Remove references to OpenStack Anchor

The OpenStack Anchor project is now officially retired[1].

This patch removes the references to Anchor from Octavia.
These old references were confusing new users.

[1] https://review.opendev.org/#/c/611187/

Change-Id: Idfe90aa69b497e8270118174dde00567d7fab4ab

doc/source/admin/Anchor.rst

@@ -1,24 +0,0 @@
-======
-Anchor
-======
-Anchor (see https://wiki.openstack.org/wiki/Security/Projects/Anchor) is
-an ephemeral PKI system built to enable cryptographic trust in OpenStack
-services. In the context of Octavia it can be used to sign the certificates
-which secure the amphora - controller communication.
-
-Basic Setup
------------
-1. Download/Install/Start Anchor from  https://github.com/openstack/anchor
-2. Change the listening port in config.py to 9999
-3. I found it useful to run anchor in an additional devstack screen
-4. Set in octavia.conf (root-ca.crt here is the Anchor CA)
-
-   a. [controller_worker] cert_generator = anchor
-   b. [haproxy_amphora] server_ca = /opt/stack/anchor/CA/root-ca.crt
-
-5. Restart o-cw o-hm o-hk
-
-Benefit
--------
-In bigger cloud installations Anchor can be a gateway to a more secure
-certificate management system than our default local signing.

doc/source/admin/guides/operator-maintenance.rst

@@ -300,10 +300,9 @@ random string of a sufficient length.
 Rotating Amphora Certificates
 -----------------------------
 
-For the server part Octavia will either act as a certificate authority itself,
-or use :doc:`../Anchor` to issue amphora certificates to be used
-by each amphora. Octavia will also monitor those certificates and refresh them
-before they expire.
+For the server part Octavia will act as a certificate authority itself to
+issue amphora certificates to be used by each amphora. Octavia will also
+monitor those certificates and refresh them before they expire.
 
 There are three ways to initiate a rotation manually:
 

doc/source/admin/index.rst

@@ -29,7 +29,6 @@ Operator Reference
    :maxdepth: 1
 
    ../contributor/guides/dev-quick-start.rst
-   Anchor.rst
    api-audit.rst
    guides/certificates.rst
    ../configuration/configref.rst

doc/source/reference/glossary.rst

@@ -28,12 +28,6 @@ description of these terms.
         back-end amphora corresponding with the driver. This communication
         happens over the LB network.
 
-    Anchor
-       Is an OpenStack project for an ephemeral PKI system (see
-       https://wiki.openstack.org/wiki/Security/Projects/Anchor). In Octavia
-       we can use Anchor to sign the certificates we use to authenticate/secure
-       controller <-> amphora communication.
-
     Apolocation
         Term used to describe when two or more amphorae are not colocated on
         the same physical hardware (which is often essential in HA topologies).

etc/octavia.conf

@@ -110,7 +110,6 @@
 
 [certificates]
 # Certificate Generator options are local_cert_generator
-#                                   anchor_cert_generator
 # cert_generator = local_cert_generator
 
 # For local certificate signing:
@@ -136,13 +135,6 @@
 # Endpoint type to use for communication with the Barbican service.
 # endpoint_type = publicURL
 
-
-[anchor]
-# Use OpenStack anchor to sign the amphora REST API certificates
-# url = http://localhost:9999/v1/sign/default
-# username =
-# password =
-
 [networking]
 # The maximum attempts to retry an action with the networking service.
 # max_retries = 15

octavia/certificates/generator/anchor.py

@@ -1,66 +0,0 @@
-# Copyright (c) 2015 Hewlett Packard Enterprise Development Company LP
-# All Rights Reserved.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-from oslo_config import cfg
-from oslo_log import log as logging
-import requests
-
-from octavia.certificates.generator import local
-from octavia.common import exceptions
-from octavia.i18n import _
-
-LOG = logging.getLogger(__name__)
-
-CONF = cfg.CONF
-
-
-class AnchorException(exceptions.CertificateGenerationException):
-    pass
-
-
-class AnchorCertGenerator(local.LocalCertGenerator):
-    """Cert Generator Interface that signs certs with Anchor."""
-
-    @classmethod
-    def sign_cert(cls, csr, validity=None, **kwargs):
-        """Signs a certificate using Anchor based on the specified CSR
-
-        :param csr: A Certificate Signing Request
-        :param validity: Will be ignored for now
-        :param kwargs: Will be ignored for now
-
-        :return: Signed certificate
-        :raises Exception: if certificate signing fails
-        """
-        LOG.debug("Signing a certificate request using Anchor")
-
-        try:
-            LOG.debug('Certificate: %s', csr)
-            r = requests.post(CONF.anchor.url, data={
-                'user': CONF.anchor.username,
-                'secret': CONF.anchor.password,
-                'encoding': 'pem',
-                'csr': csr})
-
-            if r.status_code != 200:
-                LOG.debug('Anchor returned: %s', r.content)
-                raise AnchorException(_("Anchor returned Status Code : "
-                                        "{0}").format(str(r.status_code)))
-
-            return r.content
-
-        except Exception as e:
-            LOG.error("Unable to sign certificate.")
-            raise exceptions.CertificateGenerationException(msg=e)

octavia/common/config.py

@@ -451,17 +451,6 @@ house_keeping_opts = [
                       ' rotation'))
 ]
 
-anchor_opts = [
-    cfg.StrOpt('url',
-               default='http://localhost:9999/v1/sign/default',
-               help=_('Anchor URL')),
-    cfg.StrOpt('username',
-               help=_('Anchor username')),
-    cfg.StrOpt('password',
-               help=_('Anchor password'),
-               secret=True)
-]
-
 keepalived_vrrp_opts = [
     cfg.IntOpt('vrrp_advert_int',
                default=1,
@@ -629,7 +618,6 @@ cfg.CONF.register_opts(controller_worker_opts, group='controller_worker')
 cfg.CONF.register_opts(keepalived_vrrp_opts, group='keepalived_vrrp')
 cfg.CONF.register_opts(task_flow_opts, group='task_flow')
 cfg.CONF.register_opts(house_keeping_opts, group='house_keeping')
-cfg.CONF.register_opts(anchor_opts, group='anchor')
 cfg.CONF.register_cli_opts(core_cli_opts)
 cfg.CONF.register_opts(certificate_opts, group='certificates')
 cfg.CONF.register_cli_opts(healthmanager_opts, group='health_manager')

octavia/opts.py

@@ -39,7 +39,6 @@ def list_opts():
             octavia.certificates.common.local.certgen_opts)),
         ('house_keeping', octavia.common.config.house_keeping_opts),
         ('keepalived_vrrp', octavia.common.config.keepalived_vrrp_opts),
-        ('anchor', octavia.common.config.anchor_opts),
         ('nova', octavia.common.config.nova_opts),
         ('neutron', octavia.common.config.neutron_opts),
         ('glance', octavia.common.config.glance_opts),

octavia/tests/unit/certificates/generator/test_anchor.py

@@ -1,47 +0,0 @@
-# Copyright 2015 Hewlett Packard Enterprise Development Company LP
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-from oslo_config import cfg
-import requests_mock
-import six
-
-from octavia.certificates.generator import anchor
-from octavia.common import exceptions
-from octavia.tests.unit.certificates.generator import local_csr
-
-
-CONF = cfg.CONF
-
-
-class TestAnchorGenerator(local_csr.BaseLocalCSRTestCase):
-    def setUp(self):
-        super(TestAnchorGenerator, self).setUp()
-        self.cert_generator = anchor.AnchorCertGenerator
-
-    @requests_mock.mock()
-    def test_sign_cert(self, m):
-
-        m.post(CONF.anchor.url, content=six.b('test'))
-
-        # Attempt to sign a cert
-        signed_cert = self.cert_generator.sign_cert(
-            csr=self.certificate_signing_request
-        )
-        self.assertEqual("test", signed_cert.decode('ascii'))
-        self.assertTrue(m.called)
-
-        m.post(CONF.anchor.url, status_code=400)
-        self.assertRaises(exceptions.CertificateGenerationException,
-                          self.cert_generator.sign_cert,
-                          self.certificate_signing_request)

setup.cfg

@@ -83,7 +83,6 @@ octavia.distributor.drivers =
     single_VIP_amphora = octavia.distributor.drivers.single_VIP_amphora.driver:SingleVIPAmpDistributorDriver
 octavia.cert_generator =
     local_cert_generator = octavia.certificates.generator.local:LocalCertGenerator
-    anchor_cert_generator = octavia.certificates.generator.anchor:AnchorCertGenerator
 octavia.cert_manager =
     local_cert_manager = octavia.certificates.manager.local:LocalCertManager
     barbican_cert_manager = octavia.certificates.manager.barbican:BarbicanCertManager