Skip to main content
Version: v3.8.0

What's New in Datasance PoT

Greenfield release: v3.8.0

Datasance PoT v3.8.0 is a greenfield release. There is no in-place upgrade from v3.7 field deployments.

You need a new Controller database, Edgelet v1.0.0+ on every node, and potctl v3.8.0. Legacy Java iofog-agent and v3.7 field agents are not supported on Controller v3.8.

See Migrating to v3.8.0 for the step-by-step guide.

Platform train v3.8.0 ships Controller v3.8.0, potctl v3.8.0, Edgelet v1.0.0, EdgeOps Console v1.0.9, ioFog Operator v3.8.0, and updated Router and NATS wrapper images. Pair every component on the same train.

  • Greenfield platform train v3.8.0 needs a fresh Control Plane database and Edgelet on every node. See Migrating to v3.8.0.
  • Edgelet v1.0.0 replaces the legacy Java iofog-agent and Agent-Go as the only supported node runtime on Controller v3.8.
  • EdgeOps Console v1.0.9 is embedded in the Controller image and replaces the standalone ECN Viewer npm package.
  • Embedded OIDC authentication is the default for greenfield installs. No external IdP is required for a first deploy.
  • External OIDC authentication supports enterprise IdPs (Okta, Azure AD, Keycloak, or any OIDC provider) when SSO is required.
  • Multi-architecture catalog entries store up to four images per item as images[] with { containerImage, archId }.
  • Four edge architectures are supported end to end: amd64, arm64, riscv64, and arm (32-bit).
  • WebSocket exec and log sessions replace REST exec on microservices. Controller v3.8 allows up to 5 concurrent exec sessions per microservice.
  • EdgeletAPI v1 exposes a local HTTPS and Unix-socket API on every Edgelet node for operator CLI and automation.
  • Wasm workloads run on linux Edgelet nodes through RuntimeClass handlers (edgelet-wasmtime, spin, and upstream shims).
  • Container engines on Edgelet: embedded edgelet, docker, or podman, selected at runtime per node.
  • Controller API and data model renames flows to applications, fogType to arch, and removes EdgeResource and diagnostics APIs.
  • Platform reconcile and HA adds platformStatus on agents and manual reconcile retry endpoints for agents and services.
  • Kubernetes Operator reconciles ControlPlane CRs only. The Application CRD is removed; deploy apps with potctl or the Go SDK.
  • potctl v3.8.0 stores config under ~/.iofog/v3, adds reconcile, and removes v3.7 legacy and rename subcommands.
  • Router and NATS wrapper images pin Skupper Router 3.5.1 and upstream NATS Server 2.14.3.
  • ioFog Go SDK v3.8 updates the Controller client for applications, WebSocket exec, and EdgeletAPI v1 microservice helpers.
  • Agent and environment renames from v3.7 (dockerUrl, viewerUrl, SSL_*, Keycloak env vars, and more).
  • Local Control Plane on Edgelet lets a node host its own Controller workload via kind: ControlPlane.
  • Security and RBAC continue with fine-grained roles, NATS JWT rules, and the certificates manager. Auth now flows through OIDC instead of Keycloak-first deploys.
  • Airgap deployment remains supported with OfflineImage, local image transfer, and --no-cache deploy flags.
  • Acme Smart Plant tutorial walks through NATS rules, services, and multi-application edge patterns on v3.8.

Greenfield platform train

PoT v3.8.0 is not an in-place upgrade from v3.7 or v1.6.x field deployments. You export application YAML, uninstall the legacy operator and v3.7 CRDs, deploy a fresh Control Plane with a new database, and reinstall every edge node with Edgelet v1.0.0+.

Legacy Java Agent, v3.7 field agents, Application CRD workloads, and ECN Viewer are not supported on Controller v3.8. Historical docs for those components live in the v3.7.3 snapshot.

Find out more! and review the Welcome platform version table.

Edgelet node runtime

Edgelet is the node agent for v3.8. It runs on linux production hardware with a thin OTA entry binary and an embedded container runtime, or as a single binary on desktop OSes with Docker or Podman. Edgelet syncs desired microservice state with the Controller, reports status, and exposes local administration APIs.

In UI prose we say Edgelet node. In YAML and API fields you still use kind: Agent.

Pair Edgelet v1.0.0 with Controller v3.8.0. Do not connect v3.7 agents to a v3.8 Controller.

Find out more!, Installation, Configuration, and the Agent YAML specification.

