Merge pull request #532 from dmcgowan/multi-config-test

Multi configuration tests via compose
2015-05-22 16:48:40 -07:00 · 2015-05-22 16:48:40 -07:00 · cfa432f47a
commit cfa432f47a
parent 2317f721a3 0e8cf8cc47
20 changed files with 648 additions and 0 deletions
--- a/contrib/docker-integration/Makefile
+++ b/contrib/docker-integration/Makefile
@ -0,0 +1,22 @@
+.PHONY: build test
+
+build:
+	docker-compose build
+
+start: build
+	docker-compose up -d
+
+stop:
+	docker-compose stop
+
+clean:
+	docker-compose kill
+	docker-compose rm -f
+
+install:
+	sh ./install_certs.sh
+
+test: 
+	# Run tests
+
+all: build
--- a/contrib/docker-integration/README.md
+++ b/contrib/docker-integration/README.md
@ -0,0 +1,70 @@
+# Docker Registry Multi-Configuration Testing
+
+This compose configuration is intended to setup a testing environment for Docker
+using multiple registry configurations. These configurations include different
+combinations of a v1 and v2 registry as well as TLS configurations.
+
+### Limitations
+
+Currently this setup is configured to use localhost as the hostname which
+limits the ease of testing within Docker since localhost is always treated
+as an insecure registry. To treat localhost as secure the Docker code must
+be modified. Without localhost as secure, the test cases will not distinguish
+between a TLS configuration with a CA and self-signed.
+
+### Install Docker Compose
+
+1. Open a new terminal on the host with your `distribution` source.
+
+2. Get the `docker-compose` binary.
+
+		$ sudo wget https://github.com/docker/compose/releases/download/1.1.0/docker-compose-`uname  -s`-`uname -m` -O /usr/local/bin/docker-compose
+
+	This command installs the binary in the `/usr/local/bin` directory.
+
+3. Add executable permissions to the binary.
+
+		$  sudo chmod +x /usr/local/bin/docker-compose
+
+## Usage
+
+### Start compose setup
+```
+docker-compose up
+```
+
+### Install Certificates
+The certificates must be installed in /etc/docker/cert.d in order to use TLS client auth and use the CA certificate.
+```
+sudo sh ./install_certs.sh
+```
+
+### Test with Docker
+Tag an image as with any other private registry. Attempt to push the image.
+
+```
+docker pull hello-world
+docker tag hello-world localhost:5440/hello-world
+docker push localhost:5440/hello-world
+
+docker tag hello-world localhost:5441/hello-world
+docker push localhost:5441/hello-world
+# Perform login using user `testuser` and password `passpassword`
+```
+
+## Configurations
+
+Port | V2 | V1 | TLS | Authentication
+--- | --- | --- | --- | ---
+5000 | yes | yes | no | none
+5001 | no | yes | no | none
+5002 | yes | no | no | none
+5440 | yes | yes | yes | none
+5441 | yes | yes | yes | basic (testuser/passpassword)
+5442 | yes | yes | yes | TLS client
+5443 | yes | yes | yes | TLS client (no CA)
+5444 | yes | yes | yes | TLS client + basic (testuser/passpassword)
+5445 | yes | yes | yes (no CA) | none
+5446 | yes | yes | yes (no CA) | basic (testuser/passpassword)
+5447 | yes | yes | yes (no CA) | TLS client
+5448 | yes | yes | yes (SSLv3) | none
--- a/contrib/docker-integration/docker-compose.yml
+++ b/contrib/docker-integration/docker-compose.yml
@ -0,0 +1,26 @@
+nginx:
+  build: "nginx"
+  ports:
+    - "5000:5000"
+    - "5001:5001"
+    - "5002:5002"
+    - "5440:5440"
+    - "5441:5441"
+    - "5442:5442"
+    - "5443:5443"
+    - "5444:5444"
+    - "5445:5445"
+    - "5446:5446"
+    - "5447:5447"
+    - "5448:5448"
+  links:
+    - registryv1:registryv1
+    - registryv2:registryv2
+registryv1:
