Add GMSA Credential Spec passing

Signed-off-by: Daniel Canter <dcanter@microsoft.com>

pkg/server/container_create_windows.go

@@ -68,13 +68,30 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 
 	specOpts = append(specOpts, customopts.WithWindowsMounts(c.os, config, extraMounts))
 
-	specOpts = append(specOpts, customopts.WithWindowsResources(config.GetWindows().GetResources()))
+	// Start with the image config user and override below if RunAsUsername is not "".
+	username := imageConfig.User
 
-	username := config.GetWindows().GetSecurityContext().GetRunAsUsername()
-	if username != "" {
-		specOpts = append(specOpts, oci.WithUser(username))
+	windowsConfig := config.GetWindows()
+	if windowsConfig != nil {
+		specOpts = append(specOpts, customopts.WithWindowsResources(windowsConfig.GetResources()))
+		securityCtx := windowsConfig.GetSecurityContext()
+		if securityCtx != nil {
+			runAsUser := securityCtx.GetRunAsUsername()
+			if runAsUser != "" {
+				username = runAsUser
+			}
+			cs := securityCtx.GetCredentialSpec()
+			if cs != "" {
+				specOpts = append(specOpts, customopts.WithWindowsCredentialSpec(cs))
+			}
+		}
 	}
-	// TODO(windows): Add CredentialSpec support.
+
+	// There really isn't a good Windows way to verify that the username is available in the
+	// image as early as here like there is for Linux. Later on in the stack hcsshim
+	// will handle the behavior of erroring out if the user isn't available in the image
+	// when trying to run the init process.
+	specOpts = append(specOpts, oci.WithUser(username))
 
 	for pKey, pValue := range getPassthroughAnnotations(sandboxConfig.Annotations,
 		ociRuntime.PodAnnotations) {