bcgov / DITP-DevOps

Digital Identity and Trust Program Team's DevOps Documentation Repository
Apache License 2.0

SPIKE: manual connection to Endorser for tenants #110

Closed esune closed 10 months ago

esune commented 1 year ago

As part of our plan to move Traction to production use, we need the process of connecting to an endorser to be:

  1. configurable: each tenant will decide which endorser they want to connect to, based on permissions (https://github.com/bcgov/traction/issues/681)
  2. controllable: the endorser will be able to gate access to functionality based on allow-lists (https://github.com/hyperledger/aries-endorser-service/issues/32)

As a mitigation plan for #2 while the solution is implemented, NetworkPolicies are being used to limit ingress traffic to the Endorser instances. The work is being tracked here: https://github.com/bcgov/DITP-DevOps/issues/100. A concern being raised is that this approach would require private endpoints to be published to the ledger, since the discovery of the endorser agent happens by public DID, and this would not be desirable.

A stop-gap option that could allow us to move forward without having to implement temporary ad-hoc patches would be to manually set up the connection to the endorser agent, since this is a one-time procedure and it will likely only be necessary for one or two agents at most.

The ticket is to evaluate and validate that this approach would work and be a feasible temporary alternative in production until the granular endorser configuration work is completed and deployed.

WadeBarnes commented 12 months ago

Scripts to automate the manual connection between author and endorser can be found here:

The scripts are well documented and contain links to the "official" documentation on the subject. These can be used, at least, to inform the process. The scripts initiate the connection between the author and endorser and then configure the endorser settings at the connection level, allowing the settings at the global level to remain manual/private.
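The manual pairing the comment describes (initiate the author/endorser connection, then set the endorser role and endorser info on that one connection rather than in global agent configuration) can be expressed as a short sequence of ACA-Py admin API calls. The script below is an added example, not the DITP-DevOps scripts themselves. The endpoint paths are the ACA-Py admin routes as I know them (`/connections/create-invitation`, `/connections/receive-invitation`, `/transactions/{conn_id}/set-endorser-role`, `/transactions/{conn_id}/set-endorser-info`); confirm them against the Swagger UI of the ACA-Py version you actually run. Hostnames, the admin API key, the endorser DID and the aliases are placeholders. The HTTP transport is injectable so the call sequence can be exercised offline with a stub.

```python
"""Manual author <-> endorser pairing over the ACA-Py admin API.

Added example, not the project's own scripts. Endpoint paths are assumed from
the ACA-Py admin API; hostnames, key, DID and aliases are placeholders.
"""
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

# Transport: (method, url, json_body_or_None) -> decoded JSON response.
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]


def urllib_transport(api_key: str) -> Transport:
    """Real transport for an admin endpoint protected by X-API-KEY (assumed header)."""
    def send(method: str, url: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        req.add_header("X-API-KEY", api_key)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read() or b"{}")
    return send


def _url(base: str, path: str, **query: str) -> str:
    """Build an admin URL with URL-encoded query parameters."""
    return f"{base}{path}?{urllib.parse.urlencode(query)}" if query else f"{base}{path}"


def connect_author_to_endorser(
    author_admin: str,
    endorser_admin: str,
    endorser_did: str,
    endorser_name: str,
    send: Transport,
) -> Tuple[str, str]:
    """Pair one author agent with the endorser; returns (author_conn_id, endorser_conn_id).

    The endorser's service endpoint travels only inside the invitation. Nothing here
    writes an endpoint to the ledger, which is the reason for doing this by hand.
    """
    # 1. Endorser issues a single-use invitation (multi_use is deliberately left off).
    inv = send("POST", _url(endorser_admin, "/connections/create-invitation",
                            alias="author-tenant", auto_accept="true"), {})
    endorser_conn_id = inv["connection_id"]

    # 2. Author accepts it; this connection becomes its only channel to the endorser.
    conn = send("POST", _url(author_admin, "/connections/receive-invitation",
                             alias=endorser_name, auto_accept="true"), inv["invitation"])
    author_conn_id = conn["connection_id"]

    # 3. Roles live as metadata on this one connection, not in global agent settings.
    send("POST", _url(endorser_admin, f"/transactions/{endorser_conn_id}/set-endorser-role",
                      transaction_my_job="TRANSACTION_ENDORSER"), None)
    send("POST", _url(author_admin, f"/transactions/{author_conn_id}/set-endorser-role",
                      transaction_my_job="TRANSACTION_AUTHOR"), None)

    # 4. Author records which DID signs its transactions on this connection.
    send("POST", _url(author_admin, f"/transactions/{author_conn_id}/set-endorser-info",
                      endorser_did=endorser_did, endorser_name=endorser_name), None)
    return author_conn_id, endorser_conn_id


if __name__ == "__main__":
    # Placeholders: replace with the real admin URLs, key and endorser DID.
    ids = connect_author_to_endorser(
        "http://author-admin.internal:8031",
        "http://endorser-admin.internal:8051",
        "ENDORSER-DID-PLACEHOLDER",
        "bc-endorser",
        urllib_transport("replace-with-admin-api-key"),
    )
    print("author connection:", ids[0], "endorser connection:", ids[1])
```

Because the endorser role and info are attached to the connection record, the endorser's global endorsement settings stay private and the author only ever learns the endorser's endpoint through the invitation it was handed. Keep the admin endpoints themselves reachable only from the operator's network (the same NetworkPolicy concern raised above applies to the admin API, not just to the agent endpoint).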

esune commented 10 months ago

Closing, done as part of https://github.com/bcgov/traction/issues/797