Add nerdctl image (encrypt|decrypt) SRC DST #484

Merged
merged 4 commits into from
Nov 2, 2021


AkihiroSuda

@AkihiroSuda AkihiroSuda commented Nov 1, 2021

nerdctl run has been supporting decryption, but we didn't have the command to encrypt images.

This will probably be beneficial for IPFS (#465)

Encrypt:

```bash
openssl genrsa -out mykey.pem
openssl rsa -in mykey.pem -pubout -out mypubkey.pem
nerdctl image encrypt --recipient=jwe:mypubkey.pem --platform=linux/amd64,linux/arm64 foo example.com/foo:encrypted
nerdctl push example.com/foo:encrypted
```

Decrypt:

```bash
nerdctl pull --unpack=false example.com/foo:encrypted
nerdctl decrypt --key=mykey.pem example.com/foo:encrypted foo:decrypted
```

See also docs/ocicrypt.md

nerdctl image encrypt

```console
$ nerdctl image encrypt --help
Encrypt image layers.

Use '--recipient' to specify the recipients.
The following protocol prefixes are supported:
- pgp:<email-address>
- jwe:<public-key-file-path>
- pkcs7:<x509-file-path>

Use '--platform' to define the platforms to encrypt. Defaults to the host platform.
When '--all-platforms' is given all images in a manifest list must be available.
Unspecified platforms are omitted from the output image.

Example:
  openssl genrsa -out mykey.pem
  openssl rsa -in mykey.pem -pubout -out mypubkey.pem
  nerdctl image encrypt --recipient=jwe:mypubkey.pem --platform=linux/amd64,linux/arm64 foo example.com/foo:encrypted
  nerdctl push example.com/foo:encrypted

To run the encrypted image, put the private key file (mykey.pem) to /etc/containerd/ocicrypt/keys (rootful) or ~/.config/containerd/ocicrypt/keys (rootless).
containerd before v1.4 requires extra configuration steps, see https://github.com/containerd/nerdctl/blob/master/docs/ocicrypt.md

CAUTION: This command only encrypt image layers, but does NOT encrypt container config information such as 'Env' and 'Cmd'.
To see non-encrypted information, run 'nerdctl image inspect --mode=native --platform=PLATFORM example.com/foo:encrypted' .

Usage:
  nerdctl image encrypt [flags] <source_ref> <target_ref>...

Flags:
      --all-platforms           Convert content for all platforms
      --dec-recipient strings   Recipient of the image; used only for PKCS7 and must be an x509 certificate
      --gpg-homedir string      The GPG homedir to use; by default gpg uses ~/.gnupg
      --gpg-version string      The GPG version ("v1" or "v2"), default will make an educated guess
  -h, --help                    help for encrypt
      --key strings             A secret key's filename and an optional password separated by colon; this option may be provided multiple times
      --platform strings        Convert content for a specific platform
      --recipient strings       Recipient of the image is the person who can decrypt it in the form specified above (i.e. jwe:/path/to/pubkey)

Global Flags:
...
```

nerdctl image decrypt

```console
$ nerdctl image decrypt --help
Decrypt an image locally.

Use '--key' to specify the private keys.
Private keys in PEM format may be encrypted and the password may be passed
along in any of the following formats:
- <filename>:<password>
- <filename>:pass=<password>
- <filename>:fd=<file descriptor> (not available for rootless mode)
- <filename>:filename=<password file>

Use '--platform' to define the platforms to decrypt. Defaults to the host platform.
When '--all-platforms' is given all images in a manifest list must be available.
Unspecified platforms are omitted from the output image.

Example (encrypt):
  openssl genrsa -out mykey.pem
  openssl rsa -in mykey.pem -pubout -out mypubkey.pem
  nerdctl image encrypt --recipient=jwe:mypubkey.pem --platform=linux/amd64,linux/arm64 foo example.com/foo:encrypted
  nerdctl push example.com/foo:encrypted

Example (decrypt):
  nerdctl pull --unpack=false example.com/foo:encrypted
  nerdctl decrypt --key=mykey.pem example.com/foo:encrypted foo:decrypted

Usage:
  nerdctl image decrypt [flags] <source_ref> <target_ref>...

Flags:
      --all-platforms           Convert content for all platforms
      --dec-recipient strings   Recipient of the image; used only for PKCS7 and must be an x509 certificate
      --gpg-homedir string      The GPG homedir to use; by default gpg uses ~/.gnupg
      --gpg-version string      The GPG version ("v1" or "v2"), default will make an educated guess
  -h, --help                    help for decrypt
      --key strings             A secret key's filename and an optional password separated by colon; this option may be provided multiple times
      --platform strings        Convert content for a specific platform

Global Flags:
...
```
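An added example, not part of this PR or of nerdctl: a Python check over a constructed OCI image manifest that reports which layers carry ocicrypt's `+encrypted` media-type suffix plus a recipient annotation for one of the jwe/pgp/pkcs7 protocols, and confirms that the config blob (Env, Cmd) remains in cleartext, which is the caveat the CAUTION in the help text warns about. The manifest and its digests are constructed sample data; the annotation keys are the ones ocicrypt uses.

```python
import json

# ocicrypt marks an encrypted layer with a "+encrypted" media-type suffix and
# stores the wrapped layer key under one annotation per recipient protocol.
ENC_SUFFIX = "+encrypted"
KEY_ANNOTATIONS = {
    "jwe": "org.opencontainers.image.enc.keys.jwe",
    "pgp": "org.opencontainers.image.enc.keys.pgp",
    "pkcs7": "org.opencontainers.image.enc.keys.pkcs7",
}

# Constructed sample: one layer encrypted for a JWE recipient, one layer left
# in cleartext, and the image config, which ocicrypt never encrypts.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "11" * 32, "size": 1234},
    "layers": [
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
         "digest": "sha256:" + "22" * 32, "size": 5678,
         "annotations": {"org.opencontainers.image.enc.keys.jwe": "<constructed-jwe-blob>",
                         "org.opencontainers.image.enc.pubopts": "<constructed-pubopts>"}},
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
         "digest": "sha256:" + "33" * 32, "size": 910},
    ],
})


def audit_manifest(manifest_json: str) -> dict:
    """Classify each layer as encrypted, cleartext, or malformed, and note the config state."""
    manifest = json.loads(manifest_json)
    report = {"encrypted": [], "cleartext": [], "malformed": [], "protocols": set()}
    for layer in manifest.get("layers", []):
        annotations = layer.get("annotations", {})
        protocols = {name for name, key in KEY_ANNOTATIONS.items() if key in annotations}
        if layer["mediaType"].endswith(ENC_SUFFIX):
            # Suffix without any recipient key: nobody can decrypt it, so flag it.
            bucket = "encrypted" if protocols else "malformed"
            report["protocols"] |= protocols
        else:
            bucket = "cleartext"
        report[bucket].append(layer["digest"])
    # The config descriptor never gets the suffix: Env, Cmd, etc. stay readable.
    report["config_plaintext"] = not manifest["config"]["mediaType"].endswith(ENC_SUFFIX)
    return report


def all_layers_encrypted(manifest_json: str) -> bool:
    """True only when every layer is encrypted and decryptable; config is excluded by design."""
    r = audit_manifest(manifest_json)
    return bool(r["encrypted"]) and not r["cleartext"] and not r["malformed"]
```

Run it against a manifest obtained with `nerdctl image inspect --mode=native` to confirm that every platform's layers were actually converted before the image is pushed.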

@AkihiroSuda AkihiroSuda added this to the v0.13.0 milestone Nov 1, 2021
@AkihiroSuda

I'd like to have this in v0.13, but can be postponed to v0.14.

@AkihiroSuda AkihiroSuda force-pushed the imgcrypt branch 2 times, most recently from 3aa522f to adc7160 Compare November 1, 2021 11:30

@lumjjb lumjjb left a comment


This looks awesome! LGTM with Stefan's feedback

@AkihiroSuda AkihiroSuda force-pushed the imgcrypt branch 5 times, most recently from b7faabb to d7cc941 Compare November 2, 2021 01:24
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
…bility

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

@ktock ktock left a comment


LGTM (except typo)

@AkihiroSuda AkihiroSuda force-pushed the imgcrypt branch 2 times, most recently from f0d6e37 to 27dd90a Compare November 2, 2021 02:06
Encrypt:
  openssl genrsa -out mykey.pem
  openssl rsa -in mykey.pem -pubout -out mypubkey.pem
  nerdctl image encrypt --recipient=jwe:mypubkey.pem --platform=linux/amd64,linux/arm64 foo example.com/foo:encrypted
  nerdctl push example.com/foo:encrypted

Decrypt:
  nerdctl pull --unpack=false example.com/foo:encrypted
  nerdctl decrypt --key=mykey.pem example.com/foo:encrypted foo:decrypted

See also ./docs/ocicrypt.md

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>