8 files changed, 126 insertions, 5 deletions
diff --git a/pkg/domain/entities/containers.go b/pkg/domain/entities/containers.go
index 4707ced85..eacc14d50 100644
--- a/pkg/domain/entities/containers.go
+++ b/pkg/domain/entities/containers.go
@@ -265,6 +265,7 @@ type ContainerExistsOptions struct {
 // ContainerStartOptions describes the val from the
 // CLI needed to start a container
 type ContainerStartOptions struct {
+	Filters     map[string][]string
 	All         bool
 	Attach      bool
 	DetachKeys  string
diff --git a/pkg/domain/filters/containers.go b/pkg/domain/filters/containers.go
index 9ac72e415..965a12468 100644
--- a/pkg/domain/filters/containers.go
+++ b/pkg/domain/filters/containers.go
@@ -1,6 +1,7 @@
 package filters
 
 import (
+	"fmt"
 	"strconv"
 	"strings"
 	"time"
@@ -226,6 +227,32 @@ func GenerateContainerFilterFuncs(filter string, filterValues []string, r *libpo
 			}
 			return false
 		}, nil
+	case "restart-policy":
+		invalidPolicyNames := []string{}
+		for _, policy := range filterValues {
+			if _, ok := define.RestartPolicyMap[policy]; !ok {
+				invalidPolicyNames = append(invalidPolicyNames, policy)
+			}
+		}
+		var filterValueError error = nil
+		if len(invalidPolicyNames) > 0 {
+			errPrefix := "invalid restart policy"
+			if len(invalidPolicyNames) > 1 {
+				errPrefix = "invalid restart policies"
+			}
+			filterValueError = fmt.Errorf("%s %s", strings.Join(invalidPolicyNames, ", "), errPrefix)
+		}
+		return func(c *libpod.Container) bool {
+			for _, policy := range filterValues {
+				if policy == "none" && c.RestartPolicy() == define.RestartPolicyNone {
+					return true
+				}
+				if c.RestartPolicy() == policy {
+					return true
+				}
+			}
+			return false
+		}, filterValueError
 	}
 	return nil, errors.Errorf("%s is an invalid filter", filter)
 }
diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go
index ef3ccab0c..d0a2b1bae 100644
--- a/pkg/domain/infra/abi/containers.go
+++ b/pkg/domain/infra/abi/containers.go
@@ -694,7 +694,33 @@ func (ic *ContainerEngine) ContainerExecDetached(ctx context.Context, nameOrID s
 func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []string, options entities.ContainerStartOptions) ([]*entities.ContainerStartReport, error) {
 	reports := []*entities.ContainerStartReport{}
 	var exitCode = define.ExecErrorCodeGeneric
-	ctrs, rawInputs, err := getContainersAndInputByContext(options.All, options.Latest, namesOrIds, ic.Libpod)
+	containersNamesOrIds := namesOrIds
+	if len(options.Filters) > 0 {
+		filterFuncs := make([]libpod.ContainerFilter, 0, len(options.Filters))
+		if len(options.Filters) > 0 {
+			for k, v := range options.Filters {
+				generatedFunc, err := dfilters.GenerateContainerFilterFuncs(k, v, ic.Libpod)
+				if err != nil {
+					return nil, err
+				}
+				filterFuncs = append(filterFuncs, generatedFunc)
+			}
+		}
+		candidates, err := ic.Libpod.GetContainers(filterFuncs...)
+		if err != nil {
+			return nil, err
+		}
+		containersNamesOrIds = []string{}
+		for _, candidate := range candidates {
+			for _, nameOrID := range namesOrIds {
+				if nameOrID == candidate.ID() || nameOrID == candidate.Name() {
+					containersNamesOrIds = append(containersNamesOrIds, nameOrID)
+				}
+			}
+		}
+	}
+
+	ctrs, rawInputs, err := getContainersAndInputByContext(options.All, options.Latest, containersNamesOrIds, ic.Libpod)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
index 64e7f208c..a94c5f5c5 100644
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -16,6 +16,7 @@ import (
 	"github.com/containers/image/v5/types"
 	"github.com/containers/podman/v3/libpod"
 	"github.com/containers/podman/v3/libpod/define"
+	"github.com/containers/podman/v3/pkg/autoupdate"
 	"github.com/containers/podman/v3/pkg/domain/entities"
 	"github.com/containers/podman/v3/pkg/specgen"
 	"github.com/containers/podman/v3/pkg/specgen/generate"
@@ -73,7 +74,7 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, path string, options en
 			podTemplateSpec.ObjectMeta = podYAML.ObjectMeta
 			podTemplateSpec.Spec = podYAML.Spec
 
