author: Jackie Truong <jacklyn.truong@jhuapl.edu> 2017-09-03 17:24:40 -0400
committer: Matt Riedemann <mriedem.os@gmail.com> 2018-06-15 10:40:24 -0400
commit: 7f10707e5d060874f1a562b5efdce5ddc2701389
tree: a5f85b68f97145cd2e274a88444f7e5f4675711c /doc/source
parent: 7907528256439d02b555c976485ea85cc49fa14c
Microversion 2.63 - Add trusted_image_certificates

This change adds a `--trusted-image-certificate-id` option to the `nova boot` and `nova rebuild` commands. This option takes in a single trusted certificate ID. The option may be used multiple times to specify multiple trusted certificate IDs, which will be used to validate certificates in the image signature verification process. If ID values are not specified using this option, the value of the newly added OS_TRUSTED_IMAGE_CERTIFICATE_IDS environment variable will be used instead. This value will be converted into a list before being passed on.

The ``nova rebuild`` command also gets a new ``--trusted-image-certificates-unset`` option to unset/reset the trusted image certificates in a server during rebuild. This is similar to unsetting key_name and user_data during rebuild.

Corresponding `trusted_image_certificates` kwarg has been added to the server create and rebuild Python API bindings.

Co-Authored-By: Brianna Poulos <Brianna.Poulos@jhuapl.edu>
Co-Authored-By: Matt Riedemann <mriedem.os@gmail.com>
Change-Id: I235541a689732826950c7b2a510d5835211120c3
Implements: blueprint nova-validate-certificates
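The precedence the commit message describes (repeated flag, then environment variable, with unset as a separate rebuild path), as an added sketch that is not part of this commit or novaclient's own code. The names `resolve_trusted_certs` and `OMIT` are hypothetical, and two behaviours are assumptions: unset ignores the environment variable, and blank or padded entries in the variable are dropped.

```python
import os

# Hypothetical sentinel: leave trusted_image_certificates out of the request.
OMIT = object()


def resolve_trusted_certs(cli_ids=None, unset=False, environ=None):
    """Return the value to hand to the trusted_image_certificates kwarg.

    list -> certificate IDs to validate the image signature against
    None -> unset the stored IDs (rebuild only)
    OMIT -> nothing was given; do not send the field at all
    """
    environ = os.environ if environ is None else environ

    if unset:
        # The docs state the two options cannot be combined.
        if cli_ids:
            raise ValueError(
                "--trusted-image-certificates-unset cannot be used with "
                "--trusted-image-certificate-id")
        # Assumption: an exported variable does not block an explicit unset.
        return None

    # Flags on the command line win over the environment variable.
    if cli_ids:
        return list(cli_ids)

    # Fallback: comma-delimited variable converted into a list.
    raw = environ.get("OS_TRUSTED_IMAGE_CERTIFICATE_IDS", "")
    # Assumption: tolerate spaces and empty items such as "a, ,b".
    ids = [item.strip() for item in raw.split(",") if item.strip()]
    return ids if ids else OMIT


if __name__ == "__main__":
    # Constructed sample environment, using the IDs from the doc example.
    env = {"OS_TRUSTED_IMAGE_CERTIFICATE_IDS":
           "trusted-cert-id1,trusted-cert-id2"}
    print(resolve_trusted_certs(environ=env))
    print(resolve_trusted_certs(["cli-cert"], environ=env))
    print(resolve_trusted_certs(unset=True, environ=env))
    print(resolve_trusted_certs(environ={}) is OMIT)
```

An empty or whitespace-only variable resolves to `OMIT`, the same as an unset variable, so a profile that exports it blank passes no certificate IDs.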
Diffstat (limited to 'doc/source')

-rw-r--r-- doc/source/cli/nova.rst 22
-rw-r--r-- doc/source/user/shell.rst 10

2 files changed, 32 insertions, 0 deletions
diff --git a/doc/source/cli/nova.rst b/doc/source/cli/nova.rst
index e53f4c1a..35b950b0 100644
--- a/doc/source/cli/nova.rst
+++ b/doc/source/cli/nova.rst
@@ -1011,6 +1011,7 @@ nova boot
[--config-drive <value>] [--poll] [--admin-pass <value>]
[--access-ip-v4 <value>] [--access-ip-v6 <value>]
[--description <description>]
+ [--trusted-image-certificate-id]
<name>
Boot a new server.
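Review bot: In the `nova boot` synopsis the new entry `[--trusted-image-certificate-id]` has no value placeholder, so it reads like a boolean flag, while the option description further down and the `nova rebuild` synopsis both show it taking `<trusted-image-certificate-id>`. Suggest `[--trusted-image-certificate-id <trusted-image-certificate-id>]` here so the two synopses agree.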
@@ -1164,6 +1165,13 @@ Boot a new server.
Description for the server. (Supported by API
versions '2.19' - '2.latest')
+``--trusted-image-certificate-id <trusted-image-certificate-id>``
+ Trusted image certificate IDs used to validate certificates
+ during the image signature verification process.
+ Defaults to env[OS_TRUSTED_IMAGE_CERTIFICATE_IDS].
+ May be specified multiple times to pass multiple trusted image
+ certificate IDs. (Supported by API versions '2.63' - '2.latest')
+
.. _nova_cell-capacities:
nova cell-capacities
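Review bot: The help text for `--trusted-image-certificate-id` says it defaults to env[OS_TRUSTED_IMAGE_CERTIFICATE_IDS] but does not spell out that IDs given on the command line are used instead of the environment value rather than in addition to it, nor what is sent when neither is set. These IDs decide which certificates are accepted during image signature verification, so one sentence on precedence and on the no-value case would help operators who export the variable in a shared profile. The first sentence is also plural ("certificate IDs") although each use of the flag takes one ID; "ID of a trusted image certificate ..." would match.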
@@ -2660,6 +2668,8 @@ nova rebuild
[--minimal] [--preserve-ephemeral] [--name <name>]
[--description <description>] [--meta <key=value>]
[--file <dst-path=src-path>]
+ [--trusted-image-certificate-id <trusted-image-certificate-id>]
+ [--trusted-image-certificates-unset]
<server> <image>
Shutdown, re-image, and re-boot a server.
@@ -2707,6 +2717,18 @@ Shutdown, re-image, and re-boot a server.
to <dst-path> on the new server. You may store
up to 5 files.
+``--trusted-image-certificate-id <trusted-image-certificate-id>``
+ Trusted image certificate IDs used to validate certificates
+ during the image signature verification process.
+ Defaults to env[OS_TRUSTED_IMAGE_CERTIFICATE_IDS].
+ May be specified multiple times to pass multiple trusted image
+ certificate IDs. (Supported by API versions '2.63' - '2.latest')
+
+``--trusted-image-certificates-unset``
+ Unset trusted_image_certificates in the server. Cannot be
+ specified with the ``--trusted-image-certificate-id`` option.
+ (Supported by API versions '2.63' - '2.latest')
+
.. _nova_refresh-network:
nova refresh-network
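Review bot: `--trusted-image-certificates-unset` is documented as incompatible with `--trusted-image-certificate-id`, but that option is also documented as defaulting to env[OS_TRUSTED_IMAGE_CERTIFICATE_IDS], and the text does not say whether an exported variable counts as a conflict or is ignored when unsetting. Please state which applies, and consider noting what "unset" leaves the server with afterwards, since a reader cannot tell from these lines what the rebuilt server's image is then validated against.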
diff --git a/doc/source/user/shell.rst b/doc/source/user/shell.rst
index bd1fb7e9..882bb756 100644
--- a/doc/source/user/shell.rst
+++ b/doc/source/user/shell.rst
@@ -60,6 +60,16 @@ some environment variables:
The Keystone region name. Defaults to the first region if multiple regions
are available.
+.. envvar:: OS_TRUSTED_IMAGE_CERTIFICATE_IDS
+
+ A comma-delimited list of trusted image certificate IDs. Only used
+ with the ``nova boot`` and ``nova rebuild`` commands starting with the
+ 2.63 microversion.
+
+ For example::
+
+ export OS_TRUSTED_IMAGE_CERTIFICATE_IDS=trusted-cert-id1,trusted-cert-id2
+
For example, in Bash you'd use::
export OS_USERNAME=yourname
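Review bot: The new `OS_TRUSTED_IMAGE_CERTIFICATE_IDS` entry ends with its own "For example::" block directly ahead of the existing "For example, in Bash you'd use::" paragraph, so the rendered page shows two consecutive examples with nearly identical lead-ins. Consider moving the export line into the existing Bash example or rewording the new lead-in. The entry could also say that `--trusted-image-certificate-id` on the command line is used instead of this variable, and whether spaces around the commas are tolerated.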