Cause: The registry used to append forwarded target port to redirected location urls. Registry client gets confused by the received location containing superfluous port and cannot match it against the original host. This happened when exposed with tls-termination other than passthrough.
Consequence: Client's new request to the target location lacks credentials. As a consequence, image push fails due to authorization error.
Fix: Registry was rebased to newer version which fixes forwarding processing logic.
Result: Registry now doesn't confuse its clients. Clients can push images successfully to the exposed registry using arbitrary tls-termination.