Windows: Add CredentialSpec #814
Conversation
config-windows.md
Outdated
|
|
||
| ## <a name="configWindowsCredentialSpec" />Credential Spec | ||
|
|
||
| You can configure a container's group Managed Service Accounts (gMSAs) via the OPTIONAL `credentialspec` field of the Windows configuration. For more information about gMSAs, see [Active Directory Service Accounts for Windows Containers][gMSAOverview]. For more information about tooling to generate a gMSA, see [Deployment Overview][gMSATooling]. |
There was a problem hiding this comment.
Travis doesn't like the trailing whitespace here (or after "GroupManagedServiceAccounts": [ below).
config-windows.md
Outdated
|
|
||
| ```json | ||
| "windows": { | ||
| "credentialspec": { |
There was a problem hiding this comment.
This value is a JSON object. Your current docs don't have much to say on the value type (using the “credentialspec (object, OPTIONAL) …” pattern would help with this), but your current Go type has it listed as a string (which will break if you try to read in your example here).
There was a problem hiding this comment.
It's an opaque JSON blob passed as a string. I should have escaped the example and will shortly. The actual contents are very independent from the spec and implementation specific which is why I referred to the tooling to create such an example. I really don't believe the contents should be described in this spec.
lowenna
force-pushed
the
credentialspec
branch
2 times, most recently
from
a7b7359
to
93a4dce
Compare
|
Added matching change to schema\config-windows.json |
config-windows.md
Outdated
|
|
||
| ## <a name="configWindowsCredentialSpec" />Credential Spec | ||
|
|
||
| You can configure a container's group Managed Service Accounts (gMSAs) via the OPTIONAL `credentialspec` field of the Windows configuration. For more information about gMSAs, see [Active Directory Service Accounts for Windows Containers][gMSAOverview]. For more information about tooling to generate a gMSA, see [Deployment Overview][gMSATooling]. The `credentialspec` MUST be a string containing an escaped JSON object. |
There was a problem hiding this comment.
Instead of making this a string with serialized JSON, can you make it a JSON object, say the object properties are implementation-defined, and use an interface{} in the Go type? That should get you the same flexibility while still letting you (de)serialize in a single pass.
There was a problem hiding this comment.
Yes, I can change this to be interface{}. (Done). I'm not sure what this should be in schema\config-windows.json though if not type string? This is unique - no similar example exists in the spec to duplicate.
I have also updated the description in config-windows.md to indicate it's implementation-defined.
To be clear though - you are recommending to remove the example (even though technically accurate)? And what about the links? Should they stay (I think they should...)?
There was a problem hiding this comment.
I'm not sure what this should be in schema\config-windows.json though if not type string?
You can just declare it an object and leave it at that (backing RFC drafts here and here):
"credentialspec": {
"id": "https://opencontainers.org/schema/bundle/windows/credentialspec",
"type": "object"
}
To be clear though - you are recommending to remove the example (even though technically accurate)?
Ideally we'd link to the backing Windows docs (which are necessary to satisfy “implementation-defined”. Lacking that, I'm in favor of including as much information as we can as long as we're reasonably confident that it won't go stale during the useful lifetime of the next spec release. If you expect the links and example you have now to be current for the lifetime of the 1.0 runtime spec, I'm fine with them. If you expect they will go stale before runtime-spec 1.0 is archaic, I'd rather replace them with something generic enough to stay current.
There was a problem hiding this comment.
You can just declare it an object and leave it at that
Thanks. Done.
While I don't believe there's any reason that the example will be invalid (as it's already in a released Microsoft product that customers are using), on reflection, it probably is cleaner to remove the example and refer readers back to the source of knowledge, that being the Microsoft documentation. Update done and pushed.
For the links, @PatrickLang is going to arrange a couple of aka.ms redirects, and I'll update the PR with them once I have them.
lowenna
force-pushed
the
credentialspec
branch
4 times, most recently
from
c7365cb
to
1aad32c
Compare
Signed-off-by: John Howard <jhoward@microsoft.com>
|
Updated to |
|
LGTM |
|
LGTM |
|
LGTM |
Through f4d221c (Merge pull request opencontainers#880 from dqminh/wking-linux-only-capabilities-again, 2017-07-05). The rc6 release picked up an earlier version of these notes, and those entries are mostly unchanged except for: * The credentialSpec entry, which was opencontainers#814 for credentialspec and now also includes opencontainers#859 for credentialSpec. * The root(.path) Hyper-V entry, which was opencontainers#820 for root.path and now also includes opencontainers#838 for root. I also moved this into the "breaking changes" section, because rc5 Hyper-V configs required root to be set, and rc6 Hyper-V configs require it to not be set. Although whether rc5 allowed Hyper-V configs at all is not clear to me. * Fixed indenting for the typo-fixes entry, as well as a number of more recent typo-fix PRs. Signed-off-by: W. Trevor King <wking@tremily.us>
Through f4d221c (Merge pull request opencontainers#880 from dqminh/wking-linux-only-capabilities-again, 2017-07-05). The rc6 release picked up an earlier version of these notes, and those entries are mostly unchanged except for: * The credentialSpec entry, which was opencontainers#814 for credentialspec and now also includes opencontainers#859 for credentialSpec. * The root(.path) Hyper-V entry, which was opencontainers#820 for root.path and now also includes opencontainers#838 for root. I also moved this into the "breaking changes" section, because rc5 Hyper-V configs required root to be set, and rc6 Hyper-V configs require it to not be set. Although whether rc5 allowed Hyper-V configs at all is not clear to me. * Fixed indenting for the typo-fixes entry, as well as a number of more recent typo-fix PRs. Signed-off-by: W. Trevor King <wking@tremily.us>
Signed-off-by: John Howard jhoward@microsoft.com
The Windows implementation of the docker daemon still passes a number of fields out of band from the OCI runtime spec. This PR addresses the
CredentialSpecfield by adding it to the runtime spec. (https://github.com/moby/moby/blob/master/libcontainerd/client_windows.go#L177-L178)