Closed esune closed 1 year ago
@dbluhm thoughts on this? I believe Indicio is using multi-tenant deployments of ACA-Py as well and I'd be curious about feedback/thoughts from your use-cases.
c.c.: @swcurran @andrewwhitehead @shaangill025 @usingtechnology
It's been a minute since I've interacted with a multi-tenant setup but, from memory, I don't recall ever needing to anchor a public DID for the base wallet before the tenants were able to write. When testing, I usually do not use the --wallet-seed argument and create DIDs through the Admin API for a subwallet and go through onboarding for that DID for that specific subwallet. Am I missing something?
I did not think/know it was possible to run an agent without providing a seed - this might be what we are missing in our deployments so I'll have to try that.
We also provision subwallet DIDs using the API as well, and that is not a problem - the main wallet DID is what is currently throwing us off.
@dbluhm I learned something new today, thanks! 🙂 I did not realize we could start the main wallet WITHOUT a seed; switching to this pattern seems to resolve our issues and, I think, makes this specific issue unnecessary. I wonder if we should document this as the preferred method to run multitenancy to help other people not fall into the same situation?
An update to the Multi-tenancy doc?
I opened a PR with a quick doc update - please let me know if the wording makes sense.
When running in multitenancy mode, the agent deployment needs to run with the "ledger write" mode enabled (ACAPY_READ_ONLY_LEDGER=false) for tenants to be able to perform ledger writes (e.g.: publishing a public DID, a schema definition, etc.) either directly, or by using an endorser. This requires the main wallet, which only ever acts as tenant manager, to have a public DID registered on the ledger as well, which seems unnecessary.
Suggested behaviour:
ACAPY_READ_ONLY_LEDGER=false