octavia/doc/source/main/Anchor.rst
Michael Johnson b60b2b2454 Fix the docs page title
Currently the title for the octavia docs page is "Main".
This updates the title to be more descriptive.

This patch also updates the index for Anchor documentation and
our version 1.0 specs.

Change-Id: I1258503b7a778789b77c7ec6c4db1fbd310b6133
2017-01-20 21:43:43 +00:00

Anchor

Anchor (see https://wiki.openstack.org/wiki/Security/Projects/Anchor) is an ephemeral PKI system built to enable cryptographic trust in OpenStack services. In the context of Octavia, it can be used to sign the certificates that secure amphora-controller communication.

Basic Setup

  1. Download/Install/Start Anchor from https://github.com/openstack/anchor
  2. Change the listening port in config.py to 9999
  3. I found it useful to run anchor in an additional devstack screen
  4. In octavia.conf, set the following (root-ca.crt here is the Anchor CA):
    1. [controller_worker] cert_generator = anchor
    2. [haproxy_amphora] server_ca = /opt/stack/anchor/CA/root-ca.crt
  5. Restart o-cw o-hm o-hk
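
A preflight check to run between steps 4 and 5, added here as an example and not part of the Octavia or Anchor code: it reads octavia.conf, confirms the two settings from step 4, and confirms that the file named by server_ca exists and holds a decodable PEM certificate block. The function names and the use of Python's configparser to read the file are assumptions of this example; it checks PEM framing only and does not parse the certificate.

```python
import configparser
import os
import re
import ssl
import sys

# Settings from the setup steps: (section, option, required value or None).
REQUIRED = [
    ("controller_worker", "cert_generator", "anchor"),
    ("haproxy_amphora", "server_ca", None),  # value is a path, checked below
]
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def check_server_ca(ca_path):
    """Check PEM framing and base64 only; X.509 contents are not parsed."""
    if not os.path.isfile(ca_path):
        return [f"server_ca {ca_path} does not exist"]
    with open(ca_path, encoding="ascii", errors="replace") as fh:
        match = PEM_RE.search(fh.read())
    if not match:
        return [f"server_ca {ca_path} contains no PEM certificate"]
    try:
        ssl.PEM_cert_to_DER_cert(match.group(0))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return [f"server_ca {ca_path} is not decodable PEM: {exc}"]
    return []


def check_octavia_conf(path):
    """Return a list of problems; an empty list means the settings match."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    if not cfg.read(path):
        return [f"cannot read {path}"]
    problems = []
    for section, option, required in REQUIRED:
        value = cfg.get(section, option, fallback=None)
        if value is None:
            problems.append(f"[{section}] {option} is not set")
        elif required is None:
            problems.extend(check_server_ca(value.strip()))
        elif value.strip() != required:
            problems.append(f"[{section}] {option} = {value!r}, want {required!r}")
    return problems


if __name__ == "__main__":
    found = check_octavia_conf(sys.argv[1])  # path to octavia.conf
    print("\n".join(found) or "octavia.conf matches the Anchor setup steps")
    sys.exit(1 if found else 0)
```

Run it with the path to octavia.conf as the only argument; a non-zero exit status means at least one setting needs fixing before the services are restarted.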

Benefit

In larger cloud installations, Anchor can serve as a gateway to a more secure certificate management system than our default local signing.