@@ -4,6 +4,7 @@ import (

 	"context"

 	"net/http"

+	"github.com/docker/docker/api/types/registry"

 	"github.com/sirupsen/logrus"

 )

@@ -30,7 +31,7 @@ func (c CORSMiddleware) WrapHandler(handler func(ctx context.Context, w http.Res

 		logrus.Debugf("CORS header is enabled and set to: %s", corsHeaders)

 		w.Header().Add("Access-Control-Allow-Origin", corsHeaders)

-		w.Header().Add("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, X-Registry-Auth")

+		w.Header().Add("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, "+registry.AuthHeader)

 		w.Header().Add("Access-Control-Allow-Methods", "HEAD, GET, POST, DELETE, PUT, OPTIONS")

 		return handler(ctx, w, r, vars)

 	}

@@ -13,7 +13,7 @@ import (

 	"github.com/docker/distribution/reference"

 	"github.com/docker/docker/api/server/httputils"

 	"github.com/docker/docker/api/types"

-	registrytypes "github.com/docker/docker/api/types/registry"

+	"github.com/docker/docker/api/types/registry"

 	"github.com/docker/docker/errdefs"

 	v1 "github.com/opencontainers/image-spec/specs-go/v1"

 	"github.com/pkg/errors"

@@ -28,8 +28,8 @@ func (s *distributionRouter) getDistributionInfo(ctx context.Context, w http.Res

 	var (

 		config              = &types.AuthConfig{}

-		authEncoded         = r.Header.Get("X-Registry-Auth")

-		distributionInspect registrytypes.DistributionInspect

+		authEncoded         = r.Header.Get(registry.AuthHeader)

+		distributionInspect registry.DistributionInspect

 	)

 	if authEncoded != "" {

@@ -14,6 +14,7 @@ import (

 	"github.com/docker/docker/api/server/httputils"

 	"github.com/docker/docker/api/types"

 	"github.com/docker/docker/api/types/filters"

+	"github.com/docker/docker/api/types/registry"

 	"github.com/docker/docker/api/types/versions"

 	"github.com/docker/docker/errdefs"

 	"github.com/docker/docker/image"

@@ -63,7 +64,7 @@ func (s *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrite

 			}

 		}

-		authEncoded := r.Header.Get("X-Registry-Auth")

+		authEncoded := r.Header.Get(registry.AuthHeader)

 		authConfig := &types.AuthConfig{}

 		if authEncoded != "" {

 			authJSON := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded))

@@ -100,7 +101,7 @@ func (s *imageRouter) postImagesPush(ctx context.Context, w http.ResponseWriter,

 	}

 	authConfig := &types.AuthConfig{}

-	authEncoded := r.Header.Get("X-Registry-Auth")

+	authEncoded := r.Header.Get(registry.AuthHeader)

 	if authEncoded != "" {

 		// the new format is to handle the authConfig as a header

 		authJSON := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded))

@@ -360,7 +361,7 @@ func (s *imageRouter) getImagesSearch(ctx context.Context, w http.ResponseWriter

 	}

 	var (

 		config      *types.AuthConfig

-		authEncoded = r.Header.Get("X-Registry-Auth")

+		authEncoded = r.Header.Get(registry.AuthHeader)

 		headers     = map[string][]string{}

 	)

@@ -27,7 +27,7 @@ func parseHeaders(headers http.Header) (map[string][]string, *types.AuthConfig)

 	}

 	// Get X-Registry-Auth

-	authEncoded := headers.Get("X-Registry-Auth")

+	authEncoded := headers.Get(registry.AuthHeader)

 	authConfig := &types.AuthConfig{}

 	if authEncoded != "" {

 		authJSON := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded))

@@ -10,6 +10,7 @@ import (

 	basictypes "github.com/docker/docker/api/types"

 	"github.com/docker/docker/api/types/backend"

 	"github.com/docker/docker/api/types/filters"

+	"github.com/docker/docker/api/types/registry"

 	types "github.com/docker/docker/api/types/swarm"

 	"github.com/docker/docker/api/types/versions"

