Use types.SystemContext in NewImage*

... instead of Docker-specific certPath and tlsVerify. Also invert the sense of tlsVerify to make the default secure. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-08-11 20:06:17 +02:00 · 2016-08-11 20:06:17 +02:00 · 151faebaba
parent 8f0c70e494
commit 151faebaba
21 changed files with 81 additions and 76 deletions
--- a/image/directory/directory_test.go
+++ b/image/directory/directory_test.go
@ -15,7 +15,7 @@ func TestDestinationReference(t *testing.T) {
 	ref, tmpDir := refToTempDir(t)
 	defer os.RemoveAll(tmpDir)
-	dest, err := ref.NewImageDestination("", true)
+	dest, err := ref.NewImageDestination(nil)
 	require.NoError(t, err)
 	ref2 := dest.Reference()
 	assert.Equal(t, tmpDir, ref2.StringWithinTransport())
@ -26,12 +26,12 @@ func TestGetPutManifest(t *testing.T) {
 	defer os.RemoveAll(tmpDir)
 	man := []byte("test-manifest")
-	dest, err := ref.NewImageDestination("", true)
+	dest, err := ref.NewImageDestination(nil)
 	require.NoError(t, err)
 	err = dest.PutManifest(man)
 	assert.NoError(t, err)
-	src, err := ref.NewImageSource("", true)
+	src, err := ref.NewImageSource(nil)
 	require.NoError(t, err)
 	m, mt, err := src.GetManifest(nil)
 	assert.NoError(t, err)
@ -45,12 +45,12 @@ func TestGetPutBlob(t *testing.T) {
 	digest := "digest-test"
 	blob := []byte("test-blob")
-	dest, err := ref.NewImageDestination("", true)
+	dest, err := ref.NewImageDestination(nil)
 	require.NoError(t, err)
 	err = dest.PutBlob(digest, bytes.NewReader(blob))
 	assert.NoError(t, err)
-	src, err := ref.NewImageSource("", true)
+	src, err := ref.NewImageSource(nil)
 	require.NoError(t, err)
 	rc, size, err := src.GetBlob(digest)
 	assert.NoError(t, err)
@ -96,7 +96,7 @@ func TestPutBlobDigestFailure(t *testing.T) {
 		return 0, fmt.Errorf(digestErrorString)
 	})
-	dest, err := ref.NewImageDestination("", true)
+	dest, err := ref.NewImageDestination(nil)
 	require.NoError(t, err)
 	err = dest.PutBlob(blobDigest, reader)
 	assert.Error(t, err)
@ -111,7 +111,7 @@ func TestGetPutSignatures(t *testing.T) {
 	ref, tmpDir := refToTempDir(t)
 	defer os.RemoveAll(tmpDir)
-	dest, err := ref.NewImageDestination("", true)
+	dest, err := ref.NewImageDestination(nil)
 	require.NoError(t, err)
 	signatures := [][]byte{
 		[]byte("sig1"),
@ -120,7 +120,7 @@ func TestGetPutSignatures(t *testing.T) {
 	err = dest.PutSignatures(signatures)
 	assert.NoError(t, err)
-	src, err := ref.NewImageSource("", true)
+	src, err := ref.NewImageSource(nil)
 	require.NoError(t, err)
 	sigs, err := src.GetSignatures()
 	assert.NoError(t, err)
@ -131,7 +131,7 @@ func TestDelete(t *testing.T) {
 	ref, tmpDir := refToTempDir(t)
 	defer os.RemoveAll(tmpDir)
-	src, err := ref.NewImageSource("", true)
+	src, err := ref.NewImageSource(nil)
 	require.NoError(t, err)
 	err = src.Delete()
 	assert.Error(t, err)
@ -141,7 +141,7 @@ func TestSourceReference(t *testing.T) {
 	ref, tmpDir := refToTempDir(t)
 	defer os.RemoveAll(tmpDir)
-	src, err := ref.NewImageSource("", true)
+	src, err := ref.NewImageSource(nil)
 	require.NoError(t, err)
 	ref2 := src.Reference()
 	assert.Equal(t, tmpDir, ref2.StringWithinTransport())
--- a/image/directory/directory_transport.go
+++ b/image/directory/directory_transport.go
@ -128,18 +128,18 @@ func (ref dirReference) PolicyConfigurationNamespaces() []string {
 }
 // NewImage returns a types.Image for this reference.
