feat: integrate EdgeX Foundry 4.0 (Odessa)#7
Conversation
- Add docker-compose.edgex-client.yml: minimal no-security EdgeX stack for edge nodes (Core Services + Supporting Services + device-modbus)
- Add docker-compose.edgex-server.yml: EdgeX Security Services (OpenBao, nginx gateway, bootstrapper, proxy-auth) for central server
- Add helm/edgekit/values-client.yaml: Helm overrides for edge clusters
- Add helm/edgekit/values-server.yaml: Helm overrides for central server
- Add fleet.yaml: Rancher Fleet GitOps multi-cluster config
- Add scripts: start/stop helpers for both EdgeX stacks
- Add docs/edgex.md: full EdgeX integration guide
- Update docs/architecture.md and README.md
tomgrv
@copilot there will be 2 edgex clients: a full k3s client and a thin single-container client.
Both of them carry the same function, but thin client is standalone, hardened and not extendable with additional services.
Update accordingly
Introduces a standalone, hardened single-container EdgeX client (edgekit-thin-client) alongside the existing full k3s multi-container client, as requested. Thin client bundles all EdgeX Core Services, Supporting Services, device-modbus, embedded PostgreSQL 16, and Mosquitto MQTT broker into one Alpine-based Docker image managed by supervisord.

Key properties:
- Standalone: no external service dependencies
- Hardened: read-only root FS, no-new-privileges, minimal Alpine base, internal MQTT not published
- Fixed service set: not extendable without rebuilding (contrast with full k3s client which uses separate containers and compose overrides)
- Same EdgeX API ports as full client (59880/59881/59882/59860/59863/59901)

New files:
- edgex-thin-client/Dockerfile (multi-stage build)
- edgex-thin-client/supervisord.conf
- edgex-thin-client/mosquitto.conf
- edgex-thin-client/entrypoint.sh
- docker-compose.edgex-thin-client.yml
- helm/edgekit/values-thin-client.yaml
- scripts/start-edgex-thin-client.sh
- scripts/stop-edgex-thin-client.sh

Updated:
- fleet.yaml: add edge-thin target (edgekit/role=edge-thin)
- docs/edgex.md: document both client variants with comparison table
- docs/architecture.md: add thin client architecture section
- README.md: update architecture diagram and EdgeX section
Done. Two EdgeX client variants are now available: Full k3s client ( Thin client (
Fleet label: Comparison table and updated architecture diagram added to Commit: the latest commit on this branch.
Pull request overview
Integrates EdgeX Foundry 4.0 (Odessa) into EdgeKit by adding Docker Compose stacks for edge (no-security), thin edge (single-container), and central security services, plus supporting Helm/Fleet configuration and documentation.
Changes:
- Added Docker Compose stacks for `edgex-client`, `edgex-server` (security), and `edgex-thin-client` (single-container) plus start/stop helper scripts.
- Introduced a new `edgex-thin-client/` image (Alpine + supervisord) bundling EdgeX core/support/device-modbus with embedded PostgreSQL + Mosquitto.
- Added Helm values overrides (`values-client.yaml`, `values-server.yaml`, `values-thin-client.yaml`) and Rancher Fleet targeting, with updated docs/README architecture guidance.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| scripts/stop-edgex-thin-client.sh | Adds stop/purge helper for the thin-client compose stack. |
| scripts/stop-edgex-server.sh | Adds stop helper for the central security compose stack. |
| scripts/stop-edgex-client.sh | Adds stop helper for the edge (no-security) compose stack. |
| scripts/start-edgex-thin-client.sh | Adds build/start + basic smoke-test helper for the thin-client stack. |
| scripts/start-edgex-server.sh | Adds start helper for the central security compose stack. |
| scripts/start-edgex-client.sh | Adds start helper for the edge (no-security) compose stack. |
| README.md | Updates architecture and repo layout; documents EdgeX integration and how to run stacks. |
| helm/edgekit/values-thin-client.yaml | Adds Helm override values intended for “edge-thin” nodes. |
| helm/edgekit/values-server.yaml | Adds Helm override values for central/server profile (broker enabled, agent disabled). |
| helm/edgekit/values-client.yaml | Adds Helm override values for edge/client profile (agent enabled, broker disabled). |
| fleet.yaml | Adds Rancher Fleet targets mapping cluster labels to Helm values files. |
| edgex-thin-client/supervisord.conf | Defines process supervision + startup ordering for bundled EdgeX services and infra. |
| edgex-thin-client/mosquitto.conf | Configures embedded Mosquitto to listen on localhost only. |
| edgex-thin-client/entrypoint.sh | Initializes/chowns PostgreSQL data dir and starts supervisord. |
| edgex-thin-client/Dockerfile | Builds the thin-client image via multi-stage extraction of EdgeX binaries/configs. |
| docs/edgex.md | Adds detailed EdgeX integration guide (architecture, local compose, Helm, Fleet, Modbus setup). |
| docs/architecture.md | Extends overall system architecture docs with EdgeX deployment modes. |
| docker-compose.edgex-thin-client.yml | Adds single-container thin-client compose definition with hardening settings. |
| docker-compose.edgex-server.yml | Adds central security-services compose definition (OpenBao + security bootstrap/proxy/nginx). |
| docker-compose.edgex-client.yml | Adds edge no-security EdgeX compose definition (core/support/device-modbus + PG + MQTT). |
| [program:core-keeper] | ||
| command=/edgex/bin/core-keeper | ||
| directory=/edgex/services/core-keeper | ||
| priority=20 | ||
| autostart=true | ||
| autorestart=true | ||
| startsecs=5 | ||
| startretries=10 |
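Review bot: the `[program:core-keeper]` block has no `user=` directive, so supervisord, which this PR starts as root, launches core-keeper as root; add `user=edgex` here and to every other `[program:...]` entry so the privilege drop the compose comment promises actually happens. While here, `stopasgroup=true` and `killasgroup=true` would stop supervisord from leaving orphaned children behind on the `autorestart=true` path, and with `startsecs=5` any exit inside the first five seconds is counted against `startretries=10`, so confirm core-keeper is reliably listening within that window.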
Fixed in the latest commit. All EdgeX programs in supervisord.conf now have user=edgex set; Mosquitto has user=mosquitto. Supervisord itself still starts as root so it can apply the per-program privilege-drop directives (this is a supervisord requirement).
| # Run as root so entrypoint.sh can chown the PostgreSQL data directory; | ||
| # supervisord then drops individual services to the edgex user (uid 2002) | ||
| # or postgres user as appropriate. |
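Review bot: this comment claims supervisord drops each service to the edgex user (uid 2002) or postgres, but that is only true if every `[program:...]` in supervisord.conf carries a `user=` directive, and the core-keeper block quoted above has none; fix the config or reword the comment so it matches runtime behaviour. Running the whole container as root solely so entrypoint.sh can `chown` the PostgreSQL data directory is also avoidable: create the directory with the right owner in the Dockerfile (a named volume is initialised from the image's ownership on first use) and start supervisord as uid 2002 directly. If root must stay, the comment should say which operations need it and the compose file should drop every capability that is not required for them.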
Fixed. supervisord.conf now sets user=edgex on every EdgeX program and user=mosquitto on the Mosquitto program, so the compose comment accurately describes what happens at runtime.
| x-stagegate-env: &stagegate-env | ||
| STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper | ||
| STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" | ||
| STAGEGATE_DATABASE_HOST: edgex-postgres | ||
| STAGEGATE_DATABASE_PORT: "5432" | ||
| STAGEGATE_DATABASE_READYPORT: "5432" | ||
| STAGEGATE_PROXYSETUP_READYPORT: "54325" | ||
| STAGEGATE_READY_TORUNPORT: "54329" | ||
| STAGEGATE_REGISTRY_HOST: edgex-core-keeper | ||
| STAGEGATE_REGISTRY_PORT: "59890" | ||
| STAGEGATE_REGISTRY_READYPORT: "54324" |
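Review bot: these stage-gate anchors name the hosts `edgex-security-bootstrapper`, `edgex-postgres` and `edgex-core-keeper`; unless each of them is a service defined in docker-compose.edgex-server.yml the wait loops in the bootstrapper and proxy-auth never unblock, so add the missing registry and database services to this stack or point these variables at services that exist. Also note that `STAGEGATE_DATABASE_READYPORT` is `5432`, the same as `STAGEGATE_DATABASE_PORT`, whereas the registry uses a separate ready port (`54324`) from its service port (`59890`); a one-line comment saying the database listener doubles as its ready signal would save the next reader from assuming one of the two is a typo.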
Add missing registry/db services
Done. Added mqtt-broker (Mosquitto), database (PostgreSQL 16), and core-keeper to docker-compose.edgex-server.yml. The stage-gate env variables (STAGEGATE_DATABASE_HOST, STAGEGATE_REGISTRY_HOST) now resolve to actual services in the stack, and security-proxy-auth can reach edgex-core-keeper:59890.
| # Add routes for the EdgeX core services exposed by this proxy | ||
| EDGEX_ADD_PROXY_ROUTE: >- | ||
| core-data.http://edgex-core-data:59880, | ||
| core-metadata.http://edgex-core-metadata:59881, | ||
| core-command.http://edgex-core-command:59882, | ||
| support-notifications.http://edgex-support-notifications:59860, | ||
| support-scheduler.http://edgex-support-scheduler:59863, | ||
| device-modbus.http://edgex-device-modbus:59901 |
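Review bot: every route in `EDGEX_ADD_PROXY_ROUTE` targets a service (`edgex-core-data` through `edgex-device-modbus`) that the PR description places in the edge-node compose stack, not in this server stack, so the nginx gateway here would either fail to resolve those hostnames or proxy to nothing; restrict the list to services actually present in docker-compose.edgex-server.yml. Separately, the `>-` folded scalar joins these lines with a space, so the value the proxy-setup script receives contains `, ` after each comma; either confirm the script trims whitespace around entries or put the list on a single line without spaces.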
Align routes with server services
Fixed. EDGEX_ADD_PROXY_ROUTE now only includes core-keeper.http://edgex-core-keeper:59890 — the only EdgeX service present in this server-side stack. Routes for core-data, core-metadata, core-command, support-notifications, support-scheduler, and device-modbus have been removed.
@copilot see comments & reply, and update accordingly
…erver; align proxy routes
- supervisord.conf: add user=edgex to all EdgeX programs and user=mosquitto to mosquitto; supervisord continues to start as root (needed for entrypoint chown) so privilege-drop directives take effect
- docker-compose.edgex-thin-client.yml: update comment to match the now-correct per-program user-drop behaviour
- docker-compose.edgex-server.yml: add mqtt-broker, database (postgres), and core-keeper services required by the stage-gate scripts and security-proxy-auth; also add db-data volume and restrict EDGEX_ADD_PROXY_ROUTE to only core-keeper (the sole EdgeX service actually present in this stack)
All four review items addressed in the latest commit:
Integrates EdgeX Foundry 4.0 into EdgeKit with a clear split: edge nodes run a minimal no-security EdgeX platform; the central server hosts the EdgeX Security Services.
Edge node (`docker-compose.edgex-client.yml`)

Minimal all-in-one EdgeX stack, no security:
- `core-keeper`, `core-common-config-bootstrapper`, `core-data`, `core-metadata`, `core-command`
- `support-notifications`, `support-scheduler`
- `device-modbus` (Modbus TCP/RTU)

Central server (`docker-compose.edgex-server.yml`)

EdgeX Security Services only:
- `:8443`

```
./scripts/start-edgex-server.sh
curl http://localhost:8200/v1/sys/health   # OpenBao
```

Helm & GitOps
- `values-client.yaml` — disables in-cluster broker; agent connects to central server via `ws://edgekit-server.edgekit.svc.cluster.local:9001`
- `values-server.yaml` — enables broker as `LoadBalancer`; disables agent
- `fleet.yaml` — Rancher Fleet targets by label: `edgekit/role=central` → server profile, `edgekit/role=edge` → client profile

Docs
- `docs/edgex.md` — full integration guide: service table, local dev, Helm deploy, Fleet labelling, Modbus device registration
- `docs/architecture.md` / `README.md` updated with revised architecture diagrams
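The thread states the thin client's hardening properties (read-only root FS, no-new-privileges, MQTT not published, per-program privilege drop under a root supervisord) without showing how they are expressed in compose. The service definition below is an added example written for this review, not the PR's own docker-compose.edgex-thin-client.yml. The image name, the `edgex-pgdata` volume, the tmpfs mounts, the loopback port binding, the `cap_drop`/`cap_add` set, the `pids_limit` and the `/api/v3/ping` healthcheck path are assumptions chosen to illustrate the pattern; only the six published ports and the hardening goals come from the thread.

```yaml
# Added example: a hardened single-container EdgeX thin client.
# Not the project's file; image name, volume, tmpfs and capability set are assumed.
services:
  edgex-thin-client:
    image: edgekit/edgex-thin-client:4.0      # assumed image name
    container_name: edgex-thin-client
    restart: unless-stopped

    # Root FS is immutable; every writable path is an explicit tmpfs or volume.
    read_only: true
    volumes:
      - type: tmpfs                           # supervisord socket/pid, PostgreSQL unix socket
        target: /run
        tmpfs:
          size: 16777216                      # 16 MiB
      - type: tmpfs                           # scratch space for the bundled services
        target: /tmp
        tmpfs:
          size: 67108864                      # 64 MiB
      - type: volume                          # the only persistent writable path
        source: edgex-pgdata
        target: /var/lib/postgresql/data

    # execve() can never gain privilege, so a setuid binary in the image is inert.
    security_opt:
      - no-new-privileges:true

    # Start from nothing and add back only what a root supervisord needs to
    # chown the data directory and switch each program to edgex/postgres/mosquitto.
    # (setuid()/setgid() are not blocked by no-new-privileges; they need these caps.)
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
    pids_limit: 512                           # assumption: bounds a fork bomb from a compromised service

    # Only the EdgeX REST APIs are published, on the same ports as the full client.
    # Mosquitto (1883) is deliberately absent: it stays reachable only inside the
    # container. The 127.0.0.1 prefix is an assumption for a node whose consumers
    # are local; drop it to expose the APIs on the host's interfaces.
    ports:
      - "127.0.0.1:59880:59880"               # core-data
      - "127.0.0.1:59881:59881"               # core-metadata
      - "127.0.0.1:59882:59882"               # core-command
      - "127.0.0.1:59860:59860"               # support-notifications
      - "127.0.0.1:59863:59863"               # support-scheduler
      - "127.0.0.1:59901:59901"               # device-modbus

    healthcheck:
      # assumption: wget is present in the Alpine image and core-data answers /api/v3/ping
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:59880/api/v3/ping"]
      interval: 30s
      timeout: 5s
      retries: 3

volumes:
  edgex-pgdata:
```

Two checks worth running once the stack is up: `docker inspect --format '{{.HostConfig.ReadonlyRootfs}} {{.HostConfig.SecurityOpt}} {{.HostConfig.CapAdd}}' edgex-thin-client` confirms the settings actually took effect, and `docker exec edgex-thin-client ps -o user,comm` shows whether each EdgeX program really runs as edgex rather than root; if any line other than supervisord itself shows root, the `user=` directive is missing from that `[program:...]` entry.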