bcgov / von

Verifiable Organizations Network
https://digital.gov.bc.ca/digital-trust

Migrate Law Society apps to TrustOverIP namespace #342

Closed esune closed 4 years ago

esune commented 4 years ago

The services currently hosted in devex-von-prod that refer to the Law Society should be migrated to the TrustOverIP OpenShift namespace.

The services that need to be migrated are:

Issuer Agent

Demo App

Notes: If the demo app still needs to use the Verified Person and Verified Email credentials, the law-society-agent should be migrated to Sovrin StagingNet as per #341. Another option could be updating the presentation request used to access the demo app to accept a credential from the development issuer instead, until the new version of A2A is available (I am thinking this is the better option). In this case, the app should be configured to target the ToIP instance of vc-authn rather than the shared "demo" one hosted in devex-von-prod.

Plan of Attack

Prod environments and services will initially be registered with Sovrin StagingNet and will eventually be registered with Sovrin MainNet once the services transition to full production mode.

The vc-authn-oidc instances in the TrustOverIP environment(s) will be used to replace the single vc-authn-oidc instance in devex-von-prod.

Issuers and Demos will be separated into their own App Groups.

Separation

The bcgov/law-society-demo repository contains the law-society demo application along with the OpenShift configurations for the law-society issuer agent and its wallet. The Law Society team is developing their companion issuer-controller elsewhere.

The agent and wallet configurations will be separated from the demo application and its configuration so only the demo application and its configuration remain in the repository. The law-society agent and wallet configuration will be integrated into what is now the TrustOverIP configurations repository, bcgov/a2a-trust-over-ip-configurations.

Issuer Agents

Demo App

swcurran commented 4 years ago

The production law-society-agent will use Sovrin MainNet, not Sovrin StagingNet. We could have a staging instance that uses StagingNet, but the instance that will issue credentials to lawyers will (likely) be on Sovrin MainNet.

esune commented 4 years ago

@swcurran that is correct. This is for the current development issuer agent, we do not (yet) have a production one.

My thought was that we will likely want the development/test issuers to either be on BCovrin Test or Sovrin StagingNet so that developers can poke at things without polluting the production ledger.

WadeBarnes commented 4 years ago

I think this migration is more a matter of setting up the new instances and then have the client(s) move over. Since we're switching ledgers we won't be able to migrate the wallet.

esune commented 4 years ago

@swcurran Identity Kit still points to the csb-audio demo as the app to test the credential with once the issuance is completed. Can we point it to something else using the verified-person credential (e.g.: the PHN issuer from essential services) instead so that I can remove the demo app in devex-von-prod and leave the app in the ToIP namespace to be used for testing the Law Society credential?

The issue is that the application uses the same instance of Keycloak, and therefore the IdP integration can only require - as it is right now - a single proof-request configuration. To support multiple proof requests on the same realm, the app itself needs to be updated to use a different Keycloak/OIDC adapter that supports adding query parameters to the authentication request (bypassing the Keycloak login screen).
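The comment above describes the constraint: with one Keycloak realm and one vc-authn IdP, a single realm-wide proof-request configuration applies to every app unless the app can put a selector into the authorization request itself. The block below is an added example, not code from bcgov/von, bcgov/law-society-demo or vc-authn-oidc. It assumes Keycloak's standard `kc_idp_hint` parameter is used to skip the realm login page, and that the identity provider is configured to forward an extra `pres_req_conf_id` query parameter through to vc-authn-oidc (the parameter name is the one vc-authn-oidc documents, but this thread does not name it, so treat it as an assumption). The endpoint, client id, redirect URI, IdP alias and configuration ids are placeholders. PKCE, `state` and `nonce` are included because any adapter that builds the request by hand has to supply them itself.

```python
"""Build an OIDC authorization request that carries a per-application
proof-request selector instead of relying on one realm-wide setting.

Added example for this thread; not project code. All endpoint names,
ids and the forwarded-parameter setup are assumptions (see lead-in).
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for illustration; none of these come from the thread.
AUTH_ENDPOINT = "https://keycloak.example.org/auth/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "law-society-demo"
REDIRECT_URI = "https://demo.example.org/callback"
IDP_ALIAS = "vc-authn"  # assumed alias of the vc-authn-oidc IdP in the realm

# One proof-request configuration per application. The ids are placeholders.
PROOF_CONFIGS = {
    "law-society-demo": "lawyer-credential",
    "essential-services-demo": "verified-person",
}


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge for a PKCE code verifier."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_auth_request(app: str) -> tuple[str, dict]:
    """Return the authorization URL for `app` plus the values the app must
    keep server-side until the callback (state, nonce, code verifier).
    Unknown apps are rejected so a caller cannot pick an arbitrary config.
    """
    try:
        pres_req_conf_id = PROOF_CONFIGS[app]
    except KeyError:
        raise ValueError(f"no proof-request configuration for app {app!r}") from None

    state = b64url(secrets.token_bytes(16))
    nonce = b64url(secrets.token_bytes(16))
    verifier = b64url(secrets.token_bytes(32))

    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
        # Standard Keycloak parameter: route straight to the named IdP and
        # skip the realm login screen.
        "kc_idp_hint": IDP_ALIAS,
        # Assumed to be listed under the IdP's forwarded query parameters so
        # Keycloak passes it through to vc-authn-oidc unchanged.
        "pres_req_conf_id": pres_req_conf_id,
    }
    session = {"state": state, "nonce": nonce, "code_verifier": verifier}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", session


def parse_auth_request(url: str) -> dict:
    """Flatten the query string of an authorization URL (one value per key)."""
    query = parse_qs(urlparse(url).query, strict_parsing=True)
    return {key: values[0] for key, values in query.items()}


def check_callback(session: dict, returned_state: str) -> bool:
    """Constant-time check of the state echoed back on the redirect."""
    return secrets.compare_digest(session["state"], returned_state)


if __name__ == "__main__":
    url, session = build_auth_request("law-society-demo")
    print(url)
```

Whether a given Keycloak deployment actually forwards `pres_req_conf_id` depends on the identity provider's forwarded-parameters setting; if it is not forwarded, vc-authn falls back to whatever default the IdP was configured with, which is exactly the single-configuration behaviour the comment describes.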

esune commented 4 years ago

This PR includes the changes to OpenShift configurations to provision the new agents for LSBC.

Agents have been provisioned for dev and test, and connected to Sovrin StagingNet. I have NOT provisioned a prod agent yet, since it doesn't seem like we need one at this time: we can quickly get it up and running when necessary, pointing it directly to MainNet (I will wait for feedback from LSBC to know whether they need a prod instance quite yet or not).

The old instance of the csb-audio demo has been scaled down and I pointed Identity Kit to use the HealthBC issuer we stood up for the Essential Services demo instead.