This patch vendors the v2 distribution registry client and uses it instead of the v2 codepath in graph/ and registry/ folders. It should not affect the v1 codepath.

Praise @dmcgowan for the good, blame me for the bad :)

Some clarifications on the value of this PR to help it get merged:

• gets rid of the v2 distribution client code from engine. This alone is HUGE, because it means the distribution team can iterate faster on improvements on both the client and the server. It also means we will have much higher test coverage, so higher quality, less risk.
• Abstracted v1 and v2 behind a Pusher and Puller interface in graph/ to show that those are two completely separate codepaths waiting to be merged and abstracted at a lower level (on the registry client level).
• rewrote ping and fallback logic. This had to be redone, because of how to bootstrap the new v2 glue code. Currently, master has a ping logic that would, on EVERY USER/API REQUEST, ping a v2 endpoint, then ping a v1 endpoint if it failed, and this is what would determine what version of the registry Docker is talking to. Now with this PR, we assume v2 hence skipping the pinging v2 part, we have a (new) notion of endpoints (called APIEndpoint in the code) that we try one after the other, if the error returned by a registry API call satisfies a typed-error fallback logic detailed in registry.WrapError: so not all errors will fallback to v1. This part will be improved in the future, for instance: allow registry endpoints to determine their fallback policies.
• Towards having one TLS logic: this code got rid of setting up certs, not on every user/api request, but on EVERY REQUEST to the registry (one user request can result in multiple registry requests). @diogomonica @NathanMcCauley please review that part, we added more constraints on ciphers. The idea for the future is to have one package that prepares ready-to-use TLSConfigs for Docker.
• As a result of the previous two, an APIEndpoint is no longer "secure" or "insecure". It's HTTP, or HTTPS with an InsecureSkipVerify flag set to true or false. Having the HTTP endpoint be a different one than the HTTPS endpoint is cleaner in the code and easier to reason about: if HTTPS fails, try HTTP (which was added to the list of endpoints, only because the registry was marked as insecure).

Big future direction: the brightest day will be when we can get rid of the v1 code. In order to get there, we will have to refactor some more. Most importantly, we will make what many hoped this PR would do: have the code in graph talk only one API, which gets dispatched to the appropriate API version codepath. We will also get rid of much of the old code in registry/, things like Endpoint will retire.