Anchor (see is an ephemeral PKI system built to enable cryptographic trust in OpenStack services. In the context of Octavia it can be used to sign the certificates that secure amphora-controller communication.

Basic Setup

  1. Download/Install/Start Anchor from
  2. Change the listening port in to 9999
  3. I found it useful to run Anchor in an additional devstack screen
  4. Set in octavia.conf (root-ca.crt here is the Anchor CA)
    1. [controller_worker] cert_generator = anchor
    2. [haproxy_amphora] server_ca = /opt/stack/anchor/CA/root-ca.crt
  5. Restart o-cw o-hm o-hk
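
A post-setup check for step 4, as an added example that is not part of the original page or of Octavia or Anchor. It confirms that both settings are present in octavia.conf and prints the SHA-256 fingerprint of the file named by server_ca. The helper names are hypothetical, the config is assumed to parse as INI, and the certificate check is a PEM/DER sanity check, not chain validation.

```python
import configparser
import hashlib
import ssl
import sys

# Settings from step 4: (section, option, required value or None for "any").
EXPECTED = [
    ("controller_worker", "cert_generator", "anchor"),
    ("haproxy_amphora", "server_ca", None),  # a path; the file is checked below
]


def ca_fingerprint(pem_path):
    """SHA-256 fingerprint (hex) of a single-certificate PEM file."""
    with open(pem_path, encoding="ascii") as fh:
        pem = fh.read().strip()
    der = ssl.PEM_cert_to_DER_cert(pem)  # ValueError if PEM armor is missing
    if not der.startswith(b"\x30"):  # X.509 DER starts with an ASN.1 SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    return hashlib.sha256(der).hexdigest()


def check_octavia_conf(conf_path):
    """Return (problems, server_ca fingerprint or None). Hypothetical helper."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    if not cfg.read(conf_path):
        return [f"cannot read {conf_path}"], None
    problems, fingerprint = [], None
    for section, option, wanted in EXPECTED:
        value = cfg.get(section, option, fallback=None)
        if value is None:
            problems.append(f"[{section}] {option} is not set")
        elif wanted is not None and value != wanted:
            problems.append(f"[{section}] {option} = {value}, expected {wanted}")
    ca_path = cfg.get("haproxy_amphora", "server_ca", fallback=None)
    if ca_path:
        try:
            fingerprint = ca_fingerprint(ca_path)
        except (OSError, ValueError) as exc:
            problems.append(f"server_ca {ca_path}: {exc}")
    return problems, fingerprint


if __name__ == "__main__" and len(sys.argv) == 2:
    found, fp = check_octavia_conf(sys.argv[1])
    print("\n".join(found) or f"OK, server_ca SHA-256 fingerprint: {fp}")
    sys.exit(1 if found else 0)
```

Run it with the path to octavia.conf as the only argument, and compare the printed fingerprint with the one of the CA certificate Anchor is actually signing with.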


In bigger cloud installations Anchor can be a gateway to a more secure certificate management system than our default local signing.
