diff --git a/doc/source/admin/Anchor.rst b/doc/source/admin/Anchor.rst deleted file mode 100644 index 2c40aae599..0000000000 --- a/doc/source/admin/Anchor.rst +++ /dev/null @@ -1,24 +0,0 @@ -====== -Anchor -====== -Anchor (see https://wiki.openstack.org/wiki/Security/Projects/Anchor) is -an ephemeral PKI system built to enable cryptographic trust in OpenStack -services. In the context of Octavia it can be used to sign the certificates -which secure the amphora - controller communication. - -Basic Setup ------------ -1. Download/Install/Start Anchor from https://github.com/openstack/anchor -2. Change the listening port in config.py to 9999 -3. I found it useful to run anchor in an additional devstack screen -4. Set in octavia.conf (root-ca.crt here is the Anchor CA) - - a. [controller_worker] cert_generator = anchor - b. [haproxy_amphora] server_ca = /opt/stack/anchor/CA/root-ca.crt - -5. Restart o-cw o-hm o-hk - -Benefit -------- -In bigger cloud installations Anchor can be a gateway to a more secure -certificate management system than our default local signing. diff --git a/doc/source/admin/guides/operator-maintenance.rst b/doc/source/admin/guides/operator-maintenance.rst index 12769399fc..c22d8fc93c 100644 --- a/doc/source/admin/guides/operator-maintenance.rst +++ b/doc/source/admin/guides/operator-maintenance.rst @@ -300,10 +300,9 @@ random string of a sufficient length. Rotating Amphora Certificates ----------------------------- -For the server part Octavia will either act as a certificate authority itself, -or use :doc:`../Anchor` to issue amphora certificates to be used -by each amphora. Octavia will also monitor those certificates and refresh them -before they expire. +For the server part Octavia will act as a certificate authority itself to +issue amphora certificates to be used by each amphora. Octavia will also +monitor those certificates and refresh them before they expire. There are three ways to initiate a rotation manually: 
diff --git a/doc/source/admin/index.rst b/doc/source/admin/index.rst index 0d01eba3c5..cfc3f4077f 100644 --- a/doc/source/admin/index.rst +++ b/doc/source/admin/index.rst @@ -29,7 +29,6 @@ Operator Reference :maxdepth: 1 ../contributor/guides/dev-quick-start.rst - Anchor.rst api-audit.rst guides/certificates.rst ../configuration/configref.rst diff --git a/doc/source/reference/glossary.rst b/doc/source/reference/glossary.rst index a8fc126e2e..8bf9c32a3b 100644 --- a/doc/source/reference/glossary.rst +++ b/doc/source/reference/glossary.rst @@ -28,12 +28,6 @@ description of these terms. back-end amphora corresponding with the driver. This communication happens over the LB network. - Anchor - Is an OpenStack project for an ephemeral PKI system (see - https://wiki.openstack.org/wiki/Security/Projects/Anchor). In Octavia - we can use Anchor to sign the certificates we use to authenticate/secure - controller <-> amphora communication. - Apolocation Term used to describe when two or more amphorae are not colocated on the same physical hardware (which is often essential in HA topologies). diff --git a/etc/octavia.conf b/etc/octavia.conf index 832312899b..8fe2e1fc52 100644 --- a/etc/octavia.conf +++ b/etc/octavia.conf @@ -110,7 +110,6 @@ [certificates] # Certificate Generator options are local_cert_generator -# anchor_cert_generator # cert_generator = local_cert_generator # For local certificate signing: @@ -136,13 +135,6 @@ # Endpoint type to use for communication with the Barbican service. # endpoint_type = publicURL - -[anchor] -# Use OpenStack anchor to sign the amphora REST API certificates -# url = http://localhost:9999/v1/sign/default -# username = -# password = - [networking] # The maximum attempts to retry an action with the networking service. # max_retries = 15 diff --git a/octavia/certificates/generator/anchor.py b/octavia/certificates/generator/anchor.py deleted file mode 100644 index 54f1eb148a..0000000000 
--- a/octavia/certificates/generator/anchor.py
+++ /dev/null
@@ -1,66 +0,0 @@
-# Copyright (c) 2015 Hewlett Packard Enterprise Development Company LP
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_config import cfg
-from oslo_log import log as logging
-import requests
-
-from octavia.certificates.generator import local
-from octavia.common import exceptions
-from octavia.i18n import _
-
-LOG = logging.getLogger(__name__)
-
-CONF = cfg.CONF
-
-
-class AnchorException(exceptions.CertificateGenerationException):
- pass
-
-
-class AnchorCertGenerator(local.LocalCertGenerator):
- """Cert Generator Interface that signs certs with Anchor."""