-func (ref dirReference) NewImage(certPath string, tlsVerify bool) (types.Image, error) {
+func (ref dirReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
 	src := newImageSource(ref)
 	return image.FromSource(src, nil), nil
 }
 // NewImageSource returns a types.ImageSource for this reference.
-func (ref dirReference) NewImageSource(certPath string, tlsVerify bool) (types.ImageSource, error) {
+func (ref dirReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
 	return newImageSource(ref), nil
 }
 // NewImageDestination returns a types.ImageDestination for this reference.
-func (ref dirReference) NewImageDestination(certPath string, tlsVerify bool) (types.ImageDestination, error) {
+func (ref dirReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
 	return newImageDestination(ref), nil
 }
--- a/image/directory/directory_transport_test.go
+++ b/image/directory/directory_transport_test.go
@ -149,21 +149,21 @@ func TestReferencePolicyConfigurationNamespaces(t *testing.T) {
 func TestReferenceNewImage(t *testing.T) {
 	ref, tmpDir := refToTempDir(t)
 	defer os.RemoveAll(tmpDir)
-	_, err := ref.NewImage("/this/doesn't/exist", true)
+	_, err := ref.NewImage(nil)
 	assert.NoError(t, err)
 }
 func TestReferenceNewImageSource(t *testing.T) {
 	ref, tmpDir := refToTempDir(t)
 	defer os.RemoveAll(tmpDir)
-	_, err := ref.NewImageSource("/this/doesn't/exist", true)
+	_, err := ref.NewImageSource(nil)
 	assert.NoError(t, err)
 }
 func TestReferenceNewImageDestination(t *testing.T) {
 	ref, tmpDir := refToTempDir(t)
 	defer os.RemoveAll(tmpDir)
-	_, err := ref.NewImageDestination("/this/doesn't/exist", true)
+	_, err := ref.NewImageDestination(nil)
 	assert.NoError(t, err)
 }
--- a/image/doc.go
+++ b/image/doc.go
@ -13,7 +13,7 @@
 //    	if err != nil {
 //    		panic(err)
 //    	}
-//    	img, err := ref.NewImage("", true)
+//    	img, err := ref.NewImage(nil)
 //    	if err != nil {
 //    		panic(err)
 //    	}
--- a/image/docker/docker_client.go
+++ b/image/docker/docker_client.go
@ -14,6 +14,7 @@ import (
 	"time"
 	"github.com/Sirupsen/logrus"
 	"github.com/containers/image/types"
 	"github.com/docker/docker/pkg/homedir"
 )
@ -44,7 +45,7 @@ type dockerClient struct {
 }
 // newDockerClient returns a new dockerClient instance for refHostname (a host a specified in the Docker image reference, not canonicalized to dockerRegistry)
-func newDockerClient(refHostname, certPath string, tlsVerify bool) (*dockerClient, error) {
+func newDockerClient(ctx *types.SystemContext, refHostname string) (*dockerClient, error) {
 	var registry string
 	if refHostname == dockerHostname {
 		registry = dockerRegistry
@ -56,17 +57,17 @@ func newDockerClient(refHostname, certPath string, tlsVerify bool) (*dockerClien
 		return nil, err
 	}
 	var tr *http.Transport
-	if certPath != "" || !tlsVerify {
+	if ctx != nil && (ctx.DockerCertPath != "" || ctx.DockerInsecureSkipTLSVerify) {
 		tlsc := &tls.Config{}
-		if certPath != "" {
+		if ctx.DockerCertPath != "" {
-			cert, err := tls.LoadX509KeyPair(filepath.Join(certPath, "cert.pem"), filepath.Join(certPath, "key.pem"))
+			cert, err := tls.LoadX509KeyPair(filepath.Join(ctx.DockerCertPath, "cert.pem"), filepath.Join(ctx.DockerCertPath, "key.pem"))
 			if err != nil {
 				return nil, fmt.Errorf("Error loading x509 key pair: %s", err)
 			}
 			tlsc.Certificates = append(tlsc.Certificates, cert)
 		}
-		tlsc.InsecureSkipVerify = !tlsVerify
+		tlsc.InsecureSkipVerify = ctx.DockerInsecureSkipTLSVerify
 		tr = &http.Transport{
 			TLSClientConfig: tlsc,
 		}
--- a/image/docker/docker_image.go
+++ b/image/docker/docker_image.go
@ -18,8 +18,8 @@ type Image struct {
 // newImage returns a new Image interface type after setting up
 // a client to the registry hosting the given image.
