add {generate,play} kube

Add the `podman generate kube` and `podman play kube` command.  The code
has largely been copied from Podman v1 but restructured to not leak the
K8s core API into the (remote) client.

Both commands are added in the same commit to allow for enabling the
tests at the same time.

Move some exports from `cmd/podman/common` to the appropriate places in
the backend to avoid circular dependencies.

Move definitions of label annotations to `libpod/define` and set the
security-opt labels in the frontend to make kube tests pass.

Implement rest endpoints, bindings and the tunnel interface.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

2 files changed, 127 insertions, 0 deletions

diff --git a/cmd/podman/play/kube.go b/cmd/podman/play/kube.go
new file mode 100644
index 000000000..2499b54b9
--- /dev/null
+++ b/cmd/podman/play/kube.go
@@ -0,0 +1,101 @@
+package pods
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/containers/common/pkg/auth"
+	"github.com/containers/image/v5/types"
+	"github.com/containers/libpod/cmd/podman/registry"
+	"github.com/containers/libpod/cmd/podman/utils"
+	"github.com/containers/libpod/pkg/domain/entities"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+// playKubeOptionsWrapper allows for separating CLI-only fields from API-only
+// fields.
+type playKubeOptionsWrapper struct {
+	entities.PlayKubeOptions
+
+	TLSVerifyCLI bool
+}
+
+var (
+	// https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
+	defaultSeccompRoot = "/var/lib/kubelet/seccomp"
+	kubeOptions        = playKubeOptionsWrapper{}
+	kubeDescription    = `Command reads in a structured file of Kubernetes YAML.
+
+  It creates the pod and containers described in the YAML.  The containers within the pod are then started and the ID of the new Pod is output.`
+
+	kubeCmd = &cobra.Command{
+		Use:   "kube [flags] KUBEFILE",
+		Short: "Play a pod based on Kubernetes YAML.",
+		Long:  kubeDescription,
+		RunE:  kube,
+		Args:  cobra.ExactArgs(1),
+		Example: `podman play kube nginx.yml
+  podman play kube --creds user:password --seccomp-profile-root /custom/path apache.yml`,
+	}
+)
+
+func init() {
+	registry.Commands = append(registry.Commands, registry.CliCommand{
+		Mode:    []entities.EngineMode{entities.ABIMode, entities.TunnelMode},
+		Command: kubeCmd,
+		Parent:  playCmd,
+	})
+
+	flags := kubeCmd.Flags()
+	flags.SetNormalizeFunc(utils.AliasFlags)
+	flags.StringVar(&kubeOptions.Credentials, "creds", "", "`Credentials` (USERNAME:PASSWORD) to use for authenticating to a registry")
+	flags.StringVar(&kubeOptions.Network, "network", "", "Connect pod to CNI network(s)")
+	flags.BoolVarP(&kubeOptions.Quiet, "quiet", "q", false, "Suppress output information when pulling images")
+	if !registry.IsRemote() {
+		flags.StringVar(&kubeOptions.Authfile, "authfile", auth.GetDefaultAuthFile(), "Path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override")
+		flags.StringVar(&kubeOptions.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys")
+		flags.BoolVar(&kubeOptions.TLSVerifyCLI, "tls-verify", true, "Require HTTPS and verify certificates when contacting registries")
+		flags.StringVar(&kubeOptions.SignaturePolicy, "signature-policy", "", "`Pathname` of signature policy file (not usually used)")
+		flags.StringVar(&kubeOptions.SeccompProfileRoot, "seccomp-profile-root", defaultSeccompRoot, "Directory path for seccomp profiles")
+	}
+}
+
+func kube(cmd *cobra.Command, args []string) error {
+	// TLS verification in c/image is controlled via a `types.OptionalBool`
+	// which allows for distinguishing among set-true, set-false, unspecified
+	// which is important to implement a sane way of dealing with defaults of
+	// boolean CLI flags.
+	if cmd.Flags().Changed("tls-verify") {
+		kubeOptions.SkipTLSVerify = types.NewOptionalBool(!kubeOptions.TLSVerifyCLI)
+	}
+	if kubeOptions.Authfile != "" {
+		if _, err := os.Stat(kubeOptions.Authfile); err != nil {
+			return errors.Wrapf(err, "error getting authfile %s", kubeOptions.Authfile)
+		}
+	}
+
+	report, err := registry.ContainerEngine().PlayKube(registry.GetContext(), args[0], kubeOptions.PlayKubeOptions)
+	if err != nil {
+		return err
+	}
+
+	for _, l := range report.Logs {
+		fmt.Fprintf(os.Stderr, l)
+	}
+
+	fmt.Printf("Pod:\n%s\n", report.Pod)
+	switch len(report.Containers) {
+	case 0:
+		return nil
+	case 1:
+		fmt.Printf("Container:\n")
+	default:
+		fmt.Printf("Containers:\n")
+	}
+	for _, ctr := range report.Containers {
+		fmt.Println(ctr)
+	}
+
+	return nil
+}
diff --git a/cmd/podman/play/play.go b/cmd/podman/play/play.go
new file mode 100644
index 000000000..b151e5f5d
--- /dev/null
+++ b/cmd/podman/play/play.go
@@ -0,0 +1,26 @@
+package pods
+
+import (
+	"github.com/containers/libpod/cmd/podman/registry"
+	"github.com/containers/libpod/cmd/podman/validate"
+	"github.com/containers/libpod/pkg/domain/entities"
+	"github.com/spf13/cobra"
+)
+
+var (
+	// Command: podman _play_
+	playCmd = &cobra.Command{
+		Use:              "play",
+		Short:            "Play a pod and its containers from a structured file.",
+		Long:             "Play structured data (e.g., Kubernetes pod or service yaml) based on containers and pods.",
+		TraverseChildren: true,
+		RunE:             validate.SubCommandExists,
+	}
+)
+
+func init() {
+	registry.Commands = append(registry.Commands, registry.CliCommand{
+		Mode:    []entities.EngineMode{entities.ABIMode, entities.TunnelMode},
+		Command: playCmd,
+	})
+}