+  image: registry
+  ports:
+    - "5000"
+registryv2:
+  build: "../../"
+  ports:
+    - "5000"
--- a/contrib/docker-integration/install_certs.sh
+++ b/contrib/docker-integration/install_certs.sh
@ -0,0 +1,34 @@
+#!/bin/sh
+
+hostname=$1
+if [ "$hostname" == "" ]; then
+	hostname="localhost"
+fi
+
+mkdir -p /etc/docker/certs.d/$hostname:5440
+cp ./nginx/ssl/registry-ca+client-ca.pem /etc/docker/certs.d/$hostname:5440/ca.crt
+
+mkdir -p /etc/docker/certs.d/$hostname:5441
+cp ./nginx/ssl/registry-ca+client-ca.pem /etc/docker/certs.d/$hostname:5441/ca.crt
+
+mkdir -p /etc/docker/certs.d/$hostname:5442
+cp ./nginx/ssl/registry-ca+client-ca.pem /etc/docker/certs.d/$hostname:5442/ca.crt
+cp ./nginx/ssl/registry-ca+client-client.pem /etc/docker/certs.d/$hostname:5442/client.cert
+cp ./nginx/ssl/registry-ca+client-client-key.pem /etc/docker/certs.d/$hostname:5442/client.key
+
+mkdir -p /etc/docker/certs.d/$hostname:5443
+cp ./nginx/ssl/registry-ca+client-ca.pem /etc/docker/certs.d/$hostname:5443/ca.crt
+cp ./nginx/ssl/registry-ca+client+bad-client.pem /etc/docker/certs.d/$hostname:5443/client.cert
+cp ./nginx/ssl/registry-ca+client+bad-client-key.pem /etc/docker/certs.d/$hostname:5443/client.key
+
+mkdir -p /etc/docker/certs.d/$hostname:5444
+cp ./nginx/ssl/registry-ca+client-ca.pem /etc/docker/certs.d/$hostname:5444/ca.crt
+cp ./nginx/ssl/registry-ca+client-client.pem /etc/docker/certs.d/$hostname:5444/client.cert
+cp ./nginx/ssl/registry-ca+client-client-key.pem /etc/docker/certs.d/$hostname:5444/client.key
+
+mkdir -p /etc/docker/certs.d/$hostname:5447
+cp ./nginx/ssl/registry-ca+client-client.pem /etc/docker/certs.d/$hostname:5447/client.cert
+cp ./nginx/ssl/registry-ca+client-client-key.pem /etc/docker/certs.d/$hostname:5447/client.key
+
+mkdir -p /etc/docker/certs.d/localhost:5448
+cp ./nginx/ssl/registry-ca+client-ca.pem /etc/docker/certs.d/localhost:5448/ca.crt
--- a/contrib/docker-integration/nginx/Dockerfile
+++ b/contrib/docker-integration/nginx/Dockerfile
@ -0,0 +1,8 @@
+FROM nginx:1.9
+
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY registry.conf /etc/nginx/conf.d/registry.conf
+COPY docker-registry.conf /etc/nginx/docker-registry.conf
+COPY docker-registry-v2.conf /etc/nginx/docker-registry-v2.conf
+COPY test.passwd /etc/nginx/test.passwd
+COPY ssl /etc/nginx/ssl
--- a/contrib/docker-integration/nginx/docker-registry-v2.conf
+++ b/contrib/docker-integration/nginx/docker-registry-v2.conf
@ -0,0 +1,6 @@
+proxy_pass                          http://docker-registry-v2;
+proxy_set_header  Host              $http_host;   # required for docker client's sake
+proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header  X-Forwarded-Proto $scheme;
+proxy_read_timeout                  900;
--- a/contrib/docker-integration/nginx/docker-registry.conf
+++ b/contrib/docker-integration/nginx/docker-registry.conf
@ -0,0 +1,7 @@
+proxy_pass                          http://docker-registry;
+proxy_set_header  Host              $http_host;   # required for docker client's sake
+proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header  X-Forwarded-Proto $scheme;
+proxy_set_header  Authorization     ""; # see https://github.com/docker/docker-registry/issues/170
+proxy_read_timeout                  900;
--- a/contrib/docker-integration/nginx/nginx.conf
+++ b/contrib/docker-integration/nginx/nginx.conf
@ -0,0 +1,27 @@
+user  nginx;
+worker_processes  1;
+
+error_log /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log main;
+
+    sendfile        on;
+
+    keepalive_timeout  65;
+
