Closed swcurran closed 9 months ago
Heads up on this @i5okie, @WadeBarnes and @esune. We should discuss the challenges in doing this, and the tools available to help with this process.
I've updated the google spreadsheet with the agent version and storage type information, which will make this easier.
We currently have 33 aca-py instances using indy and another 29 instances using askar.
Migrating to askar should be performed at the same time as an agent and wallet upgrade.
When performing these steps it is extremely important to ensure the upgrades and updates are being done to a single ACA-Py instance at a time. This typically means, at least temporarily, isolating the image tags used by the deployment configuration to ensure the single instance is targeted when new images are deployed. For example, the deployment configuration templates for the agents and wallets in bcgov/trust-over-ip-configurations have been specifically designed for this purpose.
Steps:
ACA-Py
askar-upgrade script. For example:
askar-upgrade \
--strategy dbpw \
--uri postgres://<username>:<password>@<hostname>:<port>/<dbname> \
--wallet-name <wallet name> \
--wallet-key <wallet key>
ACAPY_WALLET_TYPE to askar
I have a checklist template for this started in the DITP-DevOps repo, but I have not checked it in yet.
Refer to https://github.com/bcgov/DITP-DevOps/issues/18 for a link to the spreadsheet listing the agent deployments and their associated storage type.
Looks like IDIM is already using Askar, so the focus is only on the migration of LSBC. Propose making this task ONLY about the migration of LSBC, and we open new tasks for the migration of other deployments.
Updated the title of the ticket and description to talk only about LSBC. We need to be ready to upgrade the LSBC issuer to a new version of ACA-Py when it becomes available, which will have fixes that are only available using Askar.
Migrate to using Askar only images at the same time.
LSBC test
- Testing (Successful):
py3.9-indy-1.16.0-0.10.3-pre0 images for testing.
$ $(echo aca-py upgrade --force-upgrade --named-tag fix_issue_rev_reg --wallet-name "$(echo ${AGENT_WALLET_NAME} | tr '[:upper:]' '[:lower:]' | sed "s~-~_~g")" --wallet-key "${WALLET_ENCRYPTION_KEY}" --wallet-storage-config "$(eval echo \"${WALLET_STORAGE_CONFIGURATION}\")" --wallet-storage-creds "$(eval echo \"${WALLET_STORAGE_CREDENTIALS}\")" --seed "${INDY_WALLET_SEED}");
PUT https://lsbc-agent-admin-test.apps.silver.devops.gov.bc.ca/revocation/registry/AuJrigKQGRLJajKAebTgWu%3A4%3AAuJrigKQGRLJajKAebTgWu%3A3%3ACL%3A209526%3Adefault%3ACL_ACCUM%3A7aa88d5c-e1e8-488c-a0a5-63aee1b0ae66/fix-revocation-entry-state?apply_ledger_update=false'
PUT https://lsbc-agent-admin-test.apps.silver.devops.gov.bc.ca/revocation/registry/AuJrigKQGRLJajKAebTgWu%3A4%3AAuJrigKQGRLJajKAebTgWu%3A3%3ACL%3A209526%3Adefault%3ACL_ACCUM%3A7aa88d5c-e1e8-488c-a0a5-63aee1b0ae66/fix-revocation-entry-state?apply_ledger_update=true'
I plan to switch the migrated instances to the Askar only images and rotate the registries once the official ACA-Py 0.10.3 release is available. Then proceed with the upgrade and migration of prod.
LSBC dev has been connected to the Sovrin TestNet endorser and its RevRegs have been rotated.
I rotated the RevRegs twice as a test, since the rotate only generated a single RevReg.
First rotation:
Active:
{
"rev_reg_ids": [
"UUHA3oknprvKrpa7a6sncK:4:UUHA3oknprvKrpa7a6sncK:3:CL:209518:default:CL_ACCUM:f1399a43-9046-44ce-9a69-94203beab9ca"
]
}
Decommissioned:
{
"rev_reg_ids": [
"UUHA3oknprvKrpa7a6sncK:4:UUHA3oknprvKrpa7a6sncK:3:CL:209518:default:CL_ACCUM:d41706d2-c3ef-4297-878a-b9c30318a89e",
"UUHA3oknprvKrpa7a6sncK:4:UUHA3oknprvKrpa7a6sncK:3:CL:209518:default:CL_ACCUM:c6f98707-dbca-4ecc-92d6-5eb0837f20dc"
]
}
Second rotation:
Active:
{
"rev_reg_ids": [
"UUHA3oknprvKrpa7a6sncK:4:UUHA3oknprvKrpa7a6sncK:3:CL:209518:default:CL_ACCUM:a7a6ebb0-cfed-42fe-8c98-b061c5be81e3"
]
}
Decommissioned:
{
"rev_reg_ids": [
"UUHA3oknprvKrpa7a6sncK:4:UUHA3oknprvKrpa7a6sncK:3:CL:209518:default:CL_ACCUM:f1399a43-9046-44ce-9a69-94203beab9ca",
"UUHA3oknprvKrpa7a6sncK:4:UUHA3oknprvKrpa7a6sncK:3:CL:209518:default:CL_ACCUM:d41706d2-c3ef-4297-878a-b9c30318a89e",
"UUHA3oknprvKrpa7a6sncK:4:UUHA3oknprvKrpa7a6sncK:3:CL:209518:default:CL_ACCUM:c6f98707-dbca-4ecc-92d6-5eb0837f20dc"
]
}
@usingtechnology, can you confirm this behavior would be due to only having a single RevReg active to start with? I forgot to double check before I rotated.
LSBC test has been connected to the Sovrin TestNet endorser and its RevRegs have been rotated.
State Before Rotation:
Active:
{
"rev_reg_ids": [
"AuJrigKQGRLJajKAebTgWu:4:AuJrigKQGRLJajKAebTgWu:3:CL:209526:default:CL_ACCUM:7aa88d5c-e1e8-488c-a0a5-63aee1b0ae66"
]
}
Full:
{
"rev_reg_ids": [
"AuJrigKQGRLJajKAebTgWu:4:AuJrigKQGRLJajKAebTgWu:3:CL:209526:default:CL_ACCUM:1608bebf-71c5-469a-990c-64c47c6e853f"
]
}
State After Rotation:
Active:
{
"rev_reg_ids": [
"AuJrigKQGRLJajKAebTgWu:4:AuJrigKQGRLJajKAebTgWu:3:CL:209526:default:CL_ACCUM:9fc50d37-b15d-47f2-8ada-75c2249abc44"
]
}
Decommissioned:
{
"rev_reg_ids": [
"AuJrigKQGRLJajKAebTgWu:4:AuJrigKQGRLJajKAebTgWu:3:CL:209526:default:CL_ACCUM:1608bebf-71c5-469a-990c-64c47c6e853f",
"AuJrigKQGRLJajKAebTgWu:4:AuJrigKQGRLJajKAebTgWu:3:CL:209526:default:CL_ACCUM:7aa88d5c-e1e8-488c-a0a5-63aee1b0ae66"
]
}
@usingtechnology, these results confirm the rotate is only creating new RevRegs for active ones.
Are you fetching results with GET /revocation/registries/created?state= ?
Long story short - yes. For each Active registry being rotated out a new one is created/activated. If there is only one then only one will replace it.
The list of decommissioned can appear larger than expected because every call to rotate will mark ALL (except init state) as decommissioned - so the currently active plus: generated, posted, and full.
Are you fetching results with GET /revocation/registries/created?state= ?
Yes, and filtered by the cred_def_id.
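The rotation behaviour described in the comments above can be checked mechanically by comparing state snapshots taken before and after a rotate. This is an added example, not code from the thread or from ACA-Py; `check_rotation` and the `{state: [rev_reg_id, ...]}` snapshot shape are assumptions, and the sample ids are the LSBC test values posted in this issue.

```python
# Added example: compares snapshots taken before and after a rotate call.
# Snapshot shape is an assumption: {state: [rev_reg_id, ...]} for a single
# cred_def_id, one list per value of the state= query parameter.

def check_rotation(before, after):
    """Return a list of problems; an empty list means the rotation matches
    the behaviour described in the thread."""
    problems = []
    old_active = set(before.get("active", []))
    new_active = set(after.get("active", []))
    decommissioned = set(after.get("decommissioned", []))
    known_before = {rid for ids in before.values() for rid in ids}

    # One new registry is created/activated per active registry rotated out.
    if len(new_active) != len(old_active):
        problems.append(f"expected {len(old_active)} active, found {len(new_active)}")
    # An active registry after rotation must be a newly created one.
    for rid in sorted(new_active & known_before):
        problems.append(f"active registry is not new: {rid}")
    # Every registry except those in init state is marked decommissioned.
    for state, ids in before.items():
        if state == "init":
            continue
        for rid in ids:
            if rid not in decommissioned:
                problems.append(f"{state} registry not decommissioned: {rid}")
    return problems

# LSBC test values as posted in this issue.
P = "AuJrigKQGRLJajKAebTgWu:4:AuJrigKQGRLJajKAebTgWu:3:CL:209526:default:CL_ACCUM:"
TEST_BEFORE = {
    "active": [P + "7aa88d5c-e1e8-488c-a0a5-63aee1b0ae66"],
    "full": [P + "1608bebf-71c5-469a-990c-64c47c6e853f"],
}
TEST_AFTER = {
    "active": [P + "9fc50d37-b15d-47f2-8ada-75c2249abc44"],
    "decommissioned": TEST_BEFORE["full"] + TEST_BEFORE["active"],
}
# Constructed failure case: the old active registry was never rotated out.
BAD_AFTER = {"active": TEST_BEFORE["active"], "decommissioned": TEST_BEFORE["full"]}

if __name__ == "__main__":
    print("observed:", check_rotation(TEST_BEFORE, TEST_AFTER))
    for problem in check_rotation(TEST_BEFORE, BAD_AFTER):
        print("constructed failure:", problem)
```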
Notified LSBC that the updates are complete for dev and test.
LSBC prod has been upgraded to ACA-Py 0.10.3 and Postgres v14, migrated to Askar only images, connected to the Sovrin MainNet endorser, and its RevRegs have been rotated.
State Before Rotation:
Active:
{
"rev_reg_ids": [
"4xE68b6S5VRFrKMMG1U95M:4:4xE68b6S5VRFrKMMG1U95M:3:CL:59232:default:CL_ACCUM:4ae1cc6c-f6bd-486c-8057-88f2ce74e960",
"4xE68b6S5VRFrKMMG1U95M:4:4xE68b6S5VRFrKMMG1U95M:3:CL:59232:default:CL_ACCUM:60cd8717-2543-4b67-bccd-6cbedcff6b31"
]
}
State After Rotation:
Active:
{
"rev_reg_ids": [
"4xE68b6S5VRFrKMMG1U95M:4:4xE68b6S5VRFrKMMG1U95M:3:CL:59232:default:CL_ACCUM:521a117c-c68f-4622-949e-48c853b33ee8",
"4xE68b6S5VRFrKMMG1U95M:4:4xE68b6S5VRFrKMMG1U95M:3:CL:59232:default:CL_ACCUM:bb1863ef-7891-4e21-89dc-4af5b99d18c6"
]
}
Decommissioned:
{
"rev_reg_ids": [
"4xE68b6S5VRFrKMMG1U95M:4:4xE68b6S5VRFrKMMG1U95M:3:CL:59232:default:CL_ACCUM:4ae1cc6c-f6bd-486c-8057-88f2ce74e960",
"4xE68b6S5VRFrKMMG1U95M:4:4xE68b6S5VRFrKMMG1U95M:3:CL:59232:default:CL_ACCUM:60cd8717-2543-4b67-bccd-6cbedcff6b31"
]
}
Updated: Changed to be specific to the LSBC Issuer. This is a precursor task to updating the LSBC Issuer to a soon-to-be-released version of ACA-Py.
Dev
UUHA3oknprvKrpa7a6sncK:3:CL:209518:default
Test
AuJrigKQGRLJajKAebTgWu:3:CL:209526:default
Prod
4xE68b6S5VRFrKMMG1U95M:3:CL:59232:default
Related tickets:
Tagged Upgrade Command: