Windows: Add CredentialSpec

John Howard · John Howard · commit 93a4dce45a85 · 2017-05-12T20:46:51.000-07:00
Signed-off-by: John Howard &lt;jhoward@microsoft.com&gt;
diff --git a/config-windows.md b/config-windows.md
@@ -94,3 +94,42 @@ The following parameters can be specified:
         }
    }
 ```
+
+## <a name="configWindowsCredentialSpec" />Credential Spec
+
+You can configure a container's group Managed Service Accounts (gMSAs) via the OPTIONAL `credentialspec` field of the Windows configuration. For more information about gMSAs, see [Active Directory Service Accounts for Windows Containers][gMSAOverview]. For more information about tooling to generate a gMSA, see [Deployment Overview][gMSATooling]. The `credentialspec` MUST be a string containing an escaped JSON object.
+
+
+### Example
+
+```json
+    "windows": {
+        "credentialspec": "{
+            \"CmsPlugins\":  [ \"ActiveDirectory\" ],
+            \"DomainJoinConfig\":  {
+                \"Sid\":  \"S-1-5-21-4288985-3632099173-1864715694\",
+                \"MachineAccountName\":  \"MusicStoreAcct\",
+                \"Guid\":  \"3705d4c3-0b80-42a9-ad97-ebc1801c74b9\",
+                \"DnsTreeName\":  \"hyperv.local\",
+                \"DnsName\":  \"hyperv.local\",
+                \"NetBiosName\":  \"hyperv\"
+            },
+            \"ActiveDirectoryConfig\":  {
+                \"GroupManagedServiceAccounts\": [
+                    {
+                        \"Name\":  \"MusicStoreAcct\",
+                        \"Scope\":  \"hyperv.local\"
+                    },
+                    {
+                        \"Name\":  \"MusicStoreAcct\",
+                        \"Scope\":  \"hyperv\"
+                    }
+                ]
+            }
+        }"
+    }
+```
+
+
+[gMSAOverview]: https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts
+[gMSATooling]: https://github.com/Microsoft/Virtualization-Documentation/tree/live/windows-server-container-tools/ServiceAccounts
diff --git a/schema/config-windows.json b/schema/config-windows.json
@@ -65,7 +65,12 @@
                         }
                     }
                 }
+            },
+            "credentialspec": {
+				"id": "https://opencontainers.org/schema/bundle/windows/credentialspec",
+				"type": "string"
             }
+
         }
     }
 }
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -432,6 +432,8 @@ type SolarisAnet struct {
 type Windows struct {
 	// Resources contains information for handling resource constraints for the container.
 	Resources *WindowsResources `json:"resources,omitempty"`
+	// CredentialSpec contain an optional opaque escaped JSON object describing a group Managed Service Accounts (gMSA) specification.
+	CredentialSpec string `json:"credentialspec,omitempty"`
 }
 
 // WindowsResources has container runtime resource constraints for containers running on Windows.

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,12 @@`
`65`	`65`	`}`
`66`	`66`	`}`
`67`	`67`	`}`
	`68`	`+ },`
	`69`	`+ "credentialspec": {`
	`70`	`+ "id": "https://opencontainers.org/schema/bundle/windows/credentialspec",`
	`71`	`+ "type": "string"`
`68`	`72`	`}`
	`73`	`+`
`69`	`74`	`}`
`70`	`75`	`}`
`71`	`76`	`}`
Original file line number	Diff line number	Diff line change
`@@ -432,6 +432,8 @@ type SolarisAnet struct {`
`432`	`432`	`type Windows struct {`
`433`	`433`	`// Resources contains information for handling resource constraints for the container.`
`434`	`434`	Resources *WindowsResources `json:"resources,omitempty"`
	`435`	`+ // CredentialSpec contain an optional opaque escaped JSON object describing a group Managed Service Accounts (gMSA) specification.`
	`436`	+ CredentialSpec string `json:"credentialspec,omitempty"`
`435`	`437`	`}`
`436`	`438`
`437`	`439`	`// WindowsResources has container runtime resource constraints for containers running on Windows.`