+    include /etc/nginx/conf.d/*.conf;
+}
+
--- a/contrib/docker-integration/nginx/registry.conf
+++ b/contrib/docker-integration/nginx/registry.conf
@ -0,0 +1,231 @@
+# Docker registry proxy for api versions 1 and 2
+
+upstream docker-registry {
+  server registryv1:5000;
+}
+
+upstream docker-registry-v2 {
+  server registryv2:5000;
+}
+
+# No client auth or TLS
+server {
+  listen 5000;
+  server_name localhost;
+
+  # disable any limits to avoid HTTP 413 for large image uploads
+  client_max_body_size 0;
+
+  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
+  chunked_transfer_encoding on;
+
+  location /v2/ {
+    # Do not allow connections from docker 1.5 and earlier
+    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+      return 404;
+    }
+    
+    include               docker-registry-v2.conf;
+  }
+
+  location / {
+    include               docker-registry.conf;
+  }
+}
+
+# No client auth or TLS (V1 Only)
+server {
+  listen 5001;
+  server_name localhost;
+
+  # disable any limits to avoid HTTP 413 for large image uploads
+  client_max_body_size 0;
+
+  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
+  chunked_transfer_encoding on;
+
+  location / {
+    include               docker-registry.conf;
+  }
+}
+
+# No client auth or TLS (V2 Only)
+server {
+  listen 5002;
+  server_name localhost;
+
+  # disable any limits to avoid HTTP 413 for large image uploads
+  client_max_body_size 0;
+
+  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
+  chunked_transfer_encoding on;
+
+  location / {
+    include               docker-registry-v2.conf;
+  }
+}
+
+# TLS Configuration chart
+# Username/Password: testuser/passpassword
+#      | ca  | client | basic | notes
+# 5440 | yes | no     | no    | Tests CA certificate
+# 5441 | yes | no     | yes   | Tests basic auth over TLS
+# 5442 | yes | yes    | no    | Tests client auth with client CA
+# 5443 | yes | yes    | no    | Tests client auth without client CA
+# 5444 | yes | yes    | yes   | Tests using basic auth + tls auth
+# 5445 | no  | no     | no    | Tests insecure using TLS
+# 5446 | no  | no     | yes   | Tests sending credentials to server with insecure TLS
+# 5447 | no  | yes    | no    | Tests client auth to insecure
+# 5448 | yes | no     | no    | Bad SSL version
+
+server {
+  listen 5440;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+client-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+client-cert-key.pem;
+  client_max_body_size 0;
+  chunked_transfer_encoding on;
+  location /v2/ {
+    include               docker-registry-v2.conf;
+  }
+  location / {
+    include               docker-registry.conf;
+  }
+}
+
+server {
+  listen 5441;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+client-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+client-cert-key.pem;
+  client_max_body_size 0;
+  chunked_transfer_encoding on;
+  location /v2/ {
+    auth_basic "registry.localhost";
+    auth_basic_user_file test.passwd;
+    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
+    include               docker-registry-v2.conf;
+  }
+  location / {
+    auth_basic "registry.localhost";
+    auth_basic_user_file test.passwd;
+    include               docker-registry.conf;
+  }
+}
+
+server {
+  listen 5442;
+  listen 5443;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+client-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+client-cert-key.pem;
+  ssl_client_certificate /etc/nginx/ssl/registry-ca+client-ca.pem;
+  ssl_verify_client on;
+  client_max_body_size 0;
+  chunked_transfer_encoding on;
