diff --git a/roles/run-buildset-registry/README.rst b/roles/run-buildset-registry/README.rst
index 4f937644c..bcd26de26 100644
--- a/roles/run-buildset-registry/README.rst
+++ b/roles/run-buildset-registry/README.rst
@@ -2,8 +2,7 @@ Runs a docker registry for the use of this buildset.
 
 This may be used for a single job running on a single node, or it may
 be used at the root of a job graph so that multiple jobs running for a
-single change can share the registry.  Two registry endpoints are
-provided -- one is a local registry, the second is an upstream proxy.
+single change can share the registry.
 
 **Role Variables**
 
@@ -26,10 +25,6 @@ provided -- one is a local registry, the second is an upstream proxy.
 
       The port on which the registry is listening.
 
-   .. zuul:rolevar:: proxy_port
-
-      The port on which the proxy is listening.
-
    .. zuul:rolevar:: username
 
       The username used to access the registry via HTTP basic auth.
diff --git a/roles/run-buildset-registry/tasks/main.yaml b/roles/run-buildset-registry/tasks/main.yaml
index 3a5291f34..c6297a526 100644
--- a/roles/run-buildset-registry/tasks/main.yaml
+++ b/roles/run-buildset-registry/tasks/main.yaml
@@ -3,9 +3,8 @@
   package:
     name:
       - python-docker
-      - python-openssl
+      - openssl
       - python-passlib
-      - python-bcrypt
     state: present
   when: "'python3' not in ansible_python_interpreter"
 - name: Install packages
@@ -13,94 +12,50 @@
   package:
     name:
       - python3-docker
-      - python3-openssl
+      - openssl
       - python3-passlib
-      - python3-bcrypt
     state: present
   when: "'python3' in ansible_python_interpreter"
-- name: Ensure Docker registry volume directories exists
+- name: Ensure registry volume directories exists
   file:
     state: directory
     path: "{{ buildset_registry_root }}/{{ item }}"
   loop:
-    - certs
-    - auth
-- name: Generate registry password
+    - tls
+    - conf
+- name: Generate registry secrets
   set_fact:
     registry_password: "{{ lookup('password', '/dev/null') }}"
-- name: Write htpassword file
-  htpasswd:
-    create: true
-    crypt_scheme: bcrypt
-    path: "{{ buildset_registry_root }}/auth/htpasswd"
-    name: "zuul"
-    password: "{{ registry_password }}"
-- name: Generate a TLS key for the Docker registry
-  openssl_privatekey:
-    path: "{{ buildset_registry_root }}/certs/domain.key"
-- name: Generate a TLS CSR for the Docker registry
-  openssl_csr:
-    path: "{{ buildset_registry_root }}/certs/domain.csr"
-    privatekey_path: "{{ buildset_registry_root }}/certs/domain.key"
-    common_name: "{{ ansible_host }}"
-    subject_alt_name: "DNS:zuul-jobs.buildset-registry,DNS:{{ ansible_host }},IP:{{ ansible_host }},IP:127.0.0.1"
-- name: Generate a TLS cert for the Docker registry
-  openssl_certificate:
-    path: "{{ buildset_registry_root }}/certs/domain.crt"
-    csr_path: "{{ buildset_registry_root }}/certs/domain.csr"
-    privatekey_path: "{{ buildset_registry_root }}/certs/domain.key"
-    provider: selfsigned
-  register: generated_cert
+    registry_secret: "{{ lookup('password', '/dev/null') }}"
+- name: Write registry config
+  template:
+    src: registry.yaml.j2
+    dest: "{{ buildset_registry_root }}/conf/registry.yaml"
+- name: Generate a TLS key for the registry
+  command: "openssl req -x509 -newkey rsa:2048 -keyout {{ buildset_registry_root }}/tls/cert.key -out {{ buildset_registry_root }}/tls/cert.pem -days 365 -nodes -subj '/C=US/ST=California/L=Oakland/O=Company Name/OU=Org/CN={{ ansible_host }}' -addext 'subjectAltName = DNS:zuul-jobs.buildset-registry,DNS:{{ ansible_host }},IP:{{ ansible_host }},IP:127.0.0.1'"
 - name: Read TLS certificate
   slurp:
-    src: "{{ generated_cert.filename }}"
+    src: "{{ buildset_registry_root }}/tls/cert.pem"
   register: certificate
 - name: Decode TLS certificate
   set_fact:
     certificate: "{{ certificate.content | b64decode }}"
-- name: Start a docker registry
+- name: Start the buildset registry
   docker_container:
     name: buildset_registry
-    image: registry:2
+    image: zuul/zuul-registry:latest
     state: started
     restart_policy: always
     ports:
      - "5000:5000"
-    env:
-      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
-      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
-      REGISTRY_AUTH: htpasswd
-      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
-      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
     volumes:
-      - "{{ buildset_registry_root }}/certs:/certs"
-      - "{{ buildset_registry_root }}/auth:/auth"
-- name: Start a docker proxy
-  docker_container:
-    name: buildset_proxy
-    image: registry:2
-    state: started
-    restart_policy: always
-    ports:
-     - "5001:5000"
-    env:
-      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
-      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
-      REGISTRY_AUTH: htpasswd
-      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
-      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
-      REGISTRY_PROXY_REMOTEURL: https://registry-1.docker.io
-      REGISTRY_PROXY_USERNAME: ''
-      REGISTRY_PROXY_PASSWORD: ''
-    volumes:
-      - "{{ buildset_registry_root }}/certs:/certs"
-      - "{{ buildset_registry_root }}/auth:/auth"
+      - "{{ buildset_registry_root }}/tls:/tls"
+      - "{{ buildset_registry_root }}/conf:/conf"
 - name: Set registry information fact
   set_fact:
     buildset_registry:
       host: "{{ ansible_host }}"
       port: 5000
-      proxy_port: 5001
       username: zuul
       password: "{{ registry_password }}"
       cert: "{{ certificate }}"
diff --git a/roles/run-buildset-registry/templates/registry.yaml.j2 b/roles/run-buildset-registry/templates/registry.yaml.j2
new file mode 100644
index 000000000..7901b727f
--- /dev/null
+++ b/roles/run-buildset-registry/templates/registry.yaml.j2
@@ -0,0 +1,14 @@
+registry:
+  address: '::'
+  port: 5000
+  public-url: 'https://{{ ansible_host | ipwrap }}:5000'
+  tls-cert: /tls/cert.pem
+  tls-key: /tls/cert.key
+  secret: "{{ registry_secret }}"
+  users:
+    - name: zuul
+      pass: "{{ registry_password }}"
+      access: write
+  storage:
+    driver: filesystem
+    root: /storage
diff --git a/roles/use-buildset-registry/README.rst b/roles/use-buildset-registry/README.rst
index 8c93942a3..2801477a0 100644
--- a/roles/use-buildset-registry/README.rst
+++ b/roles/use-buildset-registry/README.rst
@@ -17,10 +17,6 @@ Use this role on any host which should use the buildset registry.
 