-			r, err := ic.playKubePod(ctx, podTemplateSpec.ObjectMeta.Name, &podTemplateSpec, options, &ipIndex)
+			r, err := ic.playKubePod(ctx, podTemplateSpec.ObjectMeta.Name, &podTemplateSpec, options, &ipIndex, podYAML.Annotations)
 			if err != nil {
 				return nil, err
 			}
@@ -143,7 +144,7 @@ func (ic *ContainerEngine) playKubeDeployment(ctx context.Context, deploymentYAM
 	// create "replicas" number of pods
 	for i = 0; i < numReplicas; i++ {
 		podName := fmt.Sprintf("%s-pod-%d", deploymentName, i)
-		podReport, err := ic.playKubePod(ctx, podName, &podSpec, options, ipIndex)
+		podReport, err := ic.playKubePod(ctx, podName, &podSpec, options, ipIndex, deploymentYAML.Annotations)
 		if err != nil {
 			return nil, errors.Wrapf(err, "error encountered while bringing up pod %s", podName)
 		}
@@ -152,7 +153,7 @@ func (ic *ContainerEngine) playKubeDeployment(ctx context.Context, deploymentYAM
 	return &report, nil
 }
 
-func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podYAML *v1.PodTemplateSpec, options entities.PlayKubeOptions, ipIndex *int) (*entities.PlayKubeReport, error) {
+func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podYAML *v1.PodTemplateSpec, options entities.PlayKubeOptions, ipIndex *int, annotations map[string]string) (*entities.PlayKubeReport, error) {
 	var (
 		writer      io.Writer
 		playKubePod entities.PlayKubePod
@@ -265,6 +266,9 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 
 	containers := make([]*libpod.Container, 0, len(podYAML.Spec.Containers))
 	for _, container := range podYAML.Spec.Containers {
+		// Contains all labels obtained from kube
+		labels := make(map[string]string)
+
 		// NOTE: set the pull policy to "newer".  This will cover cases
 		// where the "latest" tag requires a pull and will also
 		// transparently handle "localhost/" prefixed files which *may*
@@ -292,6 +296,22 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 			return nil, err
 		}
 