-func newImage(ref dockerReference, certPath string, tlsVerify bool) (types.Image, error) {
+func newImage(ctx *types.SystemContext, ref dockerReference) (types.Image, error) {
-	s, err := newImageSource(ref, certPath, tlsVerify)
+	s, err := newImageSource(ctx, ref)
 	if err != nil {
 		return nil, err
 	}
--- a/image/docker/docker_image_dest.go
+++ b/image/docker/docker_image_dest.go
@ -17,9 +17,9 @@ type dockerImageDestination struct {
 	c   *dockerClient
 }
-// newImageDestination creates a new ImageDestination for the specified image reference and connection specification.
+// newImageDestination creates a new ImageDestination for the specified image reference.
-func newImageDestination(ref dockerReference, certPath string, tlsVerify bool) (types.ImageDestination, error) {
+func newImageDestination(ctx *types.SystemContext, ref dockerReference) (types.ImageDestination, error) {
-	c, err := newDockerClient(ref.ref.Hostname(), certPath, tlsVerify)
+	c, err := newDockerClient(ctx, ref.ref.Hostname())
 	if err != nil {
 		return nil, err
 	}
--- a/image/docker/docker_image_src.go
+++ b/image/docker/docker_image_src.go
@ -27,9 +27,9 @@ type dockerImageSource struct {
 	c   *dockerClient
 }
-// newImageSource creates a new ImageSource for the specified image reference and connection specification.
+// newImageSource creates a new ImageSource for the specified image reference.
-func newImageSource(ref dockerReference, certPath string, tlsVerify bool) (*dockerImageSource, error) {
+func newImageSource(ctx *types.SystemContext, ref dockerReference) (*dockerImageSource, error) {
-	c, err := newDockerClient(ref.ref.Hostname(), certPath, tlsVerify)
+	c, err := newDockerClient(ctx, ref.ref.Hostname())
 	if err != nil {
 		return nil, err
 	}
--- a/image/docker/docker_transport.go
+++ b/image/docker/docker_transport.go
@ -116,18 +116,18 @@ func (ref dockerReference) PolicyConfigurationNamespaces() []string {
 }
 // NewImage returns a types.Image for this reference.
-func (ref dockerReference) NewImage(certPath string, tlsVerify bool) (types.Image, error) {
+func (ref dockerReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
-	return newImage(ref, certPath, tlsVerify)
+	return newImage(ctx, ref)
 }
 // NewImageSource returns a types.ImageSource for this reference.
-func (ref dockerReference) NewImageSource(certPath string, tlsVerify bool) (types.ImageSource, error) {
+func (ref dockerReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
-	return newImageSource(ref, certPath, tlsVerify)
+	return newImageSource(ctx, ref)
 }
 // NewImageDestination returns a types.ImageDestination for this reference.
-func (ref dockerReference) NewImageDestination(certPath string, tlsVerify bool) (types.ImageDestination, error) {
+func (ref dockerReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
-	return newImageDestination(ref, certPath, tlsVerify)
+	return newImageDestination(ctx, ref)
 }
 // tagOrDigest returns a tag or digest from the reference.