 	"github.com/docker/docker/errdefs"

@@ -207,7 +208,7 @@ func (sr *swarmRouter) createService(ctx context.Context, w http.ResponseWriter,

 	}

 	// Get returns "" if the header does not exist

-	encodedAuth := r.Header.Get("X-Registry-Auth")

+	encodedAuth := r.Header.Get(registry.AuthHeader)

 	queryRegistry := false

 	if v := httputils.VersionFromContext(ctx); v != "" {

 		if versions.LessThan(v, "1.30") {

@@ -240,7 +241,7 @@ func (sr *swarmRouter) updateService(ctx context.Context, w http.ResponseWriter,

 	var flags basictypes.ServiceUpdateOptions

 	// Get returns "" if the header does not exist

-	flags.EncodedRegistryAuth = r.Header.Get("X-Registry-Auth")

+	flags.EncodedRegistryAuth = r.Header.Get(registry.AuthHeader)

 	flags.RegistryAuthFrom = r.URL.Query().Get("registryAuthFrom")

 	flags.Rollback = r.URL.Query().Get("rollback")

 	queryRegistry := false

new file mode 100644

@@ -0,0 +1,5 @@

+package registry // import "github.com/docker/docker/api/types/registry"

+

+// AuthHeader is the name of the header used to send encoded registry

+// authorization credentials for registry operations (push/pull).

+const AuthHeader = "X-Registry-Auth"

@@ -5,13 +5,13 @@ import (

 	"encoding/json"

 	"net/url"

-	registrytypes "github.com/docker/docker/api/types/registry"

+	"github.com/docker/docker/api/types/registry"

 )

 // DistributionInspect returns the image digest with the full manifest.

-func (cli *Client) DistributionInspect(ctx context.Context, image, encodedRegistryAuth string) (registrytypes.DistributionInspect, error) {

+func (cli *Client) DistributionInspect(ctx context.Context, image, encodedRegistryAuth string) (registry.DistributionInspect, error) {

 	// Contact the registry to retrieve digest and platform information

-	var distributionInspect registrytypes.DistributionInspect

+	var distributionInspect registry.DistributionInspect

 	if image == "" {

 		return distributionInspect, objectNotFoundError{object: "distribution", id: image}

 	}

@@ -23,7 +23,7 @@ func (cli *Client) DistributionInspect(ctx context.Context, image, encodedRegist

 	if encodedRegistryAuth != "" {

 		headers = map[string][]string{

-			"X-Registry-Auth": {encodedRegistryAuth},

+			registry.AuthHeader: {encodedRegistryAuth},

 		}

 	}

@@ -8,6 +8,7 @@ import (

 	"github.com/docker/distribution/reference"

 	"github.com/docker/docker/api/types"

+	"github.com/docker/docker/api/types/registry"

 )

 // ImageCreate creates a new image based on the parent options.

@@ -32,6 +33,6 @@ func (cli *Client) ImageCreate(ctx context.Context, parentReference string, opti

 }

 func (cli *Client) tryImageCreate(ctx context.Context, query url.Values, registryAuth string) (serverResponse, error) {

-	headers := map[string][]string{"X-Registry-Auth": {registryAuth}}

+	headers := map[string][]string{registry.AuthHeader: {registryAuth}}

 	return cli.post(ctx, "/images/create", query, nil, headers)

 }

@@ -10,6 +10,7 @@ import (

 	"testing"

 	"github.com/docker/docker/api/types"

+	"github.com/docker/docker/api/types/registry"

 	"github.com/docker/docker/errdefs"

 )

@@ -34,9 +35,9 @@ func TestImageCreate(t *testing.T) {

 			if !strings.HasPrefix(r.URL.Path, expectedURL) {

 				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, r.URL)

 			}

-			registryAuth := r.Header.Get("X-Registry-Auth")

+			registryAuth := r.Header.Get(registry.AuthHeader)

 			if registryAuth != expectedRegistryAuth {

-				return nil, fmt.Errorf("X-Registry-Auth header not properly set in the request. Expected '%s', got %s", expectedRegistryAuth, registryAuth)