+		// Handle kube annotations
+		for k, v := range annotations {
+			switch k {
+			// Auto update annotation without container name will apply to
+			// all containers within the pod
+			case autoupdate.Label, autoupdate.AuthfileLabel:
+				labels[k] = v
+			// Auto update annotation with container name will apply only
+			// to the specified container
+			case fmt.Sprintf("%s/%s", autoupdate.Label, container.Name),
+				fmt.Sprintf("%s/%s", autoupdate.AuthfileLabel, container.Name):
+				prefixAndCtr := strings.Split(k, "/")
+				labels[prefixAndCtr[0]] = v
+			}
+		}
+
 		specgenOpts := kube.CtrSpecGenOptions{
 			Container:      container,
 			Image:          pulledImages[0],
@@ -305,6 +325,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 			NetNSIsHost:    p.NetNS.IsHost(),
 			SecretsManager: secretsManager,
 			LogDriver:      options.LogDriver,
+			Labels:         labels,
 		}
 		specGen, err := kube.ToSpecGen(ctx, &specgenOpts)
 		if err != nil {
diff --git a/pkg/domain/infra/tunnel/containers.go b/pkg/domain/infra/tunnel/containers.go
index aa26825e0..3830835cc 100644
--- a/pkg/domain/infra/tunnel/containers.go
+++ b/pkg/domain/infra/tunnel/containers.go
@@ -506,7 +506,30 @@ func startAndAttach(ic *ContainerEngine, name string, detachKeys *string, input,
 func (ic *ContainerEngine) ContainerStart(ctx context.Context, namesOrIds []string, options entities.ContainerStartOptions) ([]*entities.ContainerStartReport, error) {
 	reports := []*entities.ContainerStartReport{}
 	var exitCode = define.ExecErrorCodeGeneric
-	ctrs, err := getContainersByContext(ic.ClientCtx, options.All, false, namesOrIds)
+	containersNamesOrIds := namesOrIds
+	if len(options.Filters) > 0 {
+		containersNamesOrIds = []string{}
+		opts := new(containers.ListOptions).WithFilters(options.Filters).WithAll(true)
+		candidates, listErr := containers.List(ic.ClientCtx, opts)
+		if listErr != nil {
+			return nil, listErr
+		}
+		for _, candidate := range candidates {
+			for _, nameOrID := range namesOrIds {
+				if nameOrID == candidate.ID {
+					containersNamesOrIds = append(containersNamesOrIds, nameOrID)
+					continue
+				}
+				for _, containerName := range candidate.Names {
+					if containerName == nameOrID {
+						containersNamesOrIds = append(containersNamesOrIds, nameOrID)
+						continue
+					}
+				}
+			}
+		}
+	}
+	ctrs, err := getContainersByContext(ic.ClientCtx, options.All, false, containersNamesOrIds)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
index 0090156c9..7682367b7 100644
--- a/pkg/specgen/generate/container_create.go
+++ b/pkg/specgen/generate/container_create.go
@@ -402,6 +402,11 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 	if len(s.Secrets) != 0 {
 		options = append(options, libpod.WithSecrets(s.Secrets))
 	}
+
+	if len(s.EnvSecrets) != 0 {
+		options = append(options, libpod.WithEnvSecrets(s.EnvSecrets))
+	}
+
 	if len(s.DependencyContainers) > 0 {
 		deps := make([]*libpod.Container, 0, len(s.DependencyContainers))
 		for _, ctr := range s.DependencyContainers {
diff --git a/pkg/specgen/generate/kube/kube.go b/pkg/specgen/generate/kube/kube.go
index 73c1c31ba..ccce3edba 100644
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@@ -100,6 +100,8 @@ type CtrSpecGenOptions struct {
 	SecretsManager *secrets.SecretsManager
 	// LogDriver which should be used for the container
 	LogDriver string
+	// Labels define key-value pairs of metadata
+	Labels map[string]string
 }
 
 func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGenerator, error) {
@@ -278,6 +280,19 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 		s.NetNS.NSMode = specgen.Host
 	}
 
+	// Add labels that come from kube
+	if len(s.Labels) == 0 {
+		// If there are no labels, let's use the map that comes
+		// from kube
+		s.Labels = opts.Labels
+	} else {
+		// If there are already labels in the map, append the ones
+		// obtained from kube
+		for k, v := range opts.Labels {
+			s.Labels[k] = v
+		}
+	}
+
 	return s, nil
 }
 
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index 5ef2b0653..2e01d1535 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -180,6 +180,9 @@ type ContainerBasicConfig struct {
 	// set tags as `json:"-"` for not supported remote
 	// Optional.
 	PidFile string `json:"-"`
+	// EnvSecrets are secrets that will be set as environment variables
+	// Optional.
+	EnvSecrets map[string]string `json:"secret_env,omitempty"`
 }
 
 // ContainerStorageConfig contains information on the storage configuration of a