
Add CredentialSpec from configs support

Signed-off-by: Drew Erny <drew.erny@docker.com>
Drew Erny 6 anni fa
commit
04995fa7c7
2 ha cambiato i file con 19 aggiunte e 0 eliminazioni
  1. 2 0
      daemon/cluster/executor/container/container.go
  2. 17 0
      daemon/oci_windows.go

+ 2 - 0
daemon/cluster/executor/container/container.go

@@ -651,6 +651,8 @@ func (c *containerConfig) applyPrivileges(hc *enginecontainer.HostConfig) {
 			hc.SecurityOpt = append(hc.SecurityOpt, "credentialspec=file://"+credentials.GetFile())
 		case *api.Privileges_CredentialSpec_Registry:
 			hc.SecurityOpt = append(hc.SecurityOpt, "credentialspec=registry://"+credentials.GetRegistry())
+		case *api.Privileges_CredentialSpec_Config:
+			hc.SecurityOpt = append(hc.SecurityOpt, "credentialspec=config://"+credentials.GetConfig())
 		}
 	}
 
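Review bot: The new `Privileges_CredentialSpec_Config` case forwards `credentials.GetConfig()` into the security option without saying what the value identifies or checking that it is non-empty. The change to daemon/oci_windows.go in this commit passes the same string to `c.DependencyStore.Configs().Get(csValue)`, so it presumably has to identify a config that is also attached to the task. That should be confirmed against the dependency store's lookup and recorded here, for example `// resolved on the node via the container's DependencyStore; the config must be referenced by the task`. An empty value is only rejected later, at container creation on the node. applyPrivileges starts and ends outside the hunk.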

+ 17 - 0
daemon/oci_windows.go

@@ -288,6 +288,23 @@ func (daemon *Daemon) createSpecWindowsFields(c *container.Container, s *specs.S
 				if cs, err = readCredentialSpecRegistry(c.ID, csValue); err != nil {
 					return err
 				}
+			} else if match, csValue = getCredentialSpec("config://", splitsOpt[1]); match {
+				if csValue == "" {
+					return fmt.Errorf("no value supplied for config:// credential spec security option")
+				}
+
+				// if the container does not have a DependencyStore, then we
+				// return an error
+				if c.DependencyStore == nil {
+					return fmt.Errorf("cannot use config:// credential spec security option if not swarmkit managed")
+				}
+				csConfig, err := c.DependencyStore.Configs().Get(csValue)
+				if err != nil {
+					return fmt.Errorf("error getting value from config store: %v", err)
+				}
+				// stuff the resulting secret data into a string to use as the
+				// CredentialSpec
+				cs = string(csConfig.Spec.Data)
 			} else {
 				return fmt.Errorf("invalid credential spec security option - value must be prefixed file:// or registry:// followed by a value")
 			}
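Review bot: The fall-through error in the final `else` still says `value must be prefixed file:// or registry://`, so an operator who mistypes the new scheme is told that config:// is not an option. It should list all three, e.g. `"invalid credential spec security option - value must be prefixed file://, registry://, or config:// followed by a value"`. The comment above `cs = string(csConfig.Spec.Data)` calls the payload "secret data" although it is read from the config store; `config data` avoids implying secret handling. Whether `Configs().Get` can return a nil config together with a nil error is not visible here; if it can, `csConfig.Spec.Data` needs a nil guard first. createSpecWindowsFields continues outside the hunk.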