cdk-ecr-deployment 3.3.1 → 4.0.1

package/lambda-src/internal/tarfile/src.go

@@ -1,328 +0,0 @@
-// Taken from https://github.com/containers/image
-// Modifications Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-
-package tarfile
-
-import (
-	"archive/tar"
-	"bytes"
-	"cdk-ecr-deployment-handler/internal/iolimits"
-	"context"
-	"encoding/json"
-	"io"
-	"io/ioutil"
-	"path"
-	"sync"
-
-	"github.com/containers/image/v5/docker/reference"
-	"github.com/containers/image/v5/manifest"
-	"github.com/containers/image/v5/pkg/compression"
-	"github.com/containers/image/v5/types"
-	digest "github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
-)
-
-// S3FileSource is a partial implementation of types.ImageSource for reading from tarPath.
-type S3FileSource struct {
-	s3fileReader *S3FileReader
-	closeArchive bool // .Close() the archive when the source is closed.
-	// If ref is nil and sourceIndex is -1, indicates the only image in the archive.
-	ref         reference.NamedTagged // May be nil
-	sourceIndex int                   // May be -1
-	// The following data is only available after ensureCachedDataIsPresent() succeeds
-	tarManifest       *ManifestItem // nil if not available yet.
-	configBytes       []byte
-	configDigest      digest.Digest
-	orderedDiffIDList []digest.Digest
-	knownLayers       map[digest.Digest]*layerInfo
-	// Other state
-	generatedManifest []byte    // Private cache for GetManifest(), nil if not set yet.
-	cacheDataLock     sync.Once // Private state for ensureCachedDataIsPresent to make it concurrency-safe
-	cacheDataResult   error     // Private state for ensureCachedDataIsPresent
-}
-
-type layerInfo struct {
-	path string
-	size int64
-}
-
-// NewSource returns a tarfile.Source for an image in the specified archive matching ref
-// and sourceIndex (or the only image if they are (nil, -1)).
-// The archive will be closed if closeArchive
-func NewSource(archive *S3FileReader, closeArchive bool, ref reference.NamedTagged, sourceIndex int) *S3FileSource {
-	return &S3FileSource{
-		s3fileReader: archive,
-		closeArchive: closeArchive,
-		ref:          ref,
-		sourceIndex:  sourceIndex,
-	}
-}
-
-// ensureCachedDataIsPresent loads data necessary for any of the public accessors.
-// It is safe to call this from multi-threaded code.
-func (s *S3FileSource) ensureCachedDataIsPresent() error {
-	s.cacheDataLock.Do(func() {
-		s.cacheDataResult = s.ensureCachedDataIsPresentPrivate()
-	})
-	return s.cacheDataResult
-}
-
-// ensureCachedDataIsPresentPrivate is a private implementation detail of ensureCachedDataIsPresent.
-// Call ensureCachedDataIsPresent instead.
-func (s *S3FileSource) ensureCachedDataIsPresentPrivate() error {
-	tarManifest, _, err := s.s3fileReader.ChooseManifestItem(s.ref, s.sourceIndex)
-	if err != nil {
-		return err
-	}
-
-	// Read and parse config.
-	configBytes, err := s.s3fileReader.readTarComponent(tarManifest.Config, iolimits.MaxConfigBodySize)
-	if err != nil {
-		return err
-	}
-	var parsedConfig manifest.Schema2Image // There's a lot of info there, but we only really care about layer DiffIDs.
-	if err := json.Unmarshal(configBytes, &parsedConfig); err != nil {
-		return errors.Wrapf(err, "Error decoding tar config %s", tarManifest.Config)
-	}
-	if parsedConfig.RootFS == nil {
-		return errors.Errorf("Invalid image config (rootFS is not set): %s", tarManifest.Config)
-	}
-
-	knownLayers, err := s.prepareLayerData(tarManifest, &parsedConfig)
-	if err != nil {
-		return err
-	}
-
-	// Success; commit.
-	s.tarManifest = tarManifest
-	s.configBytes = configBytes
-	s.configDigest = digest.FromBytes(configBytes)
-	s.orderedDiffIDList = parsedConfig.RootFS.DiffIDs
-	s.knownLayers = knownLayers
-	return nil
-}
-
-// Close removes resources associated with an initialized Source, if any.
