Add ACS OPC UA Edge Server integration#596

Open
AlexGodbehere wants to merge 15 commits into main from opc-ua-edge

Conversation


@AlexGodbehere AlexGodbehere commented Feb 17, 2026

This PR introduces acs-opcua-server-edge, a new edge helm chart that exposes UNS topics as OPC UA tags for consumption by OPC UA clients (e.g. SCADA, HMI systems) at the edge.

What's included

New acs-opcua-server-edge edge helm chart

  • Node.js OPC UA server built on node-opcua that subscribes to MQTT topics and surfaces them as OPC UA variable nodes
  • Address space is built dynamically: nodes are created on the fly as new topics arrive from the MQTT broker, supporting wildcard subscriptions rather than requiring a static topic list at startup
  • Last-known values are persisted to disk so the OPC UA server can serve cached values immediately on restart
  • OPC UA security: supports Basic256Sha256 + SignAndEncrypt for secure username/password authentication, with SecurityPolicy.None kept available for anonymous browsing; anonymous access is configurable
  • MQTT: supports optional TLS (mqtts://) with a configurable CA certificate, auto-detected from port 8883

Helm chart (edge-helm-charts/charts/opcua-server)

  • Full Kubernetes deployment with configmap-driven configuration, a PVC for the value cache and PKI data, a NodePort service for external OPC UA access, and a Kerberos keytab secret
  • Certificate managers use a writable /data volume (fixes node-opcua defaulting to ~/.config which is read-only in the container)
  • Dynamic image tag/registry injection via %%REGISTRY%% / %%TAG%% / %%PULLPOLICY%% placeholders
  • Configurable resource limits, tolerations, and host pinning

ACS service-setup integration

  • Registers Local.Role.OPCUAServer (with Auth.Class.EdgeService + UNS.Group.Reader membership) and Local.Chart.OPCUAServer in the helm dump
  • Adds UUIDs for the new role and chart to local-uuids.js

CI

  • acs-opcua-server-edge added to the publish workflow for Docker image builds

Configuration highlights

```yaml
topics:
  "UNS/v1/site/area/cell/+/Temperature": {}  # wildcard subscriptions supported

opcua:
  port: 4840
  username: "opcua"   # password auto-generated into a Secret

local:
  host: mqtt.namespace.svc.cluster.local
  port: 1883
  # tls: true         # enable for port 8883 or explicit opt-in
```

Added a new module, `acs-opcua-server-edge`, for exposing UNS topics as OPC UA tags. This includes associated Helm charts, Docker configuration, and support for MQTT and OPC UA protocols.
…ents

Added support for configurable security policies (`SecurityPolicy.Basic256Sha256`) and modes, with conditional anonymous access. Extended `DataStore` with `EventEmitter` capabilities to emit change events. Updated OPC UA server to reflect real-time data changes via data store notifications.
Refactored the OPC UA server to dynamically create nodes for new topics from the data store. Replaced static topic configuration with real-time folder hierarchy and variable creation using MQTT wildcard subscriptions. Enhanced `DataStore` with a `topics` method to support this behavior.
Introduced optional TLS configuration for MQTT connections, including CA file support. Updated MQTT client to distinguish between `mqtt` and `mqtts` protocols. Enhanced server start logs for improved clarity regarding subscribed MQTT topic patterns.
Introduced a new role `OPCUAServer` and corresponding Helm chart configuration. Enhanced setup to include OPC UA Server integration with associated group, subclass, and authentication settings.
…etails

Expanded README to include Helm chart deployment instructions, required and optional configuration values, automatic variables, and value merge behavior for OPC UA Server. Clarified current features and limitations.
Updated Helm chart to support configurable `registry`, `tag`, and `pullPolicy` values for the OPC UA Server image.
Updated OPC UA server initialization to use separate certificate managers for server and user certificates, ensuring both operate within writable `/data` directories to prevent issues in read-only container environments.
@AlexGodbehere AlexGodbehere marked this pull request as ready for review February 18, 2026 12:40
…server

Replaced manual MQTT connection setup with `ServiceClient` for broker discovery, authentication, and improved configuration management. Updated Dockerfile, Helm charts, and related configuration files to reflect these changes. Removed legacy MQTT credentials and configuration.
Replaced file-based OPC UA username/password configuration with environment variables. Updated Docker Compose, Helm charts, and deployment templates to support the new approach. Removed legacy credential volumes and updated secret handling for improved deployment flexibility.
Renamed secret name to include `.password` suffix for clarity. Removed obsolete `local` MQTT configuration from README and documentation.
…entries

Separated `opcua-server-opcua-creds` into distinct username and password secrets in deployment and Helm templates for improved clarity and management. Updated variable references accordingly.