WIP: Only obtain a bearer token once at a time

[mtrmac]

Currently, on pushes, we can start several concurrent layer pushes; each one will check for a bearer token in tokenCache, find none, and ask the server for one, and then write it into the cache.

So, we can hammer the server with 6 basically-concurrent token requests. That's unnecessary, slower than just asking once, and potentially might impact rate limiting heuristics.

Instead, serialize writes to a bearerToken so that we only have one request in flight at a time.

This does not apply to pulls, where the first request is for a manifest, which obtains a token, so subsequent concurrent layer pulls will not request a token again.

WIP: Clean up the debugging log entries.

[mtrmac]

The not-directly-related refactoring are now filed separately in #2480.