octavia/doc/source/admin/Anchor.rst
Michael Johnson 93c8e006ce Update Octavia docs for documentation migration
This patch updates the Octavia documentation in support of the
OpenStack documentation migration[1].

[1] https://specs.openstack.org/openstack/docs-specs/specs \
    /pike/os-manuals-migration.html

Change-Id: I97fd038b8050bfe776c3fca8336d9090f8236362
Depends-On: Ia750cb049c0f53a234ea70ce1f2bbbb7a2aa9454
2017-07-03 11:43:40 -07:00


Anchor

Anchor (see https://wiki.openstack.org/wiki/Security/Projects/Anchor) is an ephemeral PKI system built to provide cryptographic trust for OpenStack services by issuing short-lived certificates. In the context of Octavia it can be used to sign the certificates that secure the amphora-controller communication, in place of the local certificate generator that signs with a CA key held on the controller.

Basic Setup

  1. Download, install and start Anchor from https://github.com/openstack/anchor
  2. Change the listening port in Anchor's config.py to 9999
  3. Running Anchor in an additional devstack screen window keeps its log visible next to the Octavia services
  4. Set in octavia.conf (root-ca.crt here is the Anchor CA certificate, which the controller uses to verify the certificates Anchor has signed for the amphorae)
    1. [controller_worker] cert_generator = anchor
    2. [haproxy_amphora] server_ca = /opt/stack/anchor/CA/root-ca.crt
  5. Restart the Octavia services o-cw (controller worker), o-hm (health manager) and o-hk (housekeeping) so they pick up the new configuration
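The following is an added example and not part of the Octavia documentation or the Octavia project's own code. It writes the octavia.conf fragment that step 4 describes to a file and then checks it the way an operator would before restarting the services in step 5: that the controller worker really selects Anchor as certificate generator and that the amphora section names an absolute path to the Anchor CA. The function names (write_sample_conf, ini_get, check_anchor_conf, check_ca_file) are assumptions of this example, the sample configuration is constructed, and the paths are those given in the steps above.

```shell
#!/bin/sh
# Added example, not part of the Octavia docs or project code.

# Constructed sample octavia.conf containing only the two sections the
# Anchor setup touches; a real octavia.conf has many more options.
write_sample_conf() {
    cat > "$1" <<'EOF'
[controller_worker]
cert_generator = anchor

[haproxy_amphora]
server_ca = /opt/stack/anchor/CA/root-ca.crt
EOF
}

# ini_get FILE SECTION KEY
# Prints the value of KEY inside [SECTION]; exit status 1 if it is absent.
# Comments (# or ;) are skipped and whitespace around '=' is ignored.
ini_get() {
    awk -v section="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                    # [section] header
            s = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
            in_section = (s == section)
            next
        }
        in_section && ($0 ~ ("^[ \t]*" key "[ \t]*=")) {
            sub(/^[^=]*=[ \t]*/, "")                # drop "key ="
            sub(/[ \t]+$/, "")                      # drop trailing blanks
            print
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_anchor_conf FILE
# Succeeds and prints the configured CA path when octavia.conf selects the
# Anchor certificate generator and points the amphora driver at a CA file.
check_anchor_conf() {
    gen=$(ini_get "$1" controller_worker cert_generator) || {
        echo "cert_generator not set in [controller_worker]" >&2; return 1; }
    [ "$gen" = "anchor" ] || {
        echo "cert_generator is '$gen', expected 'anchor'" >&2; return 1; }
    ca=$(ini_get "$1" haproxy_amphora server_ca) || {
        echo "server_ca not set in [haproxy_amphora]" >&2; return 1; }
    case "$ca" in
        /*) ;;
        *)  echo "server_ca must be an absolute path, got '$ca'" >&2; return 1 ;;
    esac
    echo "$ca"
}

# check_ca_file PATH
# Confirms the file the config points at is readable and is really a CA
# certificate (basicConstraints CA:TRUE). Needs openssl; not run offline.
check_ca_file() {
    [ -r "$1" ] || { echo "CA file '$1' is not readable" >&2; return 1; }
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || {
        echo "'$1' is not a CA certificate" >&2; return 1; }
}

# Usage: write the sample, validate it, and (where openssl is present and
# the CA exists) check the CA file itself.
conf=$(mktemp)
write_sample_conf "$conf"
if ca_path=$(check_anchor_conf "$conf"); then
    echo "octavia.conf selects Anchor; CA is $ca_path"
    [ -r "$ca_path" ] && check_ca_file "$ca_path" && echo "CA file looks good"
fi
rm -f "$conf"
```

check_anchor_conf only inspects octavia.conf, so it is safe to run on a controller before the restart in step 5; check_ca_file is the extra step worth taking on a real deployment, because a server_ca that points at an end-entity certificate or a stale CA makes the controller reject every amphora it later tries to reach.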

Benefit

In larger cloud installations Anchor can be a gateway to a more secure certificate management system than the default local signing, since the signing key and the issuance policy move out of the Octavia controllers into a dedicated service. The steps above only cover the Octavia side; Anchor's own configuration (who may request certificates and which CSRs it will sign) still has to be locked down for that benefit to be real.