Add a new Unverified Person deployment that uses CANdy Dev as its ledger about essential-services-delivery HOT 10 CLOSED

I've asked @ianco to do the 0.7.3-rc0 update and the adding of the multi-ledger support per #109 . He might need to ask you questions, @esune about this. Once that is in place, I'm guessing it is easy to add the configuration for a new instance -- although it will be a little more fun to go through the deployment process...

from essential-services-delivery.

@wadeking98 -- please start this when you can, beginning with some guidance from @esune and @WadeBarnes.

Not even sure I have created this issue in the right repo -- so we might have to move it.

@jljordan42 -- heads up on this work.

from essential-services-delivery.

@wadeking98 -- please start this when you can, beginning with some guidance from @esune and @WadeBarnes.

Not even sure I have created this issue in the right repo -- so we might have to move it.

@jljordan42 -- heads up on this work.

The configurations for unverified person are in https://github.com/bcgov/essential-services-delivery (openvp profile).

from essential-services-delivery.

@esune - do those configurations include the ledger being used or is that somewhere else? Can you point out where that is controlled? We'll need to adjust to support multi-ledgers as now implemented in ACA-Py, including defining the proof request to accept credentials from multiple schema or multiple cred defs.

Should this issue be moved to the https://github.com/bcgov/essential-services-delivery repo? Are there any changes needed here that will have to be made to deploy the new issuer instance?

from essential-services-delivery.

@esune - do those configurations include the ledger being used or is that somewhere else? Can you point out where that is controlled? We'll need to adjust to support multi-ledgers as now implemented in ACA-Py, including defining the proof request to accept credentials from multiple schema or multiple cred defs.

Should this issue be moved to the https://github.com/bcgov/essential-services-delivery repo? Are there any changes needed here that will have to be made to deploy the new issuer instance?

I would move it to essential-services-delivery for consistency, since the "original" unverified person service configurations are there.

The ledger is inferred by the Genesis URL parameter used to configure the agent, I do not know how this has changed for multi-ledger so I might need to get a quick update on that in order to provide input.

from essential-services-delivery.

As a recap of the conversation I had with @ianco on how to proceed to deploy a new issuer attached to the CANdy network.

1. Make a copy of the openvp profile to something like settings.openvp-candy.sh
2. Make copies of all of the *.openvp.*.param files in agent, api and issuer-web, renaming them to use the same profile name chosen at step 1 (e.g.: openvp-candy)
3. Update the GENESIS_FILE_URL parameter (example) to point to CANdy and set AGENT_READ_ONLY_LEDGER (example) to `true: this will start the agent in read-only mode the first time, allowing it to create a did/verkey pair
4. Communicate the generated did/verkey to @WadeBarnes to be registered as Endorser on CANdy, then set AGENT_READ_ONLY_LEDGER to false and restart it. The api service will need to be restarted as well, as it needs an agent with write capabilities to write schema/creddef to the ledger.

This should cover creating a new issuer. Make sure that the configuration files in the config folder for api and issuer-web are duplicated for the new profile as well, and tweaked as necessary (e.g.: to account for the new URL names, everything follows the same naming convention as the profile so it should be relatively easy to search and carefully replace values).

As a bonus step, the agent build configuration can be updated to use the newer aca-py image (see here).

Let me know if I missed something or something else is required and I'll make some time to help! 😉

from essential-services-delivery.

A second bonus step is to add the multi-ledger functionality, so that the verifier parts of these can use multiple ledgers, and the issuer part uses one specific ledger from the list. And documentation about that...

Thanks!

from essential-services-delivery.

3. Update the GENESIS_FILE_URL parameter (example) to point to CANdy and set AGENT_READ_ONLY_LEDGER (example) to `true: this will start the agent in read-only mode the first time, allowing it to create a did/verkey pair
4. Communicate the generated did/verkey to @WadeBarnes to be registered as Endorser on CANdy, then set AGENT_READ_ONLY_LEDGER to false and restart it. The api service will need to be restarted as well, as it needs an agent with write capabilities to write schema/creddef to the ledger.

@esune It looks like the agents start with a seed INDY_WALLET_SEED, so don't we just provide the seed via openshift secret and then we don't have to go through the "two-step" with starting/restarting the agent?

from essential-services-delivery.

3. Update the GENESIS_FILE_URL parameter (example) to point to CANdy and set AGENT_READ_ONLY_LEDGER (example) to `true: this will start the agent in read-only mode the first time, allowing it to create a did/verkey pair
4. Communicate the generated did/verkey to @WadeBarnes to be registered as Endorser on CANdy, then set AGENT_READ_ONLY_LEDGER to false and restart it. The api service will need to be restarted as well, as it needs an agent with write capabilities to write schema/creddef to the ledger.

@esune It looks like the agents start with a seed INDY_WALLET_SEED, so don't we just provide the seed via openshift secret and then we don't have to go through the "two-step" with starting/restarting the agent?

Yep, that is correct. The first start, however, needs to be in read-only mode otherwise the agent won't be able to start-up correctly without the DID being registered on the ledger.

from essential-services-delivery.

The new issuers have been deployed:

Full list of environments:
dev: https://openvp-candy-issuer-dev.apps.silver.devops.gov.bc.ca/
test: https://openvp-candy-issuer-test.apps.silver.devops.gov.bc.ca/
prod: https://openvp-candy-dev.vonx.io/

The first credential to be issued from the CANdy Dev network:

from essential-services-delivery.