+				return nil, fmt.Errorf("%s header not properly set in the request. Expected '%s', got %s", registry.AuthHeader, expectedRegistryAuth, registryAuth)

 			}

 			query := r.URL.Query()

@@ -10,6 +10,7 @@ import (

 	"testing"

 	"github.com/docker/docker/api/types"

+	"github.com/docker/docker/api/types/registry"

 	"github.com/docker/docker/errdefs"

 )

@@ -83,7 +84,7 @@ func TestImagePullWithPrivilegedFuncNoError(t *testing.T) {

 			if !strings.HasPrefix(req.URL.Path, expectedURL) {

 				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)

 			}

-			auth := req.Header.Get("X-Registry-Auth")

+			auth := req.Header.Get(registry.AuthHeader)

 			if auth == "NotValid" {

 				return &http.Response{

 					StatusCode: http.StatusUnauthorized,

@@ -8,6 +8,7 @@ import (

 	"github.com/docker/distribution/reference"

 	"github.com/docker/docker/api/types"

+	"github.com/docker/docker/api/types/registry"

 	"github.com/docker/docker/errdefs"

 )

@@ -49,6 +50,6 @@ func (cli *Client) ImagePush(ctx context.Context, image string, options types.Im

 }

 func (cli *Client) tryImagePush(ctx context.Context, imageID string, query url.Values, registryAuth string) (serverResponse, error) {

-	headers := map[string][]string{"X-Registry-Auth": {registryAuth}}

+	headers := map[string][]string{registry.AuthHeader: {registryAuth}}

 	return cli.post(ctx, "/images/"+imageID+"/push", query, nil, headers)

 }

@@ -10,6 +10,7 @@ import (

 	"testing"

 	"github.com/docker/docker/api/types"

+	"github.com/docker/docker/api/types/registry"

 	"github.com/docker/docker/errdefs"

 )

@@ -88,7 +89,7 @@ func TestImagePushWithPrivilegedFuncNoError(t *testing.T) {

 			if !strings.HasPrefix(req.URL.Path, expectedURL) {

 				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)

 			}

-			auth := req.Header.Get("X-Registry-Auth")

+			auth := req.Header.Get(registry.AuthHeader)

 			if auth == "NotValid" {

 				return &http.Response{

 					StatusCode: http.StatusUnauthorized,

@@ -48,6 +48,6 @@ func (cli *Client) ImageSearch(ctx context.Context, term string, options types.I

 }

 func (cli *Client) tryImageSearch(ctx context.Context, query url.Values, registryAuth string) (serverResponse, error) {

-	headers := map[string][]string{"X-Registry-Auth": {registryAuth}}

+	headers := map[string][]string{registry.AuthHeader: {registryAuth}}

 	return cli.get(ctx, "/images/search", query, headers)

 }

@@ -73,7 +73,7 @@ func TestImageSearchWithPrivilegedFuncNoError(t *testing.T) {

 			if !strings.HasPrefix(req.URL.Path, expectedURL) {

 				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)

 			}

-			auth := req.Header.Get("X-Registry-Auth")

+			auth := req.Header.Get(registry.AuthHeader)

 			if auth == "NotValid" {

 				return &http.Response{

 					StatusCode: http.StatusUnauthorized,

@@ -8,6 +8,7 @@ import (

 	"github.com/docker/distribution/reference"

 	"github.com/docker/docker/api/types"

+	"github.com/docker/docker/api/types/registry"

 	"github.com/docker/docker/errdefs"

 	"github.com/pkg/errors"

 )

@@ -67,12 +68,12 @@ func (cli *Client) PluginInstall(ctx context.Context, name string, options types

 }

 func (cli *Client) tryPluginPrivileges(ctx context.Context, query url.Values, registryAuth string) (serverResponse, error) {

-	headers := map[string][]string{"X-Registry-Auth": {registryAuth}}

+	headers := map[string][]string{registry.AuthHeader: {registryAuth}}

 	return cli.get(ctx, "/plugins/privileges", query, headers)