-func (s *S3FileSource) Close() error {
-	if s.closeArchive {
-		return s.s3fileReader.Close()
-	}
-	return nil
-}
-
-// TarManifest returns contents of manifest.json
-func (s *S3FileSource) TarManifest() []ManifestItem {
-	return s.s3fileReader.Manifest
-}
-
-func (s *S3FileSource) prepareLayerData(tarManifest *ManifestItem, parsedConfig *manifest.Schema2Image) (map[digest.Digest]*layerInfo, error) {
-	// Collect layer data available in manifest and config.
-	if len(tarManifest.Layers) != len(parsedConfig.RootFS.DiffIDs) {
-		return nil, errors.Errorf("Inconsistent layer count: %d in manifest, %d in config", len(tarManifest.Layers), len(parsedConfig.RootFS.DiffIDs))
-	}
-	knownLayers := map[digest.Digest]*layerInfo{}
-	unknownLayerSizes := map[string]*layerInfo{} // Points into knownLayers, a "to do list" of items with unknown sizes.
-	for i, diffID := range parsedConfig.RootFS.DiffIDs {
-		if _, ok := knownLayers[diffID]; ok {
-			// Apparently it really can happen that a single image contains the same layer diff more than once.
-			// In that case, the diffID validation ensures that both layers truly are the same, and it should not matter
-			// which of the tarManifest.Layers paths is used; (docker save) actually makes the duplicates symlinks to the original.
-			continue
-		}
-		layerPath := path.Clean(tarManifest.Layers[i])
-		if _, ok := unknownLayerSizes[layerPath]; ok {
-			return nil, errors.Errorf("Layer tarfile %s used for two different DiffID values", layerPath)
-		}
-		li := &layerInfo{ // A new element in each iteration
-			path: layerPath,
-			size: -1,
-		}
-		knownLayers[diffID] = li
-		unknownLayerSizes[layerPath] = li
-	}
-
-	// Scan the tar file to collect layer sizes.
-	t := tar.NewReader(s.s3fileReader.s3file)
-	for {
-		h, err := t.Next()
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return nil, err
-		}
-		layerPath := path.Clean(h.Name)
-		// FIXME: Cache this data across images in Reader.
-		if li, ok := unknownLayerSizes[layerPath]; ok {
-			// Since GetBlob will decompress layers that are compressed we need
-			// to do the decompression here as well, otherwise we will
-			// incorrectly report the size. Pretty critical, since tools like
-			// umoci always compress layer blobs. Obviously we only bother with
-			// the slower method of checking if it's compressed.
-			uncompressedStream, isCompressed, err := compression.AutoDecompress(t)
-			if err != nil {
-				return nil, errors.Wrapf(err, "Error auto-decompressing %s to determine its size", layerPath)
-			}
-			defer uncompressedStream.Close()
-
-			uncompressedSize := h.Size
-			if isCompressed {
-				uncompressedSize, err = io.Copy(ioutil.Discard, uncompressedStream)
-				if err != nil {
-					return nil, errors.Wrapf(err, "Error reading %s to find its size", layerPath)
-				}
-			}
-			li.size = uncompressedSize
-			delete(unknownLayerSizes, layerPath)
-		}
-	}
-	if len(unknownLayerSizes) != 0 {
-		return nil, errors.Errorf("Some layer tarfiles are missing in the tarball") // This could do with a better error reporting, if this ever happened in practice.
-	}
-
-	return knownLayers, nil
-}
-
-// GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
-// It may use a remote (= slow) service.
-// If instanceDigest is not nil, it contains a digest of the specific manifest instance to retrieve (when the primary manifest is a manifest list);
-// this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
-// This source implementation does not support manifest lists, so the passed-in instanceDigest should always be nil,
-// as the primary manifest can not be a list, so there can be no secondary instances.
-func (s *S3FileSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
-	if instanceDigest != nil {
-		// How did we even get here? GetManifest(ctx, nil) has returned a manifest.DockerV2Schema2MediaType.
-		return nil, "", errors.New(`Manifest lists are not supported by "docker-daemon:"`)
-	}
-	if s.generatedManifest == nil {
-		if err := s.ensureCachedDataIsPresent(); err != nil {
-			return nil, "", err
-		}
-		m := manifest.Schema2{
-			SchemaVersion: 2,
-			MediaType:     manifest.DockerV2Schema2MediaType,
-			ConfigDescriptor: manifest.Schema2Descriptor{
-				MediaType: manifest.DockerV2Schema2ConfigMediaType,
-				Size:      int64(len(s.configBytes)),
-				Digest:    s.configDigest,
-			},
-			LayersDescriptors: []manifest.Schema2Descriptor{},
-		}
-		for _, diffID := range s.orderedDiffIDList {
-			li, ok := s.knownLayers[diffID]
-			if !ok {
-				return nil, "", errors.Errorf("Internal inconsistency: Information about layer %s missing", diffID)
-			}
-			m.LayersDescriptors = append(m.LayersDescriptors, manifest.Schema2Descriptor{
-				Digest:    diffID, // diffID is a digest of the uncompressed tarball
-				MediaType: manifest.DockerV2Schema2LayerMediaType,
-				Size:      li.size,
-			})
-		}
-		manifestBytes, err := json.Marshal(&m)
-		if err != nil {
-			return nil, "", err
-		}
-		s.generatedManifest = manifestBytes
-	}
-	return s.generatedManifest, manifest.DockerV2Schema2MediaType, nil
-}
-
-// uncompressedReadCloser is an io.ReadCloser that closes both the uncompressed stream and the underlying input.
-type uncompressedReadCloser struct {
-	io.Reader
-	underlyingCloser   func() error
-	uncompressedCloser func() error
-}
-
-func (r uncompressedReadCloser) Close() error {
-	var res error
-	if err := r.uncompressedCloser(); err != nil {
-		res = err
-	}
-	if err := r.underlyingCloser(); err != nil && res == nil {
-		res = err
-	}
-	return res
-}
-
-// HasThreadSafeGetBlob indicates whether GetBlob can be executed concurrently.
-func (s *S3FileSource) HasThreadSafeGetBlob() bool {
-	return false // Not supported yet
-}
-
-// GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
-// The Digest field in BlobInfo is guaranteed to be provided, Size may be -1 and MediaType may be optionally provided.
-// May update BlobInfoCache, preferably after it knows for certain that a blob truly exists at a specific location.
-func (s *S3FileSource) GetBlob(ctx context.Context, info types.BlobInfo, cache types.BlobInfoCache) (io.ReadCloser, int64, error) {
-	if err := s.ensureCachedDataIsPresent(); err != nil {
-		return nil, 0, err
-	}
-
-	if info.Digest == s.configDigest { // FIXME? Implement a more general algorithm matching instead of assuming sha256.
-		return ioutil.NopCloser(bytes.NewReader(s.configBytes)), int64(len(s.configBytes)), nil
-	}
-
-	if li, ok := s.knownLayers[info.Digest]; ok { // diffID is a digest of the uncompressed tarball,
-		underlyingStream, err := s.s3fileReader.openTarComponent(li.path)
-		if err != nil {
-			return nil, 0, err
-		}
-		closeUnderlyingStream := true
-		defer func() {
-			if closeUnderlyingStream {
-				underlyingStream.Close()
-			}
-		}()
-
-		// In order to handle the fact that digests != diffIDs (and thus that a
-		// caller which is trying to verify the blob will run into problems),
-		// we need to decompress blobs. This is a bit ugly, but it's a
-		// consequence of making everything addressable by their DiffID rather
-		// than by their digest...
-		//
-		// In particular, because the v2s2 manifest being generated uses
-		// DiffIDs, any caller of GetBlob is going to be asking for DiffIDs of
-		// layers not their _actual_ digest. The result is that copy/... will
-		// be verifying a "digest" which is not the actual layer's digest (but
-		// is instead the DiffID).
