compute: Make image certificate validation a configurable feature

tempest.api.compute.servers.test_servers.ServerShowV263Test would
previously always run and provide the optional
trusted_image_certificates parameter to validate the 2.63 API
microversion. However if the test image had not been cached locally this
would actually cause the underlying certificate validation logic within
Nova to be called resulting in the test failing as the test image would
not have the required img_signature_* properties set and the provided
trusted certificates are just test strings.

This change makes this specific test optional (not running by default)
now by introducing two required compute configurables. These allow a
signed image with the required img_signature_* properties set along with
a valid list of trusted image certificates to also be used during the
test.

Ica1d32ca66d6f89692e9cc90e415bf569332f58d is currently attempting to
wire up various image certificate and signature validation tests under
the barbican-tempest-plugin.

Change-Id: Ib346d383c430d5151d9aafa6e856dd0a7cae8a23
Closes-bug: 1831866

releasenotes/notes/config_image_certificate_compute_feature-c56efb520d54aff5.yaml

@@ -0,0 +1,8 @@
+---
+other:
+  - |
+    New configuration options ``[compute]/certified_image_ref`` and
+    ``[compute]/certified_image_trusted_certs`` have been introduced. These
+    are required in order to run the ``ServerShowV263Test`` test and allow a
+    signed image with the required img_signature_* properties set along
+    with a list of trusted certificates to be used during the test.

tempest/api/compute/servers/test_servers.py

@@ -186,10 +186,17 @@ class ServerShowV263Test(base.BaseV2ComputeTest):
     min_microversion = '2.63'
     max_microversion = 'latest'
 
+    @testtools.skipUnless(CONF.compute.certified_image_ref,
+                          '``[compute]/certified_image_ref`` required to test '
+                          'image certificate validation.')
+    @testtools.skipUnless(CONF.compute.certified_image_trusted_certs,
+                          '``[compute]/certified_image_trusted_certs`` '
+                          'required to test image certificate validation.')
     @decorators.idempotent_id('71b8e3d5-11d2-494f-b917-b094a4afed3c')
     def test_show_update_rebuild_list_server(self):
-        trusted_certs = ['test-cert-1', 'test-cert-2']
+        trusted_certs = CONF.compute.certified_image_trusted_certs
         server = self.create_test_server(
+            imageRef=CONF.compute.certified_image_ref,
             trusted_image_certificates=trusted_certs,
             wait_until='ACTIVE')
 

tempest/config.py

@@ -271,6 +271,17 @@ ComputeGroup = [
                help="Valid secondary image reference to be used in tests. "
                     "This is a required option, but if only one image is "
                     "available duplicate the value of image_ref above"),
+    cfg.StrOpt('certified_image_ref',
+               help="Valid image reference to be used in image certificate "
+                    "validation tests when enabled. This image must also "
+                    "have the required img_signature_* properties set. "
+                    "Additional details available within the following Nova "
+                    "documentation: https://docs.openstack.org/nova/latest/"
+                    "user/certificate-validation.html"),
+    cfg.ListOpt('certified_image_trusted_certs',
+                help="A list of trusted certificates to be used when the "
+                     "image certificate validation compute feature is "
+                     "enabled."),
     cfg.StrOpt('flavor_ref',
                default="1",
                help="Valid primary flavor to use in tests."),