUzEWMBQG
+A1UEAxMNbG9jYWxyZWdpc3RyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALedGn6gB0Km693mvJ8yz89wtfDs+SGjJi+XmJv0PYe6j5uToXQH2naXXIOZ
+lT9lmXd/RciZwn50aK4T6alu96D8yeLE13P+75rdrI9DWTNHsfx0jwRxUEXNazPI
+5Knwbf2MgGJfvHE6LjQ3FStJJ9f8JzryspIAYy5PJETuzoF7GsrUhgmcgQNqQcIx
+d81QwOnW3EHastTPIbUxQ3cbEKZMVmvsYSY60pQuw/syN7vGcR/uJQ6HsCUWTEpk
+LWFNJYudYnRIJ/mb6bGJ0tJhdlXKQ9+89oiEWZp9p1KMfyXesp8HeW8Jyoa06+Ri
+5U82r0oQgC0MI5AueueoNOmQyGsCAwEAAaM6MDgwDgYDVR0PAQH/BAQDAgWgMAwG
+A1UdEwEB/wQCMAAwGAYDVR0RBBEwD4INbG9jYWxyZWdpc3RyeTANBgkqhkiG9w0B
+AQsFAAOCAQEAGgUESvQoD/QGZQlY2NA4sauad/yMHVo7vs5TLiKxnAfJrnP1ycD6
+sqcbwCu6B1GU7fqGjKKgzXWXHTi4MiLi5bnh5Y2JBTABksGmzNAU1LbQJJkwsPnE
+GBF0RgUmcw7a+4qu3TqPJABOsl+RiUQ4VDzP3DFRbyigs2li+SjLTJepahDhAke9
+11lU/r3pm1cov9m0AsKSHrU777Hv5B7gmyJ1FO1Os7/KnkdHKUwiIZx0VW6Ho5H+
+IiCH7iKJ1tTxe3nkwjlkSXnx7xiLOG7QK1LtTNHzBumF4COSF1kvWvIqNhJeg482
+e38+Kzctl5iVbrB+JWY6roTQ26VLIdlS7A==
+-----END CERTIFICATE-----

contrib/docker-integration/malevolent-certs/localregistry.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAt50afqAHQqbr3ea8nzLPz3C18Oz5IaMmL5eYm/Q9h7qPm5Oh
+dAfadpdcg5mVP2WZd39FyJnCfnRorhPpqW73oPzJ4sTXc/7vmt2sj0NZM0ex/HSP
+BHFQRc1rM8jkqfBt/YyAYl+8cTouNDcVK0kn1/wnOvKykgBjLk8kRO7OgXsaytSG
+CZyBA2pBwjF3zVDA6dbcQdqy1M8htTFDdxsQpkxWa+xhJjrSlC7D+zI3u8ZxH+4l
+DoewJRZMSmQtYU0li51idEgn+ZvpsYnS0mF2VcpD37z2iIRZmn2nUox/Jd6ynwd5
+bwnKhrTr5GLlTzavShCALQwjkC5656g06ZDIawIDAQABAoIBAQCw7oKJYkucvpyq
+x50bCyuVCVdJQhEPiNdTJRG5tjFUiUG4+RmrZaXugQx1A5n97TllHQ9xrjjtAd+d
+XzLaQkP8rZsdGfFDpXXeFZ4irxNVhtDMJMVr0oU3vip/TCaMW1Kh8LIGGZrMwPOk
+/S849tWeGyzycMwCRL1N8pVQl44G1aexTmlt/tjpGyQAUcGt3MtKaUhhr8mLttfL
+2r6wfZgvSqReURBMdn/bf+sMKnJrYnZLRv/iPz+YWhdk4v1OXPO3D4OlYwR8HwSo
+a9mOpPuC6lWBqzq8eCBU474aQw4FXaFwN08YkJKa4DqUrmadnd4o+ajvOIA4MdF5
+7OOsHQaBAoGBANcVQIM6vndN2MFwODGnF8RfeLhEf46VlANkZadOOa0/igyra865
+7IR4dREFFkSdte8bj6/iEAPeDzXgS4TRsZfr2gkhdXuc2NW4jTVeiYfWW3cgKfW+
+7BQiHXsXCDeoZ1gXq/F5RmD8ue0TkP+IclWR52AM5e1MzfAuZzaIFNJFAoGBANqL
+Q925GxuDamcbuloxQUBarXPJgBDfTWUAXAJVISy80N3av45Y0gyoNjPaU7wHNtU9
+ppnYvM47o1W4qe9AkTtuU79T1WwXFr5T+4Ehm5I8WDHQwkzWGd+WlWkDidLWuvlx
+ZkzwQGp3KOTJhO20lpOtCbnOa627Op/zLhCBQzLvAoGAFF4A0+x2KNoIUpkL2TfX
+elMIHXrvEVN8xq11KtivgYZozjZVaSgWC51UiJ4Qs8KzfccAXklr9tHKYvGwdQ1e
+YeKFrSOr+l6p8eMeDBW9tE1KMAetsYW42Vc5r3RI5OxfjOoA8EbpsTl9acPWkTwc
+h5nfbSsLguMpBTt/rpxITHkCgYEAnKwwSBj25P+OXULUkuoytDcNmC+Bnxbm/hyG
+2ak78j2eox26LAti8m35Ba1kUCz/01myQSLPIC5DByYutXWdaHTMlyI7o5Td2i6M
+5GM6i1i1hWj6kmj+/XqPvEwsFzmXq1HvnAK0u16Xs4UAxgSr2ky35zujmFXcTmTg
+xjZU/YMCgYEAqF93h8WfckZxSUUMBgxTkNfu4MJlbsVBzIHv6TJY95VA49RcRYEK
+b7Xg+RiNQ42QGd8JBXZ50zQrIDhdd/yJ0KcytvW7WdiEEaF3ANO2QesygmI50611
+R76F8Bj0xnoQUCbyPuMOLRfTwEaS1jBG7TKWQXTaN0fm4DxUU0KazxU=
+-----END RSA PRIVATE KEY-----

contrib/docker-integration/malevolent.bats

@@ -0,0 +1,192 @@
+#!/usr/bin/env bats
+
+# This tests various expected error scenarios when pulling bad content
+
+load helpers
+
+host="localregistry:6666"
+base="malevolent-test"
+
+function setup() {
+	tempImage $base:latest
+}
+
+@test "Test malevolent proxy pass through" {
+	docker_t tag $base:latest $host/$base/nochange:latest
+	run docker_t push $host/$base/nochange:latest
+	echo $output
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+
+	run docker_t pull $host/$base/nochange:latest
+	echo "$output"
+	[ "$status" -eq 0 ]
+}
+
+@test "Test malevolent image name change" {
+	imagename="$host/$base/rename"
+	image="$imagename:lastest"
+	docker_t tag $base:latest $image
+	run docker_t push $image
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+
+	# Pull attempt should fail to verify manifest digest
+	run docker_t pull "$imagename@$digest"
+	echo "$output"
+	[ "$status" -ne 0 ]
+}
+
+@test "Test malevolent altered layer" {
+	image="$host/$base/addfile:latest"
+	tempImage $image
+	run docker_t push $image
+	echo "$output"
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+
+	# Remove image to ensure layer is pulled and digest verified
+	docker_t rmi -f $image
+
+	run docker_t pull $image
+	echo "$output"
+	[ "$status" -ne 0 ]
+}
+
+@test "Test malevolent altered layer (by digest)" {
+	imagename="$host/$base/addfile"
+	image="$imagename:latest"
+	tempImage $image
+	run docker_t push $image
+	echo "$output"
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+
+	# Remove image to ensure layer is pulled and digest verified
+	docker_t rmi -f $image
+
+	run docker_t pull "$imagename@$digest"
+	echo "$output"
+	[ "$status" -ne 0 ]
+}
+
+@test "Test malevolent poisoned images" {
+        truncid="777cf9284131"
+	poison="${truncid}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa32"
+	image1="$host/$base/image1/poison:$poison"
+	tempImage $image1
+	run docker_t push $image1
+	echo "$output"
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+
+	image2="$host/$base/image2/poison:$poison"
+	tempImage $image2
+	run docker_t push $image2
+	echo "$output"
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+
+
+	# Remove image to ensure layer is pulled and digest verified
+	docker_t rmi -f $image1
+	docker_t rmi -f $image2
+
+	run docker_t pull $image1
+	echo "$output"
+	[ "$status" -eq 0 ]
+	run docker_t pull $image2
+	echo "$output"
+	[ "$status" -eq 0 ]
+
+	# Test if there are multiple images
+	run docker_t images
+	echo "$output"
+	[ "$status" -eq 0 ]
+
+	# Test images have same ID and not the poison
+	id1=$(docker_t inspect --format="{{.Id}}" $image1)
+	id2=$(docker_t inspect --format="{{.Id}}" $image2)
+
+	# Remove old images
+	docker_t rmi -f $image1
+	docker_t rmi -f $image2
+
+	[ "$id1" != "$id2" ]
+
+	[ "$id1" != "$truncid" ]
+
+	[ "$id2" != "$truncid" ]
+}
+
+@test "Test malevolent altered identical images" {
+        truncid1="777cf9284131"
+	poison1="${truncid1}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa32"
+        truncid2="888cf9284131"
+	poison2="${truncid2}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa64"
+
+	image1="$host/$base/image1/alteredid:$poison1"
+	tempImage $image1
+	run docker_t push $image1
+	echo "$output"
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+
+	image2="$host/$base/image2/alteredid:$poison2"
+	docker_t tag $image1 $image2
+	run docker_t push $image2
+	echo "$output"
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+
+
+	# Remove image to ensure layer is pulled and digest verified
+	docker_t rmi -f $image1
+	docker_t rmi -f $image2
+
+	run docker_t pull $image1
+	echo "$output"
+	[ "$status" -eq 0 ]
+	run docker_t pull $image2
+	echo "$output"
+	[ "$status" -eq 0 ]
+
+	# Test if there are multiple images
+	run docker_t images
+	echo "$output"
+	[ "$status" -eq 0 ]
+
+	# Test images have same ID and not the poison
+	id1=$(docker_t inspect --format="{{.Id}}" $image1)
+	id2=$(docker_t inspect --format="{{.Id}}" $image2)
+
+	# Remove old images
+	docker_t rmi -f $image1
+	docker_t rmi -f $image2
+
+	[ "$id1" == "$id2" ]
+
+	[ "$id1" != "$truncid1" ]
+
+	[ "$id2" != "$truncid2" ]
+}
+
+@test "Test malevolent resumeable pull" {
+	version_check docker "$GOLEM_DIND_VERSION" "1.11.0"
+	version_check registry "$GOLEM_DISTRIBUTION_VERSION" "2.3.0"
+
+	imagename="$host/$base/resumeable"
+	image="$imagename:latest"
+	tempImage $image
+	run docker_t push $image
+	echo "$output"
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+
+	# Remove image to ensure layer is pulled and digest verified
+	docker_t rmi -f $image
+
+	run docker_t pull "$imagename@$digest"
+	echo "$output"
+	[ "$status" -eq 0 ]
+}

contrib/docker-integration/nginx/Dockerfile

@@ -0,0 +1,10 @@
+FROM nginx:1.9
+
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY registry.conf /etc/nginx/conf.d/registry.conf
+COPY docker-registry-v2.conf /etc/nginx/docker-registry-v2.conf
+COPY registry-noauth.conf /etc/nginx/registry-noauth.conf
+COPY registry-basic.conf /etc/nginx/registry-basic.conf
+COPY test.passwd /etc/nginx/test.passwd
+COPY ssl /etc/nginx/ssl
+COPY v1 /var/www/html/v1

contrib/docker-integration/nginx/docker-registry-v2.conf

@@ -0,0 +1,6 @@
+proxy_pass                          http://docker-registry-v2;
+proxy_set_header  Host              $http_host;   # required for docker client's sake
+proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header  X-Forwarded-Proto $scheme;
+proxy_read_timeout                  900;

contrib/docker-integration/nginx/nginx.conf

@@ -0,0 +1,61 @@
+user  nginx;
+worker_processes  1;
+
+error_log /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log main;
+
+    sendfile        on;
+
+    keepalive_timeout  65;
+
+    include /etc/nginx/conf.d/*.conf;
+}
+
+# Setup TCP proxies
+stream {
+  # Malevolent proxy
+  server {
+    listen     6666;
+    proxy_pass malevolent:6666;
+  }
+
+  # Registry configured for token server
+  server {
+    listen     5554;
+    listen     5555;
+    proxy_pass registryv2token:5000;
+  }
+
+  # Token server
+  server {
+    listen     5556;
+    proxy_pass tokenserver:5556;
+  }
+
+  # Registry configured for token server with oauth
+  server {
+    listen     5557;
+    listen     5558;
+    proxy_pass registryv2tokenoauth:5000;
+  }
+
+  # Token server with oauth
+  server {
+    listen     5559;
+    proxy_pass tokenserveroauth:5559;
+  }
+}

contrib/docker-integration/nginx/registry-basic.conf

@@ -0,0 +1,8 @@
+client_max_body_size 0;
+chunked_transfer_encoding on;
+location /v2/ {
+  auth_basic "registry.localhost";
+  auth_basic_user_file test.passwd;
+  add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
+  include               docker-registry-v2.conf;
+}

contrib/docker-integration/nginx/registry-noauth.conf

@@ -0,0 +1,5 @@
+client_max_body_size 0;
+chunked_transfer_encoding on;
+location /v2/ {
+  include               docker-registry-v2.conf;
+}

contrib/docker-integration/nginx/registry.conf

@@ -0,0 +1,260 @@
+# Docker registry proxy for api version 2
+
+upstream docker-registry-v2 {
+  server registryv2:5000;
+}
+
+# No client auth or TLS
+server {
+  listen 5000;
+  server_name localhost;
+
+  # disable any limits to avoid HTTP 413 for large image uploads
+  client_max_body_size 0;
+
+  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
+  chunked_transfer_encoding on;
+
+  location /v2/ {
+    # Do not allow connections from docker 1.5 and earlier
+    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+      return 404;
+    }
+    
+    include               docker-registry-v2.conf;
+  }
+}
+
+# No client auth or TLS (V2 Only)
+server {
+  listen 5002;
+  server_name localhost;
+
+  # disable any limits to avoid HTTP 413 for large image uploads
+  client_max_body_size 0;
+
+  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
+  chunked_transfer_encoding on;
+
+  location / {
+    include               docker-registry-v2.conf;
+  }
+}
+
+# TLS Configuration chart
+# Username/Password: testuser/passpassword
+#      | ca  | client | basic | notes
+# 5440 | yes | no     | no    | Tests CA certificate
+# 5441 | yes | no     | yes   | Tests basic auth over TLS
+# 5442 | yes | yes    | no    | Tests client auth with client CA
+# 5443 | yes | yes    | no    | Tests client auth without client CA
+# 5444 | yes | yes    | yes   | Tests using basic auth + tls auth
+# 5445 | no  | no     | no    | Tests insecure using TLS
+# 5446 | no  | no     | yes   | Tests sending credentials to server with insecure TLS
+# 5447 | no  | yes    | no    | Tests client auth to insecure
+# 5448 | yes | no     | no    | Bad SSL version
+
+server {
+  listen 5440;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
+  include registry-noauth.conf;
+}
+
+server {
+  listen 5441;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
+  include registry-basic.conf;
+}
+
+server {
+  listen 5442;
+  listen 5443;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
+  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
+  ssl_verify_client on;
+  include registry-noauth.conf;
+}
+
+server {
+  listen 5444;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
+  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
+  ssl_verify_client on;
+  include registry-basic.conf;
+}
+
+server {
+  listen 5445;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
+  include registry-noauth.conf;
+}
+
+server {
+  listen 5446;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
+  include registry-basic.conf;
+}
+
+server {
+  listen 5447;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
+  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
+  ssl_verify_client on;
+  include registry-noauth.conf;
+}
+
+server {
+  listen 5448;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
+  ssl_protocols       SSLv3;
+  include registry-noauth.conf;
+}
+
+# Add configuration for localregistry server_name
+# Requires configuring /etc/hosts to use
+# Set /etc/hosts entry to external IP, not 127.0.0.1 for testing
+# Docker secure/insecure registry features
+server {
+  listen 5440;
+  server_name localregistry;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
+  include registry-noauth.conf;
+}
+
+server {
+  listen 5441;
+  server_name localregistry;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
+  include registry-basic.conf;
+}
+
+server {
+  listen 5442;
+  listen 5443;
+  server_name localregistry;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
+  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
+  ssl_verify_client on;
+  include registry-noauth.conf;
+}
+
+server {
+  listen 5444;
+  server_name localregistry;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
+  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
+  ssl_verify_client on;
+  include registry-basic.conf;
+}
+
+server {
+  listen 5445;
+  server_name localregistry;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
+  include registry-noauth.conf;
+}
+
+server {
+  listen 5446;
+  server_name localregistry;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
+  include registry-basic.conf;
+}
+
+server {
+  listen 5447;
+  server_name localregistry;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
+  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
+  ssl_verify_client on;
+  include registry-noauth.conf;
+}
+
+server {
+  listen 5448;
+  server_name localregistry;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
+  ssl_protocols       SSLv3;
+  include registry-noauth.conf;
+}
+
+
+# V1 search test
+# Registry configured with token auth and no tls
+# TLS termination done by nginx, search results
+# served by nginx
+
+upstream docker-registry-v2-oauth {
+  server registryv2tokenoauthnotls:5000;
+}
+
+server {
+  listen 5600;
+  server_name localregistry;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
+
+  root /var/www/html;
+
+  client_max_body_size 0;
+  chunked_transfer_encoding on;
+  location /v2/ {
+    proxy_buffering off;
+    proxy_pass                          http://docker-registry-v2-oauth;
+    proxy_set_header  Host              $http_host;   # required for docker client's sake
+    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header  X-Forwarded-Proto $scheme;
+    proxy_read_timeout                  900;
+  }
+
+  location /v1/search {
+    if ($http_authorization !~ "Bearer [a-zA-Z0-9\._-]+") {
+	return 401;
+    }
+    try_files /v1/search.json =404;
+    add_header Content-Type application/json;
+  }
+}

contrib/docker-integration/nginx/ssl/registry-ca+ca.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+TCCAeGgAwIBAgIQVhmtXJ4fG4BkISUkyZ65ITANBgkqhkiG9w0BAQsFADAm
+MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
+MjI1MjMwWhcNMjgwODI2MjI1MjMwWjAmMREwDwYDVQQKEwhRdWlja1RMUzERMA8G
+A1UEAxMIUXVpY2tUTFMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDK
+J/SLv0dL7UXaNSEAdTMV8+rOFMcQNov/xLWa1mO+7zNZXHIdM+i1uQTHTdhuta6R
+wfqkruPMZ9sqK7G9UIPi11ynkdTiZKRCvCr2VMc/uf5WuIsZE1JXXknSNee1TMmV
+Je8TUJsRjEyQDbxn5qUAJLi8yj/O7W8wsnVHdySKMbaLN6v75151TxiIuOoncCHQ
+yzz10DzjXfXYajuheu+MLy/rjNGDj0gys4yQZAHlQWY9Lsiiix9rBdXQjVc3q2QT
+VM5v3pMjXcPweaIbTWJnbOgmy+267kX6kQpUfZRE55dQt6mPtPQ2idPvqPP3TXwa
+AFH39cz/pPifIZApDfZFAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMB
+Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB93GckXcLcfNdg9C0xMkvByPQJ
+dcy0GT991eZ/bNC39AXrmCSfn6a1FRlWoiCOSOW1NIZWQQ7jDep/T585vq2jN7KX
+hT/z3iIdNWR+Amvo4pyJ93u2D3uG/bmmguAr62jyIgrJudQ3+Mnd+bj/J33XzAgc
+d4ZGPvCmKtn8cTKzyS8rjy1oPSUm6pZnfk41MgMWrGuS5HkC3Aa7jo/4RdgGOJpm
+nUdz2FGfW/+gwXRy2e94V7ijjz+YwpzL0wHPyXyAm7GwJ7mfvPOZrQOLLw4Z9OaK
+R76t4NZBo5TmtvW5zQVsv3sPRnuqcmR0q6WR/fEuMafVtRVOVuDrZlSy0EtA
+-----END CERTIFICATE-----

contrib/docker-integration/nginx/ssl/registry-ca+client-cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+TCCAeGgAwIBAgIRAMGmTKEnobjz4ymIziTsFuMwDQYJKoZIhvcNAQELBQAw
+JjERMA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE4MDUy
+MTIyNTIzMVoXDTI4MDgyNjIyNTIzMVowEzERMA8GA1UEChMIUXVpY2tUTFMwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFrwVi+BAvng9TebwOLg2Juzg
+wnW2Lv2EOqpSYmlZLLub46/W+ktqrcb+nBMBwnbON0woCbMArONuiRk7BATnmLH8
+1e6I9Rax1nCaEpKhhH/b3T9PjwvzrXC+NIqeC46E7AEneAdBa4L/x27F/npLJy7X
+PAwcH9ImvACJ9csIObjFnGXNTwtGA2SMIOCiNv3lpyb/Yx20EqBcj+etz8XBjAIS
+46z0JDAtYAbJgIs7Ek2XQSrUud18jopzK9mrT9YvA4tDu9Woj70IXdZfOeb0W6Y+
+aBbEoHvqFtyeG7BStNszM7n6CTcJAqpHOMlYQPeRjtMwb2Ffw86NvxkfrjoNAgMB
+AAGjNTAzMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNV
+HRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBv1MfAYTymtDeA62N86QFOwASq
+ah2BQqfHvUzcM0U/H6YDEYUEKX2RFOtGwOwSBXr6v7JmU4KuE6tA6s+XWjD/lLr7
+CqWvJfZNP6zARL+MqbZjSmyymtuXaXH4eNVgN0aaGifhUSMDsg0qyZwG8isMN4hG
+kd0y1nNCn+Q3V7oe3NfjfdjviLU9PNNBQFbKRJJRQ6y267lFoWwlaHwtNyvDupVi
+f+JFMiuG3o+upqBF8UFUV8Of4VL6UcJI0OoF4ngTFzn3gRYaYKmkYawUmIr9vvg7
+oQccajcN1iNArnZwXK3lKSERybrUEiUZ4uZ69wVlXzE2TemhW1iYfrTU1cya
+-----END CERTIFICATE-----

contrib/docker-integration/nginx/ssl/registry-ca+client-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAmha8FYvgQL54PU3m8Di4Nibs4MJ1ti79hDqqUmJpWSy7m+Ov
+1vpLaq3G/pwTAcJ2zjdMKAmzAKzjbokZOwQE55ix/NXuiPUWsdZwmhKSoYR/290/
+T48L861wvjSKnguOhOwBJ3gHQWuC/8duxf56Sycu1zwMHB/SJrwAifXLCDm4xZxl
+zU8LRgNkjCDgojb95acm/2MdtBKgXI/nrc/FwYwCEuOs9CQwLWAGyYCLOxJNl0Eq
+1LndfI6KcyvZq0/WLwOLQ7vVqI+9CF3WXznm9FumPmgWxKB76hbcnhuwUrTbMzO5
++gk3CQKqRzjJWED3kY7TMG9hX8POjb8ZH646DQIDAQABAoIBAE2SfnOWbHoLqXqr
+WkS7OTnB1OS94Qarl2NXKWG6O3DyTSyIroBal1cITzLkncj3/lmIiyVo5J3Fa+W8
+zV/hgRqay5gOlzyJrjgvTZazHPCFRN0KABJsYEb3nNeUmehAxynxqg8VpQlxN4zO
++NxiZWyqODGRAEO0XVa0tMy/Wcw0guD18+U9GYiYQi3d7NEHTt5d8CX9VKY/bHKR
++ecC/lr7URnA/8FM60mKI6MAiHPxyUjJ7/6dq1goG8dDHcAtOEEIawECQtRfQ+Dn
+RL55nDPRYNviXRgr8u61TFm8zgkTUQy2MLRkHAyP0IBLUiMpqDdmXB4LNMQQSrsY
+0FyinIECgYEAy3eT5ZUb/ijGsWUT/DizUoetFfg8X4LV+HRLXdlxfcOYB3Elbeks
+JPC+Tdm33nB0lqo3hLVNPB9yqJiPOOaWQPpWBImOeitpmDRAagjwUewJwLY9RmKT
+RD0+YyCC0SwvSDFDsWF+ncW/8XpobvetCSC6mmjX6Wr070yHkhDeeC0CgYEAwd9v
+P+TjgWVyL5YRiOJ+wjR7ZKpHCiSSxSTjIhq40hs5LtHddSk9e/+AU0otcMExzCqN
+E4f/e05a6TD5CFAgmUMK7nb49ept3ENVoD+M13K3tTaTyeZghwYNNK56osDtdCgc
+c68jQAy81gU7iRt30xbLVV6HgGdrSrWN8D8DFWECgYABkV1RYpHBppzJVycNRX6U
+PzllNvF4JvDxJixCf99xAaXVQNjx/N77NeOxg+D31NQBKTSeUCtVMETY6bwIyzYT
+MBqjlE/FvznkE1r/tivr5a65jm3wcegCmZo2d1SqufVvT/nejwrDunddK/1MBZqO
+vHLTp8UqJknW4jcVOA4OzQKBgG7BdozJ9i62BcWptdq9iizoTpXzsSHaQv7dU+Tn
+3y4o30IgIqQMK1PrYyQx/EOuGwTISlAeIZYP7V/K2nolTHpCEryouxHCG4D59rDV
+nWB36PtdcpClS//XNTQjeWwBS6ZQQ/DS3RB6NmcOFjT9vDabjw32MvLoIiNMFQpq
+9RgBAoGARQnQ94oH98m/iheJpzaM9NhQhAoXSi4w19FySCtnyZTYTd0A7hjRzsSl
+DeoAkIGDHyy33RPK/kPtA6dxM/DQ00IkkwH4soaDDbnCmagdw4NnY8eA1Y/KSbd+
+XNNm+sDafoVyCojtsTA7bripKB8q5vPYo3qRLfQ7dwMeRPYblPI=
+-----END RSA PRIVATE KEY-----

contrib/docker-integration/nginx/ssl/registry-ca+localhost-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDTCCAfWgAwIBAgIQfzdVwVz4igfdJPd6SW/ENTANBgkqhkiG9w0BAQsFADAm
+MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
+MjI1MjMwWhcNMjgwODI2MjI1MjMwWjAnMREwDwYDVQQKEwhRdWlja1RMUzESMBAG
+A1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+v+H3BTOGLRYjyPx+JQQcP5r8HHBmjknflE6VcrbRD5VGx8192hwsjAdlL0kz1CEq
+FW2KQidJieDi8iIh9BWB8lsTQ51xZGnry6CbVXxTbv1Ss8ci9r8Cm3GPjWy5gqTi
+DTUUQez8xq29gUod4ZvRoJ8jl/eI7gF7MBFakv7tZQ40SHcogjQoG7nKMXG1VOhX
+D4kM120E+hW9x0U3j0SaCIYl6bG2RHIvUMlrVnj4es6JBVzqItkhAwugE6ytneOh
+VxWQ/7e8qKW2+lVsPnH/zjNES0j/9XYgVCjwkgirxjs2eZRIS5Mg14DdYqfQ9MRQ
+EoyQxl3xcDxjqPocMgGYHwIDAQABozYwNDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0T
+AQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEB
+ACU0E2BAdqjVvO06ZyHplxxQ4TQxK9voBCTheC2G7oFaM4VLFf48GgoMkvbsMGyd
+1JqIACCDuSJ5UVjmWm6VIDZrnRsf/BbQCTZXKQd4ONLL5DU/OPjAFKGeCpAK51yj
+OMHdw3cQmMCEpMH9HHJ+iB3XWLcDKPAxTkcsBytC9VLUgU7Q4+3eYIT/j/ug+y4G
+W4A0cmdDDuozwBAPXj7ZLKdVlkUFka8WjQAJesHTIifS1bfahGiSNVJbYjXbGoML
+d0IeGMd1lXlc2M+ygqZsSM2ErzndNdvDs7S6u/FIICm7uW6P2naPeMtedb2orO6Q
+5O3gRtj/UQjegI0XV4YO2TQ=
+-----END CERTIFICATE-----

contrib/docker-integration/nginx/ssl/registry-ca+localhost-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAv+H3BTOGLRYjyPx+JQQcP5r8HHBmjknflE6VcrbRD5VGx819
+2hwsjAdlL0kz1CEqFW2KQidJieDi8iIh9BWB8lsTQ51xZGnry6CbVXxTbv1Ss8ci
+9r8Cm3GPjWy5gqTiDTUUQez8xq29gUod4ZvRoJ8jl/eI7gF7MBFakv7tZQ40SHco
+gjQoG7nKMXG1VOhXD4kM120E+hW9x0U3j0SaCIYl6bG2RHIvUMlrVnj4es6JBVzq
+ItkhAwugE6ytneOhVxWQ/7e8qKW2+lVsPnH/zjNES0j/9XYgVCjwkgirxjs2eZRI
+S5Mg14DdYqfQ9MRQEoyQxl3xcDxjqPocMgGYHwIDAQABAoIBABbp0ueqGXG03R0Z
+Ga8t6Hmn9kcnHPgM1kgNgkcqkZh8yPD/FvI+vwsRrwGQikHgm/fnFsWDj4KJelBT
+xx4wm03nlktSt8G37FJqoWH58LSmR4P0WbaBZLxPOUc4Hob9TYkqN3sP47eN871G
+rn7MbqHxnvx8sLtLLfy1dc1r58lTTZB7YL1OPV7B/VYhYFDtpkUBvadV+WJ7SJ5G
+UHrBsshOUJbUI4ahmc8izi40yDw+A0LRhtj3i7aFr2Og+vCq9M8NXDjhdOu9VBkI
+fvniC6worJk/GnQDJ/KT5Uqfejdd3Pq7eHp11riqwua8+/wi726zRz9perFh/3gJ
+pYjaY+ECgYEA+ssW+vJRZNHEzdf8zzIJxHqq9tOjbQK9yyIPQP5O4q9zKvDJIpnX
+T31aZTLGy0op+XA9GJ7X0/d1tqo3G2wNBsFYWPn3gmVVth/7iHxRznorNfmsuea7
+1gFm19StL2+q8PaZ4fx9vUcWwDHlALYTYlTaazms6z9FWD/KbB8kiWkCgYEAw93H
+Pp12ND3f6p2rYbXPfHJ0aAUbrQR4wRG3ipVWXGjvn2h/CbrLAt5W1wB3iwnWwatX
+opdbfzjxgb0wRQHSPNVj3/SOHr8E5zH/mw+eV7mOea4xlCLTSIAJNzW1320hwsbw
+FrEC5qe41PrbMUu+4LvXPkHCKVxRXaV4QX4YHEcCgYEAurjegTRM+X1cw81dwn4E
+265g/6iO8qip2kWficpNvWTXoE7p0cMslVhFJzdo3w52teqk8mHBW2XQ1JFiuh32
+jOMC/iwN5Z3A9PpW8kVtOwemiGc9/KMXkrw0b9k+oCTJ5uITrDeq/nOhMrNzRtZJ
+FFsMy+yDHBtda9kCwwFk2JECgYBQUpbu+qwK6IT3NgmeXGzmYBmUvuOGpJrQsm9O
+iceMxgvel3/hgZTXbE64hRyBDFvhuF6L8v42widoSSmOYxzQjcITibruqO9d0Ic+
+E72fxBzFkcYLNezngnpFBeW75ok900+KPrUt2gJWdTmGkcWJa/7tLRJu28kSWlVi
+pk9E6QKBgDH2Uh61ToeNq8Gbnue3pnhUddHELRFQfwHHaa4tFrXBHuPLKqkVefKT
+A58awVoPpKTECROeyqe2DJXg9EdSVzKyhg217N/07NRaunfCJ9/TSpFy+5Xls7Rl
+U7zK25S1/13KZ6rGVHpmP6Q82VSnsHkPtUfDo3A29llqIQ8je43Y
+-----END RSA PRIVATE KEY-----

contrib/docker-integration/nginx/ssl/registry-ca+localregistry-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIQM3khHYh+82EC0qR1Pelk2DANBgkqhkiG9w0BAQsFADAm
+MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
+MjI1MjMxWhcNMjgwODI2MjI1MjMxWjArMREwDwYDVQQKEwhRdWlja1RMUzEWMBQG
+A1UEAxMNbG9jYWxyZWdpc3RyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAKA8e9cUSyasRtEHw3yGW5lFCnnZIN+SSvykAOynt9LLKzU5G5ge3ekBtzsl
+HE1ndeYjy/dK7XkECQBQ0csF+KSacU5QiZek8g6btH94HDwltCq1I8f1E8LQFP6k
+483MKZUDeNNnHzbuK9xsMjYOCrJWGysLHnKjzK/+yfVPwTm9tmUVRqd4xjw1oYY6
+C7iCffIWn7+dQKDjHrn+KyheIy244v5y63AaxgPfjHrtvJtz1vPqxi+FyzDM7RfZ
+GIjklC6KaKHmxvUsB0hO4WNb9kt8FBvnxOxuDKf+rUYKTg6JK72O3TaUauiEvE2X
+SKT0vYpLoep5hc9ns/yh3BuuznECAwEAAaM6MDgwDgYDVR0PAQH/BAQDAgWgMAwG
+A1UdEwEB/wQCMAAwGAYDVR0RBBEwD4INbG9jYWxyZWdpc3RyeTANBgkqhkiG9w0B
+AQsFAAOCAQEAMt/lnR3Wy99X/knvjtg7wsPz5T9sZ5hGy/9sIm8sFdsqt5NZi9IY
+vS+eyij1yHvOU+pqOxsYQ2NG26CS0CKM3JWLJTo/w8GyiSwxL8a1/UxHmTxDnSMH
+cYZRsuPtdkTiAuZhoT5I1ZTsOa7MQF25HiFBL6Ei88FFhcQQjJ7+xYDNhSoddMtz
+U8mUY6NOENmvE86QMjWjaj1PXPLO8PxPIqw482Ln/95pHzuaxAYMvxhs2aQlBS1/
+9+vi6VOkbQna9+crmzniXjZDx5QdvMN2QwzFL4hCgqbebVg0zwjhByOwQIjtNEXE
+gqxjLkTNOdSva6Fkk/z8BD2XSZ4L+nM3Mw==
+-----END CERTIFICATE-----

contrib/docker-integration/nginx/ssl/registry-ca+localregistry-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAoDx71xRLJqxG0QfDfIZbmUUKedkg35JK/KQA7Ke30ssrNTkb
+mB7d6QG3OyUcTWd15iPL90rteQQJAFDRywX4pJpxTlCJl6TyDpu0f3gcPCW0KrUj
+x/UTwtAU/qTjzcwplQN402cfNu4r3GwyNg4KslYbKwsecqPMr/7J9U/BOb22ZRVG
+p3jGPDWhhjoLuIJ98hafv51AoOMeuf4rKF4jLbji/nLrcBrGA9+Meu28m3PW8+rG
+L4XLMMztF9kYiOSULopooebG9SwHSE7hY1v2S3wUG+fE7G4Mp/6tRgpODokrvY7d
+NpRq6IS8TZdIpPS9ikuh6nmFz2ez/KHcG67OcQIDAQABAoIBABNXmb9ZtMSjUR0U
+adWTRmVW/y+8NQqn1yNuDKqEiF0Kp1mSXjFbsH/a9CpQjX0Oex3fvlRImCfeg9Ok
+7d4rB1ufRQQmFqXWhF2dEAm/DvF3v6rUGNCfVdZTVeVzNAh4l6BkPeaO8SapU2QV
+L250/XePi1ID0pYWDbRE9k4FZZa5je3mTctn3s1PHp6xxQdyDHfxZmCZImwZcErj
+joBoQldvUUfjqXCY9SgRJ/MQSNeJoJvPwXmYokpqxfv2sP+JlQgXEcO3Ihj9IkGx
+avMFR3yGdWWLxmE3zzypXvFI+My0E035fEjcObspVOgqxJJUCWLSwWtVAo9shFgO
+fPnfv70CgYEAxqVNQ4eEf8HRDN7Ygr9yruqN5NxXKJKBqOT+OlTAiCtrm6iRFkR/
+WOFA3Ewjk5dxnVBvXHhTZoS2yfIVj8Pz7wbcoigfT+ia4JcAW8xQTs1CV/Xz8JsN
+ChUH3ee2POue/AAxf25yDBGH3fKq34aqL9WNDmaUz+hDCo4r3/hfVZ8CgYEAzoAv
+tBxwE/VUwkmWzv40WI9J4GSh7lYo4d8Z2TR6FRSxgb0Uf3C3GiGKuLf9EMilL3ae
+i/Dsb0CVn2sfLdSNFlxj1l8V4R8JfXST2Tn4g1pv6Hs3LEXJtlncg5/1DiMtfrqW
+quJtKuv8xO+5rbfqtmMYduf4ELkwg1uJJBc/we8CgYBZkUMrRbl6mXuXIAvjuEsP
+j3b3UFqEUrrf2pC+4GQHgfx9LR5uOehpvPcv3azU6Z4y3oe33BFO0lxQ5jTOo/4j
+Mqbc/tZPg4QB7FQfEBrNzUMywhWB0Yepmh338nh7M4p1+ehXmwcVZforGzXsn52w
+/8sgSSSkMge4hK5HyIfD5QKBgHVr6rROH2UZ8dJwqfKWFgntoKKaVoICOEkH5dje
+wDTQiYcuj0NQQq33OLyE0sACd/ufRdRpcOhqHyqBbT9QR9HZQ2QYuYZDcdAGxDOX
+hTqb6FqYBe2E2Yh5XKzz/hLF6g7P5vDQxCbN/fO2JS0lEbAYdUbX7PUFeRKYsEj3
+d2e9AoGAMrejS2Ic64k2I8VyYapEJ1SUaCeNCj7yR67QVtXJWvmYeu9tsUy9bxGC
+FmZuEIUnQV5KZUCKG26GKq/0NiT0Umc38zlUSJzDVM9LUHEt5K066RhVEBp3Fds5
+VIGgI1BkHeMKfhve0wwAbFECL+rzC9ihb6uNxZywlfeyfKN6ga8=
+-----END RSA PRIVATE KEY-----

contrib/docker-integration/nginx/ssl/registry-noca+client-cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+DCCAeCgAwIBAgIQTCXTJncsLpgueaMqQF6AiTANBgkqhkiG9w0BAQsFADAm
+MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
+MjI1NzI4WhcNMjgwODI2MjI1NzI4WjATMREwDwYDVQQKEwhRdWlja1RMUzCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL0fYn9wE7phMA6CFT6gv7mDpzSB
+LkebCxj3LfU/isdgXvtXUn+BKIolvav7oJyTyz1R0NzX5uXxEERMBUW89KWvPLPK
+o3d47MWMcAgiYx2+FeGZo1cjq3IRVKyg3WRVw2rO0YNL3K1QCS93A+IdA/05muwt
+346XJ2FV0tPmETn6t+So2e9ZXh+uJjcCHq4XpJAJznCwemzzRpDe7nG5sYZqq+Oz
+zBQ/bTC8rOdqW5woH/GhQHYHcKf1taPLmDLczVPQCqS3LAEK5EOUElfpQykfkZI4
+clOZBhJ0e5zNEBTB/XRd7uuUA57Ig58l7hbX0fUPHgS9MF1z9CXJ40BSm/sCAwEA
+AaM1MDMwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1Ud
+EwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBAHKH54KZdpvcLRIJK4yeSqwOigYp
+0NHM9U8RlHjmf5Tp9lCtZpVrkfUtg9rXytekAXfd6GaNex7swTMNPnJBGgaQ2vA8
+0jdtKfe6AcHTYQV1rs0qunlR8i26cNhYblKPJjYYA6FBzTTtybXhHYG9xvYpSVpo
+XcrsC81DYK6nMiQMRYuT7RO/rtI4Tzx+laYc0lYgBzf6pXUjXycgAuJ5+cWT8DDn
+OxPXbfAxfzc6jYfsigwzdOCnuIomFogm8ad47ApTTTLFrVtqCNJAKCu7HufEbB2G
+OKWvl9NmTPYetS6MO5LqLAWcf/uRPn+lufHeTfBWIDD5zbJ2+ATP+mQQ2d0=
+-----END CERTIFICATE-----

contrib/docker-integration/nginx/ssl/registry-noca+client-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAvR9if3ATumEwDoIVPqC/uYOnNIEuR5sLGPct9T+Kx2Be+1dS
+f4EoiiW9q/ugnJPLPVHQ3Nfm5fEQREwFRbz0pa88s8qjd3jsxYxwCCJjHb4V4Zmj
+VyOrchFUrKDdZFXDas7Rg0vcrVAJL3cD4h0D/Tma7C3fjpcnYVXS0+YROfq35KjZ
+71leH64mNwIerhekkAnOcLB6bPNGkN7ucbmxhmqr47PMFD9tMLys52pbnCgf8aFA
+dgdwp/W1o8uYMtzNU9AKpLcsAQrkQ5QSV+lDKR+RkjhyU5kGEnR7nM0QFMH9dF3u
+65QDnsiDnyXuFtfR9Q8eBL0wXXP0JcnjQFKb+wIDAQABAoIBAGQFxk1KFFT9c7Io
+oF3IHL5b38HIFJbwbBUfHaJYoehCktlxXINs5ujxfvgHk/FbxSDANaunUEoKjaTh
+Y+R3RBigroUURhI41VjBprrWnP8s+lufqyC6D8G7YsIOLikTps/FZE+Bfsv2yXTe
+CCK9X8+8eLAyrsq2LLCw+Fjzk+bKRj+zE1bUR2MqNYtRNOFizDR0DCy/f+OltmhR
+MVTQgA4hAWyCXc3c07zJ3YMiVMHBIGX3hiwEGhzgKtS8vQ7isW21StGLsMQlvUgt
+AjrVzzsacCSzuL+QZoZtZl3E7V/Mko0bKNeOz2ouoWTKxInlzget+b+zE39+1WZO
+T/X54gkCgYEAx5sI73letGuk9DOopwKLokj0Qdj3f5VRb3yJqbp3YkLTeayyRAwD
+3KY+NwSDGLqj/IcG5DN/ZtLbbhiI2F3oPcJG8QyVqmsfzF7aW3RaBBt6gFN6IdQ9
+SO0pS28bj3PVLqPqx3gXHZ3l9WRgj5mbl6yvoICiymMMKajOgKi0sTcCgYEA8o4j
++0HFhxcLvPz8GCynSarMXaZe/mEImURq8ObH2KSgBogD5mCA3IHL4kQSiRyxNoAt
+crGr1idsR28UYfX4xprMp3okA9ujAw0hkiNhUh3jf3ZywvQXFkOoSbtwnfAFK83c
+CmHy+c4OL9BAXsHvhsRHDCVjfKupqJQwux+9HV0CgYB+FSMmyX6V7qzqiDsPC5+S
+Kg0IDvn/QB2Jk5wNdzhz/AxC/mA4dXJ3DRedfx8kHrj5CX3D5feixqxOtfay3VaW
+tEJFfxKG7FXQrVW2kR9PGuBdcN1jwwHXL992w78f9SYC6Q2jY+sODTA1umr4KipL
+O4xQkRDDUJ9dLUELqgVBLwKBgQC+/CLizQgOdZv9hCmvk0FppP3j44M6wwa1QAUA
+iIblU8LZQbHobSYp+l2iXL1HjvsOkeC3RaSrLEF7AcDH3Zi0MOFiIa9IBmIVnfpI
+Cmmv8e7Wx1pXnUCsfDt/SwLCqWI4+o/+8N8TySasiUqWEhhbQiM7Mhli6fvdzEmO
+ndAX1QKBgCKJA25iPkLKw4mFVxAaPIAZnenJXJpuHF9tGzjjcFfioGtvI/1mrePs
+PhwoO1qpjzY9brtf47l+vVMSY9KrA1LvudPvTqBtyjQvG5SqsWZSLuyJL30HKeFy
+hv9FCsGVcF6wu3S8wXaGC/H8kityxTqFgZQW5whl2D9axJavygKj
+-----END RSA PRIVATE KEY-----

contrib/docker-integration/nginx/ssl/registry-noca+localhost-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAfagAwIBAgIRAI0Dt8LVd8cJPc0dv5aW+wcwDQYJKoZIhvcNAQELBQAw
+JjERMA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE4MDUy
+MTIyNTcyN1oXDTI4MDgyNjIyNTcyN1owJzERMA8GA1UEChMIUXVpY2tUTFMxEjAQ
+BgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANr32CUXFUCW1c2oPoHjq76T8jUTH/cxPiR5NabJ1y4gMCBko2rIe+TblW9UclxH
+911gjfpSAxFtNf+lX5kwmAMHhU8pcCc+Mjp3Ax9acFXSXvzzTDg+xj0NGig6OBk3
+jyPuO92lM8A4qs0mBZ/T04iLkawLmdRXViRoGK/T7Df8HN+hm7UsG0VO3GxFgSST
+YhhKTu6JMTADszbIFPOvBxGCUNhffXiLNyviO4AiBdcAv2v0SUadEPmSGm5Jb1DK
+tfKY0jWi1k1zNSqzit/bhML/EHbVkYJ00QmH50MBTunpz60gIgHjt48nzJarLDML
+oRFMppG9XIBQlUn3lo0gVwcCAwEAAaM2MDQwDgYDVR0PAQH/BAQDAgWgMAwGA1Ud
+EwEB/wQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IB
+AQAb388owui+O9vUle+A99FXwcMDEb0OILc0lBXVWx8q5ZE73vcanxyAcfOsZYRY
+Lh7G6VtJwC9xVjAdNwJ1gd+ak1l0/Rhs1V0JZ12/wOvAOQ7+9g2lRc1IedOh3EIh
+d3BMI4RdDB/BnnK3XjkggYQZK3yiAOavmmsZxAOl/apzjF+5u8XjuydMmotE2NYw
+IpM93zE5wWXqzYs/Kmyy7zAcHKfvq9xej/gMCFEvO6lopmwyslBLPpPNHwyfIVtA
+mspm2OZhdmpRJYGzkR4wK5NjoRl2O11uzlMRDckp0GSZ0x6TGxmb7ot5HK27p3ep
+6LPZM1wJIwuYHIP74eH0ctQP
+-----END CERTIFICATE-----

contrib/docker-integration/nginx/ssl/registry-noca+localhost-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA2vfYJRcVQJbVzag+geOrvpPyNRMf9zE+JHk1psnXLiAwIGSj
+ash75NuVb1RyXEf3XWCN+lIDEW01/6VfmTCYAweFTylwJz4yOncDH1pwVdJe/PNM
+OD7GPQ0aKDo4GTePI+473aUzwDiqzSYFn9PTiIuRrAuZ1FdWJGgYr9PsN/wc36Gb
+tSwbRU7cbEWBJJNiGEpO7okxMAOzNsgU868HEYJQ2F99eIs3K+I7gCIF1wC/a/RJ
+Rp0Q+ZIabklvUMq18pjSNaLWTXM1KrOK39uEwv8QdtWRgnTRCYfnQwFO6enPrSAi
+AeO3jyfMlqssMwuhEUymkb1cgFCVSfeWjSBXBwIDAQABAoIBAGQMCf4oZdV1FYs5
+7BV86OPSxT/q1Rgkr7gKibEDWAYDPvoOAXywzarriYOsmfQADc3kZ/qPrkcwFxQP
+g3aC9XGs5gQdctj7WgfMiOiycdFEpZH9uD2asQkEC4eF0kvzTrukBkZnTRXuzlud
+m8RDDMu+uXhadJbIsNtBlMYBllSdS+LFxXcAYm+IsvTYzmwg4+bnjvOwMHO9SMSb
+1dfgOLkg/A++/GTjD/kUyCV5dc4lv2I0i2pXJkD2V0Dr6Yra1U/MRKcOwTGC2q/8
+hZuKm9DgvGXvZsG0+yT5fsexGRwTxmByvfj+QMF3LCTDCknD4d/mmEEX0EEGPlW2
+I7OgKEECgYEA/LkdwnXy7ymis1Rgjumc3ydcLoCqV3ExaxXrvO50EkRpgRX/TLEk
+j98iVYyksiaJuMhqnxNttT6GwWJvwIXFPP9WpIGmzi4GKyqYGEX4WbyPoY9hjt/G
+muR67cTXg6ssiSssUCoQnWIHyuGDJfzRWqnoei0dIA2GobOwFJtXeV0CgYEA3c6u
+utbNtmbyp17Jffx01ee8Wprhnoz7Nh/dJMLngpIx3i8qQqpFB8TPNUTu+GLgGcol
+n9BDzZszoVhsxybn7Lgm/OjS/jQL4hosFoqztThkg28L8UD7QB0TyCucwgk2lgOe
+VxyX25kNSXzxdCYaKr1+6g2gtBAb0zPj2E+5t7MCgYEAimoA6J6dHWwaVkmiUOOW
+LYprLHT/1sCCJnptEJ8xJ0gc2LxphWGH+txk+6H6GjCNQY1TCCkl7xx9xbDaMAGU
+E2Jt28++wjHm4wGDJ9g6uztRF1VmQ1BAgFkfEta6irzXuZDRxl4jl283gWCd6dJb
+/2ILl87ZotKFqE6347Fo6WkCgYEAyDNyMMALIzTelkUO1wFUL3If5yPeuy4C3IJ8
+J18oeQkdq66klVF8RxvT7v/ONjGAlqaHuSzQ1jbcrifS3xp1wYsh3asELl+pziXT
+X3FH7Sz+REep3tLJNMBKB6WdsuF//H09oOD1DEej342/nhd6DNPHRtiQEZZslwBC
+Cg9D0NMCgYEArNksPSQJSxXqxZsw17OTqQJnf3kNBI0SP9q6Wc8gN69r5YQcIHcr
+KgtfdiL4LawZFie6gcNu398ng7VYUzzkYR9j+G5qPetcqllQZeVc6cieUyR7Eul0
+WvtlUECCfweLFUsIhuHyEsGu1PrFYd98SlOzt24utguFss1539cEC3A=
+-----END RSA PRIVATE KEY-----

contrib/docker-integration/nginx/ssl/registry-noca+localregistry-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIQTyBNJlm7fS0yutwdLbhG9zANBgkqhkiG9w0BAQsFADAm
+MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
+MjI1NzI4WhcNMjgwODI2MjI1NzI4WjArMREwDwYDVQQKEwhRdWlja1RMUzEWMBQG
+A1UEAxMNbG9jYWxyZWdpc3RyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBANSMT7auGdwF63fFdQM9O/EqrX++gnuBQgFa4cZzC7GqsvS90uKTOLuWIA2U
+ehgF548EDkZu1z6nRAvoFh5L6B5f1VjiVknzLEPlR+5uPD22kbcxgCrMCRZn+5mK
+vJhTUpx18yeBXMhxtPhkGnKaKwGcgeW8O69KM7Mo4HBQqg5656pa+4wkUo7GX2v0
+R4ZqmrS1tlwOgpld8KZKVJ1FNyGEeKQkIYGJKHqgC2/JrXsbzuSZ/4pqf8BHc6Mb
+AHU85RlBFVDHFPMtQ7Rg1vrhYzgInKeqXtc2kEAe63nqyYyHxPOUd3vIQX/N4tdB
+aH41ffs68Pdtp9GeocTiYyj7KuUCAwEAAaM6MDgwDgYDVR0PAQH/BAQDAgWgMAwG
+A1UdEwEB/wQCMAAwGAYDVR0RBBEwD4INbG9jYWxyZWdpc3RyeTANBgkqhkiG9w0B
+AQsFAAOCAQEAkjfZvcd5WysbfqGfhPErG7ADWAFJ1bsIDlHVUaEn2/Asr68iJpfF
+fqb0fhBkBExPhiLDS+jmL1L86QRNIgyM+7zGCCagKJkl9uNBGXPdS6KxZtY8W8rV
+bF/GIYnYUL5pnyrhX4pH2ZnDJpKIAJl8CAZ1VHwErQ5VqnJAX/gGO/eKgiyCciZv
+WmmQkhcOo60FwLW+Wi9sLOYD+YAT+VnFrGfak/SDfT78wrmmfg5v05tvFXgJaZLh
+JSxRET9D5iT3DIxb+m5GyQAqIH1djh02ybrPJ9j6/+qRQDojIe5qJUL90qIvhwO+
+aSbIL/p+I6//AUMWJvcR7GbXy3xywgmaYw==
+-----END CERTIFICATE-----

contrib/docker-integration/nginx/ssl/registry-noca+localregistry-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA1IxPtq4Z3AXrd8V1Az078Sqtf76Ce4FCAVrhxnMLsaqy9L3S
+4pM4u5YgDZR6GAXnjwQORm7XPqdEC+gWHkvoHl/VWOJWSfMsQ+VH7m48PbaRtzGA
+KswJFmf7mYq8mFNSnHXzJ4FcyHG0+GQacporAZyB5bw7r0ozsyjgcFCqDnrnqlr7
+jCRSjsZfa/RHhmqatLW2XA6CmV3wpkpUnUU3IYR4pCQhgYkoeqALb8mtexvO5Jn/
+imp/wEdzoxsAdTzlGUEVUMcU8y1DtGDW+uFjOAicp6pe1zaQQB7reerJjIfE85R3
+e8hBf83i10FofjV9+zrw922n0Z6hxOJjKPsq5QIDAQABAoIBAQCLj3Xn5XllVx29
+jxG+Br8NI5C4iEb1AXJtoVcODwxmpEbNHLcTvsdJpNF3GT7x9y6MYYVeCfmbUgkE
+KGgdjInlJ9fWfQdblyhBjJMmo4s6ml4jg4U8lKyC4dP6hXZALrXXtjrqfa6GjuLd
+Fh2nkkMa08EXL/mgp4A662QzW0POLQIo1lMJc49FFPrVQneLedUdsJDowNz/HU/q
+oD4/SsKw6inUh/A1MfSKvEhnJcVH4fiQhFQU5CdSzAHPmAYcoBeg6LjY+WScJAAs
+Hu5kgunbCsB5vw9WbFDQzM1HYtW1CvJj1cjNp662b06D7VQugjtawhHNImkq1/65
+H2ZTglchAoGBAPu0OX3tEvtic4f8VLRv/TeI9NSC3EgRAtIDncDo+nwVjR54AXID
+aePceImGUsDd5xfLuQTiYp50z0cEB5CGsWYbnjm0hliF8YXz/tpqi0V0Cr8fLLA8
+/jG3tajbZ8xu/3p1iEcIPevYT/44bjbOyDp5peQIHhr32LZ1gZfQDRt7AoGBANgt
+AIid1rPIyEzhhznpWVjw/ZIrtgaP0HDgKaUUCsEqEDoOJEaFS7WG4G7m8/iS4f8v
+XGgcoYf4TjfIwYtRQy2Bp9g4oOMiUbQKukF1DuFJpsw69y3hNNoZoUm7r2jpv3Q8
+/NY+O+BNaTVdmbOjNHmKo99MYGh1cPUPVGxuP1UfAoGBAOJ9fe5OUfJa2NLYv+/N
+hfFfD8/aIRXIGN2Z224nNp5JVj7AhaxuXe5oCR7W+8gI5VWIP+ihPVSQj6O7gIMQ
+cLkMyQfr5afqfzamJAGuNbw9ex4Xk0LS33klchWLuI9Aoiszb3lbdTyv3OtJJAO1
+dn8Hz7qtg0mJFDy65+4PjHvZAoGAXtKmmEZ75hKdYbPPiCSGT5At+g74Yjp1GP4K
+5mE7Mm3L/lszqEdR5UdLbPobbB6pyTCyHOzqIeVWEfwagYzcpbposFxunhLwucO2
+3X2GUGXpJ056HALcFwsFB32vPJrDoy4ZTbSwuPvbuU/cWsKtAt9AcHNlGozhRm05
+//IAD8sCgYAUs6ibNtUqCFjekr10FBGFuA2ZQg+9bQYw3ti+S6uFMsxIDqYRC2bG
+yvKhEYym/W7RwfzPWjGzuvFbZWzJnnb81WLfcI4DnrJe3h8THlnaBQhcsEObu84O
+XS/sYeVo5c6l0kTNp0I8vXbn05bExZlsLAIICMTsm5bSQZI/iCRyEw==
+-----END RSA PRIVATE KEY-----

contrib/docker-integration/nginx/test.passwd

@@ -0,0 +1 @@
+testuser:$apr1$YmLhHjm6$AjP4z8J1WgcUNxU8J4ue5.

contrib/docker-integration/nginx/v1/search.json

@@ -0,0 +1 @@
+{"num_pages":1,"num_results":2,"page":1,"page_size": 25,"query":"testsearch","results":[{"description":"","is_automated":false,"is_official":false,"is_trusted":false, "name":"dmcgowan/testsearch-1","star_count":1000},{"description":"Some automated build","is_automated":true,"is_official":false,"is_trusted":false,"name":"dmcgowan/testsearch-2","star_count":10}]}

contrib/docker-integration/plugins.bats

@@ -0,0 +1,103 @@
+#!/usr/bin/env bats
+
+# This tests pushing and pulling plugins
+
+load helpers
+
+user="testuser"
+password="testpassword"
+base="hello-world"
+
+#TODO: Create plugin image
+function create_plugin() {
+	plugindir=$(mktemp -d)
+
+	cat - > $plugindir/config.json <<CONFIGJSON
+{
+	"manifestVersion": "v0",
+	"description": "A test plugin for integration tests",
+	"entrypoint": ["/usr/bin/ncat", "-l", "-U", "//run/docker/plugins/plugin.sock"],
+	"interface" : {
+		"types": ["docker.volumedriver/1.0"],
+		"socket": "plugin.sock"
+	}
+}
+CONFIGJSON
+
+	cid=$(docker create dmcgowan/ncat:latest /bin/sh)
+
+	mkdir $plugindir/rootfs
+
+	docker export $cid | tar -x -C $plugindir/rootfs
+
+	docker rm $cid
+
+	daemontmp=$(docker exec dockerdaemon mktemp -d)
+
+	tar -c -C $plugindir . | docker exec -i dockerdaemon tar -x -C $daemontmp
+
+	docker exec dockerdaemon docker plugin create $1 $daemontmp
+
+	docker exec dockerdaemon rm -rf $daemontmp
+
+	rm -rf $plugindir
+}
+
+@test "Test plugin push and pull" {
+	version_check docker "$GOLEM_DIND_VERSION" "1.13.0-rc3"
+	version_check docker "$GOLEM_DISTRIBUTION_VERSION" "2.6.0"
+
+	login_oauth localregistry:5558
+	image="localregistry:5558/testuser/plugin1"
+
+	create_plugin $image
+
+	run docker_t plugin push $image
+	echo $output
+	[ "$status" -eq 0 ]
+
+	docker_t plugin rm $image
+
+	docker_t plugin install --grant-all-permissions $image
+}
+
+@test "Test plugin push and failed image pull" {
+	version_check docker "$GOLEM_DIND_VERSION" "1.13.0-rc3"
+	version_check docker "$GOLEM_DISTRIBUTION_VERSION" "2.6.0"
+
+
+	login_oauth localregistry:5558
+	image="localregistry:5558/testuser/plugin-not-image"
+
+	create_plugin $image
+
+	run docker_t plugin push $image
+	echo $output
+	[ "$status" -eq 0 ]
+
+	docker_t plugin rm $image
+
+	run docker_t pull $image
+
+	[ "$status" -ne 0 ]
+}
+
+@test "Test image push and failed plugin pull" {
+	version_check docker "$GOLEM_DIND_VERSION" "1.13.0-rc3"
+	version_check docker "$GOLEM_DISTRIBUTION_VERSION" "2.6.0"
+
+	login_oauth localregistry:5558
+	image="localregistry:5558/testuser/image-not-plugin"
+
+	build $image "$base:latest"
+
+	run docker_t push $image
+	echo $output
+	[ "$status" -eq 0 ]
+
+	docker_t rmi $image
+
+	run docker_t plugin install --grant-all-permissions $image
+
+	[ "$status" -ne 0 ]
+}

contrib/docker-integration/run_multiversion.sh

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+
+# Run the integration tests with multiple versions of the Docker engine
+
+set -e
+set -x
+
+DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+
+
+if [ "$TMPDIR" != "" ] && [ ! -d "$TMPDIR" ]; then
+	mkdir -p $TMPDIR
+fi
+
+cachedir=`mktemp -t -d golem-cache.XXXXXX`
+trap "rm -rf $cachedir" EXIT
+
+if [ "$1" == "-d" ]; then
+       # Drivers to use for Docker engines the tests are going to create.
+       STORAGE_DRIVER=${STORAGE_DRIVER:-overlay}
+
+       docker daemon --log-level=panic --storage-driver="$STORAGE_DRIVER" &
+       DOCKER_PID=$!
+
+       # Wait for it to become reachable.
+       tries=10
+       until docker version &> /dev/null; do
+               (( tries-- ))
+               if [ $tries -le 0 ]; then
+                       echo >&2 "error: daemon failed to start"
+                       exit 1
+               fi
+               sleep 1
+       done
+
+       trap "kill $DOCKER_PID" EXIT
+fi
+
+distimage=$(docker build -q $DIR/../..)
+fullversion=$(git describe --match 'v[0-9]*' --dirty='.m' --always)
+distversion=${fullversion:1}
+
+echo "Testing image $distimage with distribution version $distversion"
+
+# Pull needed images before invoking golem to get pull time
+# These images are defined in golem.conf
+time docker pull nginx:1.9
+time docker pull golang:1.6
+time docker pull dmcgowan/token-server:simple
+time docker pull dmcgowan/token-server:oauth
+time docker pull distribution/golem-runner:0.1-bats
+
+time docker pull docker:1.9.1-dind
+time docker pull docker:1.10.3-dind
+time docker pull docker:1.11.1-dind
+time docker pull docker:1.12.3-dind
+time docker pull docker:1.13.0-rc5-dind
+
+golem -cache $cachedir \
+	-i "golem-distribution:latest,$distimage,$distversion" \
+	-i "golem-dind:latest,docker:1.9.1-dind,1.9.1" \
+	-i "golem-dind:latest,docker:1.10.3-dind,1.10.3" \
+	-i "golem-dind:latest,docker:1.11.1-dind,1.11.1" \
+	-i "golem-dind:latest,docker:1.12.3-dind,1.12.3" \
+	-i "golem-dind:latest,docker:1.13.0-rc5-dind,1.13.0" \
+	$DIR
+

contrib/docker-integration/tls.bats

@@ -0,0 +1,108 @@
+#!/usr/bin/env bats
+
+# Registry host name, should be set to non-localhost address and match
+# DNS name in nginx/ssl certificates and what is installed in /etc/docker/cert.d
+
+load helpers
+
+hostname="localregistry"
+base="hello-world"
+image="${base}:latest"
+
+# Login information, should match values in nginx/test.passwd
+user=${TEST_USER:-"testuser"}
+password=${TEST_PASSWORD:-"passpassword"}
+
+function setup() {
+	tempImage $image
+}
+
+@test "Test valid certificates" {
+	docker_t tag $image $hostname:5440/$image
+	run docker_t push $hostname:5440/$image
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+}
+
+@test "Test basic auth" {
+	basic_auth_version_check
+	login $hostname:5441
+	docker_t tag $image $hostname:5441/$image
+	run docker_t push $hostname:5441/$image
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+}
+
+@test "Test basic auth with build" {
+	basic_auth_version_check
+	login $hostname:5441
+
+	image1=$hostname:5441/$image-build
+	image2=$hostname:5441/$image-build-2
+
+	tempImage $image1
+
+	run docker_t push $image1
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+
+	docker_t rmi $image1
+
+	run build $image2 $image1
+	echo $output
+	[ "$status" -eq 0 ]
+
+	run docker_t push $image2
+	echo $output
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+}
+
+@test "Test TLS client auth" {
+	docker_t tag $image $hostname:5442/$image
+	run docker_t push $hostname:5442/$image
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+}
+
+@test "Test TLS client with invalid certificate authority fails" {
+	docker_t tag $image $hostname:5443/$image
+	run docker_t push $hostname:5443/$image
+	[ "$status" -ne 0 ]
+}
+
+@test "Test basic auth with TLS client auth" {
+	basic_auth_version_check
+	login $hostname:5444
+	docker_t tag $image $hostname:5444/$image
+	run docker_t push $hostname:5444/$image
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+}
+
+@test "Test unknown certificate authority fails" {
+	docker_t tag $image $hostname:5445/$image
+	run docker_t push $hostname:5445/$image
+	[ "$status" -ne 0 ]
+}
+
+@test "Test basic auth with unknown certificate authority fails" {
+	run login $hostname:5446
+	[ "$status" -ne 0 ]
+	docker_t tag $image $hostname:5446/$image
+	run docker_t push $hostname:5446/$image
+	[ "$status" -ne 0 ]
+}
+
+@test "Test TLS client auth to server with unknown certificate authority fails" {
+	docker_t tag $image $hostname:5447/$image
+	run docker_t push $hostname:5447/$image
+	[ "$status" -ne 0 ]
+}
+
+@test "Test failure to connect to server fails to fallback to SSLv3" {
+	docker_t tag $image $hostname:5448/$image
+	run docker_t push $hostname:5448/$image
+	[ "$status" -ne 0 ]
+}
+

contrib/docker-integration/token.bats

@@ -0,0 +1,129 @@
+#!/usr/bin/env bats
+
+# This tests contacting a registry using a token server
+
+load helpers
+
+user="testuser"
+password="testpassword"
+base="hello-world"
+
+@test "Test token server login" {
+	login localregistry:5554
+}
+
+@test "Test token server bad login" {
+	docker_t_login -u "testuser" -p "badpassword" localregistry:5554
+	[ "$status" -ne 0 ]
+
+	docker_t_login -u "baduser" -p "testpassword" localregistry:5554
+	[ "$status" -ne 0 ]
+}
+
+@test "Test push and pull with token auth" {
+	login localregistry:5555
+	image="localregistry:5555/testuser/token"
+	build $image "$base:latest"
+
+	run docker_t push $image
+	echo $output
+	[ "$status" -eq 0 ]
+
+	docker_t rmi $image
+
+	docker_t pull $image
+}
+
+@test "Test push and pull with token auth wrong namespace" {
+	login localregistry:5555
+	image="localregistry:5555/notuser/token"
+	build $image "$base:latest"
+
+	run docker_t push $image
+	[ "$status" -ne 0 ]
+}
+
+@test "Test oauth token server login" {
+	version_check docker "$GOLEM_DIND_VERSION" "1.11.0"
+
+	login_oauth localregistry:5557
+}
+
+@test "Test oauth token server bad login" {
+	version_check docker "$GOLEM_DIND_VERSION" "1.11.0"
+
+	docker_t_login -u "testuser" -p "badpassword" -e $email localregistry:5557
+	[ "$status" -ne 0 ]
+
+	docker_t_login -u "baduser" -p "testpassword" -e $email localregistry:5557
+	[ "$status" -ne 0 ]
+}
+
+@test "Test oauth push and pull with token auth" {
+	version_check docker "$GOLEM_DIND_VERSION" "1.11.0"
+
+	login_oauth localregistry:5558
+	image="localregistry:5558/testuser/token"
+	build $image "$base:latest"
+
+	run docker_t push $image
+	echo $output
+	[ "$status" -eq 0 ]
+
+	docker_t rmi $image
+
+	docker_t pull $image
+}
+
+@test "Test oauth push and build with token auth" {
+	version_check docker "$GOLEM_DIND_VERSION" "1.11.0"
+
+	login_oauth localregistry:5558
+	image="localregistry:5558/testuser/token-build"
+	tempImage $image
+
+	run docker_t push $image
+	echo $output
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+
+	docker_t rmi $image
+
+	image2="localregistry:5558/testuser/token-build-2"
+	run build $image2 $image
+	echo $output
+	[ "$status" -eq 0 ]
+
+	run docker_t push $image2
+	echo $output
+	[ "$status" -eq 0 ]
+	has_digest "$output"
+
+}
+
+@test "Test oauth push and pull with token auth wrong namespace" {
+	version_check docker "$GOLEM_DIND_VERSION" "1.11.0"
+
+	login_oauth localregistry:5558
+	image="localregistry:5558/notuser/token"
+	build $image "$base:latest"
+
+	run docker_t push $image
+	[ "$status" -ne 0 ]
+}
+
+@test "Test oauth with v1 search" {
+	version_check docker "$GOLEM_DIND_VERSION" "1.12.0"
+
+	run docker_t search localregistry:5600/testsearch
+	[ "$status" -ne 0 ]
+
+	login_oauth localregistry:5600
+
+	run docker_t search localregistry:5600/testsearch
+	echo $output
+	[ "$status" -eq 0 ]
+
+	echo $output | grep "testsearch-1"
+	echo $output | grep "testsearch-2"
+}

contrib/docker-integration/tokenserver-oauth/.htpasswd

@@ -0,0 +1 @@
+testuser:$2y$05$T2MlBvkN1R/yICNnLuf1leOlOfAY0DvybctbbWUFKlojfkShVgn4m

contrib/docker-integration/tokenserver-oauth/Dockerfile

@@ -0,0 +1,8 @@
+FROM dmcgowan/token-server@sha256:5a6f76d3086cdf63249c77b521108387b49d85a30c5e1c4fe82fdf5ae3b76ba7
+
+WORKDIR /
+
+COPY ./.htpasswd /.htpasswd
+COPY ./certs/auth.localregistry.cert /tls.cert
+COPY ./certs/auth.localregistry.key /tls.key
+COPY ./certs/signing.key /sign.key

contrib/docker-integration/tokenserver-oauth/certs/auth.localregistry.cert

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHDCCAgagAwIBAgIRAKhhQMnqZx+hkOmoUYgPb+kwCwYJKoZIhvcNAQELMCYx
+ETAPBgNVBAoTCFF1aWNrVExTMREwDwYDVQQDEwhRdWlja1RMUzAeFw0xNjAxMjgw
+MDQyMzFaFw0xOTAxMTIwMDQyMzFaMDAxETAPBgNVBAoTCFF1aWNrVExTMRswGQYD
+VQQDExJhdXRoLmxvY2FscmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQD1tUf1EghBlIRrE83yF4zDgRu7vH2Jo0kygKJUWtQQe+DfXyjjE/fg
+FdKnnoEjsIeF9hxNbTt0ldDz7/n97pbMhoiXULi9iq4jlgSzVL2XEAgrON0YSY/c
+Lmmd1KSa/pOUZr2WMAYPZ+FdQfE1W7SMNbErPefBqYdFzpZ+esAtvbajYwIjl8Vy
+9c4bidx4vgnNrR9GcFYibjC5sj8syh/OtbzzqiVGT8YcPpmMG6KNRkausa4gqpon
+NKYG8C3WDaiPCLYKcvFrFfdEWF/m2oj14eXACXT9iwp8r4bsLgXrZwqcpKOWfVRu
+qHC8aV476EYgxWCAOANExUdUaRt5wL/jAgMBAAGjPzA9MA4GA1UdDwEB/wQEAwIA
+oDAMBgNVHRMBAf8EAjAAMB0GA1UdEQQWMBSCEmF1dGgubG9jYWxyZWdpc3RyeTAL
+BgkqhkiG9w0BAQsDggEBABxPGK9FdGDxcLowNsExKnnZvmQT3H0u+Dux1gkp0AhH
+KOrmx3LUENUKLSgotzx133tgOgR5lzAWVFy7bhLwlPhOslxf2oEfztsAMd/tY8rW
+PrG2ZqYqlzEQQ9INbAc3woo5A3slN07uhP3F16jNqoMM4zRmw6Ba70CluGKT7x5+
+xVjKoWITLjWDXT5m35PnsN8CpBaFzXYcod/5p9XwCFp0s+aNxfpZECCV/3yqIr+J
+ALzroPh43FAlG96o4NyYZ2Msp63newN19R2+TgpV4nXuw2mLVDpvetP7RRqnpvj/
+qwRgt5j4hFjJWb61M0ELL7A9fA71h1ImdGCvnArdBQs=
+-----END CERTIFICATE-----

contrib/docker-integration/tokenserver-oauth/certs/auth.localregistry.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA9bVH9RIIQZSEaxPN8heMw4Ebu7x9iaNJMoCiVFrUEHvg318o
+4xP34BXSp56BI7CHhfYcTW07dJXQ8+/5/e6WzIaIl1C4vYquI5YEs1S9lxAIKzjd
+GEmP3C5pndSkmv6TlGa9ljAGD2fhXUHxNVu0jDWxKz3nwamHRc6WfnrALb22o2MC
+I5fFcvXOG4nceL4Jza0fRnBWIm4wubI/LMofzrW886olRk/GHD6ZjBuijUZGrrGu
+IKqaJzSmBvAt1g2ojwi2CnLxaxX3RFhf5tqI9eHlwAl0/YsKfK+G7C4F62cKnKSj
+ln1UbqhwvGleO+hGIMVggDgDRMVHVGkbecC/4wIDAQABAoIBAQCrsjXKRwOF8CZo
+PLqZBWPT6hBbK+f9miC4LbNBhwbRTf9hl7mWlImOCTHe95/+NIk/Ty+P21jEqzwM
+ehETJPoziX9BXaL6sEHnlBlMx1aEjStoKKA3LJBeqAAdzk4IEQVHmlO4824IreqJ
+pF7Njnunzo0zTlr4tWJVoXsAfv5z9tNtdkxYBbIa0fjfGtlqXU3gLq58FCON3mB/
+NGc0AyA1UFGp0FzpdEcwTGD4InsXbcmsl2l/VPBJuZbryITRqWs6BbK++80DRhNt
+afMhP+IzKrWSCp0rBYrqqz6AevtlKdEfQK1yXPEjN/63QLMevt8mF/1JCp//TQnf
+Z6bIQbAhAoGBAP7vFA0PcvoXt9MXvvAwrKY1s6pNw4nWPG27qY1/m+DkBwP8IQms
+4AWGv1wscZzXJYTvaLO5/qjmGUj50ohcVEvyZJioh1pKXA8Chxvd6rBA/O/Lj5E0
+3MOSA5Q0gxJ0Mhv0zGbbyN5fY8D8zhxoqQP4LoW+UdZG2Oi6JxsQ9c9dAoGBAPa8
+U3bGuM5OGA9EWP7mkB/VnjDTL1aEIN3cOHbHIKwH/loxdYcNMBE7vwxV1CzgIzXT
+wsL0iE15fQdK938u0+um8aH5QtbWNI8tdk1XVjEC/i3C7N6WVUutneCKUDb4QxiB
+9OvWCbNNiN+xTKBBM93YlwO3GYfrW9Pmm9q1+hg/AoGBALJlUS22gun50PxaIJZq
+KVcCO2DQnCYHki/j48mN4+HjD/m85M2lePrFCYIR48syTyIQer9SR5+frVAA6k/b
+9G1VCQo+3MDVSkiCp1Nb3tBKGfYgB65ARMBinDiI6rPuNeaUTrkn0g+yxtaU0hLV
+Nnj9omia/x+oYj+xjI4HN0xNAoGARy92dSJIV104m88ATip/EnAzP6ruUWu1f8z1
+jW9OAdQckjEK03f+kjpGmGx61qekAPejjVO3r4KJi/0ZAtyjz61OsYiUvB748wYO
+x6mW+HUAmHtQk7eTzE2+6vV8xx9BXGTCIPiTu+N2xfMFRIcLS8odZ7j/6LMCv1Qd
+SzCNg0kCgYBaNlEs4pK1VxZZpEWwVmFpgIxfEfxLIaGrek6wBTcCn/VA2M0oHuez
+mlMio8VY0yWPBJz30JflDiTmYIvteLPMHT0N0J6isiXLhzJSFI4+cAMLE2Q5v8rz
+W+W5/L8YZeierW0qJat1BrgStaf5ZLpiOc9pKBSwycydPH5BfVdK/A==
+-----END RSA PRIVATE KEY-----

contrib/docker-integration/tokenserver-oauth/certs/ca.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9TCCAd+gAwIBAgIQNS9SaFSFBN7Zvwjalrf2DDALBgkqhkiG9w0BAQswJjER
+MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE2MDEyODAw
+NDIzMFoXDTE5MDExMjAwNDIzMFowJjERMA8GA1UEChMIUXVpY2tUTFMxETAPBgNV
+BAMTCFF1aWNrVExTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu/Pf
+fQ7VUTSXs12PRyrLDVDz7kPDbGNTt0vF7FYDmTTGOU3i62xZNOGuxBezAiVSV5A3
+lopwsv4OH7DRtSaPn+XCt1JDALna2WrjT0MshypMd5o2c3jmGUfAKf5gjizgIoEl
+d4e5aqEBuOQP+QCEde+8p8N1buQW+zMy9srM2O/7BFMIaQ07CWLlj3hIiF+L5rKD
+L6dWtKT7INRmRwpuZZnThEWnBSNgayrWek6G0i3y8QYTfVA1SwA+H3grJxy5NrLp
+GYXSmu2509mu0QAHhx05t1rJhwhFz/4sG7j8AggYeDXEqfQ/VIb/bvnW9bD+vrQ2
+ZnICvxnzNMYBx23BkQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAKQwDwYDVR0TAQH/
+BAUwAwEB/zALBgkqhkiG9w0BAQsDggEBALvTi6E44Fltu83dFLVEj0kLtusI/TTH
+Tw6upoB5pRG+7A75w0Ii8bvvd2tNpBOg+L+80xyIFqaNkXhLKTN4lgtd7WiCuyb/
+w1BEuF/+RjCXhu6wQ/63ab46d6ctaQ1zjxlU2rQLQXQFALI8ntyn/TELc01HYkr2
+x3NHlbnBNlgI2CKXPeUBzvBylTCcdYGwoa+2ZPdIsFjle2aCIBoZ+WNZlIbFwgLh
+XCHwcbviC+thjqOneJpJZmRW9AxQ638ki6iGItdrJewCN/1dcL2KKjxnC5VHbpne
+SOjEPNXihY08Brl8myhFNtRRKZ55MJIYzDtVQSkCaT91Q3XX9tSZadY=
+-----END CERTIFICATE-----

contrib/docker-integration/tokenserver-oauth/certs/localregistry.cert

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAfugAwIBAgIQN7rT95eAy75c4n6/AsDJODALBgkqhkiG9w0BAQswJjER
+MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE2MDEyODAw
+NDIzMloXDTE5MDExMjAwNDIzMlowKzERMA8GA1UEChMIUXVpY2tUTFMxFjAUBgNV
+BAMTDWxvY2FscmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDLi75QEkl/qekcoOJlNv9y1IXvrbU2ssl4ViJiZRjWx+/CkyCCOyf9YUpAgRLr
+Pskqde2mwhuNP8yBlOBb17Sapz7N3+hJi5j9vLBAFcamPeF3PqxjFv7j5TKkRmSI
+dFYQclREwMUd3qEH322KkqOnsEEfdmCgFqWORe+QR5AxzxQP3Pnd4OYH1yZCh0MQ
+P2pJgrxxf2I5I/m1AUgoHV1cdBbCv9LGohJPpMtwPC0dJpgMFcnf6hT37At236AY
+V437HiRruY7iPWkYFrSPWpwdslJ32MZvRN5RS163jZXjiZ7qWnQOiiDJfXe4evB/
+yQLN4m0qVQxsMz7rkY7OsqaXAgMBAAGjOjA4MA4GA1UdDwEB/wQEAwIAoDAMBgNV
+HRMBAf8EAjAAMBgGA1UdEQQRMA+CDWxvY2FscmVnaXN0cnkwCwYJKoZIhvcNAQEL
+A4IBAQAyUb3EuMaOylBeV8+4KeBiE4lxykDOwLLSk3jXRsVVtfJpX3v8l5vwo/Jf
+iG8tzzz+7uiskI96u3TsekUtVkUxujfKevMP+369K/59s7NRmwwlFMyB2fvL14B2
+oweVjWvM/8fZl6irtFdbJFXXRm7paKso5cmfImxhojAwohgcd4XTVLE/7juYa582
+AaBdRuIiyL71MU9qa1mC5+57AaSLPYaPKpahemgYYkV1Z403Kd6rXchxdQ8JIAL8
++0oYTSC+svnz1tUU/V5E5id9LQaTmDN5iIVFhNpqAaZmR45UI86woWvnkMb8Ants
+4aknwTwY3300PuTqBdQufvOFDRN5
+-----END CERTIFICATE-----

contrib/docker-integration/tokenserver-oauth/certs/localregistry.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAy4u+UBJJf6npHKDiZTb/ctSF7621NrLJeFYiYmUY1sfvwpMg
+gjsn/WFKQIES6z7JKnXtpsIbjT/MgZTgW9e0mqc+zd/oSYuY/bywQBXGpj3hdz6s
+Yxb+4+UypEZkiHRWEHJURMDFHd6hB99tipKjp7BBH3ZgoBaljkXvkEeQMc8UD9z5
+3eDmB9cmQodDED9qSYK8cX9iOSP5tQFIKB1dXHQWwr/SxqIST6TLcDwtHSaYDBXJ
+3+oU9+wLdt+gGFeN+x4ka7mO4j1pGBa0j1qcHbJSd9jGb0TeUUtet42V44me6lp0
+DoogyX13uHrwf8kCzeJtKlUMbDM+65GOzrKmlwIDAQABAoIBAF6vFMp+lz4RteSh
+Wm8m1FGAVwWVUpStOlcGClynFpTi0L88XYT3K7UMStQSttBDlqRv0ysdZF+ia+lj
+bbKLdvHyFp8CJzX/AB4YZgyJlKzEYFtuBhbaHZu5hIMyU5W+OELSTCznV0p7w4C8
+CGLLr+FTdhfCo1QU9NJn6fa9s2/XRdSClBBalAHYs0ZS7ZckaF/sPiC/VapfBMet
+qjJXNYiO6pXYriGWKF9zdAMfk2CM0BVWbnwQZkMSEQirrTcJwm3ezyloXCv2nywK
+/VzbUT1HJVyzo5oAwTd0MwDc2oEMiFzlfO028zY4LDltpia+SyWvFi5NaIqzFESc
+yLgJacECgYEA3jvH+ZQHQf42Md8TCciokaYvwWIKJdk4WRjbvE5cBZekyXAm7/3b
+/1VFDKsy2RPlfmfHP3wy9rlnjzsRveB5qaclgS8aI67AYsWd/yRgfRatl7Ve9bHl
+LY6VM5L/DZTxykcqivwjc77XoDuBfUKs6tyuSLQku+FOTbLtNYlUCHECgYEA6nkR
+lkXufyLmDhNb3093RsYvPcs1kGaIIGTnz3cxWNh485DgsyLBuYQ5ugupQkzM8YSt
+ohDTmVpggqjlXQxCg0Zw8gkEV0v8KsLGjn1CuTJg/mBArXlelq1FEeRAYC9/YfOz
+ocXegHV7wDKKtcraNZFsEc7Z0LwbC9wtzSFG44cCgYASkMX1CLPOhJE8e1lY0OWc
+PVjx++HDJbF6aAQ7aARyBygiF/d4xylw3EvHcinuTqY2eC8CE7siN3z6T0H9Ldqc
+HLWaZDf30SqLVd0MKprQ+GsKKIHFXtY5hxbZ1ybtmIrWjjl0oPnJOqFC5pW7xC0z
+9bmtozcKZxkmjpMYjN9zUQKBgQCqV6KLRerqunPgLfhE1/qTlE+l2QflDFhBEI3I
+j5NuNHZKnSphehK7sHAv1WD2Jc2OeRGb+BWCB8Ktqf5YBxwbOwW7EQnyUeW1OyP9
+SMs8uHj21P6oCNDLLr5LLUQHnPoyM1aBZLstICzziMR1JhY5bJjSpzBfEQmlKCSu
+LkrN6QKBgQCRXrBJRUxeJj7wCnCSq0Clf9NhCpQnwo4bEx8sKlj8K8ku8MvwQwoM
+3KfWc7bOl6A2/mM/k4yoHtBMM9X9xqYtsgeFhxuiWBcfTmTxWh73LQ48Kgbrgodt
+6yTccnjr7OtBidD85c6lgjAUgcL43QY8mlw0OhzXAZ2R5HWFp4ht+w==
+-----END RSA PRIVATE KEY-----

contrib/docker-integration/tokenserver-oauth/certs/signing.cert

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9TCCAd+gAwIBAgIRAJ6IIisIZxL86oe3oeoAgWUwCwYJKoZIhvcNAQELMCYx
+ETAPBgNVBAoTCFF1aWNrVExTMREwDwYDVQQDEwhRdWlja1RMUzAeFw0xNjAxMjgw
+MDQyMzNaFw0xOTAxMTIwMDQyMzNaMBMxETAPBgNVBAoTCFF1aWNrVExTMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3IXUwqSdO2QTj2ET6fJPGe+KWVnt
+QCQQWjkWVpOz8L2A29BRvv9z6lYNf9sOM0Xb5IUAgoZ/s3U6LNYT/RWYFBfeo40r
+Xd/MNKAn0kFsSb6BIKmUwPqFeqc8wiPX6yY4SbF1sUTkCTkw3yFHg/AIlwmhpFH3
+9mAmV+x0kTzFR/78ZDD5CUNS59bbu+7UqB06YrJuVEwPY98YixSPXTcaKimsUe+K
+IY8FQ6yN6l27MK56wlj4hw2gYz+cyBUBCExCgYMQlOSg2ilH4qYyFvccSDUH7jTA
+NwpsIBfdoUVbI+j2ivn+ZGD614LtIStGgUu0mDDVxVOWnRvq/z7LMaa2jwIDAQAB
+ozUwMzAOBgNVHQ8BAf8EBAMCAKAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0T
+AQH/BAIwADALBgkqhkiG9w0BAQsDggEBAJq3JzTLrIWCF8rHLTTm1icE9PjOO0sV
+a1wrmdJ6NwRbJ66dLZ/4G/NZjVOnce9WFHYLFSEG+wx5YVUPuJXpJaSdy0h8F0Uw
+hiJwgeVsGg7vcf4G6mWHrsauDOhylnD31UtYPX1Ao/jcntyyf+gCQpY1J/B8l1yU
+LNOwvWLVLpZwZ4ehbKA/UnDXgA+3uHvpzl//cPe0cnt+Mhrgzk5mIMwVR6zCZw1G
+oVutAHpv2PXxRwTMu51J+QtSL2b2w3mGHxDLpmz8UdXOtkxdpmDT8kIOtX0T5yGL
+29F3fa81iZPs02GWjSGOfOzmCCvaA4C5KJvY/WulF7OOgwvrBpQwqTI=
+-----END CERTIFICATE-----

contrib/docker-integration/tokenserver-oauth/certs/signing.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA3IXUwqSdO2QTj2ET6fJPGe+KWVntQCQQWjkWVpOz8L2A29BR
+vv9z6lYNf9sOM0Xb5IUAgoZ/s3U6LNYT/RWYFBfeo40rXd/MNKAn0kFsSb6BIKmU
+wPqFeqc8wiPX6yY4SbF1sUTkCTkw3yFHg/AIlwmhpFH39mAmV+x0kTzFR/78ZDD5
+CUNS59bbu+7UqB06YrJuVEwPY98YixSPXTcaKimsUe+KIY8FQ6yN6l27MK56wlj4
+hw2gYz+cyBUBCExCgYMQlOSg2ilH4qYyFvccSDUH7jTANwpsIBfdoUVbI+j2ivn+
+ZGD614LtIStGgUu0mDDVxVOWnRvq/z7LMaa2jwIDAQABAoIBAD2tiNZv6DImSXo+
+sq0qQomEf/OBvWPFMnWppd/NK/TXa+UPHO4I0MjoDJqIEC6zCU+fC4d2St1MmlrT
+/X85vPFRw8mGwGxfHeRSLxEVj04I5GDYTWy0JQUrJUk/cTKp2/Bwm/RaylTyFAM0
+caYrSpvD69vjuTDFr7PDxM6iaqM53zK/vD8kCe81z+wN0UbAKsLlUOKztjH6SzL9
+uVOkekIT/j3L2xxyQhjmhfA3TuCP4uNK/+6/4ovl9Nj4pQsFomsCk4phgqy9SOm1
+4yufmVd8k7J3cppMlMPNc+7tqe2Xn593Y8QT95y3yhtkFECF70yBw64HMDDpA22p
+5b/JV9ECgYEA9H4RBXOwbdjcpCa9H3mFjHqUQCqNme1vOSGiflZh9KBCDKgdqugm
+KHpvAECADie0p6XRHpxRvufKnGFkJwedfeiKz51T+0dqgPxWncYT1TC+cAjOSzfM
+wBpUOcAyvTTviwGbg4bLanHo4remzCbcnRvHQX4YfPFCjT9GhsU+XEUCgYEA5ubz
+IlSu1wwFJpoO24ZykGUyqGUQXzR0NrXiLrpF0764qjmHyF8SPJPv1XegSxP/nUTz
+SjVfJ7wye/X9qlOpBY8mzy9qQMMKc1cQBV1yVW8IRZ7pMYQZO7qmrZD/DWTa5qWt
+pqSbIH2FKedELsKJA/SBtczKjspOdDKyh0UelsMCgYA7DyTfc0XAEy2hPXZb3wgC
+mi2rnlvcPf2rCFPvPsCkzf2GfynDehaVmpWrsuj8Al1iTezI/yvD+Mv5oJEH2JAT
+tROq+S8rOOIiTFJEBHAQBJlMCOSESPNdyD5mQOZAzEO9CWNejzYd/WwrL//Luut5
+zBcC3AngTIsuAYXw0j6xHQKBgQDamkAJep7k3W5q82OplgoUhpqFLtlnKSP1QBFZ
+J+U/6Mqv7jONEeUUEQL42H6bVd2kqUikMw9ZcSVikquLfBUDPFoDwOIZWg4k0IJM
+cgHyvGHad+5SgLva/oUawbGWnqtXvfc/U4vCINPXrimxE1/grLW4xp/mu8W24OCA
+jIG/PQKBgD/Apl+sfqiB/6ONBjjIswA4yFkEXHSZNpAgcPwhA+cO5D0afEWz2HIx
+VeOh5NjN1EL0hX8clFW4bfkK1Vr0kjvbMUXnBWaibUgpiVQl9O9WjaKQLZrp4sRu
+x2kJ07Qn6ri7f/lsqOELZwBy95iHWRdePptaAKkRGxJstHI7dgUt
+-----END RSA PRIVATE KEY-----

contrib/docker-integration/tokenserver-oauth/registry-config-notls.yml

@@ -0,0 +1,18 @@
+version: 0.1
+loglevel: debug
+storage:
+    cache:
+        blobdescriptor: inmemory
+    filesystem:
+        rootdirectory: /tmp/registry-dev
+http:
+    addr: 0.0.0.0:5000
+compatibility:
+    schema1:
+        enabled: true
+auth:
+    token:
+        realm: "https://auth.localregistry:5559/token/"
+        issuer: "registry-test"
+        service: "registry-test"
+        rootcertbundle: "/etc/docker/registry/tokenbundle.pem"

contrib/docker-integration/tokenserver-oauth/registry-config.yml

@@ -0,0 +1,21 @@
+version: 0.1
+loglevel: debug
+storage:
+    cache:
+        blobdescriptor: inmemory
+    filesystem:
+        rootdirectory: /tmp/registry-dev
+http:
+    addr: 0.0.0.0:5000
+    tls:
+        certificate: "/etc/docker/registry/localregistry.cert"
+        key: "/etc/docker/registry/localregistry.key"
+compatibility:
+    schema1:
+        enabled: true
+auth:
+    token:
+        realm: "https://auth.localregistry:5559/token/"
+        issuer: "registry-test"
+        service: "registry-test"
+        rootcertbundle: "/etc/docker/registry/tokenbundle.pem"

contrib/docker-integration/tokenserver/.htpasswd

@@ -0,0 +1 @@
+testuser:$2y$05$T2MlBvkN1R/yICNnLuf1leOlOfAY0DvybctbbWUFKlojfkShVgn4m

contrib/docker-integration/tokenserver/Dockerfile

@@ -0,0 +1,8 @@
+FROM dmcgowan/token-server@sha256:0eab50ebdff5b6b95b3addf4edbd8bd2f5b940f27b41b43c94afdf05863a81af
+
+WORKDIR /
+
+COPY ./.htpasswd /.htpasswd
+COPY ./certs/auth.localregistry.cert /tls.cert
+COPY ./certs/auth.localregistry.key /tls.key
+COPY ./certs/signing.key /sign.key

contrib/docker-integration/tokenserver/certs/auth.localregistry.cert

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHDCCAgagAwIBAgIRAKhhQMnqZx+hkOmoUYgPb+kwCwYJKoZIhvcNAQELMCYx
+ETAPBgNVBAoTCFF1aWNrVExTMREwDwYDVQQDEwhRdWlja1RMUzAeFw0xNjAxMjgw
+MDQyMzFaFw0xOTAxMTIwMDQyMzFaMDAxETAPBgNVBAoTCFF1aWNrVExTMRswGQYD
+VQQDExJhdXRoLmxvY2FscmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQD1tUf1EghBlIRrE83yF4zDgRu7vH2Jo0kygKJUWtQQe+DfXyjjE/fg
+FdKnnoEjsIeF9hxNbTt0ldDz7/n97pbMhoiXULi9iq4jlgSzVL2XEAgrON0YSY/c
+Lmmd1KSa/pOUZr2WMAYPZ+FdQfE1W7SMNbErPefBqYdFzpZ+esAtvbajYwIjl8Vy
+9c4bidx4vgnNrR9GcFYibjC5sj8syh/OtbzzqiVGT8YcPpmMG6KNRkausa4gqpon
+NKYG8C3WDaiPCLYKcvFrFfdEWF/m2oj14eXACXT9iwp8r4bsLgXrZwqcpKOWfVRu
+qHC8aV476EYgxWCAOANExUdUaRt5wL/jAgMBAAGjPzA9MA4GA1UdDwEB/wQEAwIA
+oDAMBgNVHRMBAf8EAjAAMB0GA1UdEQQWMBSCEmF1dGgubG9jYWxyZWdpc3RyeTAL
+BgkqhkiG9w0BAQsDggEBABxPGK9FdGDxcLowNsExKnnZvmQT3H0u+Dux1gkp0AhH
+KOrmx3LUENUKLSgotzx133tgOgR5lzAWVFy7bhLwlPhOslxf2oEfztsAMd/tY8rW
+PrG2ZqYqlzEQQ9INbAc3woo5A3slN07uhP3F16jNqoMM4zRmw6Ba70CluGKT7x5+
+xVjKoWITLjWDXT5m35PnsN8CpBaFzXYcod/5p9XwCFp0s+aNxfpZECCV/3yqIr+J
+ALzroPh43FAlG96o4NyYZ2Msp63newN19R2+TgpV4nXuw2mLVDpvetP7RRqnpvj/
+qwRgt5j4hFjJWb61M0ELL7A9fA71h1ImdGCvnArdBQs=
+-----END CERTIFICATE-----

contrib/docker-integration/tokenserver/certs/auth.localregistry.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA9bVH9RIIQZSEaxPN8heMw4Ebu7x9iaNJMoCiVFrUEHvg318o
+4xP34BXSp56BI7CHhfYcTW07dJXQ8+/5/e6WzIaIl1C4vYquI5YEs1S9lxAIKzjd
+GEmP3C5pndSkmv6TlGa9ljAGD2fhXUHxNVu0jDWxKz3nwamHRc6WfnrALb22o2MC
+I5fFcvXOG4nceL4Jza0fRnBWIm4wubI/LMofzrW886olRk/GHD6ZjBuijUZGrrGu
+IKqaJzSmBvAt1g2ojwi2CnLxaxX3RFhf5tqI9eHlwAl0/YsKfK+G7C4F62cKnKSj
+ln1UbqhwvGleO+hGIMVggDgDRMVHVGkbecC/4wIDAQABAoIBAQCrsjXKRwOF8CZo
+PLqZBWPT6hBbK+f9miC4LbNBhwbRTf9hl7mWlImOCTHe95/+NIk/Ty+P21jEqzwM
+ehETJPoziX9BXaL6sEHnlBlMx1aEjStoKKA3LJBeqAAdzk4IEQVHmlO4824IreqJ
+pF7Njnunzo0zTlr4tWJVoXsAfv5z9tNtdkxYBbIa0fjfGtlqXU3gLq58FCON3mB/
+NGc0AyA1UFGp0FzpdEcwTGD4InsXbcmsl2l/VPBJuZbryITRqWs6BbK++80DRhNt
+afMhP+IzKrWSCp0rBYrqqz6AevtlKdEfQK1yXPEjN/63QLMevt8mF/1JCp//TQnf
+Z6bIQbAhAoGBAP7vFA0PcvoXt9MXvvAwrKY1s6pNw4nWPG27qY1/m+DkBwP8IQms
+4AWGv1wscZzXJYTvaLO5/qjmGUj50ohcVEvyZJioh1pKXA8Chxvd6rBA/O/Lj5E0
+3MOSA5Q0gxJ0Mhv0zGbbyN5fY8D8zhxoqQP4LoW+UdZG2Oi6JxsQ9c9dAoGBAPa8
+U3bGuM5OGA9EWP7mkB/VnjDTL1aEIN3cOHbHIKwH/loxdYcNMBE7vwxV1CzgIzXT
+wsL0iE15fQdK938u0+um8aH5QtbWNI8tdk1XVjEC/i3C7N6WVUutneCKUDb4QxiB
+9OvWCbNNiN+xTKBBM93YlwO3GYfrW9Pmm9q1+hg/AoGBALJlUS22gun50PxaIJZq
+KVcCO2DQnCYHki/j48mN4+HjD/m85M2lePrFCYIR48syTyIQer9SR5+frVAA6k/b
+9G1VCQo+3MDVSkiCp1Nb3tBKGfYgB65ARMBinDiI6rPuNeaUTrkn0g+yxtaU0hLV
+Nnj9omia/x+oYj+xjI4HN0xNAoGARy92dSJIV104m88ATip/EnAzP6ruUWu1f8z1
+jW9OAdQckjEK03f+kjpGmGx61qekAPejjVO3r4KJi/0ZAtyjz61OsYiUvB748wYO
+x6mW+HUAmHtQk7eTzE2+6vV8xx9BXGTCIPiTu+N2xfMFRIcLS8odZ7j/6LMCv1Qd
+SzCNg0kCgYBaNlEs4pK1VxZZpEWwVmFpgIxfEfxLIaGrek6wBTcCn/VA2M0oHuez
+mlMio8VY0yWPBJz30JflDiTmYIvteLPMHT0N0J6isiXLhzJSFI4+cAMLE2Q5v8rz
+W+W5/L8YZeierW0qJat1BrgStaf5ZLpiOc9pKBSwycydPH5BfVdK/A==
+-----END RSA PRIVATE KEY-----