-
-		uncompressedStream, _, err := compression.AutoDecompress(underlyingStream)
-		if err != nil {
-			return nil, 0, errors.Wrapf(err, "Error auto-decompressing blob %s", info.Digest)
-		}
-
-		newStream := uncompressedReadCloser{
-			Reader:             uncompressedStream,
-			underlyingCloser:   underlyingStream.Close,
-			uncompressedCloser: uncompressedStream.Close,
-		}
-		closeUnderlyingStream = false
-
-		return newStream, li.size, nil
-	}
-
-	return nil, 0, errors.Errorf("Unknown blob %s", info.Digest)
-}
-
-// GetSignatures returns the image's signatures.  It may use a remote (= slow) service.
-// This source implementation does not support manifest lists, so the passed-in instanceDigest should always be nil,
-// as there can be no secondary manifests.
-func (s *S3FileSource) GetSignatures(ctx context.Context, instanceDigest *digest.Digest) ([][]byte, error) {
-	if instanceDigest != nil {
-		// How did we even get here? GetManifest(ctx, nil) has returned a manifest.DockerV2Schema2MediaType.
-		return nil, errors.Errorf(`Manifest lists are not supported by "docker-daemon:"`)
-	}
-	return [][]byte{}, nil
-}
-
-// LayerInfosForCopy returns either nil (meaning the values in the manifest are fine), or updated values for the layer
-// blobsums that are listed in the image's manifest.  If values are returned, they should be used when using GetBlob()
-// to read the image's layers.
-// This source implementation does not support manifest lists, so the passed-in instanceDigest should always be nil,
-// as the primary manifest can not be a list, so there can be no secondary manifests.
-// The Digest field is guaranteed to be provided; Size may be -1.
-// WARNING: The list may contain duplicates, and they are semantically relevant.
-func (s *S3FileSource) LayerInfosForCopy(context.Context, *digest.Digest) ([]types.BlobInfo, error) {
-	return nil, nil
-}

package/lambda-src/internal/tarfile/types.go

@@ -1,31 +0,0 @@
-// Taken from https://github.com/containers/image
-// Modifications Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-
-package tarfile
-
-import (
-	"github.com/containers/image/v5/manifest"
-	"github.com/opencontainers/go-digest"
-)
-
-// Various data structures.
-
-// Based on github.com/docker/docker/image/tarexport/tarexport.go
-const (
-	manifestFileName           = "manifest.json"
-	legacyLayerFileName        = "layer.tar"
-	legacyConfigFileName       = "json"
-	legacyVersionFileName      = "VERSION"
-	legacyRepositoriesFileName = "repositories"
-)
-
-// ManifestItem is an element of the array stored in the top-level manifest.json file.
-type ManifestItem struct { // NOTE: This is visible as docker/tarfile.ManifestItem, and a part of the stable API.
-	Config       string
-	RepoTags     []string
-	Layers       []string
-	Parent       imageID                                      `json:",omitempty"`
-	LayerSources map[digest.Digest]manifest.Schema2Descriptor `json:",omitempty"`
-}
-
-type imageID string

package/lambda-src/main.go

@@ -1,176 +0,0 @@
-// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"log"
-	"os"
-
-	"github.com/containers/image/v5/copy"
-	"github.com/containers/image/v5/signature"
-	"github.com/containers/image/v5/transports/alltransports"
-	"github.com/sirupsen/logrus"
-
-	"github.com/aws/aws-lambda-go/cfn"
-	"github.com/aws/aws-lambda-go/lambda"
-
-	_ "cdk-ecr-deployment-handler/s3" // Install s3 transport plugin
-)
-
-const EnvLogLevel = "LOG_LEVEL"
-
-func init() {
-	s, exists := os.LookupEnv(EnvLogLevel)
-	if !exists {
