Remove references to OpenStack Anchor

The OpenStack Anchor project is now officially retired[1]. This patch removes the references to Anchor from Octavia. These old references were confusing new users. [1] https://review.opendev.org/#/c/611187/ Change-Id: Idfe90aa69b497e8270118174dde00567d7fab4ab
2019-06-03 14:57:04 -07:00 · 2019-06-03 14:57:04 -07:00 · 6d2e2be86a
commit 6d2e2be86a
parent 59660fb365
10 changed files with 3 additions and 170 deletions
--- a/doc/source/admin/Anchor.rst
+++ b/doc/source/admin/Anchor.rst
@ -1,24 +0,0 @@
 ======
 Anchor
 ======
 Anchor (see https://wiki.openstack.org/wiki/Security/Projects/Anchor) is
 an ephemeral PKI system built to enable cryptographic trust in OpenStack
 services. In the context of Octavia it can be used to sign the certificates
 which secure the amphora - controller communication.
 Basic Setup
 -----------
 1. Download/Install/Start Anchor from  https://github.com/openstack/anchor
 2. Change the listening port in config.py to 9999
 3. I found it useful to run anchor in an additional devstack screen
 4. Set in octavia.conf (root-ca.crt here is the Anchor CA)
   a. [controller_worker] cert_generator = anchor
   b. [haproxy_amphora] server_ca = /opt/stack/anchor/CA/root-ca.crt
 5. Restart o-cw o-hm o-hk
 Benefit
 -------
 In bigger cloud installations Anchor can be a gateway to a more secure
 certificate management system than our default local signing.
--- a/doc/source/admin/guides/operator-maintenance.rst
+++ b/doc/source/admin/guides/operator-maintenance.rst
@ -300,10 +300,9 @@ random string of a sufficient length.
 Rotating Amphora Certificates
 -----------------------------
-For the server part Octavia will either act as a certificate authority itself,
+For the server part Octavia will act as a certificate authority itself to
-or use :doc:`../Anchor` to issue amphora certificates to be used
+issue amphora certificates to be used by each amphora. Octavia will also
-by each amphora. Octavia will also monitor those certificates and refresh them
+monitor those certificates and refresh them before they expire.
 before they expire.
 There are three ways to initiate a rotation manually:
--- a/doc/source/admin/index.rst
+++ b/doc/source/admin/index.rst
@ -29,7 +29,6 @@ Operator Reference
   :maxdepth: 1
   ../contributor/guides/dev-quick-start.rst
   Anchor.rst
   api-audit.rst
   guides/certificates.rst
   ../configuration/configref.rst
--- a/doc/source/reference/glossary.rst
+++ b/doc/source/reference/glossary.rst
@ -28,12 +28,6 @@ description of these terms.
        back-end amphora corresponding with the driver. This communication
        happens over the LB network.
    Anchor
       Is an OpenStack project for an ephemeral PKI system (see
       https://wiki.openstack.org/wiki/Security/Projects/Anchor). In Octavia
       we can use Anchor to sign the certificates we use to authenticate/secure
       controller <-> amphora communication.
    Apolocation
        Term used to describe when two or more amphorae are not colocated on
        the same physical hardware (which is often essential in HA topologies).
--- a/etc/octavia.conf
+++ b/etc/octavia.conf
@ -110,7 +110,6 @@
 [certificates]
 # Certificate Generator options are local_cert_generator
 #                                   anchor_cert_generator
 # cert_generator = local_cert_generator
 # For local certificate signing:
@ -136,13 +135,6 @@
 # Endpoint type to use for communication with the Barbican service.
 # endpoint_type = publicURL
 [anchor]
 # Use OpenStack anchor to sign the amphora REST API certificates
 # url = http://localhost:9999/v1/sign/default
 # username =
 # password =
 [networking]
 # The maximum attempts to retry an action with the networking service.
 # max_retries = 15
--- a/octavia/certificates/generator/anchor.py
+++ b/octavia/certificates/generator/anchor.py
@ -1,66 +0,0 @@
 # Copyright (c) 2015 Hewlett Packard Enterprise Development Company LP
 # All Rights Reserved.
 #
 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
 #    not use this file except in compliance with the License. You may obtain
 #    a copy of the License at
 #
 #         http://www.apache.org/licenses/LICENSE-2.0
 #
 #    Unless required by applicable law or agreed to in writing, software
 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
 from oslo_config import cfg
 from oslo_log import log as logging
 import requests
 from octavia.certificates.generator import local
 from octavia.common import exceptions
 from octavia.i18n import _
 LOG = logging.getLogger(__name__)
 CONF = cfg.CONF
 class AnchorException(exceptions.CertificateGenerationException):
    pass
 class AnchorCertGenerator(local.LocalCertGenerator):
    """Cert Generator Interface that signs certs with Anchor."""
