Add a new Unverified Person deployment that uses CANdy Dev as its ledger #108

Closed
swcurran opened this issue Dec 11, 2021 · 10 comments

@swcurran
Contributor

Please deploy a new instance of the Unverified Person instance of Identity Kit, but anchored on the CANdy Dev network.

We will need to get an Endorser DID for this, and ideally have an automated way to create and execute transactions. However, for now, we can manually endorse (e.g., have Wade B do them with the Indy CLI) create, endorse and execute the necessary transactions.

For the URL, I suggest that we use "unvp-candy.dev" and then plan on later having test versions of the URL.

Let me know what else is needed to get this done.

@swcurran
Contributor Author

@wadeking98 -- please start this when you can, beginning with some guidance from @esune and @WadeBarnes.

Not even sure I have created this issue in the right repo -- so we might have to move it.

@jljordan42 -- heads up on this work.

@esune
Member

esune commented Dec 13, 2021

> @wadeking98 -- please start this when you can, beginning with some guidance from @esune and @WadeBarnes.
>
> Not even sure I have created this issue in the right repo -- so we might have to move it.
>
> @jljordan42 -- heads up on this work.

The configurations for unverified person are in https://github.com/bcgov/essential-services-delivery (openvp profile).

@swcurran
Contributor Author

@esune - do those configurations include the ledger being used or is that somewhere else? Can you point out where that is controlled? We'll need to adjust to support multi-ledgers as now implemented in ACA-Py, including defining the proof request to accept credentials from multiple schema or multiple cred defs.

Should this issue be moved to the https://github.com/bcgov/essential-services-delivery repo? Are there any changes needed here that will have to be made to deploy the new issuer instance?

@esune
Member

esune commented Dec 14, 2021

> @esune - do those configurations include the ledger being used or is that somewhere else? Can you point out where that is controlled? We'll need to adjust to support multi-ledgers as now implemented in ACA-Py, including defining the proof request to accept credentials from multiple schema or multiple cred defs.
>
> Should this issue be moved to the https://github.com/bcgov/essential-services-delivery repo? Are there any changes needed here that will have to be made to deploy the new issuer instance?

I would move it to essential-services-delivery for consistency, since the "original" unverified person service configurations are there.

The ledger is inferred by the Genesis URL parameter used to configure the agent. I do not know how this has changed for multi-ledger, so I might need to get a quick update on that in order to provide input.

@swcurran
Contributor Author

I've asked @ianco to do the 0.7.3-rc0 update and the adding of the multi-ledger support per #109. He might need to ask you questions, @esune, about this. Once that is in place, I'm guessing it is easy to add the configuration for a new instance -- although it will be a little more fun to go through the deployment process...

@esune
Member

esune commented Dec 16, 2021

As a recap of the conversation I had with @ianco on how to proceed to deploy a new issuer attached to the CANdy network:

  1. Make a copy of the openvp profile to something like settings.openvp-candy.sh
  2. Make copies of all of the *.openvp.*.param files in agent, api and issuer-web, renaming them to use the same profile name chosen at step 1 (e.g.: openvp-candy)
  3. Update the GENESIS_FILE_URL parameter (example) to point to CANdy and set AGENT_READ_ONLY_LEDGER (example) to `true`: this will start the agent in read-only mode the first time, allowing it to create a did/verkey pair
  4. Communicate the generated did/verkey to @WadeBarnes to be registered as Endorser on CANdy, then set AGENT_READ_ONLY_LEDGER to false and restart it. The api service will need to be restarted as well, as it needs an agent with write capabilities to write schema/creddef to the ledger.

This should cover creating a new issuer. Make sure that the configuration files in the config folder for api and issuer-web are duplicated for the new profile as well, and tweaked as necessary (e.g.: to account for the new URL names, everything follows the same naming convention as the profile so it should be relatively easy to search and carefully replace values).

As a bonus step, the agent build configuration can be updated to use the newer aca-py image (see here).

Let me know if I missed something or something else is required and I'll make some time to help! 😉
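
The copy-and-retarget steps in the comment above, sketched as an added example (not code from this thread or from the project's tooling), with a check that the new profile is read-only on its first start and a scan for values that still name the old profile. The `<name>.<profile>.<env>.param` file naming, the KEY=value file format, the function names and the `.example` hosts are assumptions made for illustration.

```shell
# Assumed layout: <name>.<profile>.<env>.param files holding KEY=value lines.
# clone_profile DIR OLD NEW GENESIS_URL: copy *.OLD.*.param to *.NEW.*.param,
# point the copies at the new ledger and force read-only for the first start.
clone_profile() {
  local dir="$1" old="$2" new="$3" genesis="$4" src dst
  for src in "$dir"/*."$old".*.param; do
    [ -e "$src" ] || continue
    dst=$(basename "$src" | sed "s/\.$old\./.$new./")
    sed -e "s|^GENESIS_FILE_URL=.*|GENESIS_FILE_URL=$genesis|" \
        -e "s|^AGENT_READ_ONLY_LEDGER=.*|AGENT_READ_ONLY_LEDGER=true|" \
        "$src" > "$dir/$dst"
  done
}

# first_start_ok DIR NEW GENESIS_URL: succeed only if every new-profile file
# that sets GENESIS_FILE_URL has the new URL and read-only mode switched on.
first_start_ok() {
  local dir="$1" new="$2" genesis="$3" f
  for f in "$dir"/*."$new".*.param; do
    [ -e "$f" ] || continue
    grep -q '^GENESIS_FILE_URL=' "$f" || continue
    grep -qxF "GENESIS_FILE_URL=$genesis" "$f" || return 1
    grep -qxF "AGENT_READ_ONLY_LEDGER=true" "$f" || return 1
  done
  return 0
}

# stale_refs DIR OLD NEW: print lines of the new profile that still name the
# old one. OLD is a prefix of NEW here, so NEW is masked before matching;
# a plain grep for OLD would flag every correctly renamed value.
stale_refs() {
  local dir="$1" old="$2" new="$3" f
  for f in "$dir"/*."$new".*.param; do
    [ -e "$f" ] || continue
    sed "s/$new/@@/g" "$f" | grep -n -- "$old" | sed "s|^|$(basename "$f"):|"
  done
}

# Constructed sample input (placeholder hosts, not the project's real values).
demo() {
  local d; d=$(mktemp -d)
  printf '%s\n' 'GENESIS_FILE_URL=https://old-ledger.example/genesis' \
    'AGENT_READ_ONLY_LEDGER=false' \
    'AGENT_HOST=openvp-agent-dev.example' > "$d/agent-deploy.openvp.dev.param"
  clone_profile "$d" openvp openvp-candy https://candy.example/genesis
  first_start_ok "$d" openvp-candy https://candy.example/genesis && echo "first start OK"
  stale_refs "$d" openvp openvp-candy
  rm -rf "$d"
}
demo
```

A genesis URL containing `|` or `&` would need escaping before it is passed to the `sed` substitution in `clone_profile`.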

@swcurran
Contributor Author

A second bonus step is to add the multi-ledger functionality, so that the verifier parts of these can use multiple ledgers, and the issuer part uses one specific ledger from the list. And documentation about that...

Thanks!

@ianco
Contributor

ianco commented Dec 22, 2021

> 1. Update the GENESIS_FILE_URL parameter (example) to point to CANdy and set AGENT_READ_ONLY_LEDGER (example) to `true`: this will start the agent in read-only mode the first time, allowing it to create a did/verkey pair
> 2. Communicate the generated did/verkey to @WadeBarnes to be registered as Endorser on CANdy, then set AGENT_READ_ONLY_LEDGER to false and restart it. The api service will need to be restarted as well, as it needs an agent with write capabilities to write schema/creddef to the ledger.

@esune It looks like the agents start with a seed INDY_WALLET_SEED, so don't we just provide the seed via openshift secret and then we don't have to go through the "two-step" with starting/restarting the agent?

@esune
Member

esune commented Dec 23, 2021

> 1. Update the GENESIS_FILE_URL parameter (example) to point to CANdy and set AGENT_READ_ONLY_LEDGER (example) to `true`: this will start the agent in read-only mode the first time, allowing it to create a did/verkey pair
> 2. Communicate the generated did/verkey to @WadeBarnes to be registered as Endorser on CANdy, then set AGENT_READ_ONLY_LEDGER to false and restart it. The api service will need to be restarted as well, as it needs an agent with write capabilities to write schema/creddef to the ledger.
>
> @esune It looks like the agents start with a seed INDY_WALLET_SEED, so don't we just provide the seed via openshift secret and then we don't have to go through the "two-step" with starting/restarting the agent?

Yep, that is correct. The first start, however, needs to be in read-only mode, otherwise the agent won't be able to start up correctly without the DID being registered on the ledger.

@WadeBarnes
Member

The new issuers have been deployed:

Full list of environments:
dev: https://openvp-candy-issuer-dev.apps.silver.devops.gov.bc.ca/
test: https://openvp-candy-issuer-test.apps.silver.devops.gov.bc.ca/
prod: https://openvp-candy-dev.vonx.io/

The first credential to be issued from the CANdy Dev network:

[image]