EdgeOps Console

EdgeOps Console v1.0.9 is a static React SPA embedded in the Controller image. It listens on port 8008 by default (REST API stays on 51121). You manage Edgelet nodes, applications, microservices, registries, catalogs, exec sessions, and logs from the browser with the same RBAC model as potctl.

Initial Control Plane deployment and Edgelet provisioning still use potctl. Day-2 operations work from the Console or CLI.

Open the Console with potctl view or the URL you set in CONSOLE_URL / controller.consoleUrl.

Find out more!, Console features, and Console configuration.

Embedded OIDC authentication

Greenfield deploys use embedded OIDC inside the Controller image. The issuer runs at {CONTROLLER_PUBLIC_URL}/oidc. EdgeOps Console and potctl share the same OAuth BFF flow. Bootstrap admin credentials come from Control Plane YAML or environment variables.

You do not need Keycloak or any external IdP for a standard lab or production install unless corporate SSO is required.

Find out more! and the Control Plane YAML specification.

External OIDC authentication

When you must integrate with an enterprise IdP, set auth.mode: external and configure OIDC_ISSUER_URL, OIDC_CLIENT_ID, and OIDC_CLIENT_SECRET. Keycloak is one supported provider, not a platform requirement.

Find out more! and Controller configuration.

Multi-architecture catalog

Catalog items no longer use legacy x86 / arm fields. Define amd64, arm64, riscv64, and arm (32-bit) image references under spec. The Controller stores them as images[] with { containerImage, archId }. Microservices reference a catalog ID instead of repeating per-arch images in every manifest.

List built-in catalog entries with potctl get catalog.

Find out more! and the Catalog Item YAML specification.

WebSocket exec and log sessions

Controller v3.8.0 removes REST POST/DELETE .../exec on microservices. Interactive exec and log streaming use WebSocket sessions with a unique sessionId per attachment.

Concernv3.8 behavior
Exec transportWebSocket only (Console, potctl, SDK, REST API dial helpers)
Concurrent execUp to 5 sessions per microservice (Controller quota)
Edgelet field pathWS .../agent/exec/microservice/{uuid}/{sessionId}
Local on-node execedgelet ms exec via EdgeletAPI (no Controller quota)
LogsSame multi-session WebSocket model as exec

RBAC still limits who can open sessions. SRE roles can exec into agents and microservices; developer roles are limited to microservices.

Find out more!, Microservice logs, and Console exec features.

potctl and Edgelet exec commands

Provision debugger exec on an Edgelet node, then open a shell:

potctl attach exec agent <agent-name>
potctl exec agent <agent-name>

Connect to a microservice exec session (WebSocket dial after Controller creates the session row):

potctl exec <application>/<microservice>
potctl exec <system-app>/<system-microservice>

On the Edgelet node itself, open a local session without going through the Controller quota:

edgelet ms exec <uuid|namespace.name>
edgelet ms exec <uuid> -- /bin/sh -c 'ps aux'

v3.8 removes attach exec microservice and detach exec microservice. Microservice exec dials the session directly.

EdgeletAPI v1

Every Edgelet node exposes EdgeletAPI v1 on https://127.0.0.1:54321 (TLS) and a Unix socket at /run/edgelet/edgelet.sock. The edgelet CLI is a thin client over this API. Routes cover system status, microservice lifecycle, image management, RuntimeClass deploy, log streams, and local exec sessions.

JWT bearer auth protects operator routes. Health and metrics endpoints are unauthenticated for orchestrators.

Browse the OpenAPI spec: Edgelet API reference.

Find out more! and Edgelet architecture.

Wasm workloads

On linux with containerEngine: edgelet, Edgelet schedules Wasm microservices using platform: wasi/wasm and a RuntimeClass handler. Supported handlers include edgelet-wasmtime, spin, and upstream wasmtime, wasmedge, wasmer, and others when the matching shim binary is on PATH.

potctl can stage Wasm shims during Edgelet node install when package.wasm is set on the Agent manifest.

Find out more! and Container engines.

Container engines

Edgelet selects a ContainerEngine at runtime:

EngineUse when
edgeletEmbedded containerd on linux. Required for Wasm RuntimeClass workloads.
dockerHost Docker socket. Supported on linux, darwin, and windows.
podmanHost Podman socket. Supported on linux, darwin, and windows.

Agent YAML field containerEngineUrl (formerly dockerUrl) points at the engine socket. pruningFrequency (formerly dockerPruningFrequency) controls image prune cadence.

Find out more! and the Agent YAML specification.

