Add trusted certs to feature support matrix docs

Even though the feature is technically virt driver agnostic,
the plumbing happens through the virt drivers, so the feature
is only supported by certain virt drivers (libvirt only at
the time of this patch). So this adds a section to the feature
support matrix about the trusted certs validation feature.

Also updates the certificate validation user docs based on
the nova boot --trusted-image-certificate-id option name
in the dependent python-novaclient change.

Depends-On: https://review.openstack.org/500396/

Related to blueprint nova-validate-certificates

Change-Id: Ic5cb4a98c73cc404c7033cf183f25a97aba3c994
Matt Riedemann 2018-06-12 17:14:57 -04:00
parent dc9fb5842c
commit df57c50b2d
2 changed files with 32 additions and 5 deletions


@ -70,7 +70,7 @@ Limitations
``os_compute_api:servers:create:trusted_certs`` and ``os_compute_api:servers:create:trusted_certs`` and
``os_compute_api:servers:rebuild:trusted_certs`` policy rules. ``os_compute_api:servers:rebuild:trusted_certs`` policy rules.
.. _feature support matrix: https://docs.openstack.org/nova/latest/user/support-matrix.html .. _feature support matrix: https://docs.openstack.org/nova/latest/user/support-matrix.html#operation_trusted_certs
.. _policy configuration: https://docs.openstack.org/nova/latest/configuration/policy.html .. _policy configuration: https://docs.openstack.org/nova/latest/configuration/policy.html
Configuration Configuration
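Review bot: the `#operation_trusted_certs` fragment appended to the `feature support matrix` link target has to match the id the support-matrix Sphinx extension derives from the `[operation.trusted-certs]` key added in the other file. A mismatched fragment does not fail the docs build, the link just lands at the top of the support-matrix page, so check the rendered page once before merging.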
@ -152,15 +152,17 @@ Certificate validation is triggered by one of two ways:
Command-Line Flag Command-Line Flag
If booting or rebuilding an instance using the :command:`nova` commands, If booting or rebuilding an instance using the :command:`nova` commands,
use the ``--trusted-image-certificate-ids`` flag to define a comma-delimited use the ``--trusted-image-certificate-id`` flag to define a single trusted
list of trusted certificate IDs. For example: certificate ID. The flag may be used multiple times to specify multiple trusted
certificate IDs. For example:
.. code-block:: console .. code-block:: console
$ nova boot myInstanceName \ $ nova boot myInstanceName \
--flavor 1 \ --flavor 1 \
--image myImageId \ --image myImageId \
--trusted-image-certificate-ids 79a6ad17-3298-4e55-8b3a-1672dd93c40f,b20f5600-3c9d-4af5-8f37-3110df3533a0 --trusted-image-certificate-id 79a6ad17-3298-4e55-8b3a-1672dd93c40f \
--trusted-image-certificate-id b20f5600-3c9d-4af5-8f37-3110df3533a0
If booting or rebuilding an instance using the :command:`openstack server` commands, If booting or rebuilding an instance using the :command:`openstack server` commands,
use the ``--trusted-image-certificate-id`` flag to define a single trusted use the ``--trusted-image-certificate-id`` flag to define a single trusted
@ -651,7 +653,8 @@ Boot the signed image with trusted certificate IDs:
$ nova boot myInstance \ $ nova boot myInstance \
--flavor m1.tiny \ --flavor m1.tiny \
--image cirros_client_signedImage \ --image cirros_client_signedImage \
--trusted-image-certificate-ids "$cert_ca_uuid,$cert_intermediate_a_uuid,$cert_intermediate_b_uuid" --trusted-image-certificate-id $cert_ca_uuid,$cert_intermediate_a_uuid \
--trusted-image-certificate-id $cert_intermediate_b_uuid
.. note:: The instance should successfully boot and certificate validation .. note:: The instance should successfully boot and certificate validation
should succeed. The Nova log output should indicate that "Image should succeed. The Nova log output should indicate that "Image
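Review bot: the rewritten example still passes two IDs as a comma-separated value in `--trusted-image-certificate-id $cert_ca_uuid,$cert_intermediate_a_uuid \`, while the paragraph edited in the hunk above now documents the flag as taking a single trusted certificate ID and being repeated for more. Either the client still accepts the comma form, in which case that paragraph understates it, or this example hands the client one malformed certificate ID; in both cases the page contradicts itself. Split it into three repeated flags, `--trusted-image-certificate-id $cert_ca_uuid \`, `--trusted-image-certificate-id $cert_intermediate_a_uuid \` and `--trusted-image-certificate-id $cert_intermediate_b_uuid`, to match the documented usage.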


@ -1452,3 +1452,27 @@ driver-impl-ironic=missing
driver-impl-libvirt-vz-vm=complete driver-impl-libvirt-vz-vm=complete
driver-impl-libvirt-vz-ct=missing driver-impl-libvirt-vz-ct=missing
driver-impl-powervm=missing driver-impl-powervm=missing
[operation.trusted-certs]
title=Validate image with trusted certificates
status=optional
notes=Since trusted image certification validation is configurable
by the cloud deployer it is considered optional. However, it is
a virt-agnostic feature so there is no good reason that all virt
drivers cannot support the feature since it is mostly just plumbing
user requests through the virt driver when downloading images.
cli=nova boot --trusted-image-certificate-id ...
driver-impl-xenserver=missing
driver-impl-libvirt-kvm-x86=complete
driver-impl-libvirt-kvm-aarch64=complete
driver-impl-libvirt-kvm-ppc64=complete
driver-impl-libvirt-kvm-s390x=complete
driver-impl-libvirt-qemu-x86=complete
driver-impl-libvirt-lxc=complete
driver-impl-libvirt-xen=complete
driver-impl-vmware=missing
driver-impl-hyperv=missing
driver-impl-ironic=missing
driver-impl-libvirt-vz-vm=complete
driver-impl-libvirt-vz-ct=complete
driver-impl-powervm=missing
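Review bot: the `notes=` text for `[operation.trusted-certs]` should state what a deployer needs to know for the drivers marked `missing`: whether a boot or rebuild request that carries trusted certificate IDs is rejected, or whether the IDs are ignored and the image is used without validation. That is the security-relevant distinction for anyone consulting this matrix, and the current wording ("no good reason that all virt drivers cannot support the feature") describes future work rather than present behaviour. Two smaller points in the same block: `trusted image certification validation` should read `trusted image certificate validation`, and since the user docs updated in this change cover both `nova boot` and the `openstack server` commands, consider listing the `openstack server create --trusted-image-certificate-id ...` form in `cli=` as well, if the matrix format allows more than one command.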