+  location /v2/ {
+    include               docker-registry-v2.conf;
+  }
+  location / {
+    include               docker-registry.conf;
+  }
+}
+
+server {
+  listen 5444;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+client-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+client-cert-key.pem;
+  ssl_client_certificate /etc/nginx/ssl/registry-ca+client-ca.pem;
+  ssl_verify_client on;
+  client_max_body_size 0;
+  chunked_transfer_encoding on;
+  location /v2/ {
+    auth_basic "registry.localhost";
+    auth_basic_user_file test.passwd;
+    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
+    include               docker-registry-v2.conf;
+  }
+  location / {
+    auth_basic "registry.localhost";
+    auth_basic_user_file test.passwd;
+    include               docker-registry.conf;
+  }
+}
+
+server {
+  listen 5445;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-noca-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-noca-cert-key.pem;
+  client_max_body_size 0;
+  chunked_transfer_encoding on;
+  location /v2/ {
+    include               docker-registry-v2.conf;
+  }
+  location / {
+    include               docker-registry.conf;
+  }
+}
+
+server {
+  listen 5446;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-noca-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-noca-cert-key.pem;
+  client_max_body_size 0;
+  chunked_transfer_encoding on;
+  location /v2/ {
+    auth_basic "registry.localhost";
+    auth_basic_user_file test.passwd;
+    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
+    include               docker-registry-v2.conf;
+  }
+  location / {
+    auth_basic "registry.localhost";
+    auth_basic_user_file test.passwd;
+    include               docker-registry.conf;
+  }
+}
+
+server {
+  listen 5447;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-noca-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-noca-cert-key.pem;
+  ssl_client_certificate /etc/nginx/ssl/registry-ca+client-ca.pem;
+  ssl_verify_client on;
+  client_max_body_size 0;
+  chunked_transfer_encoding on;
+  location /v2/ {
+    include               docker-registry-v2.conf;
+  }
+  location / {
+    include               docker-registry.conf;
+  }
+}
+
+server {
+  listen 5448;
+  server_name localhost;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+client-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+client-cert-key.pem;
+  ssl_protocols       SSLv3;
+  client_max_body_size 0;
+  chunked_transfer_encoding on;
+  location /v2/ {
+    include               docker-registry-v2.conf;
+  }
+  location / {
+    include               docker-registry.conf;
+  }
+}
--- a/contrib/docker-integration/nginx/ssl/registry-ca+client+bad-ca.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+client+bad-ca.pem
@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0jCCAbygAwIBAgIRAMr82BZHNQr+D4lvPgzaVGYwCwYJKoZIhvcNAQELMBQx
+EjAQBgNVBAoTCVRlc3QsIEluYzAeFw0xNDEwMTYxODIxMjRaFw0xNzA5MzAxODIx
+MjRaMBQxEjAQBgNVBAoTCVRlc3QsIEluYzCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAJ0Je1XCrYUmfsKneLMztW3140CvmjAWSJ/ajsGWvKZ+y0DMpmN4
+St8wdmjxMBZb3wiYedgFyUMUKlXaq1Jjl0S0B3qPHuhvdfiXB2xF3KFLC319VHj4
+xsOHKF1bQEEYsQgD+7L8FkDYbDCkzfzXlRiw7hqPR3RxQTvtxVXsdRy1j8ygBMXX
+mlVjnhj4/eS7N2d8LVtJVVC0/7I7xwQvDXrI1kdXh9tL7bHpihR5iG0+fnWSQngG
+jz63+hf5TNQzTmC4/eaJyrgzB+6O9ydBDaVbUy6RizZVa0I+ZMc/Wl+KD6TIWcGW
+QNE9br9ZqNn+vayuLwI4vwFG7hSXp4O5cpcCAwEAAaMjMCEwDgYDVR0PAQH/BAQD
+AgCkMA8GA1UdEwEB/wQFMAMBAf8wCwYJKoZIhvcNAQELA4IBAQAnrSbVYiyJFYKB