-		logrus.SetLevel(logrus.InfoLevel)
-	} else {
-		lvl, err := logrus.ParseLevel(s)
-		if err != nil {
-			logrus.Errorf("error parsing %s: %v", EnvLogLevel, err)
-		}
-		logrus.SetLevel(lvl)
-	}
-}
-
-func handler(ctx context.Context, event cfn.Event) (physicalResourceID string, data map[string]interface{}, err error) {
-	physicalResourceID = event.PhysicalResourceID
-	data = make(map[string]interface{})
-
-	log.Printf("Event: %s", Dumps(event))
-
-	if event.RequestType == cfn.RequestDelete {
-		return physicalResourceID, data, nil
-	}
-	if event.RequestType == cfn.RequestCreate || event.RequestType == cfn.RequestUpdate {
-		srcImage, err := getStrProps(event.ResourceProperties, SRC_IMAGE)
-		if err != nil {
-			return physicalResourceID, data, err
-		}
-		destImage, err := getStrProps(event.ResourceProperties, DEST_IMAGE)
-		if err != nil {
-			return physicalResourceID, data, err
-		}
-		imageArch, err := getStrPropsDefault(event.ResourceProperties, IMAGE_ARCH, "")
-		if err != nil {
-			return physicalResourceID, data, err
-		}
-		srcCreds, err := getStrPropsDefault(event.ResourceProperties, SRC_CREDS, "")
-		if err != nil {
-			return physicalResourceID, data, err
-		}
-		destCreds, err := getStrPropsDefault(event.ResourceProperties, DEST_CREDS, "")
-		if err != nil {
-			return physicalResourceID, data, err
-		}
-
-		srcCreds, err = parseCreds(srcCreds)
-		if err != nil {
-			return physicalResourceID, data, err
-		}
-		destCreds, err = parseCreds(destCreds)
-		if err != nil {
-			return physicalResourceID, data, err
-		}
-
-		log.Printf("SrcImage: %v DestImage: %v ImageArch: %v", srcImage, destImage, imageArch)
-
-		srcRef, err := alltransports.ParseImageName(srcImage)
-		if err != nil {
-			return physicalResourceID, data, err
-		}
-		destRef, err := alltransports.ParseImageName(destImage)
-		if err != nil {
-			return physicalResourceID, data, err
-		}
-
-		srcOpts := NewImageOpts(srcImage, imageArch)
-		srcOpts.SetCreds(srcCreds)
-		srcCtx, err := srcOpts.NewSystemContext()
-		if err != nil {
-			return physicalResourceID, data, err
-		}
-		destOpts := NewImageOpts(destImage, imageArch)
-		destOpts.SetCreds(destCreds)
-		destCtx, err := destOpts.NewSystemContext()
-		if err != nil {
-			return physicalResourceID, data, err
-		}
-
-		ctx, cancel := newTimeoutContext()
-		defer cancel()
-		policyContext, err := newPolicyContext()
-		if err != nil {
-			return physicalResourceID, data, err
-		}
-		defer policyContext.Destroy()
-
-		_, err = copy.Image(ctx, policyContext, destRef, srcRef, &copy.Options{
-			ReportWriter:   os.Stdout,
-			DestinationCtx: destCtx,
-			SourceCtx:      srcCtx,
-		})
-		if err != nil {
-			// log.Printf("Copy image failed: %v", err.Error())
-			// return physicalResourceID, data, nil
-			return physicalResourceID, data, fmt.Errorf("copy image failed: %s", err.Error())
-		}
-	}
-
-	return physicalResourceID, data, nil
-}
-
-func main() {
-	lambda.Start(cfn.LambdaWrap(handler))
-}
-
-func newTimeoutContext() (context.Context, context.CancelFunc) {
-	ctx := context.Background()
-	var cancel context.CancelFunc = func() {}
-	return ctx, cancel
-}
-
-func newPolicyContext() (*signature.PolicyContext, error) {
-	policy := &signature.Policy{Default: []signature.PolicyRequirement{signature.NewPRInsecureAcceptAnything()}}
-	return signature.NewPolicyContext(policy)
-}
-
-func getStrProps(m map[string]interface{}, k string) (string, error) {
-	v := m[k]
-	val, ok := v.(string)
-	if ok {
-		return val, nil
-	}
-	return "", fmt.Errorf("can't get %v", k)
