From 5cc7ac29901f5ca08ca089d2e8ff1b8858c75470 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Sat, 8 Jul 2017 13:33:24 -0700
Subject: [PATCH] Service privileges: CLI reference docs & completion

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 contrib/completion/bash/docker               |  1 +
 docs/reference/commandline/service_create.md | 19 +++++++++++++++++++
 docs/reference/commandline/service_update.md |  1 +
 3 files changed, 21 insertions(+)

diff --git a/contrib/completion/bash/docker b/contrib/completion/bash/docker
index 95cc588ca0..616adb7ebf 100644
--- a/contrib/completion/bash/docker
+++ b/contrib/completion/bash/docker
@@ -3091,6 +3091,7 @@ _docker_service_update() {
 # and `docker service update`
 _docker_service_update_and_create() {
 	local options_with_args="
+		--credential-spec
 		--endpoint-mode
 		--entrypoint
 		--env -e
diff --git a/docs/reference/commandline/service_create.md b/docs/reference/commandline/service_create.md
index a1b6d18f9d..d09a6bf8e6 100644
--- a/docs/reference/commandline/service_create.md
+++ b/docs/reference/commandline/service_create.md
@@ -23,6 +23,7 @@ Create a new service
 Options:
       --constraint list                    Placement constraints
       --container-label list               Container labels
+      --credential-spec                    Credential spec for managed service account (Windows only)
   -d, --detach                             Exit immediately instead of waiting for the service to converge (default true)
       --dns list                           Set custom DNS servers
       --dns-option list                    Set DNS options
@@ -779,6 +780,24 @@ $ docker service create --name dns-cache -p 53:53/tcp -p 53:53/udp dns-cache
 $ docker service create --name dns-cache -p 53:53/udp dns-cache
 ```
 
+### Provide credential specs for managed service accounts (Windows only)
+
+This option is only used for services using Windows containers. The
+`--credential-spec` must be in the format `file://<filename>` or
+`registry://<value-name>`.
+
+When using the `file://<filename>` format, the referenced file must be
+present in the `CredentialSpecs` subdirectory in the docker data directory,
+which defaults to `C:\ProgramData\Docker\` on Windows. For example,
+specifying `file://spec.json` loads `C:\ProgramData\Docker\CredentialSpecs\spec.json`.
+
+When using the `registry://<value-name>` format, the credential spec is
+read from the Windows registry on the daemon's host. The specified
+registry value must be located in:
+
+    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Containers\CredentialSpecs
+
+
 ### Create services using templates
 
 You can use templates for some flags of `service create`, using the syntax
diff --git a/docs/reference/commandline/service_update.md b/docs/reference/commandline/service_update.md
index 93c5750eee..8f075d2c19 100644
--- a/docs/reference/commandline/service_update.md
+++ b/docs/reference/commandline/service_update.md
@@ -26,6 +26,7 @@ Options:
       --constraint-rm list                 Remove a constraint
       --container-label-add list           Add or update a container label
       --container-label-rm list            Remove a container label by its key
+      --credential-spec                    Credential spec for managed service account (Windows only)
   -d, --detach                             Exit immediately instead of waiting for the service to converge (default true)
       --dns-add list                       Add or update a custom DNS server
       --dns-option-add list                Add or update a DNS option