       The port on which the registry is listening.
 
-   .. zuul:rolevar:: proxy_port
-
-      The port on which the registry proxy is listening.
-
    .. zuul:rolevar:: username
 
       The username used to access the registry via HTTP basic auth.
diff --git a/roles/use-buildset-registry/tasks/main.yaml b/roles/use-buildset-registry/tasks/main.yaml
index a276442ea..12ee2ac4e 100644
--- a/roles/use-buildset-registry/tasks/main.yaml
+++ b/roles/use-buildset-registry/tasks/main.yaml
@@ -28,21 +28,11 @@
   file:
     path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/"
     state: directory
-- name: Ensure proxy registry cert directory exists
-  become: true
-  file:
-    path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/"
-    state: directory
 - name: Write buildset registry TLS certificate
   become: true
   copy:
     content: "{{ buildset_registry.cert }}"
     dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/ca.crt"
-- name: Write proxy registry TLS certificate
-  become: true
-  copy:
-    content: "{{ buildset_registry.cert }}"
-    dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/ca.crt"
 
 # Update daemon config
 - name: Check if docker daemon configuration exists
@@ -66,7 +56,7 @@
 - name: Add registry to docker daemon configuration
   vars:
     new_config:
-      registry-mirrors: "['https://{{ buildset_registry_alias }}:{{ buildset_registry.port }}/', 'https://{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/']"
+      registry-mirrors: "['https://{{ buildset_registry_alias }}:{{ buildset_registry.port }}/']"
   set_fact:
     docker_config: "{{ docker_config | combine(new_config) }}"
 - name: Save docker daemon configuration
diff --git a/roles/use-buildset-registry/tasks/user-config.yaml b/roles/use-buildset-registry/tasks/user-config.yaml
index 8b7ebbff8..7aff92d4a 100644
--- a/roles/use-buildset-registry/tasks/user-config.yaml
+++ b/roles/use-buildset-registry/tasks/user-config.yaml
@@ -27,11 +27,7 @@
     new_config:
       auths: |
         {
-          "https://index.docker.io/v1/":
-            {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
           "{{ buildset_registry_alias }}:{{ buildset_registry.port }}":
-            {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
-          "{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}":
             {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}
         }
   set_fact:
@@ -51,4 +47,4 @@
   file:
     src: "~{{ buildset_registry_docker_user | default(ansible_user) }}/.docker/config.json"
     dest: /var/lib/kubelet/config.json
-    state: link
\ No newline at end of file
+    state: link