As I understand it, we expect that the nova service will be the one that customers need to define somehow - rather than using a pre-defined service.  The contents of this service need to be validated somehow - and in particular, we expect there will be definition of the tlsCert contents, issuer and cacerts.

How does one validate this?

—

First we need to distinguish between nova services and all other services. At this time our resources are not explicitly tagged as enabling nova, and we expect our customers to provide their own nova service.

We can either provide a new field, `serviceType` for example, to specify which kind of service is being deployed.

Alternatively, we can make a new resource, specifically for nova service.

Finally, we could consider any service resource to be a nova service resource, if name of the playbook used, or name of the resource, matches specific pattern, most likely some variation of "nova".