 }

 func (cli *Client) tryPluginPull(ctx context.Context, query url.Values, privileges types.PluginPrivileges, registryAuth string) (serverResponse, error) {

-	headers := map[string][]string{"X-Registry-Auth": {registryAuth}}

+	headers := map[string][]string{registry.AuthHeader: {registryAuth}}

 	return cli.post(ctx, "/plugins/pull", query, privileges, headers)

 }

@@ -3,11 +3,13 @@ package client // import "github.com/docker/docker/client"

 import (

 	"context"

 	"io"

+

+	"github.com/docker/docker/api/types/registry"

 )

 // PluginPush pushes a plugin to a registry

 func (cli *Client) PluginPush(ctx context.Context, name string, registryAuth string) (io.ReadCloser, error) {

-	headers := map[string][]string{"X-Registry-Auth": {registryAuth}}

+	headers := map[string][]string{registry.AuthHeader: {registryAuth}}

 	resp, err := cli.post(ctx, "/plugins/"+name+"/push", nil, nil, headers)

 	if err != nil {

 		return nil, err

@@ -9,6 +9,7 @@ import (

 	"strings"

 	"testing"

+	"github.com/docker/docker/api/types/registry"

 	"github.com/docker/docker/errdefs"

 )

@@ -34,9 +35,9 @@ func TestPluginPush(t *testing.T) {

 			if req.Method != http.MethodPost {

 				return nil, fmt.Errorf("expected POST method, got %s", req.Method)

 			}

-			auth := req.Header.Get("X-Registry-Auth")

+			auth := req.Header.Get(registry.AuthHeader)

 			if auth != "authtoken" {

-				return nil, fmt.Errorf("Invalid auth header : expected 'authtoken', got %s", auth)

+				return nil, fmt.Errorf("invalid auth header : expected 'authtoken', got %s", auth)

 			}

 			return &http.Response{

 				StatusCode: http.StatusOK,

@@ -7,6 +7,7 @@ import (

 	"github.com/docker/distribution/reference"

 	"github.com/docker/docker/api/types"

+	"github.com/docker/docker/api/types/registry"

 	"github.com/pkg/errors"

 )

@@ -34,6 +35,6 @@ func (cli *Client) PluginUpgrade(ctx context.Context, name string, options types

 }

 func (cli *Client) tryPluginUpgrade(ctx context.Context, query url.Values, privileges types.PluginPrivileges, name, registryAuth string) (serverResponse, error) {

-	headers := map[string][]string{"X-Registry-Auth": {registryAuth}}

+	headers := map[string][]string{registry.AuthHeader: {registryAuth}}

 	return cli.post(ctx, "/plugins/"+name+"/upgrade", query, privileges, headers)

 }

@@ -8,6 +8,7 @@ import (

 	"github.com/docker/distribution/reference"

 	"github.com/docker/docker/api/types"

+	"github.com/docker/docker/api/types/registry"

 	"github.com/docker/docker/api/types/swarm"

 	"github.com/opencontainers/go-digest"

 	"github.com/pkg/errors"

@@ -21,7 +22,7 @@ func (cli *Client) ServiceCreate(ctx context.Context, service swarm.ServiceSpec,

 	}

 	if options.EncodedRegistryAuth != "" {

-		headers["X-Registry-Auth"] = []string{options.EncodedRegistryAuth}

+		headers[registry.AuthHeader] = []string{options.EncodedRegistryAuth}

 	}

 	// Make sure containerSpec is not nil when no runtime is set or the runtime is set to container

@@ -6,6 +6,7 @@ import (

 	"net/url"

 	"github.com/docker/docker/api/types"

+	"github.com/docker/docker/api/types/registry"

 	"github.com/docker/docker/api/types/swarm"

 )

@@ -23,7 +24,7 @@ func (cli *Client) ServiceUpdate(ctx context.Context, serviceID string, version

 	}

 	if options.EncodedRegistryAuth != "" {

-		headers["X-Registry-Auth"] = []string{options.EncodedRegistryAuth}

+		headers[registry.AuthHeader] = []string{options.EncodedRegistryAuth}

 	}

 	if options.RegistryAuthFrom != "" {