Controller API and data model

Controller v3.8.0 aligns REST paths and RBAC with the Edgelet runtime:

v3.7v3.8
/api/v3/flow/*/api/v3/application/*
RBAC resource flowsapplications
GET /api/v3/fog-typesGET /api/v3/architectures/
Catalog x86Image / armImageimages[] with archId
Microservice create flowId queryapplication field in body
EdgeResource CRUDRemoved
Diagnostics, strace, image snapshot APIsRemoved

Microservices must declare images per archId. The target Edgelet node arch / archId and availableRuntimes must match the workload.

Find out more!, Controller overview, and the OpenAPI spec.

Platform reconcile and HA

Controller v3.8 tracks asynchronous platform provisioning on Edgelet nodes and services. Agent detail responses can include platformStatus (phase, generation, lastError). When provisioning stalls, retry with:

potctl reconcile agent <agent-name>
potctl reconcile service <service-name>

REST equivalents: POST /api/v3/iofog/{uuid}/reconcile and POST /api/v3/services/{name}/reconcile.

You can run multiple Controllers for resiliency when every Edgelet node has network paths to each instance.

Find out more! and potctl reconcile commands.

Kubernetes Operator

The ioFog Operator v3.8.0 reconciles ControlPlane custom resources only. It creates Controller, Router, NATS, Services, Ingresses, Secrets, and related cluster objects. It does not deploy application workloads.

Removed in v3.8:

  • Application CRD and reconciler
  • Keycloak auth blocks on ControlPlane
  • ECN Viewer-related Controller fields

Install from https://datasance.github.io/iofog-operator (Datasance mirror) or the Eclipse ioFog gh-pages index. The legacy datasance.github.io/helm repo is deprecated.

Find out more!, Kubernetes Helm deployment, and Control Plane YAML.

Router and NATS

Router v3.8.0 wraps Skupper Router 3.5.1 inside the platform image. Routers form the messaging mesh between the Controller interior router and edge routers on each Edgelet node. The wrapper reads config from Edgelet LocalAPI v1 in PoT mode or from a mounted file in Kubernetes mode.

NATS Server wrapper image pins upstream NATS 2.14.3. NATS carries pub/sub, request/reply, KV, and JetStream traffic. The Controller provisions account resolver JWTs, user credentials, and TLS material. Enable NATS on the Control Plane with nats.enabled: true.

Both components support amd64, arm64, arm (32-bit), and riscv64.

Find out more!, NATS Server, and NATs JWT authentication.

CLI and Go SDK

potctl v3.8.0 is the primary operator CLI for greenfield deploys:

  • Config directory: ~/.iofog/v3
  • New top-level command: reconcile
  • Removed: legacy, rename, attach exec microservice, detach exec microservice
  • Agent YAML: use spec.config.arch instead of FogType
  • Deploy YAML: no Keycloak blocks; use auth.mode: embedded or external

The ioFog Go SDK v3.8.0 (github.com/eclipse-iofog/iofog-go-sdk/v3) updates Controller clients for applications, WebSocket exec and logs, and EdgeletAPI v1 microservice helpers. Legacy messagebus and EdgeResource client methods are removed.

Find out more!, potctl getting familiar, and ioFog Go SDK overview.

Agent and environment renames

When you rewrite v3.7 YAML for v3.8, apply these renames:

v3.7 field or envv3.8 field or env
dockerUrlcontainerEngineUrl
dockerPruningFrequencypruningFrequency
fogType / fogTypeIdarch / archId
viewerUrlconsoleUrl
VIEWER_*CONSOLE_*
SSL_*TLS_*
keycloak-connect, KC_*, auth.realmOIDC_*, AUTH_MODE, auth.mode

Local Control Plane on Edgelet

An Edgelet node can host a local ControlPlane workload (kind: ControlPlane) for disconnected or hub-and-spoke topologies. Edgelet reconciles the manifest, wires DNS, and runs the Controller as a system microservice on the node.

Find out more!, ControlPlane microservice runtime, and Setup Edgelet Nodes.

Security and RBAC

Authentication moves from Keycloak-first installs to embedded OIDC by default. RBAC for Controller REST and WebSocket APIs still uses Roles and Role Bindings. NATS access uses NATS Account Rules and NATS User Rules with automatic JWT provisioning. The Certificates Manager continues to issue and rotate TLS material for microservices, Routers, and NATS.

Find out more!, Roles, Embedded OIDC, and Certificates Manager.

Group 3See anything wrong with the document? Help us improve it!