+ZgNBpMUcX9iBlBF9ZIxhFRs0Cts+IlAu+HOyrrbCYcmXf1T8E0EMicSKwvvxzl5g
+7A7homkiWTed1Twod2+YmTXoMx7rCPAaWHEF3z5GCYAu7HDv9oT2FhmK8AI8hGw5
+dw2W+iYCnzZa60dffk6v1PJ69JUwPjYW+cT+yKJhaZMXJe7rDvJkAiBx8Ok/6BDR
+HrIL1KbN6mnnYNIvK2WBWiu6oGWjxEBeaSCfAkWbG4RPNyrTGeafYlQnkp1dHcRw
+XWiNN4k4cUU5LlMQuYElbE892m9xbmsdXs2/6eULPamypR4I9K2oAoFndpSagw9w
+rfwN6qVb
+-----END CERTIFICATE-----
--- a/contrib/docker-integration/nginx/ssl/registry-ca+client+bad-client-key.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+client+bad-client-key.pem
@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAvC2MLvsTGT2mNCBSRb8So3wsIJCnAOBPftmsO1MCY3oIG3Og
+Jv/WCihRqgCO1vnG7wLhH45my4+/9d1EsFTg5JRSyACHnBCydFcqfXBeqJYyUfSo
+hsP0iqpF7El003D3o4uMmJXArsHa4SosBhO38/niYz7adMB12gcuRoydZ7c6PVUC
+aBMEBSbfjABiqJw552iUmcr3q0zvXXrg9FXgJuPU52rzis8uQnZ6zRZEAYWQoJX1
+YTWI0gBpyZpcxDgAzs5oEtYzbcpr1FQOzI1m4xxICY44VK8BcIbnwHx3hZjgl2+O
+j0nYRMFtmJ0uMwhToIrLqY3Jiln4TKehvPsVIQIDAQABAoIBAC9PkEgbjeCxtEC0
+w5qPgIMj7AA//gzlWHc/CONdamNSQgmM134WolypaGbCfycjY1WiNrF1Xvjc6llJ
+SUTAAk7Vz75DC9U8CXHgnGkvQE1IfdxHE7vWNnxKdQwEJ+AlLc2rfyy5sdj+Gia0
+MJ9Sg9RORhHHsqrZ3Id1eLf6EHULmEYC7+7RZXQV1Iuqo20yrVhUxXgyDN3YuQvL
+4sSF7GdN1XfV721CVvqUbWNq/Gfvcb6peZoY/Pxnvlj7AwC2E/iaQn6oMwjhQBXC
+hxb4oA2ByiOUAhOZvJNIB5qlRrars3a0H+Xcz9LSc/5qmYnVpZPNVJqd2Qs+Sw3P
+pR827/ECgYEAyMNUBux99eKwBDjKvwUYw8Fw1u0Y+y7ht5iDJM9NC+yWPcrclYuP
+xkaz55KmkEhTj2I0XEoqGcr+pu61/jPyHfd5G+AXGCP3F2OSu2kOuli18OkeXqyK
+Acnslof3bDwncHEwcUkRheBuMCyhZBiAUwba6x5KwGtvjS426h8c9eUCgYEA7/PL
+KekYmeVyY0uj5wo5ywaY3FhCmhfPDx32r2nl/yMKcZhkzViqZ4y2USsMkHy2fgCq
+Zj6jiaq48af85vsmQhI6ylPMTVjEeinl1u5aCa6GediDxhYl5aRTNQLPkY6LXe8Y
+5mYDSLfYxCDCuTVYTEXt9LYq4ZQC6lUqZhDuro0CgYEAp5+nBczpcqad7jh417rq
+rW9SxrDZ/cdsAL3fKZnIK5+S5e799AK9vYAE7+HbHna1Be+p5jCqLDT4H+sJm0BF
+9E1PGj4lKivFQAsMVVvnRyGQb6BEkimfZNTyq9DEfeNPzqtDFiM69Tuo5KIu8oMe
+ibQcjtkQ8s4BKrCeeyYVKR0CgYB4vGLto6wNQ7Za4CSIjEyoK5mexYo9nt1A7gLC
+ILbpuef3YIbYDFUx5UuXa+HWkeoBXLRg3gPLsWt9rNlEH/sQI7wRMjkKci/qiEpt
+62DCnl5r0NX9RgerlROJCPEIfIEDstsEky/z1w3rIdDZAE59knI5P7Az8RXGczPy
+R3LRwQKBgAOnC0x8h4XmpRwKlqS02SZ9PTGB/fZUwcKTbcyYnOwJwEFPPGb/dHhy
+nv2Un8m1pjPE63Pk376g68MQF4XNfPy/wAYmhJi4KomEm8rg8QuB2H3CylYC0+Cg
+ztp3XVYq/B3LWwku2+vV++2tLn3uoq1TnqSZjZphUeaOU5cBz32E
+-----END RSA PRIVATE KEY-----
--- a/contrib/docker-integration/nginx/ssl/registry-ca+client+bad-client.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+client+bad-client.pem
@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3DCCAcagAwIBAgIRAOg6qTxxAC/TLMVh3yHFXrkwCwYJKoZIhvcNAQELMBQx
+EjAQBgNVBAoTCVRlc3QsIEluYzAeFw0xNDEwMTYxODIxMjZaFw0xNzA5MzAxODIx
+MjZaMBQxEjAQBgNVBAoTCVRlc3QsIEluYzCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALwtjC77Exk9pjQgUkW/EqN8LCCQpwDgT37ZrDtTAmN6CBtzoCb/
+1gooUaoAjtb5xu8C4R+OZsuPv/XdRLBU4OSUUsgAh5wQsnRXKn1wXqiWMlH0qIbD
+9IqqRexJdNNw96OLjJiVwK7B2uEqLAYTt/P54mM+2nTAddoHLkaMnWe3Oj1VAmgT
+BAUm34wAYqicOedolJnK96tM71164PRV4Cbj1Odq84rPLkJ2es0WRAGFkKCV9WE1
+iNIAacmaXMQ4AM7OaBLWM23Ka9RUDsyNZuMcSAmOOFSvAXCG58B8d4WY4Jdvjo9J
+2ETBbZidLjMIU6CKy6mNyYpZ+Eynobz7FSECAwEAAaMtMCswDgYDVR0PAQH/BAQD
+AgCgMAwGA1UdEwEB/wQCMAAwCwYDVR0RBAQwAoIAMAsGCSqGSIb3DQEBCwOCAQEA
+YyHiScRIXsEpcuRnGL5jZSetpLtaRjkckowlSJaqyCujObYmBnn73FLGV1HRcV04
+yshIIfKy0lhEDwXGBddi1dG/2qR1cM0Dm4c8C/q7ZekSXiqyKkyTlguukTqPBnvh
+MjO/QAt0wlyedGqISFs3M3mQP0fow8ga3bodn+/QkA+MfxvXu1IkkQhz6jZCUH1/
+4v9qnvyzOQ2AQy+guT3qNPfTYxG4LVbw05ikHP9+pe7pOcNTkS8f8xQqaMauq0kQ
+mStfKHYGMlU6FrHGiL30NBq5bIG8dAYR+C1yPQib9HqKR+WmpP+RioySLMLHUIIy
+/bHpU2x9O7se3evfeGvVXw==
+-----END CERTIFICATE-----
--- a/contrib/docker-integration/nginx/ssl/registry-ca+client-ca.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+client-ca.pem
