Remove references to OpenStack Anchor

The OpenStack Anchor project is now officially retired[1].

This patch removes the references to Anchor from Octavia.
These old references were confusing new users.

[1] https://review.opendev.org/#/c/611187/

Change-Id: Idfe90aa69b497e8270118174dde00567d7fab4ab
changes/66/662866/1
Michael Johnson 3 years ago
parent 59660fb365
commit 6d2e2be86a
  1. 24
      doc/source/admin/Anchor.rst
  2. 7
      doc/source/admin/guides/operator-maintenance.rst
  3. 1
      doc/source/admin/index.rst
  4. 6
      doc/source/reference/glossary.rst
  5. 8
      etc/octavia.conf
  6. 66
      octavia/certificates/generator/anchor.py
  7. 12
      octavia/common/config.py
  8. 1
      octavia/opts.py
  9. 47
      octavia/tests/unit/certificates/generator/test_anchor.py
  10. 1
      setup.cfg

@ -1,24 +0,0 @@
======
Anchor
======
Anchor (see https://wiki.openstack.org/wiki/Security/Projects/Anchor) is
an ephemeral PKI system built to enable cryptographic trust in OpenStack
services. In the context of Octavia it can be used to sign the certificates
which secure the amphora - controller communication.
Basic Setup
-----------
1. Download/Install/Start Anchor from https://github.com/openstack/anchor
2. Change the listening port in config.py to 9999
3. I found it useful to run anchor in an additional devstack screen
4. Set in octavia.conf (root-ca.crt here is the Anchor CA)
a. [controller_worker] cert_generator = anchor
b. [haproxy_amphora] server_ca = /opt/stack/anchor/CA/root-ca.crt
5. Restart o-cw o-hm o-hk
Benefit
-------
In bigger cloud installations Anchor can be a gateway to a more secure
certificate management system than our default local signing.

@ -300,10 +300,9 @@ random string of a sufficient length.
Rotating Amphora Certificates
-----------------------------
For the server part Octavia will either act as a certificate authority itself,
or use :doc:`../Anchor` to issue amphora certificates to be used
by each amphora. Octavia will also monitor those certificates and refresh them
before they expire.
For the server part Octavia will act as a certificate authority itself to
issue amphora certificates to be used by each amphora. Octavia will also
monitor those certificates and refresh them before they expire.
There are three ways to initiate a rotation manually:

@ -29,7 +29,6 @@ Operator Reference
:maxdepth: 1
../contributor/guides/dev-quick-start.rst
Anchor.rst
api-audit.rst
guides/certificates.rst
../configuration/configref.rst

@ -28,12 +28,6 @@ description of these terms.
back-end amphora corresponding with the driver. This communication
happens over the LB network.
Anchor
Is an OpenStack project for an ephemeral PKI system (see
https://wiki.openstack.org/wiki/Security/Projects/Anchor). In Octavia
we can use Anchor to sign the certificates we use to authenticate/secure
controller <-> amphora communication.
Apolocation
Term used to describe when two or more amphorae are not colocated on
the same physical hardware (which is often essential in HA topologies).

@ -110,7 +110,6 @@
[certificates]
# Certificate Generator options are local_cert_generator
# anchor_cert_generator
# cert_generator = local_cert_generator
# For local certificate signing:
@ -136,13 +135,6 @@
# Endpoint type to use for communication with the Barbican service.
# endpoint_type = publicURL
[anchor]
# Use OpenStack anchor to sign the amphora REST API certificates
# url = http://localhost:9999/v1/sign/default
# username =
# password =
[networking]
# The maximum attempts to retry an action with the networking service.
# max_retries = 15

@ -1,66 +0,0 @@
# Copyright (c) 2015 Hewlett Packard Enterprise Development Company LP
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from oslo_log import log as logging
import requests
from octavia.certificates.generator import local
from octavia.common import exceptions
from octavia.i18n import _
LOG = logging.getLogger(__name__)
CONF = cfg.CONF
class AnchorException(exceptions.CertificateGenerationException):
pass
class AnchorCertGenerator(local.LocalCertGenerator):
"""Cert Generator Interface that signs certs with Anchor."""
@classmethod
def sign_cert(cls, csr, validity=None, **kwargs):
"""Signs a certificate using Anchor based on the specified CSR
:param csr: A Certificate Signing Request
:param validity: Will be ignored for now
:param kwargs: Will be ignored for now
:return: Signed certificate
:raises Exception: if certificate signing fails
"""
LOG.debug("Signing a certificate request using Anchor")
try:
LOG.debug('Certificate: %s', csr)
r = requests.post(CONF.anchor.url, data={
'user': CONF.anchor.username,
'secret': CONF.anchor.password,
'encoding': 'pem',
'csr': csr})
if r.status_code != 200:
LOG.debug('Anchor returned: %s', r.content)
raise AnchorException(_("Anchor returned Status Code : "
"{0}").format(str(r.status_code)))
return r.content
except Exception as e:
LOG.error("Unable to sign certificate.")
raise exceptions.CertificateGenerationException(msg=e)

@ -451,17 +451,6 @@ house_keeping_opts = [
' rotation'))
]
anchor_opts = [
cfg.StrOpt('url',
default='http://localhost:9999/v1/sign/default',
help=_('Anchor URL')),
cfg.StrOpt('username',
help=_('Anchor username')),
cfg.StrOpt('password',
help=_('Anchor password'),
secret=True)
]
keepalived_vrrp_opts = [
cfg.IntOpt('vrrp_advert_int',
default=1,
@ -629,7 +618,6 @@ cfg.CONF.register_opts(controller_worker_opts, group='controller_worker')
cfg.CONF.register_opts(keepalived_vrrp_opts, group='keepalived_vrrp')
cfg.CONF.register_opts(task_flow_opts, group='task_flow')
cfg.CONF.register_opts(house_keeping_opts, group='house_keeping')
cfg.CONF.register_opts(anchor_opts, group='anchor')
cfg.CONF.register_cli_opts(core_cli_opts)
cfg.CONF.register_opts(certificate_opts, group='certificates')
cfg.CONF.register_cli_opts(healthmanager_opts, group='health_manager')

@ -39,7 +39,6 @@ def list_opts():
octavia.certificates.common.local.certgen_opts)),
('house_keeping', octavia.common.config.house_keeping_opts),
('keepalived_vrrp', octavia.common.config.keepalived_vrrp_opts),
('anchor', octavia.common.config.anchor_opts),
('nova', octavia.common.config.nova_opts),
('neutron', octavia.common.config.neutron_opts),
('glance', octavia.common.config.glance_opts),

@ -1,47 +0,0 @@
# Copyright 2015 Hewlett Packard Enterprise Development Company LP
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
import requests_mock
import six
from octavia.certificates.generator import anchor
from octavia.common import exceptions
from octavia.tests.unit.certificates.generator import local_csr
CONF = cfg.CONF
class TestAnchorGenerator(local_csr.BaseLocalCSRTestCase):
def setUp(self):
super(TestAnchorGenerator, self).setUp()
self.cert_generator = anchor.AnchorCertGenerator
@requests_mock.mock()
def test_sign_cert(self, m):
m.post(CONF.anchor.url, content=six.b('test'))
# Attempt to sign a cert
signed_cert = self.cert_generator.sign_cert(
csr=self.certificate_signing_request
)
self.assertEqual("test", signed_cert.decode('ascii'))
self.assertTrue(m.called)
m.post(CONF.anchor.url, status_code=400)
self.assertRaises(exceptions.CertificateGenerationException,
self.cert_generator.sign_cert,
self.certificate_signing_request)

@ -83,7 +83,6 @@ octavia.distributor.drivers =
single_VIP_amphora = octavia.distributor.drivers.single_VIP_amphora.driver:SingleVIPAmpDistributorDriver
octavia.cert_generator =
local_cert_generator = octavia.certificates.generator.local:LocalCertGenerator
anchor_cert_generator = octavia.certificates.generator.anchor:AnchorCertGenerator
octavia.cert_manager =
local_cert_manager = octavia.certificates.manager.local:LocalCertManager
barbican_cert_manager = octavia.certificates.manager.barbican:BarbicanCertManager

Loading…
Cancel
Save