From 04995fa7c71216969e17670cc3fb938de137af35 Mon Sep 17 00:00:00 2001
From: Drew Erny
Date: Tue, 27 Nov 2018 15:57:20 -0600
Subject: [PATCH] Add CredentialSpec from configs support

Signed-off-by: Drew Erny
---
 daemon/cluster/executor/container/container.go | 2 ++
 daemon/oci_windows.go | 17 +++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/daemon/cluster/executor/container/container.go b/daemon/cluster/executor/container/container.go
index b26076bcd8..abbd6bfb11 100644
--- a/daemon/cluster/executor/container/container.go
+++ b/daemon/cluster/executor/container/container.go
@@ -651,6 +651,8 @@ func (c *containerConfig) applyPrivileges(hc *enginecontainer.HostConfig) {
 hc.SecurityOpt = append(hc.SecurityOpt, "credentialspec=file://"+credentials.GetFile())
 case *api.Privileges_CredentialSpec_Registry:
 hc.SecurityOpt = append(hc.SecurityOpt, "credentialspec=registry://"+credentials.GetRegistry())
+ case *api.Privileges_CredentialSpec_Config:
+ hc.SecurityOpt = append(hc.SecurityOpt, "credentialspec=config://"+credentials.GetConfig())
 }
 }
diff --git a/daemon/oci_windows.go b/daemon/oci_windows.go
index da0c7667d4..11868ba3a0 100644
--- a/daemon/oci_windows.go
+++ b/daemon/oci_windows.go
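Review bot: The new `Privileges_CredentialSpec_Config` case in applyPrivileges has no comment saying what `credentials.GetConfig()` holds, although the daemon side of this patch hands the value after `config://` to `c.DependencyStore.Configs().Get`, so it has to be whatever key the container's config store is indexed by. A one-line comment such as `// config:// carries the key the daemon looks up in the container's config store` would make that contract visible where the option is built. The value is concatenated without an emptiness check here; the daemon hunk does reject an empty value, so this is only a documentation point. The enclosing function starts and ends outside the hunk.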
@@ -288,6 +288,23 @@ func (daemon *Daemon) createSpecWindowsFields(c *container.Container, s *specs.S
 if cs, err = readCredentialSpecRegistry(c.ID, csValue); err != nil {
 return err
 }
+ } else if match, csValue = getCredentialSpec("config://", splitsOpt[1]); match {
+ if csValue == "" {
+ return fmt.Errorf("no value supplied for config:// credential spec security option")
+ }
+
+ // if the container does not have a DependencyStore, then we
+ // return an error
+ if c.DependencyStore == nil {
+ return fmt.Errorf("cannot use config:// credential spec security option if not swarmkit managed")
+ }
+ csConfig, err := c.DependencyStore.Configs().Get(csValue)
+ if err != nil {
+ return fmt.Errorf("error getting value from config store: %v", err)
+ }
+ // stuff the resulting secret data into a string to use as the
+ // CredentialSpec
+ cs = string(csConfig.Spec.Data)
 } else {
 return fmt.Errorf("invalid credential spec security option - value must be prefixed file:// or registry:// followed by a value")
 }
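Review bot: The fall-through error at the end of this chain still says the value `must be prefixed file:// or registry://`, so after this change a rejected option is reported with a list that omits the new `config://` source; the line should read `return fmt.Errorf("invalid credential spec security option - value must be prefixed config://, file://, or registry:// followed by a value")`. In the new branch the comment calls the payload `secret data` although it is read from `c.DependencyStore.Configs()`, which can lead a reader to assume secret-store handling; `// use the config's payload as the CredentialSpec` is more accurate. The branch also assigns `string(csConfig.Spec.Data)` without checking that the payload is non-empty, and whether an empty `cs` is rejected later cannot be seen here because createSpecWindowsFields starts and ends outside the hunk.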