--- a/image/docker/docker_transport_test.go
+++ b/image/docker/docker_transport_test.go
@ -160,21 +160,21 @@ func TestReferencePolicyConfigurationNamespaces(t *testing.T) {
 func TestReferenceNewImage(t *testing.T) {
 	ref, err := ParseReference("//busybox")
 	require.NoError(t, err)
-	_, err = ref.NewImage("", true)
+	_, err = ref.NewImage(nil)
 	assert.NoError(t, err)
 }
 func TestReferenceNewImageSource(t *testing.T) {
 	ref, err := ParseReference("//busybox")
 	require.NoError(t, err)
-	_, err = ref.NewImageSource("", true)
+	_, err = ref.NewImageSource(nil)
 	assert.NoError(t, err)
 }
 func TestReferenceNewImageDestination(t *testing.T) {
 	ref, err := ParseReference("//busybox")
 	require.NoError(t, err)
-	_, err = ref.NewImageDestination("", true)
+	_, err = ref.NewImageDestination(nil)
 	assert.NoError(t, err)
 }
--- a/image/oci/oci_dest_test.go
+++ b/image/oci/oci_dest_test.go
@ -44,7 +44,7 @@ func TestPutBlobDigestFailure(t *testing.T) {
 		return 0, fmt.Errorf(digestErrorString)
 	})
-	dest, err := ref.NewImageDestination("", true)
+	dest, err := ref.NewImageDestination(nil)
 	require.NoError(t, err)
 	err = dest.PutBlob(blobDigest, reader)
 	assert.Error(t, err)
--- a/image/oci/oci_transport.go
+++ b/image/oci/oci_transport.go
@ -165,17 +165,17 @@ func (ref ociReference) PolicyConfigurationNamespaces() []string {
 }
 // NewImage returns a types.Image for this reference.
-func (ref ociReference) NewImage(certPath string, tlsVerify bool) (types.Image, error) {
+func (ref ociReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
 	return nil, errors.New("Full Image support not implemented for oci: image names")
 }
 // NewImageSource returns a types.ImageSource for this reference.
-func (ref ociReference) NewImageSource(certPath string, tlsVerify bool) (types.ImageSource, error) {
+func (ref ociReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
 	return nil, errors.New("Reading images not implemented for oci: image names")
 }
 // NewImageDestination returns a types.ImageDestination for this reference.
-func (ref ociReference) NewImageDestination(certPath string, tlsVerify bool) (types.ImageDestination, error) {
+func (ref ociReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
 	return newImageDestination(ref), nil
 }
--- a/image/oci/oci_transport_test.go
+++ b/image/oci/oci_transport_test.go
@ -205,21 +205,21 @@ func TestReferencePolicyConfigurationNamespaces(t *testing.T) {
 func TestReferenceNewImage(t *testing.T) {
 	ref, tmpDir := refToTempOCI(t)
 	defer os.RemoveAll(tmpDir)
-	_, err := ref.NewImage("/this/doesn't/exist", true)
+	_, err := ref.NewImage(nil)
 	assert.Error(t, err)
 }
 func TestReferenceNewImageSource(t *testing.T) {
 	ref, tmpDir := refToTempOCI(t)
 	defer os.RemoveAll(tmpDir)
-	_, err := ref.NewImageSource("/this/doesn't/exist", true)
+	_, err := ref.NewImageSource(nil)
 	assert.Error(t, err)
 }
 func TestReferenceNewImageDestination(t *testing.T) {
 	ref, tmpDir := refToTempOCI(t)
 	defer os.RemoveAll(tmpDir)
-	_, err := ref.NewImageDestination("/this/doesn't/exist", true)
+	_, err := ref.NewImageDestination(nil)
 	assert.NoError(t, err)
 }
--- a/image/openshift/openshift.go
+++ b/image/openshift/openshift.go
@ -171,15 +171,14 @@ func (c *openshiftClient) dockerRegistryHostPart() string {
 type openshiftImageSource struct {
 	client *openshiftClient
 	// Values specific to this image
-	certPath  string // Only for parseDockerImageSource
+	ctx *types.SystemContext
 	tlsVerify bool   // Only for parseDockerImageSource
 	// State
 	docker               types.ImageSource // The Docker Registry endpoint, or nil if not resolved yet
 	imageStreamImageName string            // Resolved image identifier, or "" if not known yet
 }
-// newImageSource creates a new ImageSource for the specified reference and connection specification.
+// newImageSource creates a new ImageSource for the specified reference.