@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbugAwIBAgIQUS0bMOIDjWHV6FCW/cYLJjALBgkqhkiG9w0BAQswFDES
+MBAGA1UEChMJVGVzdCwgSW5jMB4XDTE0MTAxNjE4MjEyOFoXDTE3MDkzMDE4MjEy
+OFowFDESMBAGA1UEChMJVGVzdCwgSW5jMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA4OKN3dRSySSMCVA4QWOh06aocCWO49z4H1PctwVKUHe3WCfB9BNv
+8jJFZe7d5hMxOAfA5Y5wmZaQTnR5Cq8W8uaR4oozusVHgMtPGlOn65Ur5+WmlCg6
+R7Uxbs3z9KP6D1qv60W1AG2od1kU9aPrfCxp+R2h23xBLLD25r2u4vP9Wod/i4cI
+oDi+2neVZlmT4eNOMarcQaOjtwadtN8XNZFh7I5OGaDplrVLyGDjlvjZfUIH/bVJ
+eC4aC/M2+y/OinL1QfEfhLd2o9jQM7I0+RJdxWdNa+LDM7UhIUvQR16KKgKFto/J
+7FPCIoiOq9XSiifnjuEwhIlnSxsnBAyI2QIDAQABoyMwITAOBgNVHQ8BAf8EBAMC
+AKQwDwYDVR0TAQH/BAUwAwEB/zALBgkqhkiG9w0BAQsDggEBACRQw+RqBdp4yChz
+e9VeS34tZHcWM9msHUqwu0snrr+Zq6HLmROaSAOWcQNoYCA3zMD/uPFvM5y25aBk
+D6EKByf1RUOJTCcEAkosdd4XEAsmO4lLTzOiGbS3oz0RqNmYVuoXOco18abQl55I
+avrr3GTmD1S3ZyLx/YdShQfHmhf0WjMfSReI1SIrL2YOLwKc+MDHRd1iL/mxV5BL
+9QO4+51MxePG1EMyEbA1OxKdgSM1aiIlPrPu7tDsb1+LQr+U0EGr0a/cm8UQatAG
+e+fWMxJY2uJPBo+xskrOdm6ZSWDhpy/RIlK5hnuWNSV8YGqLpGGCHFdmHu1htXnn
+8MltC4w=
+-----END CERTIFICATE-----
--- a/contrib/docker-integration/nginx/ssl/registry-ca+client-cert-key.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+client-cert-key.pem
@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA6PKtNbZcCOWJgimXnLZt7IVfvOFs/TtDf0wViiXXUN9oDSTk
+zZISLnlUV0fUjzWTZpxFnE0CRIoqH7d3NTJw0E7I4bChqKMOOQCB9cJFtpQkdiRb
+rbHYED62i3T+ZYwUrkYaVBCe69oWAc//0vqc/nrutrqYYRhCskb1jipBKO+byi+4
+8fbAaUsbaBcmDLVpwjLTATmAnV24Pa1kheAvEsnDyWnz/SihOglTXytq21cxQ0Xl
+GH0GA7i9OdUXa7xx9hP7t7lPhnEAUJnhYPVnUCYL54kwAGbIuCWUGmJpZyjnR2cp
+AgsrD0j/BdWNShof1m2k1BROOFkCYGPIcTmvswIDAQABAoIBAB2ZEAb+F62NtK4U
+KM5ho4/k1mhCYD3AtO/MtAPskPIWoLri0CuKfsLm6Z95YfmcPhFQk8urQTmCMJ39
+Cql4sjrVd9KtRa0OorT9aoXWXFM5eXSFZByqtyBBR6JqiBRQ+yO1hozd28Nt31P1
+oLSm4SG4bvJKvSfBFGBggbzBg6v2n86aHPHcrDvXMSPQshOne37A8d7Kq0ZWbV3u
+B7BbEhiDybqEgBba8A0zetwBHMVxjsfnukVMJS25CWzmPJ3RfpCVF4tubj8dSNSi
+lZxUhWHoa5S1Q3NS43YzdmppSsi+4D3298foG2wI2SnBMUiP0Xr3jgRF76qcenWh
+CXzexPECgYEA8effsZlubez6gvQ5Hpq8kaWf1npJfYHWXLv/glGYnz91bT9Qrpg/
+MiAPoTBr+Wvj3OBdITDfcnL4aSdxyIJtn2FvPINDs1lDj1HDsI23SIoUtsH4f99E
+cOskXTGIfVBUSuaxHU8yCkOaxZMy806S8OwTaKHI0iZqZJnEBcGJnmkCgYEA9oUx
+g7QZFvs9uD2z2j3gJxWFOZduHo+n1N7RxdjTTqmNg2J2ppgBqaHv2zXJ9tgu23Ve
+0HpfHzyRv2YczEAXz5iet6A/FMvzXm3Otmhf6n8t+Gu58NN/Ke3PbAm5kv5mZXG8
+ilWbYqTAS6EbsszLhkORkt4HW/UHZK6hBHL+EbsCgYEA6CSIurpvCvacAQe1uPTt
+eSfkF8MKu3LZ7+xJ6xm6yTfwzIIyPxrDqqqx1RHOzHEJHnIBbVSlWgOS9/Zubukb
+ohOy1/NwCLDk8Kiajtewx+AauLe0baIo3+QH5ZcfUILCIY748ROLBeaSpH/6KRuC
+T8l9Zq+7NFDBUQFu58cu9eECgYEApGu71asGXPSfesX0sig42/iXjgz5DnskJm+j
+HEF81mdyEmJW3tBds4VllCCxHumbfxYucgBcd1oPn8f8hyJsfzK9EZ5Y1IcfQCkf
+CTxeVOoUgC9hqkV1+EI76UQnOOpi42BTrzRf2hAmjYrcDYpYaKmia4GZCPVJxBZR
+IMWNvccCgYEAvkjXqVSIggzuV5sr5j0w4Odcw6DvC54kf9jxkcIOiu0X3IDqxvkJ
+Z+Gb0amleMgn1qVDFOvv/f2iZPAZyuPDp2QJpDZXi0C03Oxx1IcpUzPf5Lq0rKX/
+30K/i+5uqBjc+tf7flmKPxprbTOoVqDHcfTRB8vqHKvgFzvlY9eAOqc=
+-----END RSA PRIVATE KEY-----
--- a/contrib/docker-integration/nginx/ssl/registry-ca+client-cert.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+client-cert.pem
@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAc6gAwIBAgIQYJR75sBkkaDfbMixd3wqtzALBgkqhkiG9w0BAQswFDES
+MBAGA1UEChMJVGVzdCwgSW5jMB4XDTE0MTAxNjE4MjEyOVoXDTE3MDkzMDE4MjEy
+OVowFDESMBAGA1UEChMJVGVzdCwgSW5jMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA6PKtNbZcCOWJgimXnLZt7IVfvOFs/TtDf0wViiXXUN9oDSTkzZIS
+LnlUV0fUjzWTZpxFnE0CRIoqH7d3NTJw0E7I4bChqKMOOQCB9cJFtpQkdiRbrbHY
+ED62i3T+ZYwUrkYaVBCe69oWAc//0vqc/nrutrqYYRhCskb1jipBKO+byi+48fbA
