Important
Azure IoT Operations Preview – enabled by Azure Arc is currently in PREVIEW. You shouldn't use this preview software in production environments. You will need to deploy a new Azure IoT Operations installation when a generally available release is made available; you won't be able to upgrade a preview installation.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
In this article, you learn how to configure and connect the OPC PLC simulator. The simulator simulates an OPC UA server with multiple nodes that generate random data and anomalies. You can configure user-defined nodes. The OPC UA simulator lets you test the process of managing OPC UA assets with the operations experience web UI or the Akri services.
Prerequisites
A deployed instance of Azure IoT Operations Preview. To deploy Azure IoT Operations for demonstration and exploration purposes, see Quickstart: Run Azure IoT Operations Preview in GitHub Codespaces with K3s. If you deploy Azure IoT Operations as described, the installation includes the OPC PLC simulator.
Deploy the OPC PLC simulator
This section shows how to deploy the OPC PLC simulator if you didn't include it when you first deployed Azure IoT Operations.
The following step lowers the security level for the OPC PLC so that it accepts connections from the connector for OPC UA or any client without an explicit peer certificate trust operation.
Important
Don't use the following example in production, use it for simulation and test purposes only.
Run the following code to update the connector for OPC UA deployment and apply the new settings:
az k8s-extension update \
  --version 0.3.0-preview \
  --name opc-ua-broker \
  --release-train preview \
  --cluster-name <cluster-name> \
  --resource-group <azure-resource-group> \
  --cluster-type connectedClusters \
  --auto-upgrade-minor-version false \
  --config opcPlcSimulation.deploy=true \
  --config opcPlcSimulation.autoAcceptUntrustedCertificates=true
The OPC PLC simulator runs as a separate pod in the azure-iot-operations namespace. The pod name looks like opcplc-000000-7b6447f99c-mqwdq.
To learn more about mutual trust in OPC UA, see OPC UA certificates infrastructure for the connector for OPC UA.
The application instance certificate of the OPC PLC simulator is a self-signed certificate managed by cert-manager and stored in the aio-opc-ua-opcplc-default-application-cert-000000 Kubernetes secret.
To configure mutual trust between the connector for OPC UA and the OPC PLC simulator:
Get the certificate and push it to Azure Key Vault:
kubectl -n azure-iot-operations get secret aio-opc-ua-opcplc-default-application-cert-000000 -o jsonpath='{.data.tls\.crt}' | \
  base64 -d | \
  xargs -0 -I {} \
  az keyvault secret set \
    --name "opcplc-crt" \
    --vault-name <your-azure-key-vault-name> \
    --value {} \
    --content-type application/x-pem-file
Add the certificate to the aio-opc-ua-broker-trust-list custom resource in the cluster. Use a Kubernetes client such as kubectl to configure the opcplc.crt secret in the SecretProviderClass object array in the cluster.
The following example shows a complete SecretProviderClass custom resource that contains the simulator certificate in a PEM-encoded file with the .crt extension:
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: aio-opc-ua-broker-trust-list
  namespace: azure-iot-operations
spec:
  provider: azure
  parameters:
    usePodIdentity: 'false'
    keyvaultName: <your-azure-key-vault-name>
    tenantId: <your-azure-tenant-id>
    objects: |
      array:
        - |
          objectName: opcplc-crt
          objectType: secret
          objectAlias: opcplc.crt
The time it takes to project Azure Key Vault certificates into the cluster depends on the configured polling interval.
The trust relationship between the connector for OPC UA and the OPC PLC simulator is now established, and you can create an AssetEndpointProfile to connect to your OPC PLC simulator.
Optionally, you can configure an asset endpoint profile without establishing mutual trust between the connector for OPC UA and the OPC PLC simulator. If you understand the risks, you can turn off authentication for testing purposes.
Caution
Don't disable authentication in production or pre-production environments. Exposing your cluster to the internet without authentication can lead to unauthorized access and even DDoS attacks.
To allow your asset endpoint profile to connect to an OPC PLC server without establishing mutual trust, use the additionalConfiguration setting to modify the AssetEndpointProfile configuration.
Patch the asset endpoint with autoAcceptUntrustedServerCertificates=true:
ENDPOINT_NAME=<name-of-your-endpoint-here>
kubectl patch AssetEndpointProfile $ENDPOINT_NAME \
  -n azure-iot-operations \
  --type=merge \
  -p '{"spec":{"additionalConfiguration":"{\"applicationName\":\"'"$ENDPOINT_NAME"'\",\"security\":{\"autoAcceptUntrustedServerCertificates\":true}}"}}'
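The additionalConfiguration field is a JSON document stored inside a JSON string, which is why the kubectl patch above needs the escaped inner quotes. The following example, added here and not part of the Azure IoT Operations project, builds that merge patch with json.dumps instead of shell quoting and, for the caution above, audits a list of AssetEndpointProfile objects (constructed sample data shaped like kubectl get ... -o json output) to find endpoints that still have autoAcceptUntrustedServerCertificates enabled.

```python
"""Build and audit the AssetEndpointProfile additionalConfiguration setting.

Example code added for this article, not from the Azure IoT Operations project.
The field names (spec.additionalConfiguration, security.autoAcceptUntrustedServerCertificates)
are the ones used in the article's kubectl patch.
"""
import json


def build_additional_configuration(endpoint_name: str, auto_accept: bool) -> str:
    """Inner JSON document that goes into spec.additionalConfiguration."""
    return json.dumps({
        "applicationName": endpoint_name,
        "security": {"autoAcceptUntrustedServerCertificates": auto_accept},
    })


def build_merge_patch(endpoint_name: str, auto_accept: bool) -> str:
    """Body for 'kubectl patch ... --type=merge -p': the inner document is
    serialised first and then embedded as a string in the outer patch."""
    inner = build_additional_configuration(endpoint_name, auto_accept)
    return json.dumps({"spec": {"additionalConfiguration": inner}})


def accepts_untrusted_servers(profile: dict) -> bool:
    """True if a profile object skips server certificate trust checks."""
    raw = profile.get("spec", {}).get("additionalConfiguration")
    if not raw:
        return False  # no extra configuration: trust is still required
    try:
        extra = json.loads(raw)
    except json.JSONDecodeError:
        return False  # malformed setting cannot have enabled the flag
    return bool(extra.get("security", {}).get("autoAcceptUntrustedServerCertificates"))


def audit_profiles(profile_list: dict) -> list[str]:
    """Names of profiles in a kubectl list object that accept untrusted servers."""
    return [p["metadata"]["name"] for p in profile_list.get("items", [])
            if accepts_untrusted_servers(p)]


# Constructed sample, shaped like 'kubectl get assetendpointprofile -A -o json'.
SAMPLE_PROFILES = {"items": [
    {"metadata": {"name": "opc-plc-sim"},
     "spec": {"additionalConfiguration": build_additional_configuration("opc-plc-sim", True)}},
    {"metadata": {"name": "line-1-plc"},
     "spec": {"additionalConfiguration": json.dumps({"applicationName": "line-1-plc"})}},
    {"metadata": {"name": "line-2-plc"}, "spec": {}},
]}

if __name__ == "__main__":
    print(build_merge_patch("opc-plc-sim", True))
    print("profiles accepting untrusted servers:", audit_profiles(SAMPLE_PROFILES))
```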
Related content
OPC UA certificates infrastructure for the connector for OPC UA
Autodetect assets using the Akri services