contrib/docker-integration/tokenserver/certs/ca.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9TCCAd+gAwIBAgIQNS9SaFSFBN7Zvwjalrf2DDALBgkqhkiG9w0BAQswJjER
+MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE2MDEyODAw
+NDIzMFoXDTE5MDExMjAwNDIzMFowJjERMA8GA1UEChMIUXVpY2tUTFMxETAPBgNV
+BAMTCFF1aWNrVExTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu/Pf
+fQ7VUTSXs12PRyrLDVDz7kPDbGNTt0vF7FYDmTTGOU3i62xZNOGuxBezAiVSV5A3
+lopwsv4OH7DRtSaPn+XCt1JDALna2WrjT0MshypMd5o2c3jmGUfAKf5gjizgIoEl
+d4e5aqEBuOQP+QCEde+8p8N1buQW+zMy9srM2O/7BFMIaQ07CWLlj3hIiF+L5rKD
+L6dWtKT7INRmRwpuZZnThEWnBSNgayrWek6G0i3y8QYTfVA1SwA+H3grJxy5NrLp
+GYXSmu2509mu0QAHhx05t1rJhwhFz/4sG7j8AggYeDXEqfQ/VIb/bvnW9bD+vrQ2
+ZnICvxnzNMYBx23BkQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAKQwDwYDVR0TAQH/
+BAUwAwEB/zALBgkqhkiG9w0BAQsDggEBALvTi6E44Fltu83dFLVEj0kLtusI/TTH
+Tw6upoB5pRG+7A75w0Ii8bvvd2tNpBOg+L+80xyIFqaNkXhLKTN4lgtd7WiCuyb/
+w1BEuF/+RjCXhu6wQ/63ab46d6ctaQ1zjxlU2rQLQXQFALI8ntyn/TELc01HYkr2
+x3NHlbnBNlgI2CKXPeUBzvBylTCcdYGwoa+2ZPdIsFjle2aCIBoZ+WNZlIbFwgLh
+XCHwcbviC+thjqOneJpJZmRW9AxQ638ki6iGItdrJewCN/1dcL2KKjxnC5VHbpne
+SOjEPNXihY08Brl8myhFNtRRKZ55MJIYzDtVQSkCaT91Q3XX9tSZadY=
+-----END CERTIFICATE-----

contrib/docker-integration/tokenserver/certs/localregistry.cert

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDETCCAfugAwIBAgIQN7rT95eAy75c4n6/AsDJODALBgkqhkiG9w0BAQswJjER
+MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE2MDEyODAw
+NDIzMloXDTE5MDExMjAwNDIzMlowKzERMA8GA1UEChMIUXVpY2tUTFMxFjAUBgNV
+BAMTDWxvY2FscmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDLi75QEkl/qekcoOJlNv9y1IXvrbU2ssl4ViJiZRjWx+/CkyCCOyf9YUpAgRLr
+Pskqde2mwhuNP8yBlOBb17Sapz7N3+hJi5j9vLBAFcamPeF3PqxjFv7j5TKkRmSI
+dFYQclREwMUd3qEH322KkqOnsEEfdmCgFqWORe+QR5AxzxQP3Pnd4OYH1yZCh0MQ
+P2pJgrxxf2I5I/m1AUgoHV1cdBbCv9LGohJPpMtwPC0dJpgMFcnf6hT37At236AY
+V437HiRruY7iPWkYFrSPWpwdslJ32MZvRN5RS163jZXjiZ7qWnQOiiDJfXe4evB/
+yQLN4m0qVQxsMz7rkY7OsqaXAgMBAAGjOjA4MA4GA1UdDwEB/wQEAwIAoDAMBgNV
+HRMBAf8EAjAAMBgGA1UdEQQRMA+CDWxvY2FscmVnaXN0cnkwCwYJKoZIhvcNAQEL
+A4IBAQAyUb3EuMaOylBeV8+4KeBiE4lxykDOwLLSk3jXRsVVtfJpX3v8l5vwo/Jf
+iG8tzzz+7uiskI96u3TsekUtVkUxujfKevMP+369K/59s7NRmwwlFMyB2fvL14B2
+oweVjWvM/8fZl6irtFdbJFXXRm7paKso5cmfImxhojAwohgcd4XTVLE/7juYa582
+AaBdRuIiyL71MU9qa1mC5+57AaSLPYaPKpahemgYYkV1Z403Kd6rXchxdQ8JIAL8
++0oYTSC+svnz1tUU/V5E5id9LQaTmDN5iIVFhNpqAaZmR45UI86woWvnkMb8Ants
+4aknwTwY3300PuTqBdQufvOFDRN5
+-----END CERTIFICATE-----

contrib/docker-integration/tokenserver/certs/localregistry.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAy4u+UBJJf6npHKDiZTb/ctSF7621NrLJeFYiYmUY1sfvwpMg
+gjsn/WFKQIES6z7JKnXtpsIbjT/MgZTgW9e0mqc+zd/oSYuY/bywQBXGpj3hdz6s
+Yxb+4+UypEZkiHRWEHJURMDFHd6hB99tipKjp7BBH3ZgoBaljkXvkEeQMc8UD9z5
+3eDmB9cmQodDED9qSYK8cX9iOSP5tQFIKB1dXHQWwr/SxqIST6TLcDwtHSaYDBXJ
+3+oU9+wLdt+gGFeN+x4ka7mO4j1pGBa0j1qcHbJSd9jGb0TeUUtet42V44me6lp0
+DoogyX13uHrwf8kCzeJtKlUMbDM+65GOzrKmlwIDAQABAoIBAF6vFMp+lz4RteSh
+Wm8m1FGAVwWVUpStOlcGClynFpTi0L88XYT3K7UMStQSttBDlqRv0ysdZF+ia+lj
+bbKLdvHyFp8CJzX/AB4YZgyJlKzEYFtuBhbaHZu5hIMyU5W+OELSTCznV0p7w4C8
+CGLLr+FTdhfCo1QU9NJn6fa9s2/XRdSClBBalAHYs0ZS7ZckaF/sPiC/VapfBMet
+qjJXNYiO6pXYriGWKF9zdAMfk2CM0BVWbnwQZkMSEQirrTcJwm3ezyloXCv2nywK
+/VzbUT1HJVyzo5oAwTd0MwDc2oEMiFzlfO028zY4LDltpia+SyWvFi5NaIqzFESc
+yLgJacECgYEA3jvH+ZQHQf42Md8TCciokaYvwWIKJdk4WRjbvE5cBZekyXAm7/3b
+/1VFDKsy2RPlfmfHP3wy9rlnjzsRveB5qaclgS8aI67AYsWd/yRgfRatl7Ve9bHl
+LY6VM5L/DZTxykcqivwjc77XoDuBfUKs6tyuSLQku+FOTbLtNYlUCHECgYEA6nkR
+lkXufyLmDhNb3093RsYvPcs1kGaIIGTnz3cxWNh485DgsyLBuYQ5ugupQkzM8YSt
+ohDTmVpggqjlXQxCg0Zw8gkEV0v8KsLGjn1CuTJg/mBArXlelq1FEeRAYC9/YfOz
+ocXegHV7wDKKtcraNZFsEc7Z0LwbC9wtzSFG44cCgYASkMX1CLPOhJE8e1lY0OWc
+PVjx++HDJbF6aAQ7aARyBygiF/d4xylw3EvHcinuTqY2eC8CE7siN3z6T0H9Ldqc
+HLWaZDf30SqLVd0MKprQ+GsKKIHFXtY5hxbZ1ybtmIrWjjl0oPnJOqFC5pW7xC0z
+9bmtozcKZxkmjpMYjN9zUQKBgQCqV6KLRerqunPgLfhE1/qTlE+l2QflDFhBEI3I
+j5NuNHZKnSphehK7sHAv1WD2Jc2OeRGb+BWCB8Ktqf5YBxwbOwW7EQnyUeW1OyP9
+SMs8uHj21P6oCNDLLr5LLUQHnPoyM1aBZLstICzziMR1JhY5bJjSpzBfEQmlKCSu
+LkrN6QKBgQCRXrBJRUxeJj7wCnCSq0Clf9NhCpQnwo4bEx8sKlj8K8ku8MvwQwoM
+3KfWc7bOl6A2/mM/k4yoHtBMM9X9xqYtsgeFhxuiWBcfTmTxWh73LQ48Kgbrgodt
+6yTccnjr7OtBidD85c6lgjAUgcL43QY8mlw0OhzXAZ2R5HWFp4ht+w==
+-----END RSA PRIVATE KEY-----

contrib/docker-integration/tokenserver/certs/signing.cert

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9TCCAd+gAwIBAgIRAJ6IIisIZxL86oe3oeoAgWUwCwYJKoZIhvcNAQELMCYx
+ETAPBgNVBAoTCFF1aWNrVExTMREwDwYDVQQDEwhRdWlja1RMUzAeFw0xNjAxMjgw
+MDQyMzNaFw0xOTAxMTIwMDQyMzNaMBMxETAPBgNVBAoTCFF1aWNrVExTMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3IXUwqSdO2QTj2ET6fJPGe+KWVnt
+QCQQWjkWVpOz8L2A29BRvv9z6lYNf9sOM0Xb5IUAgoZ/s3U6LNYT/RWYFBfeo40r
+Xd/MNKAn0kFsSb6BIKmUwPqFeqc8wiPX6yY4SbF1sUTkCTkw3yFHg/AIlwmhpFH3
+9mAmV+x0kTzFR/78ZDD5CUNS59bbu+7UqB06YrJuVEwPY98YixSPXTcaKimsUe+K
+IY8FQ6yN6l27MK56wlj4hw2gYz+cyBUBCExCgYMQlOSg2ilH4qYyFvccSDUH7jTA
+NwpsIBfdoUVbI+j2ivn+ZGD614LtIStGgUu0mDDVxVOWnRvq/z7LMaa2jwIDAQAB
+ozUwMzAOBgNVHQ8BAf8EBAMCAKAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0T
+AQH/BAIwADALBgkqhkiG9w0BAQsDggEBAJq3JzTLrIWCF8rHLTTm1icE9PjOO0sV
+a1wrmdJ6NwRbJ66dLZ/4G/NZjVOnce9WFHYLFSEG+wx5YVUPuJXpJaSdy0h8F0Uw
+hiJwgeVsGg7vcf4G6mWHrsauDOhylnD31UtYPX1Ao/jcntyyf+gCQpY1J/B8l1yU
+LNOwvWLVLpZwZ4ehbKA/UnDXgA+3uHvpzl//cPe0cnt+Mhrgzk5mIMwVR6zCZw1G
+oVutAHpv2PXxRwTMu51J+QtSL2b2w3mGHxDLpmz8UdXOtkxdpmDT8kIOtX0T5yGL
+29F3fa81iZPs02GWjSGOfOzmCCvaA4C5KJvY/WulF7OOgwvrBpQwqTI=
+-----END CERTIFICATE-----

contrib/docker-integration/tokenserver/certs/signing.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA3IXUwqSdO2QTj2ET6fJPGe+KWVntQCQQWjkWVpOz8L2A29BR
+vv9z6lYNf9sOM0Xb5IUAgoZ/s3U6LNYT/RWYFBfeo40rXd/MNKAn0kFsSb6BIKmU
+wPqFeqc8wiPX6yY4SbF1sUTkCTkw3yFHg/AIlwmhpFH39mAmV+x0kTzFR/78ZDD5
+CUNS59bbu+7UqB06YrJuVEwPY98YixSPXTcaKimsUe+KIY8FQ6yN6l27MK56wlj4
+hw2gYz+cyBUBCExCgYMQlOSg2ilH4qYyFvccSDUH7jTANwpsIBfdoUVbI+j2ivn+
+ZGD614LtIStGgUu0mDDVxVOWnRvq/z7LMaa2jwIDAQABAoIBAD2tiNZv6DImSXo+
+sq0qQomEf/OBvWPFMnWppd/NK/TXa+UPHO4I0MjoDJqIEC6zCU+fC4d2St1MmlrT
+/X85vPFRw8mGwGxfHeRSLxEVj04I5GDYTWy0JQUrJUk/cTKp2/Bwm/RaylTyFAM0
+caYrSpvD69vjuTDFr7PDxM6iaqM53zK/vD8kCe81z+wN0UbAKsLlUOKztjH6SzL9
+uVOkekIT/j3L2xxyQhjmhfA3TuCP4uNK/+6/4ovl9Nj4pQsFomsCk4phgqy9SOm1
+4yufmVd8k7J3cppMlMPNc+7tqe2Xn593Y8QT95y3yhtkFECF70yBw64HMDDpA22p
+5b/JV9ECgYEA9H4RBXOwbdjcpCa9H3mFjHqUQCqNme1vOSGiflZh9KBCDKgdqugm
+KHpvAECADie0p6XRHpxRvufKnGFkJwedfeiKz51T+0dqgPxWncYT1TC+cAjOSzfM
+wBpUOcAyvTTviwGbg4bLanHo4remzCbcnRvHQX4YfPFCjT9GhsU+XEUCgYEA5ubz
+IlSu1wwFJpoO24ZykGUyqGUQXzR0NrXiLrpF0764qjmHyF8SPJPv1XegSxP/nUTz
+SjVfJ7wye/X9qlOpBY8mzy9qQMMKc1cQBV1yVW8IRZ7pMYQZO7qmrZD/DWTa5qWt
+pqSbIH2FKedELsKJA/SBtczKjspOdDKyh0UelsMCgYA7DyTfc0XAEy2hPXZb3wgC
+mi2rnlvcPf2rCFPvPsCkzf2GfynDehaVmpWrsuj8Al1iTezI/yvD+Mv5oJEH2JAT
+tROq+S8rOOIiTFJEBHAQBJlMCOSESPNdyD5mQOZAzEO9CWNejzYd/WwrL//Luut5
+zBcC3AngTIsuAYXw0j6xHQKBgQDamkAJep7k3W5q82OplgoUhpqFLtlnKSP1QBFZ
+J+U/6Mqv7jONEeUUEQL42H6bVd2kqUikMw9ZcSVikquLfBUDPFoDwOIZWg4k0IJM
+cgHyvGHad+5SgLva/oUawbGWnqtXvfc/U4vCINPXrimxE1/grLW4xp/mu8W24OCA
+jIG/PQKBgD/Apl+sfqiB/6ONBjjIswA4yFkEXHSZNpAgcPwhA+cO5D0afEWz2HIx
+VeOh5NjN1EL0hX8clFW4bfkK1Vr0kjvbMUXnBWaibUgpiVQl9O9WjaKQLZrp4sRu
+x2kJ07Qn6ri7f/lsqOELZwBy95iHWRdePptaAKkRGxJstHI7dgUt
+-----END RSA PRIVATE KEY-----