+aUsbaBcmDLVpwjLTATmAnV24Pa1kheAvEsnDyWnz/SihOglTXytq21cxQ0XlGH0G
+A7i9OdUXa7xx9hP7t7lPhnEAUJnhYPVnUCYL54kwAGbIuCWUGmJpZyjnR2cpAgsr
+D0j/BdWNShof1m2k1BROOFkCYGPIcTmvswIDAQABozYwNDAOBgNVHQ8BAf8EBAMC
+AKAwDAYDVR0TAQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwCwYJKoZIhvcN
+AQELA4IBAQCxlcReoNoTqsdr/CENrA/cPE7ND2bpQxDvznIelnaCWHiTyatD/t1N
+Wnw0dkEa/t2BF/uHyJHsup4jdL+jQhaNmocdW0v/o7lqktJlDvFN5Dbws0T97qbg
+ke5o/PyLWkRhuq4LOXMLb4azMqZhmXAWuEyDFN8BcVeqdrhmyS3JQIuYoKmdqoXd
+eTF5Z0y/BC2bcEOrEG66ro5KNc8qBFrg7CViU9jw+tEcMzo0JogcllcoMw7SK0zG
+QQFt0km+NJ7Vt7jWXP9+vgak+JBS4e6w3aiyARP5R3ikOcCNQBAhNyr/RqDz2bgg
+Ervse9PmrFH/5EuJ+GNUFlqadW8oM2c/
+-----END CERTIFICATE-----
--- a/contrib/docker-integration/nginx/ssl/registry-ca+client-client-key.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+client-client-key.pem
@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAvVvIq4NPfIb/Q3d/sA0C9Aui/ZA4y6VXj9eFDyhDQN3ntD/1
+Z+4bWI6VFULqAsqP7+h/5f3KH9jDeF3tvmahPfpnHSjQwz6Bx3MUzeB/9NE2AEYt
+Ak8bddjzAblAAHofIQQRWSQqBoWttpNTKlxit48cGhqSaS4SOPdcsqRWd0nJJ1V3
+CpFMRjuw0mfPyG71IUlQGNbypN2hevLT5NKudlDXl07dnZHULwe/cDal8LhDLa+l
+kDeWHYqKC/zcibhOGk2mnXsxxZY4H1L/SAL/hkbFqov1NrxxScMSexCPjm8gThAq
+TAotlJYRo2frfxFujbcfc3TIfmdjUmF0he5H9QIDAQABAoIBAFJDKHdSUVrA7u4p
+YOBjlq/cyk8rs3DNALAtqdF+5VCt1nYY/wzKhTjAoIWfDzhtNYC82atZyNBzA+Ar
+thfsUAoz2U3yqFbZtdmm5hfWeuApbzNJSU5ifYSB3ngWOXa7lwBp2vuF2XgB5QiX
+Eh8qCXzDACta9dYZvLLgy3WULTgeprfyR0CVxGRNv4C5BRumKIZ5hS516m5eKa79
+2n3Qusfm5GjKHpyPa1v5igPRKS5GNEG8LsQ/zF/131DiRpinCyktQ5sb6NLQEpFU
+TDAyW9LblsB7fAHRI/UZvoDKzq7klGp3ap5mzzVNfzZ3FbrA/Qt8TNs56GJU1gnC
+DS4f1wECgYEAx3l2ADnt8YSHunYDBBKXc21tX6qA3PgZp16RJkR4tIvuuc82gV8u
+qURMxvzYc8pwsc+CqLKGuk9UDPxPUza899e403FyLb1+V8RLTseG6hvfUXcWkm+S
+fOtpYCRQJVMo/+hmEHM7QFiWvfsR5AxfeEf7dIMUGqSVxfGkSfhglbUCgYEA8wR6
+5nS8FzO7twB3xQFsQNKMDUa358Lcj0DUJWEqXD344DNzPm4vvIOySzAuXE6oS3Vs
+kBmBxeCNshPz2v7cDD+J0jTg2dGKySK5zvqfKzD9L4XBryixyvN4R9iyDRTJmVoO
+zBSEiJ4GyQHhemg7QbLevaw5MQSrutQ8PHQiUUECgYBztxAu/Wv9CUa7ci45tJdL
+DJXAQ2bRyNMI9qD5NAtZoTtxarVRw2eMJeTsIk1mjm9llt1TA42IkvBNQCi8OyrQ
+E8JSVqNHyX97ZpHRN4oaUOTxm0Xq2PJ/qQjODwK3RFCqc6SRsmcS4tE/kGBGjK7t
+VcSXSFrnQcbot0744i8VaQKBgQDRyCZH1rGf3drHqTG68PWAJ8EanNeYy9AWIcKA
+2hX1NtImyINNe1TeCVnaKid7K7OAIEetRTePl7754Nt7StKuCBNzUI5huc9yvfVk
+RVktscZ+RZrjF+AS8IX+j4N0Y2N8bA+mAHhAbxowXt1EC8JLfptlZMyiEgQk7Z1q
+Gl6dgQKBgA7Wm8N5L8Bri/Ys6K8QcYOVwvHVPh5WTCT+lJqoEQoeIejfg3FVeH2w
+cbbUnM0OuczzEz8j4M6kD/DfMU51Szmb81Jp9+U8uVJx+9WEDvn4Vcyu7IkVyJxJ
+lr90vXhiruv+MCNXo7y0PQ/nQwLO+BYtKKLrEG7k0ZqaNQ7OE/nu
+-----END RSA PRIVATE KEY-----
--- a/contrib/docker-integration/nginx/ssl/registry-ca+client-client.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-ca+client-client.pem
@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2zCCAcWgAwIBAgIQKoeTe/O4d1JTN1PM6vpS2TALBgkqhkiG9w0BAQswFDES
+MBAGA1UEChMJVGVzdCwgSW5jMB4XDTE0MTAxNjE4MjEzMVoXDTE3MDkzMDE4MjEz
+MVowFDESMBAGA1UEChMJVGVzdCwgSW5jMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAvVvIq4NPfIb/Q3d/sA0C9Aui/ZA4y6VXj9eFDyhDQN3ntD/1Z+4b
+WI6VFULqAsqP7+h/5f3KH9jDeF3tvmahPfpnHSjQwz6Bx3MUzeB/9NE2AEYtAk8b
+ddjzAblAAHofIQQRWSQqBoWttpNTKlxit48cGhqSaS4SOPdcsqRWd0nJJ1V3CpFM
+Rjuw0mfPyG71IUlQGNbypN2hevLT5NKudlDXl07dnZHULwe/cDal8LhDLa+lkDeW
+HYqKC/zcibhOGk2mnXsxxZY4H1L/SAL/hkbFqov1NrxxScMSexCPjm8gThAqTAot
+lJYRo2frfxFujbcfc3TIfmdjUmF0he5H9QIDAQABoy0wKzAOBgNVHQ8BAf8EBAMC
+AKAwDAYDVR0TAQH/BAIwADALBgNVHREEBDACggAwCwYJKoZIhvcNAQELA4IBAQDR
+uj9ADvnuw4Ejw3r2cUI9rFxfdgaJ10AbOnmHbkror6/ImuXbcfB7DynOpe9ZATYb
+EvGXyNb6TgAX3O2Y4Bp645TVydtmFZJQHadxgtwmUlYTxDRMZGwn0tLuOUrLD18E