-
- @classmethod
- def sign_cert(cls, csr, validity=None, **kwargs):
- """Signs a certificate using Anchor based on the specified CSR
-
- :param csr: A Certificate Signing Request
- :param validity: Will be ignored for now
- :param kwargs: Will be ignored for now
-
- :return: Signed certificate
- :raises Exception: if certificate signing fails
- """
- LOG.debug("Signing a certificate request using Anchor")
-
- try:
- LOG.debug('Certificate: %s', csr)
- r = requests.post(CONF.anchor.url, data={
- 'user': CONF.anchor.username,
- 'secret': CONF.anchor.password,
- 'encoding': 'pem',
- 'csr': csr})
-
- if r.status_code != 200:
- LOG.debug('Anchor returned: %s', r.content)
- raise AnchorException(_("Anchor returned Status Code : "
- "{0}").format(str(r.status_code)))
-
- return r.content
-
- except Exception as e:
- LOG.error("Unable to sign certificate.")
- raise
exceptions.CertificateGenerationException(msg=e) diff --git a/octavia/common/config.py b/octavia/common/config.py index 52948b8378..55a0be082e 100644 --- a/octavia/common/config.py +++ b/octavia/common/config.py @@ -451,17 +451,6 @@ house_keeping_opts = [ ' rotation')) ] -anchor_opts = [ - cfg.StrOpt('url', - default='http://localhost:9999/v1/sign/default', - help=_('Anchor URL')), - cfg.StrOpt('username', - help=_('Anchor username')), - cfg.StrOpt('password', - help=_('Anchor password'), - secret=True) -] - keepalived_vrrp_opts = [ cfg.IntOpt('vrrp_advert_int', default=1, @@ -629,7 +618,6 @@ cfg.CONF.register_opts(controller_worker_opts, group='controller_worker') cfg.CONF.register_opts(keepalived_vrrp_opts, group='keepalived_vrrp') cfg.CONF.register_opts(task_flow_opts, group='task_flow') cfg.CONF.register_opts(house_keeping_opts, group='house_keeping') -cfg.CONF.register_opts(anchor_opts, group='anchor') cfg.CONF.register_cli_opts(core_cli_opts) cfg.CONF.register_opts(certificate_opts, group='certificates') cfg.CONF.register_cli_opts(healthmanager_opts, group='health_manager') diff --git a/octavia/opts.py b/octavia/opts.py index 7b71cd1895..450dd96681 100644 --- a/octavia/opts.py +++ b/octavia/opts.py @@ -39,7 +39,6 @@ def list_opts(): octavia.certificates.common.local.certgen_opts)), ('house_keeping', octavia.common.config.house_keeping_opts), ('keepalived_vrrp', octavia.common.config.keepalived_vrrp_opts), - ('anchor', octavia.common.config.anchor_opts), ('nova', octavia.common.config.nova_opts), ('neutron', octavia.common.config.neutron_opts), ('glance', octavia.common.config.glance_opts), diff --git a/octavia/tests/unit/certificates/generator/test_anchor.py b/octavia/tests/unit/certificates/generator/test_anchor.py deleted file mode 100644 index b91f4e5d13..0000000000 --- a/octavia/tests/unit/certificates/generator/test_anchor.py +++ /dev/null 
@@ -1,47 +0,0 @@
-# Copyright 2015 Hewlett Packard Enterprise Development Company LP
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from oslo_config import cfg
-import requests_mock
-import six
-
-from octavia.certificates.generator import anchor
-from octavia.common import exceptions
-from octavia.tests.unit.certificates.generator import local_csr
-
-
-CONF = cfg.CONF
-
-
-class TestAnchorGenerator(local_csr.BaseLocalCSRTestCase):
- def setUp(self):
- super(TestAnchorGenerator, self).setUp()
- self.cert_generator = anchor.AnchorCertGenerator
-
- @requests_mock.mock()
- def test_sign_cert(self, m):
-
- m.post(CONF.anchor.url, content=six.b('test'))
-
- # Attempt to sign a cert
- signed_cert = self.cert_generator.sign_cert(
- csr=self.certificate_signing_request
- )
- self.assertEqual("test", signed_cert.decode('ascii'))
- self.assertTrue(m.called)
-
- m.post(CONF.anchor.url, status_code=400)
- self.assertRaises(exceptions.CertificateGenerationException,
- self.cert_generator.sign_cert,
- self.certificate_signing_request)
diff --git a/setup.cfg b/setup.cfg
index 4734bc3e33..0b451e84cc 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -83,7 +83,6 @@ octavia.distributor.drivers = single_VIP_amphora = octavia.distributor.drivers.single_VIP_amphora.driver:SingleVIPAmpDistributorDriver octavia.cert_generator = local_cert_generator = octavia.certificates.generator.local:LocalCertGenerator - anchor_cert_generator = octavia.certificates.generator.anchor:AnchorCertGenerator octavia.cert_manager = local_cert_manager = octavia.certificates.manager.local:LocalCertManager barbican_cert_manager = octavia.certificates.manager.barbican:BarbicanCertManager