Windows: Add CredentialSpec

Signed-off-by: John Howard <jhoward@microsoft.com>

config-windows.md

@@ -94,3 +94,14 @@ The following parameters can be specified:
         }
    }
 ```
+
+## <a name="configWindowsCredentialSpec" />Credential Spec
+
+You can configure a container's group Managed Service Account (gMSA) via the OPTIONAL `credentialspec` field of the Windows configuration.
+The `credentialspec` is a JSON object whose properties are implementation-defined.
+For more information about gMSAs, see [Active Directory Service Accounts for Windows Containers][gMSAOverview].
+For more information about tooling to generate a gMSA, see [Deployment Overview][gMSATooling].
+
+
+[gMSAOverview]: https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts
+[gMSATooling]: https://github.com/Microsoft/Virtualization-Documentation/tree/live/windows-server-container-tools/ServiceAccounts

schema/config-windows.json

@@ -65,6 +65,10 @@
                         }
                     }
                 }
+            },
+            "credentialspec": {
+                "id": "https://opencontainers.org/schema/bundle/windows/credentialspec",
+                "type": "object"
             }
         }
     }

specs-go/config.go

@@ -432,6 +432,8 @@ type SolarisAnet struct {
 type Windows struct {
 	// Resources contains information for handling resource constraints for the container.
 	Resources *WindowsResources `json:"resources,omitempty"`
+	// CredentialSpec contains a JSON object describing a group Managed Service Account (gMSA) specification.
+	CredentialSpec interface{} `json:"credentialspec,omitempty"`
 }
 
 // WindowsResources has container runtime resource constraints for containers running on Windows.