From df57c50b2df54510e8aa2ddd1b124bcde1dd7293 Mon Sep 17 00:00:00 2001 From: Matt Riedemann Date: Tue, 12 Jun 2018 17:14:57 -0400 Subject: [PATCH] Add trusted certs to feature support matrix docs Even though the feature is technically virt driver agnostic, the plumbing happens through the virt drivers, so the feature is only supported by certain virt drivers (libvirt only at the time of this patch). So this adds a section to the feature support matrix about the trusted certs validation feature. Also updates the certificate validation user docs based on the nova boot --trusted-image-certificate-id option name in the dependent python-novaclient change. Depends-On: https://review.openstack.org/500396/ Related to blueprint nova-validate-certificates Change-Id: Ic5cb4a98c73cc404c7033cf183f25a97aba3c994 --- doc/source/user/certificate-validation.rst | 13 +++++++----- doc/source/user/support-matrix.ini | 24 ++++++++++++++++++++++ 2 files changed, 32 insertions(+), 5 deletions(-) diff --git a/doc/source/user/certificate-validation.rst b/doc/source/user/certificate-validation.rst index fcafd8a3af4e..1b18c535cc11 100644 --- a/doc/source/user/certificate-validation.rst +++ b/doc/source/user/certificate-validation.rst @@ -70,7 +70,7 @@ Limitations ``os_compute_api:servers:create:trusted_certs`` and ``os_compute_api:servers:rebuild:trusted_certs`` policy rules. -.. _feature support matrix: https://docs.openstack.org/nova/latest/user/support-matrix.html +.. _feature support matrix: https://docs.openstack.org/nova/latest/user/support-matrix.html#operation_trusted_certs .. _policy configuration: https://docs.openstack.org/nova/latest/configuration/policy.html Configuration 
@@ -152,15 +152,17 @@ Certificate validation is triggered by one of two ways: Command-Line Flag If booting or rebuilding an instance using the :command:`nova` commands, - use the ``--trusted-image-certificate-ids`` flag to define a comma-delimited - list of trusted certificate IDs. For example: + use the ``--trusted-image-certificate-id`` flag to define a single trusted + certificate ID. The flag may be used multiple times to specify multiple trusted + certificate IDs. For example: .. code-block:: console $ nova boot myInstanceName \ --flavor 1 \ --image myImageId \ - --trusted-image-certificate-ids 79a6ad17-3298-4e55-8b3a-1672dd93c40f,b20f5600-3c9d-4af5-8f37-3110df3533a0 + --trusted-image-certificate-id 79a6ad17-3298-4e55-8b3a-1672dd93c40f \ + --trusted-image-certificate-id b20f5600-3c9d-4af5-8f37-3110df3533a0 If booting or rebuilding an instance using the :command:`openstack server` commands, use the ``--trusted-image-certificate-id`` flag to define a single trusted @@ -651,7 +653,8 @@ Boot the signed image with trusted certificate IDs: $ nova boot myInstance \ --flavor m1.tiny \ --image cirros_client_signedImage \ - --trusted-image-certificate-ids "$cert_ca_uuid,$cert_intermediate_a_uuid,$cert_intermediate_b_uuid" + --trusted-image-certificate-id $cert_ca_uuid,$cert_intermediate_a_uuid \ + --trusted-image-certificate-id $cert_intermediate_b_uuid .. note:: The instance should successfully boot and certificate validation should succeed. The Nova log output should indicate that "Image diff --git a/doc/source/user/support-matrix.ini b/doc/source/user/support-matrix.ini index 83f87fba64fe..4891e2b76b8f 100644 --- a/doc/source/user/support-matrix.ini +++ b/doc/source/user/support-matrix.ini 
@@ -1452,3 +1452,27 @@ driver-impl-ironic=missing driver-impl-libvirt-vz-vm=complete driver-impl-libvirt-vz-ct=missing driver-impl-powervm=missing + +[operation.trusted-certs] +title=Validate image with trusted certificates +status=optional +notes=Since trusted image certification validation is configurable + by the cloud deployer it is considered optional. However, it is + a virt-agnostic feature so there is no good reason that all virt + drivers cannot support the feature since it is mostly just plumbing + user requests through the virt driver when downloading images. +cli=nova boot --trusted-image-certificate-id ... +driver-impl-xenserver=missing +driver-impl-libvirt-kvm-x86=complete +driver-impl-libvirt-kvm-aarch64=complete +driver-impl-libvirt-kvm-ppc64=complete +driver-impl-libvirt-kvm-s390x=complete +driver-impl-libvirt-qemu-x86=complete +driver-impl-libvirt-lxc=complete +driver-impl-libvirt-xen=complete +driver-impl-vmware=missing +driver-impl-hyperv=missing +driver-impl-ironic=missing +driver-impl-libvirt-vz-vm=complete +driver-impl-libvirt-vz-ct=complete +driver-impl-powervm=missing
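Review bot: in the certificate-validation.rst `@@ -70` hunk, the new link fragment `#operation_trusted_certs` uses underscores while the section added to support-matrix.ini is named `[operation.trusted-certs]` (dot and hyphen); confirm that the support-matrix Sphinx extension rewrites non-alphanumeric characters in the section key to underscores when generating the anchor, otherwise the `feature support matrix` link will land on the page top instead of the new row.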
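Review bot: the `@@ -651` hunk in certificate-validation.rst contradicts the wording introduced in the `@@ -152` hunk of the same file. That hunk states the `--trusted-image-certificate-id` flag defines a single ID and is repeated for multiple IDs, but the walkthrough example still passes a comma-separated pair to one occurrence: `--trusted-image-certificate-id $cert_ca_uuid,$cert_intermediate_a_uuid \`. Split this into three separate `--trusted-image-certificate-id` arguments, one per certificate UUID, so the end-to-end example matches the documented usage; the preceding `$cert_intermediate_b_uuid` line already follows the one-ID-per-flag form.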
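Review bot: in the support-matrix.ini hunk, the `notes=` text reads "trusted image certification validation"; the feature is certificate validation, matching the section `title=` and the rest of the docs, so change "certification" to "certificate". The `cli=` entry only lists `nova boot --trusted-image-certificate-id ...` although the `@@ -152` hunk documents the same option for `openstack server`; consider listing both commands. Finally, `driver-impl-libvirt-vz-ct=complete` and `driver-impl-libvirt-lxc=complete` differ from the `missing` value the preceding feature block gives for vz-ct; since the commit message only says the feature is supported by "libvirt" and the notes describe it as plumbing through image download in the virt driver, it is worth confirming that the container-based libvirt paths actually pass the trusted certs through before marking them complete.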