Merge "Microversion 2.63 - Add trusted_image_certificates"

2 files changed, 32 insertions, 0 deletions

diff --git a/doc/source/cli/nova.rst b/doc/source/cli/nova.rst
index e066955f..ea11e8b6 100644
--- a/doc/source/cli/nova.rst
+++ b/doc/source/cli/nova.rst
@@ -1011,6 +1011,7 @@ nova boot
                     [--config-drive <value>] [--poll] [--admin-pass <value>]
                     [--access-ip-v4 <value>] [--access-ip-v6 <value>]
                     [--description <description>]
+                    [--trusted-image-certificate-id]
                     <name>
 
 Boot a new server.
@@ -1164,6 +1165,13 @@ Boot a new server.
   Description for the server. (Supported by API
   versions '2.19' - '2.latest')
 
+``--trusted-image-certificate-id <trusted-image-certificate-id>``
+  Trusted image certificate IDs used to validate certificates
+  during the image signature verification process.
+  Defaults to env[OS_TRUSTED_IMAGE_CERTIFICATE_IDS].
+  May be specified multiple times to pass multiple trusted image
+  certificate IDs. (Supported by API versions '2.63' - '2.latest')
+
 .. _nova_cell-capacities:
 
 nova cell-capacities
@@ -2683,6 +2691,8 @@ nova rebuild
                        [--minimal] [--preserve-ephemeral] [--name <name>]
                        [--description <description>] [--meta <key=value>]
                        [--file <dst-path=src-path>]
+                       [--trusted-image-certificate-id <trusted-image-certificate-id>]
+                       [--trusted-image-certificates-unset]
                        <server> <image>
 
 Shutdown, re-image, and re-boot a server.
@@ -2730,6 +2740,18 @@ Shutdown, re-image, and re-boot a server.
   to <dst-path> on the new server. You may store
   up to 5 files.
 
+``--trusted-image-certificate-id <trusted-image-certificate-id>``
+  Trusted image certificate IDs used to validate certificates
+  during the image signature verification process.
+  Defaults to env[OS_TRUSTED_IMAGE_CERTIFICATE_IDS].
+  May be specified multiple times to pass multiple trusted image
+  certificate IDs. (Supported by API versions '2.63' - '2.latest')
+
+``--trusted-image-certificates-unset``
+  Unset trusted_image_certificates in the server. Cannot be
+  specified with the ``--trusted-image-certificate-id`` option.
+  (Supported by API versions '2.63' - '2.latest')
+
 .. _nova_refresh-network:
 
 nova refresh-network
diff --git a/doc/source/user/shell.rst b/doc/source/user/shell.rst
index bd1fb7e9..882bb756 100644
--- a/doc/source/user/shell.rst
+++ b/doc/source/user/shell.rst
@@ -60,6 +60,16 @@ some environment variables:
     The Keystone region name. Defaults to the first region if multiple regions
     are available.
 
+.. envvar:: OS_TRUSTED_IMAGE_CERTIFICATE_IDS
+
+    A comma-delimited list of trusted image certificate IDs. Only used
+    with the ``nova boot`` and ``nova rebuild`` commands starting with the
+    2.63 microversion.
+
+    For example::
+
+      export OS_TRUSTED_IMAGE_CERTIFICATE_IDS=trusted-cert-id1,trusted-cert-id2
+
 For example, in Bash you'd use::
 
     export OS_USERNAME=yourname