+UUpLQjQ9zuLjGqb70YOhtofcshNlBWSWxHPPuuc5KUaNigBYPxjDVXUsIPMeOKBY
+K16DDIBHmGMRrDsgxu2vxZs7bHSklmLtKAr6g3IAoBVCmNEG7ot55cX4iF0eBiwp
+9KmUN/7ekS6QKmB41FIWNOB2W/j8y2J7CnQC0ig8S6g2DF2s8ZHe4FttH2tP4Psh
+12BhOB6OP5TyINJSWbEx
+-----END CERTIFICATE-----
--- a/contrib/docker-integration/nginx/ssl/registry-noca-cert-key.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-noca-cert-key.pem
@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAthxWELaJGNDImbtYh1IBjZgofdBoXSnS/bGya84xaGCrTVwj
+rvI2N2hYJVdQY4wFDjQEq/Uygp24ayOAzT1sCvHEclXk2hJuVsjss5G0F17j0kwo
+l45SROf78RXYFCShOqy2FTahI1noFOgsvnY7eL9nfy3vcG5y/I7mXMrC6+RJ4gMC
+U4bqyHQXBJaFm3ijHM2naEr1B5yrU3r3KiiksknJHSxynap++pPM+ln144Keytok
+ci1b+yzr/jmoMXfRu8+GbH6H3OOJpoV1/I7bsMfNpzk4HbsLY2Pd7emKOGAOnsv7
+KnGxlxfCmwgFdTvkyIOVcHisDG2Dw+Sm3hXFPQIDAQABAoIBAQCbD/eslXCZA7W7
+SM1xs78EzMm1j049/Y3dXIAa0WA6iw1xeoIbxbuqZBuh9/3INYJcfKh5rveKRjew
+anOSzrj/fKsT29VYZhczqDP8FpVszOxZtWVe3t1oNMvOlRX+2M28AzGrUG/WhQhb
+PPJUXqH3B6tdnERjzHf2WssFudRNPAz3/j2pfgKh3Uy6jkmrhjxXmE3cKsGg1+tA
+OGTVAFwy7Uo0OUoa0wZhRsLo7WoFpcyDIy1Q4bm0bAoO1wU5rpwKaP0j1X1I8SdL
+j7WN2jBT4/Y2jTIOQ3SYbjEdxVU3owEidyLxKHyeJo4uqQ1RW2amgyMz3p5iq78w
+yrG/YORhAoGBAMT3qwNeMbxpI3jgXFxIorva6oq9zXmZQAk6+xjV2ndpDrBo6Xic
+D/m8yeAZl/a28WacJ0+rAe0PuDM2FilGLIGvJGNBsex4dIKRY1zTxmJK3IUCFz2C
+YdMtyTqL4eYK9S2Nh3n1eluUgNp0xngSFxtZqSH2BConvuLt6RVY8dc1AoGBAOyw
+yFZ9hnzckKJvprv9LB9o87B5qEMcgzbVSeZsr/pzLWSQ/qcGnNToXPAH8qlzVf0Y
+R9HKjhrE8vcA5neSOjKf7xFKTcPLBNQ4tIYR9g0FZTUCBkWWqF1rb3+ySF4K9r73
+RfBSLYVQbjatrOWZh9UXJjFwtkFXHk8CcieR5A7pAoGAKJguy8PnFkDJCcmb330s
+5PCqdCvIJG6cTwqz45t3qjKhz2Pf8nafqEXriV9c/YEY4Z//TiEdhYE+4nccPCd1
+VskFA9vvUqBEywAx7VjMQ0fQiS00Iv4zMTX3ijR4O1Q40cmgiVc5f5RsthlpKif4
+US+6dwBgPVvxsI1+A2NQfJ0CgYBMnZTb2loURNlUm0ufgn4r1K89KsQ6pRocP8Ji
+IkB8k5fX+89ShaNyj5y13fzAuSLWgGuPD0AcjjAPoGz5u423IWojcKfnfuobQBe/
+ZkT9RgfStssM742kX8iBz1X5ixcADc7H0fIGO1jRvjo/QAlmAs5MJq34TJj0/lex
+U1o9MQKBgQCPyn3FZnAhKwgirzfGVkSE0UF7NBYgLTcZKgRwGl6MXbMbQsPvxGeN
+5BcdfSk3Q9QS+53u5OaH740FoOE9UADBjCGX6l4hI9EluSpFO9xJvBC0tJFNTKNo
+Z7xGKqRefJDtFoeRG/PG5/mVQazNemHzt7nfmnLTCaq8KBVe6WIjgg==
+-----END RSA PRIVATE KEY-----
--- a/contrib/docker-integration/nginx/ssl/registry-noca-cert.pem
+++ b/contrib/docker-integration/nginx/ssl/registry-noca-cert.pem
@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5DCCAc6gAwIBAgIQUpvarzpHjk04FFl3lx40YTALBgkqhkiG9w0BAQswFDES
+MBAGA1UEChMJVGVzdCwgSW5jMB4XDTE0MTAxNjE4MjEyNVoXDTE3MDkzMDE4MjEy
+NVowFDESMBAGA1UEChMJVGVzdCwgSW5jMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAthxWELaJGNDImbtYh1IBjZgofdBoXSnS/bGya84xaGCrTVwjrvI2
+N2hYJVdQY4wFDjQEq/Uygp24ayOAzT1sCvHEclXk2hJuVsjss5G0F17j0kwol45S
+ROf78RXYFCShOqy2FTahI1noFOgsvnY7eL9nfy3vcG5y/I7mXMrC6+RJ4gMCU4bq
+yHQXBJaFm3ijHM2naEr1B5yrU3r3KiiksknJHSxynap++pPM+ln144Keytokci1b
+yzr/jmoMXfRu8+GbH6H3OOJpoV1/I7bsMfNpzk4HbsLY2Pd7emKOGAOnsv7KnGx
+lxfCmwgFdTvkyIOVcHisDG2Dw+Sm3hXFPQIDAQABozYwNDAOBgNVHQ8BAf8EBAMC
+AKAwDAYDVR0TAQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwCwYJKoZIhvcN
+AQELA4IBAQBfdYyCYeG8c/nzm9HDDFW11zS1EI9o0TjLWj/8f44lYPMyrBMn0z84
+wOJW3Gnu7OCfifj8TEFJqaXuZmNIr4bhHCLj7bFuvCJpaXDJ55mm8IN0qdkCC29w
+pcLYtB5YiRhDpkXH7fEuS4G1Ak8cgVNaIOGHxiaQsGK2ecHm2R8hVMsB+Wb2xhOf
+jfNouLJjXAbjG0atoVPoMjQ3r6zdzamnCD8f1qwFTjxAg6oJwDMfsEzgsRHub9la
+NHIYmSUunolPz5R8HMvYvGWw82uHau9KNVCQZMWJbAafaXzMpwsIDlbn9yRIf4OY
+CbOZJSLGSbUZrYAfCWd2h/2VhHjM5fNw
+-----END CERTIFICATE-----
--- a/contrib/docker-integration/nginx/test.passwd
+++ b/contrib/docker-integration/nginx/test.passwd
@ -0,0 +1 @@
+testuser:$apr1$YmLhHjm6$AjP4z8J1WgcUNxU8J4ue5.
				`@ -0,0 +1 @@`
				`testuser:$apr1$YmLhHjm6$AjP4z8J1WgcUNxU8J4ue5.`