From d026ccf9a7c7d4ed5c47e1e5838a210dcdddb0e2 Mon Sep 17 00:00:00 2001
From: Ygal Blum <ygal.blum@gmail.com>
Date: Sun, 10 Dec 2023 15:57:30 +0200
Subject: [PATCH] Kube Play - pass arguments to build

Create a buildah SystemContext from the existing cli arguments
Pass the SystemContext to the build
Add system test

Signed-off-by: Ygal Blum <ygal.blum@gmail.com>
---
 cmd/podman/kube/play.go      |  8 +++++++
 pkg/domain/entities/play.go  |  2 ++
 pkg/domain/infra/abi/play.go |  1 +
 test/system/700-play.bats    | 44 ++++++++++++++++++++++++++++++++++++
 4 files changed, 55 insertions(+)

diff --git a/cmd/podman/kube/play.go b/cmd/podman/kube/play.go
index f2d2565c88..8c6aa6a788 100644
--- a/cmd/podman/kube/play.go
+++ b/cmd/podman/kube/play.go
@@ -12,6 +12,7 @@ import (
 	"strings"
 	"syscall"
 
+	buildahParse "github.com/containers/buildah/pkg/parse"
 	"github.com/containers/common/pkg/auth"
 	"github.com/containers/common/pkg/completion"
 	"github.com/containers/image/v5/types"
@@ -219,6 +220,13 @@ func play(cmd *cobra.Command, args []string) error {
 	}
 	if cmd.Flags().Changed("build") {
 		playOptions.Build = types.NewOptionalBool(playOptions.BuildCLI)
+		if playOptions.Build == types.OptionalBoolTrue {
+			systemContext, err := buildahParse.SystemContextFromOptions(cmd)
+			if err != nil {
+				return err
+			}
+			playOptions.SystemContext = systemContext
+		}
 	}
 	if cmd.Flags().Changed("authfile") {
 		if err := auth.CheckAuthFile(playOptions.Authfile); err != nil {
diff --git a/pkg/domain/entities/play.go b/pkg/domain/entities/play.go
index 579fe8b7d6..94d4247d89 100644
--- a/pkg/domain/entities/play.go
+++ b/pkg/domain/entities/play.go
@@ -75,6 +75,8 @@ type PlayKubeOptions struct {
 	PublishAllPorts bool
 	// Wait - indicates whether to return after having created the pods
 	Wait bool
+	// SystemContext - used when building the image
+	SystemContext *types.SystemContext
 }
 
 // PlayKubePod represents a single pod and associated containers created by play kube
diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
index 0263d43bee..610648d892 100644
--- a/pkg/domain/infra/abi/play.go
+++ b/pkg/domain/infra/abi/play.go
@@ -1025,6 +1025,7 @@ func (ic *ContainerEngine) getImageAndLabelInfo(ctx context.Context, cwd string,
 		}
 		buildOpts.Isolation = isolation
 		buildOpts.CommonBuildOpts = commonOpts
+		buildOpts.SystemContext = options.SystemContext
 		buildOpts.Output = container.Image
 		buildOpts.ContextDirectory = filepath.Dir(buildFile)
 		buildOpts.ReportWriter = writer
diff --git a/test/system/700-play.bats b/test/system/700-play.bats
index f5c8631ad5..c964aa25d6 100644
--- a/test/system/700-play.bats
+++ b/test/system/700-play.bats
@@ -5,6 +5,7 @@
 
 load helpers
 load helpers.network
+load helpers.registry
 
 # This is a long ugly way to clean up pods and remove the pause image
 function teardown() {
@@ -934,3 +935,46 @@ spec:
     run_podman pod rm -a
     run_podman rm -a
 }
+
+@test "podman play --build private registry" {
+    skip_if_remote "--build is not supported in context remote"
+
+    local registry=localhost:${PODMAN_LOGIN_REGISTRY_PORT}
+    local from_image=$registry/quadlet_image_test:$(random_string)
+    local authfile=$PODMAN_TMPDIR/authfile.json
+
+    mkdir -p $PODMAN_TMPDIR/userimage
+    cat > $PODMAN_TMPDIR/userimage/Containerfile << _EOF
+from $from_image
+USER bin
+_EOF
+
+    # Start the registry and populate the authfile that we can use for the test.
+    start_registry
+    run_podman login --authfile=$authfile \
+        --tls-verify=false \
+        --username ${PODMAN_LOGIN_USER} \
+        --password ${PODMAN_LOGIN_PASS} \
+        $registry
+
+    # Push the test image to the registry
+    run_podman image tag $IMAGE $from_image
+    run_podman image push --tls-verify=false --authfile=$authfile $from_image
+
+    # Remove the local image to make sure it will be pulled again
+    run_podman image rm --ignore $from_image
+
+    _write_test_yaml command=id image=userimage
+    run_podman 125 play kube --build --start=false $PODMAN_TMPDIR/test.yaml
+    assert "$output" "=~" \
+        "Error: short-name resolution enforced but cannot prompt without a TTY|Resolving \"userimage\" using unqualified-search registries" \
+        "The error message does match any of the expected ones"
+
+    run_podman play kube --replace --context-dir=$PODMAN_TMPDIR --tls-verify=false --authfile=$authfile --build --start=false $PODMAN_TMPDIR/test.yaml
+    run_podman inspect --format "{{ .Config.User }}" test_pod-test
+    is "$output" bin "expect container within pod to run as the bin user"
+
+    run_podman stop -a -t 0
+    run_podman pod rm -t 0 -f test_pod
+    run_podman rmi -f userimage:latest $from_image
+}