Add trusted certs to feature support matrix docs

Even though the feature is technically virt driver agnostic,
the plumbing happens through the virt drivers, so the feature
is only supported by certain virt drivers (libvirt only at
the time of this patch). So this adds a section to the feature
support matrix about the trusted certs validation feature.

Also updates the certificate validation user docs based on
the nova boot --trusted-image-certificate-id option name
in the dependent python-novaclient change.

Depends-On: https://review.openstack.org/500396/

Related to blueprint nova-validate-certificates

Change-Id: Ic5cb4a98c73cc404c7033cf183f25a97aba3c994

doc/source/user/certificate-validation.rst

@@ -70,7 +70,7 @@ Limitations
   ``os_compute_api:servers:create:trusted_certs`` and
   ``os_compute_api:servers:rebuild:trusted_certs`` policy rules.
 
-.. _feature support matrix: https://docs.openstack.org/nova/latest/user/support-matrix.html
+.. _feature support matrix: https://docs.openstack.org/nova/latest/user/support-matrix.html#operation_trusted_certs
 .. _policy configuration: https://docs.openstack.org/nova/latest/configuration/policy.html
 
 Configuration
@@ -152,15 +152,17 @@ Certificate validation is triggered by one of two ways:
 
    Command-Line Flag
      If booting or rebuilding an instance using the :command:`nova` commands,
-     use the ``--trusted-image-certificate-ids`` flag to define a comma-delimited
-     list of trusted certificate IDs. For example:
+     use the ``--trusted-image-certificate-id`` flag to define a single trusted
+     certificate ID. The flag may be used multiple times to specify multiple trusted
+     certificate IDs. For example:
 
      .. code-block:: console
 
        $ nova boot myInstanceName \
            --flavor 1 \
            --image myImageId \
-           --trusted-image-certificate-ids 79a6ad17-3298-4e55-8b3a-1672dd93c40f,b20f5600-3c9d-4af5-8f37-3110df3533a0
+           --trusted-image-certificate-id 79a6ad17-3298-4e55-8b3a-1672dd93c40f \
+           --trusted-image-certificate-id b20f5600-3c9d-4af5-8f37-3110df3533a0
 
      If booting or rebuilding an instance using the :command:`openstack server` commands,
      use the ``--trusted-image-certificate-id`` flag to define a single trusted
@@ -651,7 +653,8 @@ Boot the signed image with trusted certificate IDs:
   $ nova boot myInstance \
       --flavor m1.tiny \
       --image cirros_client_signedImage \
-      --trusted-image-certificate-ids "$cert_ca_uuid,$cert_intermediate_a_uuid,$cert_intermediate_b_uuid"
+      --trusted-image-certificate-id $cert_ca_uuid,$cert_intermediate_a_uuid \
+      --trusted-image-certificate-id $cert_intermediate_b_uuid
 
 .. note:: The instance should successfully boot and certificate validation
           should succeed. The Nova log output should indicate that "Image

doc/source/user/support-matrix.ini

@@ -1452,3 +1452,27 @@ driver-impl-ironic=missing
 driver-impl-libvirt-vz-vm=complete
 driver-impl-libvirt-vz-ct=missing
 driver-impl-powervm=missing
+
+[operation.trusted-certs]
+title=Validate image with trusted certificates
+status=optional
+notes=Since trusted image certification validation is configurable
+  by the cloud deployer it is considered optional. However, it is
+  a virt-agnostic feature so there is no good reason that all virt
+  drivers cannot support the feature since it is mostly just plumbing
+  user requests through the virt driver when downloading images.
+cli=nova boot --trusted-image-certificate-id ...
+driver-impl-xenserver=missing
+driver-impl-libvirt-kvm-x86=complete
+driver-impl-libvirt-kvm-aarch64=complete
+driver-impl-libvirt-kvm-ppc64=complete
+driver-impl-libvirt-kvm-s390x=complete
+driver-impl-libvirt-qemu-x86=complete
+driver-impl-libvirt-lxc=complete
+driver-impl-libvirt-xen=complete
+driver-impl-vmware=missing
+driver-impl-hyperv=missing
+driver-impl-ironic=missing
+driver-impl-libvirt-vz-vm=complete
+driver-impl-libvirt-vz-ct=complete
+driver-impl-powervm=missing