Skip to content

Comments

Add ACS OPC UA Edge Server integration#596

Open
AlexGodbehere wants to merge 15 commits intomainfrom
opc-ua-edge
Open

Add ACS OPC UA Edge Server integration#596
AlexGodbehere wants to merge 15 commits intomainfrom
opc-ua-edge

Conversation

@AlexGodbehere
Copy link
Contributor

@AlexGodbehere AlexGodbehere commented Feb 17, 2026
edited
Loading

This PR introduces acs-opcua-server-edge, a new edge helm chart that exposes UNS topics as OPC UA tags for consumption by OPC UA clients (e.g. SCADA, HMI systems) at the edge.

What's included

New acs-opcua-server-edge edge helm chart

  • Node.js OPC UA server built on node-opcua that subscribes to MQTT topics and surfaces them as OPC UA variable nodes
  • Address space is built dynamically: nodes are created on the fly as new topics arrive from the MQTT broker, supporting wildcard subscriptions rather than requiring a static topic list at startup
  • Last-known values are persisted to disk so the OPC UA server can serve cached values immediately on restart
  • OPC UA security: supports Basic256Sha256 + SignAndEncrypt for secure username/password authentication, with SecurityPolicy.None kept available for anonymous browsing; anonymous access is configurable
  • MQTT: supports optional TLS (mqtts://) with a configurable CA certificate, auto-detected from port 8883

Helm chart (edge-helm-charts/charts/opcua-server)

  • Full Kubernetes deployment with configmap-driven configuration, a PVC for the value cache and PKI data, a NodePort service for external OPC UA access, and a Kerberos keytab secret
  • Certificate managers use a writable /data volume (fixes node-opcua defaulting to ~/.config which is read-only in the container)
  • Dynamic image tag/registry injection via %%REGISTRY%% / %%TAG%% / %%PULLPOLICY%% placeholders
  • Configurable resource limits, tolerations, and host pinning

ACS service-setup integration

  • Registers Local.Role.OPCUAServer (with Auth.Class.EdgeService + UNS.Group.Reader membership) and Local.Chart.OPCUAServer in the helm dump
  • Adds UUIDs for the new role and chart to local-uuids.js

CI

  • acs-opcua-server-edge added to the publish workflow for Docker image builds

Configuration highlights

topics:
  "UNS/v1/site/area/cell/+/Temperature": {}  # wildcard subscriptions supported

opcua:
  port: 4840
  username: "opcua"   # password auto-generated into a Secret

local:
  host: mqtt.namespace.svc.cluster.local
  port: 1883
  # tls: true         # enable for port 8883 or explicit opt-in

@AlexGodbehere
feat: add ACS OPC UA Edge Server integration
b8942ce 
Added a new module, `acs-opcua-server-edge`, for exposing UNS topics as OPC UA tags. This includes associated Helm charts, Docker configuration, and support for MQTT and OPC UA protocols.
@AlexGodbehere
chore: add acs-opcua-server-edge to publish workflow
813fa61
@AlexGodbehere
MVP
2d26a23
@AlexGodbehere
feat: enhance OPC UA server with security policies and data change ev…
aeea4b4 
…ents

Added support for configurable security policies (`SecurityPolicy.Basic256Sha256`) and modes, with conditional anonymous access. Extended `DataStore` with `EventEmitter` capabilities to emit change events. Updated OPC UA server to reflect real-time data changes via data store notifications.
@AlexGodbehere
feat: enable dynamic topic handling in OPC UA server
112931e 
Refactored the OPC UA server to dynamically create nodes for new topics from the data store. Replaced static topic configuration with real-time folder hierarchy and variable creation using MQTT wildcard subscriptions. Enhanced `DataStore` with a `topics` method to support this behavior.
@AlexGodbehere
feat: add TLS support for MQTT connections in OPC UA server
190c9c2 
Introduced optional TLS configuration for MQTT connections, including CA file support. Updated MQTT client to distinguish between `mqtt` and `mqtts` protocols. Enhanced server start logs for improved clarity regarding subscribed MQTT topic patterns.
@AlexGodbehere
feat: add OPC UA Server role and Helm chart integration
ded043d 
Introduced a new role `OPCUAServer` and corresponding Helm chart configuration. Enhanced setup to include OPC UA Server integration with associated group, subclass, and authentication settings.
@AlexGodbehere
docs: update OPC UA Server README with deployment and configuration d…
1190e31 
…etails

Expanded README to include Helm chart deployment instructions, required and optional configuration values, automatic variables, and value merge behavior for OPC UA Server. Clarified current features and limitations.
@AlexGodbehere
feat: update OPC UA Server Helm chart with dynamic image configuration
8fa51d8 
Updated Helm chart to support configurable `registry`, `tag`, and `pullPolicy` values for the OPC UA Server image.
@AlexGodbehere
fix: ensure certificate managers use writable volumes in OPC UA server
79b89d8 
Updated OPC UA server initialization to use separate certificate managers for server and user certificates, ensuring both operate within writable `/data` directories to prevent issues in read-only container environments.
@AlexGodbehere
chore: remove unnecessary user: root from Docker Compose configuration
51d5ff1
@AlexGodbehere AlexGodbehere marked this pull request as ready for review February 18, 2026 12:40
@AlexGodbehere
feat: integrate ServiceClient for MQTT connection handling in OPC UA …
f98c358 
…server

Replaced manual MQTT connection setup with `ServiceClient` for broker discovery, authentication, and improved configuration management. Updated Dockerfile, Helm charts, and related configuration files to reflect these changes. Removed legacy MQTT credentials and configuration.
@AlexGodbehere
Switch to LocalSecret for OPC UA credentials
2efb520 
Replaced file-based OPC UA username/password configuration with environment variables. Updated Docker Compose, Helm charts, and deployment templates to support the new approach. Removed legacy credential volumes and updated secret handling for improved deployment flexibility.
@AlexGodbehere
fix: update OPC UA server secrets and remove unused local MQTT config
8e87f21 
Renamed secret name to include `.password` suffix for clarity. Removed obsolete `local` MQTT configuration from README and documentation.
@AlexGodbehere
fix: split OPC UA server secrets into separate username and password …
ee3d820 
…entries

Separated `opcua-server-opcua-creds` into distinct username and password secrets in deployment and Helm templates for improved clarity and management. Updated variable references accordingly.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@amrc-benmorrow amrc-benmorrow Awaiting requested review from amrc-benmorrow

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@AlexGodbehere