    @classmethod
    def sign_cert(cls, csr, validity=None, **kwargs):
        """Signs a certificate using Anchor based on the specified CSR
        :param csr: A Certificate Signing Request
        :param validity: Will be ignored for now
        :param kwargs: Will be ignored for now
        :return: Signed certificate
        :raises Exception: if certificate signing fails
        """
        LOG.debug("Signing a certificate request using Anchor")
        try:
            LOG.debug('Certificate: %s', csr)
            r = requests.post(CONF.anchor.url, data={
                'user': CONF.anchor.username,
                'secret': CONF.anchor.password,
                'encoding': 'pem',
                'csr': csr})
            if r.status_code != 200:
                LOG.debug('Anchor returned: %s', r.content)
                raise AnchorException(_("Anchor returned Status Code : "
                                        "{0}").format(str(r.status_code)))
            return r.content
        except Exception as e:
            LOG.error("Unable to sign certificate.")
            raise exceptions.CertificateGenerationException(msg=e)
--- a/octavia/common/config.py
+++ b/octavia/common/config.py
@ -451,17 +451,6 @@ house_keeping_opts = [
                      ' rotation'))
 ]
 anchor_opts = [
    cfg.StrOpt('url',
               default='http://localhost:9999/v1/sign/default',
               help=_('Anchor URL')),
    cfg.StrOpt('username',
               help=_('Anchor username')),
    cfg.StrOpt('password',
               help=_('Anchor password'),
               secret=True)
 ]
 keepalived_vrrp_opts = [
    cfg.IntOpt('vrrp_advert_int',
               default=1,
@ -629,7 +618,6 @@ cfg.CONF.register_opts(controller_worker_opts, group='controller_worker')
 cfg.CONF.register_opts(keepalived_vrrp_opts, group='keepalived_vrrp')
 cfg.CONF.register_opts(task_flow_opts, group='task_flow')
 cfg.CONF.register_opts(house_keeping_opts, group='house_keeping')
 cfg.CONF.register_opts(anchor_opts, group='anchor')
 cfg.CONF.register_cli_opts(core_cli_opts)
 cfg.CONF.register_opts(certificate_opts, group='certificates')
 cfg.CONF.register_cli_opts(healthmanager_opts, group='health_manager')
--- a/octavia/opts.py
+++ b/octavia/opts.py
@ -39,7 +39,6 @@ def list_opts():
            octavia.certificates.common.local.certgen_opts)),
        ('house_keeping', octavia.common.config.house_keeping_opts),
        ('keepalived_vrrp', octavia.common.config.keepalived_vrrp_opts),
        ('anchor', octavia.common.config.anchor_opts),
        ('nova', octavia.common.config.nova_opts),
        ('neutron', octavia.common.config.neutron_opts),
        ('glance', octavia.common.config.glance_opts),
--- a/octavia/tests/unit/certificates/generator/test_anchor.py
+++ b/octavia/tests/unit/certificates/generator/test_anchor.py
@ -1,47 +0,0 @@
 # Copyright 2015 Hewlett Packard Enterprise Development Company LP
 #
 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
 #    not use this file except in compliance with the License. You may obtain
 #    a copy of the License at
 #
 #         http://www.apache.org/licenses/LICENSE-2.0
 #
 #    Unless required by applicable law or agreed to in writing, software
 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
 from oslo_config import cfg
 import requests_mock
 import six
 from octavia.certificates.generator import anchor
 from octavia.common import exceptions
 from octavia.tests.unit.certificates.generator import local_csr
 CONF = cfg.CONF
 class TestAnchorGenerator(local_csr.BaseLocalCSRTestCase):
    def setUp(self):
        super(TestAnchorGenerator, self).setUp()
        self.cert_generator = anchor.AnchorCertGenerator
    @requests_mock.mock()
    def test_sign_cert(self, m):
        m.post(CONF.anchor.url, content=six.b('test'))
        # Attempt to sign a cert
        signed_cert = self.cert_generator.sign_cert(
            csr=self.certificate_signing_request
        )
        self.assertEqual("test", signed_cert.decode('ascii'))
        self.assertTrue(m.called)
        m.post(CONF.anchor.url, status_code=400)
        self.assertRaises(exceptions.CertificateGenerationException,
                          self.cert_generator.sign_cert,
                          self.certificate_signing_request)
--- a/setup.cfg
+++ b/setup.cfg
@ -83,7 +83,6 @@ octavia.distributor.drivers =
    single_VIP_amphora = octavia.distributor.drivers.single_VIP_amphora.driver:SingleVIPAmpDistributorDriver
 octavia.cert_generator =
    local_cert_generator = octavia.certificates.generator.local:LocalCertGenerator
    anchor_cert_generator = octavia.certificates.generator.anchor:AnchorCertGenerator
 octavia.cert_manager =
    local_cert_manager = octavia.certificates.manager.local:LocalCertManager
    barbican_cert_manager = octavia.certificates.manager.barbican:BarbicanCertManager