-}
-
-func getStrPropsDefault(m map[string]interface{}, k string, d string) (string, error) {
-	v := m[k]
-	if v == nil {
-		return d, nil
-	}
-	val, ok := v.(string)
-	if ok {
-		return val, nil
-	}
-	return "", fmt.Errorf("can't get %v", k)
-}
-
-func parseCreds(creds string) (string, error) {
-	credsType := GetCredsType(creds)
-	if creds == "" {
-		return "", nil
-	} else if (credsType == SECRET_ARN) || (credsType == SECRET_NAME) {
-		secret, err := GetSecret(creds)
-		if err != nil && len(secret) > 0 && json.Valid([]byte(secret)) {
-			secret, err = ParseJsonSecret(secret)
-		}
-		return secret, err
-	} else if credsType == SECRET_TEXT {
-		return creds, nil
-	}
-	return "", fmt.Errorf("unkown creds type")
-}

package/lambda-src/main_test.go

@@ -1,64 +0,0 @@
-// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package main
-
-import (
-	"log"
-	"os"
-	"testing"
-
-	"github.com/containers/image/v5/copy"
-	"github.com/containers/image/v5/transports/alltransports"
-	"github.com/stretchr/testify/assert"
-
-	_ "cdk-ecr-deployment-handler/s3"
-)
-
-func TestMain(t *testing.T) {
-	t.Skip()
-
-	// reference format: s3://bucket/key[:docker-reference]
-	// valid examples:
-	// s3://bucket/key:nginx:latest
-	// s3://bucket/key:@0
-
-	srcImage := "s3://cdk-ecr-deployment/nginx.tar:nginx:latest"
-	destImage := "dir:/tmp/nginx.dir"
-
-	log.Printf("SrcImage: %v DestImage: %v", srcImage, destImage)
-
-	srcRef, err := alltransports.ParseImageName(srcImage)
-	assert.NoError(t, err)
-	destRef, err := alltransports.ParseImageName(destImage)
-	assert.NoError(t, err)
-
-	srcOpts := NewImageOpts(srcImage, "")
-	srcCtx, err := srcOpts.NewSystemContext()
-	assert.NoError(t, err)
-	destOpts := NewImageOpts(destImage, "")
-	destCtx, err := destOpts.NewSystemContext()
-	assert.NoError(t, err)
-
-	ctx, cancel := newTimeoutContext()
-	defer cancel()
-	policyContext, err := newPolicyContext()
-	assert.NoError(t, err)
-	defer policyContext.Destroy()
-
-	_, err = copy.Image(ctx, policyContext, destRef, srcRef, &copy.Options{
-		ReportWriter:   os.Stdout,
-		DestinationCtx: destCtx,
-		SourceCtx:      srcCtx,
-	})
-	assert.NoError(t, err)
-}
-
-func TestNewImageOpts(t *testing.T) {
-	srcOpts := NewImageOpts("s3://cdk-ecr-deployment/nginx.tar:nginx:latest", "arm64")
-	_, err := srcOpts.NewSystemContext()
-	assert.NoError(t, err)
-	destOpts := NewImageOpts("dir:/tmp/nginx.dir", "arm64")
-	_, err = destOpts.NewSystemContext()
-	assert.NoError(t, err)
-}

package/lambda-src/s3/src.go

@@ -1,40 +0,0 @@
-// Taken from https://github.com/containers/image
-// Modifications Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-
-package s3
-
-import (
-	"cdk-ecr-deployment-handler/internal/tarfile"
-	"context"
-
-	"github.com/aws/aws-sdk-go-v2/config"
-	"github.com/containers/image/v5/types"
-)
-
-type s3ArchiveImageSource struct {
-	*tarfile.S3FileSource
-	ref *s3ArchiveReference
-}
-
-func (s *s3ArchiveImageSource) Reference() types.ImageReference {
-	return s.ref
-}
-
-func newImageSource(ctx context.Context, sys *types.SystemContext, ref *s3ArchiveReference) (types.ImageSource, error) {
-	cfg, err := config.LoadDefaultConfig(context.TODO())
-	if err != nil {
-		return nil, err
-	}
-	f, err := tarfile.NewS3File(cfg, *ref.s3uri)
-	if err != nil {
-		return nil, err
-	}
-	reader, err := tarfile.NewS3FileReader(f)
-	if err != nil {
-		return nil, err
-	}
-	return &s3ArchiveImageSource{
-		S3FileSource: tarfile.NewSource(reader, false, ref.ref, ref.sourceIndex),
-		ref:          ref,
-	}, nil
-}