From 5a9490a8e64200da21f1720f9efc341febbf7fa3 Mon Sep 17 00:00:00 2001
From: John Howard
Date: Fri, 12 May 2017 14:33:31 -0700
Subject: [PATCH] Windows: Add CredentialSpec
Signed-off-by: John Howard
---
 config-windows.md | 11 +++++++++++
 schema/config-windows.json | 4 ++++
 specs-go/config.go | 2 ++
 3 files changed, 17 insertions(+)
diff --git a/config-windows.md b/config-windows.md
index 0f7e8fef1..761f2a79a 100644
--- a/config-windows.md
+++ b/config-windows.md
@@ -94,3 +94,14 @@ The following parameters can be specified:
 }
 }
 ```
+
+## Credential Spec
+
+You can configure a container's group Managed Service Account (gMSA) via the OPTIONAL `credentialspec` field of the Windows configuration.
+The `credentialspec` is a JSON object whose properties are implementation-defined.
+For more information about gMSAs, see [Active Directory Service Accounts for Windows Containers][gMSAOverview].
+For more information about tooling to generate a gMSA, see [Deployment Overview][gMSATooling].
+
+
+[gMSAOverview]: https://aka.ms/windowscontainers/manage-serviceaccounts
+[gMSATooling]: https://aka.ms/windowscontainers/credentialspec-tools
\ No newline at end of file
diff --git a/schema/config-windows.json b/schema/config-windows.json
index 6d3f223bf..5ecd6dbd6 100644
--- a/schema/config-windows.json
+++ b/schema/config-windows.json
@@ -65,6 +65,10 @@
 }
 }
 }
+ },
+ "credentialspec": {
+ "id": "https://opencontainers.org/schema/bundle/windows/credentialspec",
+ "type": "object"
 }
 }
 }
diff --git a/specs-go/config.go b/specs-go/config.go
index f2016b04b..b9093b0d8 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -432,6 +432,8 @@ type SolarisAnet struct {
 type Windows struct {
 // Resources contains information for handling resource constraints for the container.
 Resources *WindowsResources `json:"resources,omitempty"`
+ // CredentialSpec contains a JSON object describing a group Managed Service Account (gMSA) specification.
+ CredentialSpec interface{} `json:"credentialspec,omitempty"`
 }
 
 // WindowsResources has container runtime resource constraints for containers running on Windows.
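Review bot: The new `CredentialSpec interface{}` field in the `Windows` struct unmarshals any JSON value (string, number, array, null), while schema/config-windows.json in this same patch constrains `credentialspec` to `"type": "object"`. A bundle that is decoded through specs-go without schema validation therefore hands the runtime an unchecked value in the field that, per config-windows.md, configures the container's gMSA. Either narrow the field type to `map[string]interface{}` so a non-object fails at decode time, or keep `interface{}` and add a second comment line stating the contract: `// The value is implementation-defined; consumers must confirm it is a JSON object and validate its contents before use.`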