bcgov / DITP-DevOps

Digital Identity and Trust Program Team's DevOps Documentation Repository
Apache License 2.0

Migrate LSBC issuer to use Aries Askar and the Shared Components #83

Closed swcurran closed 9 months ago

swcurran commented 1 year ago

Updated: Changed to be specific to the LSBC Issuer. This is a precursor task to updating the LSBC Issuer to a soon-to-be-released version of ACA-Py.

Related tickets:

Tagged Upgrade Command:

swcurran commented 1 year ago

Heads up on this @i5okie, @WadeBarnes and @esune. We should discuss the challenges in doing this, and the tools available to help with this process.

WadeBarnes commented 1 year ago

I've updated the Google spreadsheet with the agent version and storage type information, which will make this easier.

We currently have 33 aca-py instances using indy and another 29 instances using askar.

WadeBarnes commented 1 year ago

Migrating to askar should be performed at the same time as an agent and wallet upgrade.

When performing these steps it is extremely important to ensure the upgrades and updates are being done to a single ACA-Py instance at a time. This typically means, at least temporarily, isolating the image tags used by the deployment configuration to ensure the single instance is targeted when new images are deployed. For example, the deployment configuration templates for the agents and wallets in bcgov/trust-over-ip-configurations have been specifically designed for this purpose.

Steps:

I have a checklist template for this started in the DITP-DevOps repo, but I have not checked it in yet.

WadeBarnes commented 1 year ago

Refer to https://github.com/bcgov/DITP-DevOps/issues/18 for a link to the spreadsheet listing the agent deployments and their associated storage type.

swcurran commented 1 year ago

Looks like IDIM is already using Askar, so the focus is only on the migration of LSBC. Propose making this task ONLY about the migration of LSBC, and we open new tasks for the migration of other deployments.

swcurran commented 1 year ago

Updated the title of the ticket and description to talk only about LSBC. We need to be ready to upgrade the LSBC issuer to a new version of ACA-Py when it becomes available, which will have fixes that are only available using Askar.

WadeBarnes commented 10 months ago

Migrate to using Askar only images at the same time.

WadeBarnes commented 9 months ago

LSBC test - Testing (Successful):

PUT https://lsbc-agent-admin-test.apps.silver.devops.gov.bc.ca/revocation/registry/AuJrigKQGRLJajKAebTgWu%3A4%3AAuJrigKQGRLJajKAebTgWu%3A3%3ACL%3A209526%3Adefault%3ACL_ACCUM%3A7aa88d5c-e1e8-488c-a0a5-63aee1b0ae66/fix-revocation-entry-state?apply_ledger_update=false

{
  "rev_reg_delta": {
    "ver": "1.0",
    "value": {
      "accum": "21 1253592B6F67D2A2ECECCE3E216E157D28B54AEF42C33888063CB9355650C337D 21 129A318069EA0FDD03EF556B6F04061DF5A61F017365513111E067BB446C25CD7 6 6CB65E8DE785E5B8F038A92F24BE3CDF4FD2CACE8EF4E3E3676E7F20C05F1F13 4 1A62FFE7E57C9FD4DC8871F6249DA0E8E4F7A55664B49EC2C37A7F4D3E133DFD 6 771D3BF43FC333479B8FE954EFB8DD99606D6EA6914DFBCCE26025D4376A6BAF 4 2E80316297E2A95EE05B5B72AB3D2100B03E35DBB47E319034B866C0A1A09F87",
      "issued": [],
      "revoked": [
        1,
        2,
        3,
        4,
        5,
        6,
        7,
        8,
        9,
        10,
        11,
        12,
        13,
        14,
        15,
        16,
        17,
        18,
        19,
        20,
        21,
        22,
        23,
        24,
        25,
        26,
        27,
        28,
        29,
        30,
        31,
        32,
        33,
        34,
        35,
        36,
        37,
        38,
        39,
        40,
        41,
        42,
        43,
        44,
        45,
        46,
        47,
        48,
        49,
        50,
        51,
        52,
        53,
        54,
        55,
        56,
        57,
        58,
        59,
        60,
        61,
        62,
        63,
        64,
        65,
        66,
        67,
        68,
        69,
        70,
        71,
        72,
        73,
        74,
        75,
        76,
        77,
        78,
        79,
        80,
        81,
        82,
        83,
        84,
        85,
        86,
        87,
        88,
        89,
        90,
        91,
        92,
        93,
        94,
        95,
        96,
        97,
        98,
        99,
        100,
        101,
        102,
        103,
        104,
        105,
        106,
        107,
        108,
        109,
        110,
        111,
        112,
        113,
        114,
        115,
        116,
        117,
        118,
        119,
        120,
        121,
        123,
        124,
        125,
        126,
        127,
        128,
        129,
        130,
        131,
        132,
        133,
        134,
        135,
        136,
        137,
        138,
        139,
        140,
        141,
        142,
        143,
        144,
        145,
        146,
        147,
        148,
        149,
        150,
        151,
        152,
        153,
        154,
        155,
        156,
        157,
        158,
        159,
        160,
        161,
        162,
        163,
        164,
        165,
        166,
        167,
        168,
        169,
        170,
        171,
        172,
        173,
        174,
        175,
        176,
        177,
        178,
        179,
        180,
        181,
        182,
        183,
        184,
        185,
        186,
        187,
        188,
        190,
        191,
        192,
        193,
        194,
        195,
        196,
        197,
        198,
        199,
        200,
        201,
        210,
        211,
        212,
        213,
        214,
        215,
        219,
        221,
        225,
        229,
        233,
        235,
        238,
        239,
        240,
        241,
        242
      ]
    }
  },
  "accum_calculated": {
    "ver": "1.0",
    "value": {
      "prevAccum": "21 1253592B6F67D2A2ECECCE3E216E157D28B54AEF42C33888063CB9355650C337D 21 129A318069EA0FDD03EF556B6F04061DF5A61F017365513111E067BB446C25CD7 6 6CB65E8DE785E5B8F038A92F24BE3CDF4FD2CACE8EF4E3E3676E7F20C05F1F13 4 1A62FFE7E57C9FD4DC8871F6249DA0E8E4F7A55664B49EC2C37A7F4D3E133DFD 6 771D3BF43FC333479B8FE954EFB8DD99606D6EA6914DFBCCE26025D4376A6BAF 4 2E80316297E2A95EE05B5B72AB3D2100B03E35DBB47E319034B866C0A1A09F87",
      "accum": "21 11AB2F20F36D40F338A59D6FAA94407C0ECACE5F4E12D820602117D8E1C9A03F2 21 132D6779E5996516E195656CEF8F7DA4E26B05AD67B87FCE929EE7CF15A577ABB 6 61FF6CE62976173F71B34517BDE03245374AE1FDE6F6C77E888CCFB777034C4B 4 133869BEB2A09A0CBC2A812797BC683E64F6F4CF4C55635E7BED2C9138F10D45 6 8395D6E2CE610172988D77E397C119500EC016F69DE2E0AF4DDEB61B23BA6945 4 37F9FF4AB0C855624487C89D97537A3726D5F298369BAAED2A0F3181C17F071E",
      "revoked": [
        245,
        243,
        244
      ]
    }
  },
  "accum_fixed": {}
}

PUT https://lsbc-agent-admin-test.apps.silver.devops.gov.bc.ca/revocation/registry/AuJrigKQGRLJajKAebTgWu%3A4%3AAuJrigKQGRLJajKAebTgWu%3A3%3ACL%3A209526%3Adefault%3ACL_ACCUM%3A7aa88d5c-e1e8-488c-a0a5-63aee1b0ae66/fix-revocation-entry-state?apply_ledger_update=true

{
  "rev_reg_delta": {
    "ver": "1.0",
    "value": {
      "accum": "21 1253592B6F67D2A2ECECCE3E216E157D28B54AEF42C33888063CB9355650C337D 21 129A318069EA0FDD03EF556B6F04061DF5A61F017365513111E067BB446C25CD7 6 6CB65E8DE785E5B8F038A92F24BE3CDF4FD2CACE8EF4E3E3676E7F20C05F1F13 4 1A62FFE7E57C9FD4DC8871F6249DA0E8E4F7A55664B49EC2C37A7F4D3E133DFD 6 771D3BF43FC333479B8FE954EFB8DD99606D6EA6914DFBCCE26025D4376A6BAF 4 2E80316297E2A95EE05B5B72AB3D2100B03E35DBB47E319034B866C0A1A09F87",
      "issued": [],
      "revoked": [
        1,
        2,
        3,
        4,
        5,
        6,
        7,
        8,
        9,
        10,
        11,
        12,
        13,
        14,
        15,
        16,
        17,
        18,
        19,
        20,
        21,
        22,
        23,
        24,
        25,
        26,
        27,
        28,
        29,
        30,
        31,
        32,
        33,
        34,
        35,
        36,
        37,
        38,
        39,
        40,
        41,
        42,
        43,
        44,
        45,
        46,
        47,
        48,
        49,
        50,
        51,
        52,
        53,
        54,
        55,
        56,
        57,
        58,
        59,
        60,
        61,
        62,
        63,
        64,
        65,
        66,
        67,
        68,
        69,
        70,
        71,
        72,
        73,
        74,
        75,
        76,
        77,
        78,
        79,
        80,
        81,
        82,
        83,
        84,
        85,
        86,
        87,
        88,
        89,
        90,
        91,
        92,
        93,
        94,
        95,
        96,
        97,
        98,
        99,
        100,
        101,
        102,
        103,
        104,
        105,
        106,
        107,
        108,
        109,
        110,
        111,
        112,
        113,
        114,
        115,
        116,
        117,
        118,
        119,
        120,
        121,
        123,
        124,
        125,
        126,
        127,
        128,
        129,
        130,
        131,
        132,
        133,
        134,
        135,
        136,
        137,
        138,
        139,
        140,
        141,
        142,
        143,
        144,
        145,
        146,
        147,
        148,
        149,
        150,
        151,
        152,
        153,
        154,
        155,
        156,
        157,
        158,
        159,
        160,
        161,
        162,
        163,
        164,
        165,
        166,
        167,
        168,
        169,
        170,
        171,
        172,
        173,
        174,
        175,
        176,
        177,
        178,
        179,
        180,
        181,
        182,
        183,
        184,
        185,
        186,
        187,
        188,
        190,
        191,
        192,
        193,
        194,
        195,
        196,
        197,
        198,
        199,
        200,
        201,
        210,
        211,
        212,
        213,
        214,
        215,
        219,
        221,
        225,
        229,
        233,
        235,
        238,
        239,
        240,
        241,
        242
      ]
    }
  },
  "accum_calculated": {
    "ver": "1.0",
    "value": {
      "prevAccum": "21 1253592B6F67D2A2ECECCE3E216E157D28B54AEF42C33888063CB9355650C337D 21 129A318069EA0FDD03EF556B6F04061DF5A61F017365513111E067BB446C25CD7 6 6CB65E8DE785E5B8F038A92F24BE3CDF4FD2CACE8EF4E3E3676E7F20C05F1F13 4 1A62FFE7E57C9FD4DC8871F6249DA0E8E4F7A55664B49EC2C37A7F4D3E133DFD 6 771D3BF43FC333479B8FE954EFB8DD99606D6EA6914DFBCCE26025D4376A6BAF 4 2E80316297E2A95EE05B5B72AB3D2100B03E35DBB47E319034B866C0A1A09F87",
      "accum": "21 11AB2F20F36D40F338A59D6FAA94407C0ECACE5F4E12D820602117D8E1C9A03F2 21 132D6779E5996516E195656CEF8F7DA4E26B05AD67B87FCE929EE7CF15A577ABB 6 61FF6CE62976173F71B34517BDE03245374AE1FDE6F6C77E888CCFB777034C4B 4 133869BEB2A09A0CBC2A812797BC683E64F6F4CF4C55635E7BED2C9138F10D45 6 8395D6E2CE610172988D77E397C119500EC016F69DE2E0AF4DDEB61B23BA6945 4 37F9FF4AB0C855624487C89D97537A3726D5F298369BAAED2A0F3181C17F071E",
      "revoked": [
        244,
        245,
        243
      ]
    }
  },
  "accum_fixed": {
    "auditPath": [
      "DL3Ux9PSYR6UvJtAsp3ikKSiYP4dg6m333cUZGDHJ1k4",
      "6onWdWfYJmowWixCSndq1A6XFYR7ZKqgAskwzHfmVQQh",
      "ChHSDQVYsAFKSwRoyTFgDaAbXVPwyzFUHUkRGLP8v91p",
      "4DyhvqxUFsgQZFZuxfe7Ys6x3W3e764nDpb3xvV93Kbx",
      "9xRhQTWt7jXbLPX7AMG64XQvTKcMsB7gYV5CXuf1swEM",
      "7JL2W7AgaKyLozE3BVWV6tQfmq26nshsUuRFpJ5eJLm4",
      "9yeSmLwWEVn7Pa2NEH37t9wMKsN56PPYqNuVnNeLnaZA",
      "DMbwesR2sT2GeytnA748QL8cohHRVibvkHN2EiDQ3vaT"
    ],
    "rootHash": "HkqNX3UJxd4wmKNT1wt2SpFWF4cghAT6Kxfrpjf3Fu7S",
    "txnMetadata": {
      "seqNo": 341385,
      "txnId": "5:AuJrigKQGRLJajKAebTgWu:4:AuJrigKQGRLJajKAebTgWu:3:CL:209526:default:CL_ACCUM:7aa88d5c-e1e8-488c-a0a5-63aee1b0ae66",
      "txnTime": 1695914893
    },
    "ver": "1",
    "reqSignature": {
      "values": [
        {
          "from": "AuJrigKQGRLJajKAebTgWu",
          "value": "44x6CDs8fXfWtUfQxHYUAg17AuaUMbRPgB9FKQR9YBikcnuiaTtr1ZyoGdQCYvsXycnrhfhC8WFxF2KM4kL31Fyf"
        }
      ],
      "type": "ED25519"
    },
    "txn": {
      "protocolVersion": 2,
      "type": "114",
      "metadata": {
        "reqId": 1695914892105194500,
        "payloadDigest": "e5bf9980e6963852e24e984b84600b4df3a559c0564fa527f26ff9468588849f",
        "digest": "8a78d7aee64bf9a9da8efe6dee130221faf498ba6be995d4039acaa968353250",
        "from": "AuJrigKQGRLJajKAebTgWu",
        "taaAcceptance": {
          "mechanism": "on_file",
          "taaDigest": "8cee5d7a573e4893b08ff53a0761a22a1607df3b3fcd7e75b98696c92879641f",
          "time": 1693872000
        }
      },
      "data": {
        "revocDefType": "CL_ACCUM",
        "revocRegDefId": "AuJrigKQGRLJajKAebTgWu:4:AuJrigKQGRLJajKAebTgWu:3:CL:209526:default:CL_ACCUM:7aa88d5c-e1e8-488c-a0a5-63aee1b0ae66",
        "value": {
          "revoked": [
            244,
            245,
            243
          ],
          "prevAccum": "21 1253592B6F67D2A2ECECCE3E216E157D28B54AEF42C33888063CB9355650C337D 21 129A318069EA0FDD03EF556B6F04061DF5A61F017365513111E067BB446C25CD7 6 6CB65E8DE785E5B8F038A92F24BE3CDF4FD2CACE8EF4E3E3676E7F20C05F1F13 4 1A62FFE7E57C9FD4DC8871F6249DA0E8E4F7A55664B49EC2C37A7F4D3E133DFD 6 771D3BF43FC333479B8FE954EFB8DD99606D6EA6914DFBCCE26025D4376A6BAF 4 2E80316297E2A95EE05B5B72AB3D2100B03E35DBB47E319034B866C0A1A09F87",
          "accum": "21 11AB2F20F36D40F338A59D6FAA94407C0ECACE5F4E12D820602117D8E1C9A03F2 21 132D6779E5996516E195656CEF8F7DA4E26B05AD67B87FCE929EE7CF15A577ABB 6 61FF6CE62976173F71B34517BDE03245374AE1FDE6F6C77E888CCFB777034C4B 4 133869BEB2A09A0CBC2A812797BC683E64F6F4CF4C55635E7BED2C9138F10D45 6 8395D6E2CE610172988D77E397C119500EC016F69DE2E0AF4DDEB61B23BA6945 4 37F9FF4AB0C855624487C89D97537A3726D5F298369BAAED2A0F3181C17F071E"
        }
      }
    }
  }
}

WadeBarnes commented 9 months ago

I plan to switch the migrated instances to the Askar only images and rotate the registries once the official ACA-Py 0.10.3 release is available. Then proceed with the upgrade and migration of prod.

WadeBarnes commented 9 months ago

LSBC dev has been connected to the Sovrin TestNet endorser and its RevRegs have been rotated.

I rotated the RevRegs twice as a test, since the rotate only generated a single RevReg.

First rotation:

Active:

{
  "rev_reg_ids": [
    "UUHA3oknprvKrpa7a6sncK:4:UUHA3oknprvKrpa7a6sncK:3:CL:209518:default:CL_ACCUM:f1399a43-9046-44ce-9a69-94203beab9ca"
  ]
}

Decommissioned:

{
  "rev_reg_ids": [
    "UUHA3oknprvKrpa7a6sncK:4:UUHA3oknprvKrpa7a6sncK:3:CL:209518:default:CL_ACCUM:d41706d2-c3ef-4297-878a-b9c30318a89e",
    "UUHA3oknprvKrpa7a6sncK:4:UUHA3oknprvKrpa7a6sncK:3:CL:209518:default:CL_ACCUM:c6f98707-dbca-4ecc-92d6-5eb0837f20dc"
  ]
}

Second rotation:

Active:

{
  "rev_reg_ids": [
    "UUHA3oknprvKrpa7a6sncK:4:UUHA3oknprvKrpa7a6sncK:3:CL:209518:default:CL_ACCUM:a7a6ebb0-cfed-42fe-8c98-b061c5be81e3"
  ]
}

Decommissioned:

{
  "rev_reg_ids": [
    "UUHA3oknprvKrpa7a6sncK:4:UUHA3oknprvKrpa7a6sncK:3:CL:209518:default:CL_ACCUM:f1399a43-9046-44ce-9a69-94203beab9ca",
    "UUHA3oknprvKrpa7a6sncK:4:UUHA3oknprvKrpa7a6sncK:3:CL:209518:default:CL_ACCUM:d41706d2-c3ef-4297-878a-b9c30318a89e",
    "UUHA3oknprvKrpa7a6sncK:4:UUHA3oknprvKrpa7a6sncK:3:CL:209518:default:CL_ACCUM:c6f98707-dbca-4ecc-92d6-5eb0837f20dc"
  ]
}

@usingtechnology, can you confirm this behavior would be due to only having a single RevReg active to start with? I forgot to double check before I rotated.

WadeBarnes commented 9 months ago

LSBC test has been connected to the Sovrin TestNet endorser and its RevRegs have been rotated.

State Before Rotation:

Active:

{
  "rev_reg_ids": [
    "AuJrigKQGRLJajKAebTgWu:4:AuJrigKQGRLJajKAebTgWu:3:CL:209526:default:CL_ACCUM:7aa88d5c-e1e8-488c-a0a5-63aee1b0ae66"
  ]
}

Full:

{
  "rev_reg_ids": [
    "AuJrigKQGRLJajKAebTgWu:4:AuJrigKQGRLJajKAebTgWu:3:CL:209526:default:CL_ACCUM:1608bebf-71c5-469a-990c-64c47c6e853f"
  ]
}

State After Rotation:

Active:

{
  "rev_reg_ids": [
    "AuJrigKQGRLJajKAebTgWu:4:AuJrigKQGRLJajKAebTgWu:3:CL:209526:default:CL_ACCUM:9fc50d37-b15d-47f2-8ada-75c2249abc44"
  ]
}

Decommissioned:

{
  "rev_reg_ids": [
    "AuJrigKQGRLJajKAebTgWu:4:AuJrigKQGRLJajKAebTgWu:3:CL:209526:default:CL_ACCUM:1608bebf-71c5-469a-990c-64c47c6e853f",
    "AuJrigKQGRLJajKAebTgWu:4:AuJrigKQGRLJajKAebTgWu:3:CL:209526:default:CL_ACCUM:7aa88d5c-e1e8-488c-a0a5-63aee1b0ae66"
  ]
}

@usingtechnology, these results confirm the rotate is only creating new RevRegs for active ones.

usingtechnology commented 9 months ago

Are you fetching results with GET /revocation/registries/created?state=?

Long story short - yes. For each Active registry being rotated out a new one is created/activated. If there is only one then only one will replace it.

The list of decommissioned can appear larger than expected because every call to rotate will mark ALL (except init state) as decommissioned - so the currently active plus: generated, posted, and full.
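
The rotation behaviour described in the comment above can be checked mechanically after each rotate. The following is an added example, not part of the original thread and not ACA-Py code; the `check_rotation` helper, the dict input shape and the `rr-*` ids are assumptions constructed for illustration.

```python
# Added example (not ACA-Py code). Input dicts map a registry state to the
# rev_reg_ids listed for it, e.g. collected per state from
# GET /revocation/registries/created?state=<state> for one cred_def_id.

# States that a rotate call moves to "decommissioned" (everything except init).
ROTATED_OUT = ("active", "generated", "posted", "full")


def check_rotation(before, after):
    """Return a list of problems; an empty list means the rotation looks right."""
    problems = []
    old_active = set(before.get("active", []))
    new_active = set(after.get("active", []))
    decommissioned = set(after.get("decommissioned", []))

    # Each registry that was active gets exactly one replacement.
    if len(new_active) != len(old_active):
        problems.append(
            f"expected {len(old_active)} active registries, found {len(new_active)}"
        )

    # A rotated-out registry must not still be active.
    for rev_reg_id in sorted(old_active & new_active):
        problems.append(f"{rev_reg_id} is still active")

    # Everything that was not in init state must now be decommissioned.
    expected = set(before.get("decommissioned", []))
    for state in ROTATED_OUT:
        expected.update(before.get(state, []))
    for rev_reg_id in sorted(expected - decommissioned):
        problems.append(f"{rev_reg_id} was not decommissioned")

    # Registries still in init are left alone by the rotate.
    for rev_reg_id in sorted(set(before.get("init", [])) & decommissioned):
        problems.append(f"{rev_reg_id} was in init but got decommissioned")

    return problems


# Constructed sample data (placeholder ids), shaped like the test environment
# above: one active and one full registry before the rotate.
BEFORE = {"active": ["rr-1"], "full": ["rr-0"]}
AFTER_OK = {"active": ["rr-2"], "decommissioned": ["rr-0", "rr-1"]}
# Constructed failure: the old registry was never rotated out.
AFTER_BAD = {"active": ["rr-1"], "decommissioned": ["rr-0"]}

if __name__ == "__main__":
    print(check_rotation(BEFORE, AFTER_OK))
    print(check_rotation(BEFORE, AFTER_BAD))
```

Capturing the per-state listings before the rotate is what makes the check possible; without the "before" snapshot the size of the decommissioned list cannot be explained afterwards.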

WadeBarnes commented 9 months ago

Are you fetching results with GET /revocation/registries/created?state=?

Yes, and filtered by the cred_def_id.

WadeBarnes commented 9 months ago

Notified LSBC that the updates are complete for dev and test.

WadeBarnes commented 9 months ago

LSBC prod has been upgraded to ACA-Py 0.10.3 and Postgres v14, migrated to Askar only images, connected to the Sovrin MainNet endorser, and its RevRegs have been rotated.

State Before Rotation:

Active:

{
  "rev_reg_ids": [
    "4xE68b6S5VRFrKMMG1U95M:4:4xE68b6S5VRFrKMMG1U95M:3:CL:59232:default:CL_ACCUM:4ae1cc6c-f6bd-486c-8057-88f2ce74e960",
    "4xE68b6S5VRFrKMMG1U95M:4:4xE68b6S5VRFrKMMG1U95M:3:CL:59232:default:CL_ACCUM:60cd8717-2543-4b67-bccd-6cbedcff6b31"
  ]
}

State After Rotation:

Active:

{
  "rev_reg_ids": [
    "4xE68b6S5VRFrKMMG1U95M:4:4xE68b6S5VRFrKMMG1U95M:3:CL:59232:default:CL_ACCUM:521a117c-c68f-4622-949e-48c853b33ee8",
    "4xE68b6S5VRFrKMMG1U95M:4:4xE68b6S5VRFrKMMG1U95M:3:CL:59232:default:CL_ACCUM:bb1863ef-7891-4e21-89dc-4af5b99d18c6"
  ]
}

Decommissioned:

{
  "rev_reg_ids": [
    "4xE68b6S5VRFrKMMG1U95M:4:4xE68b6S5VRFrKMMG1U95M:3:CL:59232:default:CL_ACCUM:4ae1cc6c-f6bd-486c-8057-88f2ce74e960",
    "4xE68b6S5VRFrKMMG1U95M:4:4xE68b6S5VRFrKMMG1U95M:3:CL:59232:default:CL_ACCUM:60cd8717-2543-4b67-bccd-6cbedcff6b31"
  ]
}