-func newImageSource(ref openshiftReference, certPath string, tlsVerify bool) (types.ImageSource, error) {
+func newImageSource(ctx *types.SystemContext, ref openshiftReference) (types.ImageSource, error) {
 	client, err := newOpenshiftClient(ref)
 	if err != nil {
 		return nil, err
@ -187,8 +186,7 @@ func newImageSource(ref openshiftReference, certPath string, tlsVerify bool) (ty
 	return &openshiftImageSource{
 		client: client,
-		certPath:  certPath,
+		ctx:    ctx,
 		tlsVerify: tlsVerify,
 	}, nil
 }
@ -270,7 +268,7 @@ func (s *openshiftImageSource) ensureImageIsResolved() error {
 	if err != nil {
 		return err
 	}
-	d, err := dockerRef.NewImageSource(s.certPath, s.tlsVerify)
+	d, err := dockerRef.NewImageSource(s.ctx)
 	if err != nil {
 		return err
 	}
@ -286,8 +284,8 @@ type openshiftImageDestination struct {
 	imageStreamImageName string // "" if not yet known
 }
-// newImageDestination creates a new ImageDestination for the specified reference and connection specification.
+// newImageDestination creates a new ImageDestination for the specified reference.
-func newImageDestination(ref openshiftReference, certPath string, tlsVerify bool) (types.ImageDestination, error) {
+func newImageDestination(ctx *types.SystemContext, ref openshiftReference) (types.ImageDestination, error) {
 	client, err := newOpenshiftClient(ref)
 	if err != nil {
 		return nil, err
@ -301,7 +299,7 @@ func newImageDestination(ref openshiftReference, certPath string, tlsVerify bool
 	if err != nil {
 		return nil, err
 	}
-	docker, err := dockerRef.NewImageDestination(certPath, tlsVerify)
+	docker, err := dockerRef.NewImageDestination(ctx)
 	if err != nil {
 		return nil, err
 	}
--- a/image/openshift/openshift_transport.go
+++ b/image/openshift/openshift_transport.go
@ -154,16 +154,16 @@ func (ref openshiftReference) PolicyConfigurationNamespaces() []string {
 }
 // NewImage returns a types.Image for this reference.
-func (ref openshiftReference) NewImage(certPath string, tlsVerify bool) (types.Image, error) {
+func (ref openshiftReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
 	return nil, errors.New("Full Image support not implemented for atomic: image names")
 }
 // NewImageSource returns a types.ImageSource for this reference.
-func (ref openshiftReference) NewImageSource(certPath string, tlsVerify bool) (types.ImageSource, error) {
+func (ref openshiftReference) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
-	return newImageSource(ref, certPath, tlsVerify)
+	return newImageSource(ctx, ref)
 }
 // NewImageDestination returns a types.ImageDestination for this reference.
-func (ref openshiftReference) NewImageDestination(certPath string, tlsVerify bool) (types.ImageDestination, error) {
+func (ref openshiftReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
-	return newImageDestination(ref, certPath, tlsVerify)
+	return newImageDestination(ctx, ref)
 }
--- a/image/openshift/openshift_transport_test.go
+++ b/image/openshift/openshift_transport_test.go
@ -113,7 +113,7 @@ func TestReferencePolicyConfigurationNamespaces(t *testing.T) {
 func TestReferenceNewImage(t *testing.T) {
 	ref, err := NewReference(testBaseURL, "ns", "stream", "notlatest")
 	require.NoError(t, err)
-	_, err = ref.NewImage("", true)
+	_, err = ref.NewImage(nil)
 	assert.Error(t, err)
 }
--- a/image/signature/policy_eval_signedby_test.go
+++ b/image/signature/policy_eval_signedby_test.go
@ -25,7 +25,7 @@ func dirImageMock(t *testing.T, dir, dockerReference string) types.Image {
 func dirImageMockWithRef(t *testing.T, dir string, ref types.ImageReference) types.Image {
 	srcRef, err := directory.NewReference(dir)
 	require.NoError(t, err)
-	src, err := srcRef.NewImageSource("", true)
+	src, err := srcRef.NewImageSource(nil)
 	require.NoError(t, err)
 	return image.FromSource(&dirImageSourceMock{
 		ImageSource: src,
--- a/image/signature/policy_eval_simple_test.go
+++ b/image/signature/policy_eval_simple_test.go
@ -34,13 +34,13 @@ func (ref nameOnlyImageReferenceMock) PolicyConfigurationIdentity() string {
 func (ref nameOnlyImageReferenceMock) PolicyConfigurationNamespaces() []string {
 	panic("unexpected call to a mock function")
 }
-func (ref nameOnlyImageReferenceMock) NewImage(certPath string, tlsVerify bool) (types.Image, error) {
+func (ref nameOnlyImageReferenceMock) NewImage(ctx *types.SystemContext) (types.Image, error) {
 	panic("unexpected call to a mock function")
 }
-func (ref nameOnlyImageReferenceMock) NewImageSource(certPath string, tlsVerify bool) (types.ImageSource, error) {
+func (ref nameOnlyImageReferenceMock) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
 	panic("unexpected call to a mock function")
 }
-func (ref nameOnlyImageReferenceMock) NewImageDestination(certPath string, tlsVerify bool) (types.ImageDestination, error) {
+func (ref nameOnlyImageReferenceMock) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
 	panic("unexpected call to a mock function")
 }
--- a/image/signature/policy_eval_test.go
+++ b/image/signature/policy_eval_test.go
@ -90,13 +90,13 @@ func (ref pcImageReferenceMock) PolicyConfigurationNamespaces() []string {
 	}
 	return policyconfiguration.DockerReferenceNamespaces(ref.ref)
 }
-func (ref pcImageReferenceMock) NewImage(certPath string, tlsVerify bool) (types.Image, error) {
+func (ref pcImageReferenceMock) NewImage(ctx *types.SystemContext) (types.Image, error) {
 	panic("unexpected call to a mock function")
 }
-func (ref pcImageReferenceMock) NewImageSource(certPath string, tlsVerify bool) (types.ImageSource, error) {
+func (ref pcImageReferenceMock) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
 	panic("unexpected call to a mock function")
 }
-func (ref pcImageReferenceMock) NewImageDestination(certPath string, tlsVerify bool) (types.ImageDestination, error) {
+func (ref pcImageReferenceMock) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
 	panic("unexpected call to a mock function")
 }
--- a/image/signature/policy_reference_match_test.go
+++ b/image/signature/policy_reference_match_test.go
@ -101,13 +101,13 @@ func (ref refImageReferenceMock) PolicyConfigurationIdentity() string {
 func (ref refImageReferenceMock) PolicyConfigurationNamespaces() []string {
 	panic("unexpected call to a mock function")
 }
-func (ref refImageReferenceMock) NewImage(certPath string, tlsVerify bool) (types.Image, error) {
+func (ref refImageReferenceMock) NewImage(ctx *types.SystemContext) (types.Image, error) {
 	panic("unexpected call to a mock function")
 }
-func (ref refImageReferenceMock) NewImageSource(certPath string, tlsVerify bool) (types.ImageSource, error) {
+func (ref refImageReferenceMock) NewImageSource(ctx *types.SystemContext) (types.ImageSource, error) {
 	panic("unexpected call to a mock function")
 }
-func (ref refImageReferenceMock) NewImageDestination(certPath string, tlsVerify bool) (types.ImageDestination, error) {
+func (ref refImageReferenceMock) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
 	panic("unexpected call to a mock function")
 }
--- a/image/types/types.go
+++ b/image/types/types.go
@ -71,11 +71,11 @@ type ImageReference interface {
 	PolicyConfigurationNamespaces() []string
 	// NewImage returns a types.Image for this reference.
-	NewImage(certPath string, tlsVerify bool) (Image, error)
+	NewImage(ctx *SystemContext) (Image, error)
 	// NewImageSource returns a types.ImageSource for this reference.
-	NewImageSource(certPath string, tlsVerify bool) (ImageSource, error)
+	NewImageSource(ctx *SystemContext) (ImageSource, error)
 	// NewImageDestination returns a types.ImageDestination for this reference.
-	NewImageDestination(certPath string, tlsVerify bool) (ImageDestination, error)
+	NewImageDestination(ctx *SystemContext) (ImageDestination, error)
 }
 // ImageSource is a service, possibly remote (= slow), to download components of a single image.
@ -159,6 +159,12 @@ type SystemContext struct {
 	// Not used for any paths specified by users in config files (even if the location of the config file _was_ affected by it).
 	// NOTE: This does NOT affect paths starting by $HOME.
 	RootForImplicitAbsolutePaths string
 	// === Global configuration overrides ===
 	// If not "", overrides the system's default path for signature.Policy configuration.
 	SignaturePolicyPath string
 	// === docker.Transport overrides ===
 	DockerCertPath              string // If not "", a directory containing "cert.pem" and "key.pem" used when talking to a Docker Registry
 	DockerInsecureSkipTLSVerify bool
 }