diff --git a/ee/release-notes.md b/ee/release-notes.md index 4cded0fbb8..55c98ff4fc 100644 --- a/ee/release-notes.md +++ b/ee/release-notes.md @@ -12,7 +12,7 @@ pages listed in the following **Docker Enterprise components install and upgrade | Feature | Component | Component version | |---------|-----------|-------------------| -| [Group Managed Service Accounts (gMSA)](/engine/swarm/services/) | UCP | 3.2.0 | +| [Group Managed Service Accounts (gMSA)](/engine/swarm/services.md#gmsa-for-swarm) | UCP | 3.2.0 | | [Open Security Controls Assessment Language (OSCAL)](/compliance/oscal/) | UCP | 3.2.0 | | [Container storage interface (CSI)](/ee/ucp/kubernetes/storage/use-csi/) | UCP | 3.2.0 | | [Internet Small Computer System Interface (iSCSI)](/ee/ucp/kubernetes/storage/use-iscsi/) | UCP | 3.2.0 | diff --git a/engine/swarm/services.md b/engine/swarm/services.md index ec7c30e04f..335f405914 100644 --- a/engine/swarm/services.md +++ b/engine/swarm/services.md @@ -74,6 +74,27 @@ $ docker service create --name helloworld alpine:3.6 ping docker.com For more details about image tag resolution, see [Specify the image version the service should use](#specify-the-image-version-the-service-should-use). +### gMSA for Swarm + +Swarm now allows using a Docker Config as a gMSA credential spec - a requirement for Active Directory-authenticated applications. This reduces the burden of distributing credential specs to the nodes they're used on. + +The following example assumes a gMSA and its credential spec (called credspec.json) already exists, and that the nodes being deployed to are correctly configured for the gMSA. + +To use a Config as a credential spec, first create the Docker Config containing the credential spec: + + +```bash +docker config create credspec credspec.json +``` + +Now, you should have a Docker Config named credspec, and you can create a service using this credential spec. To do so, use the --credential-spec flag with the config name, like this: + +```bash +docker service create --credential-spec="config://credspec" +``` + +Your service will use the gMSA credential spec when it starts, but unlike a typical Docker Config (used by passing the --config flag), the credential spec will not be mounted into the container. + ### Create a service using an image on a private registry If your image is available on a private registry which requires login, use the