This section describes the structure and configuration options available in the Cumulocity Edge CR. Here is the Edge CR template (c8yedge.yaml) that you can edit and apply to your Kubernetes cluster to install or update Cumulocity Edge.
The initial part of the CR defines the CRD details, and the CR name and namespace, which referred to in this document as EDGE-CR-NAME and EDGE-CR-NAMESPACE.
apiVersion: edge.cumulocity.com/v1
kind: CumulocityIoTEdge
metadata:
name: <EDGE-CR-NAME>
namespace: <EDGE-CR-NAMESPACE>
This section defines the Edge deployment’s configurations.
Field |
Required | Type |
Default | Description |
|---|---|---|---|---|
| version | Yes | String | Edge version to deploy. For example, 2025.0.1 for 2025 and 2025.0.1 for a fix-1 of 2025. |
|
| domain | Yes | String | A fully qualified domain name. For example, myown.iot.com. Here, you must have the Edge license for the domain name iot.com or myown.iot.com. |
|
| licenseKey | Yes | String | Edge license key you received for the domain. To request the license file for Edge, contact product support In the email, you must include - Your company name, under which the license has been bought - The domain name (for example, myown.iot.com), where Edge will be reachable For more information, see Domain name validation for Edge license key generation. |
|
| company | Yes | String | Name of the “edge” tenant, for example, the company’s name. | |
| tlsSecretName | No | String | The Edge operator generates and assigns self-signed TLS/SSL private key and certificates. | Name of the Kubernetes secret containing the TLS/SSL private key and certificates for the domain name specified in the spec.domain field. This secret must contain two keys:- tls.key: TLS/SSL private key in the PEM format. - tls.crt: The TLS/SSL certificate chain associated with the private key in PEM format. It’s essential to ensure the certificates are arranged in the correct sequence for TLS/SSL validation to succeed. The proper order of the certificate chain is: - End-entity certificate: This is the TLS/SSL certificate issued to your domain or server, sometimes referred to as the “leaf” or “server” certificate. - Intermediate certificate(s): These certificates link your end-entity certificate to the trusted root certificate. If there are multiple intermediate certificates, they must be ordered correctly as well. - Root CA certificate: This is the certificate for the Certificate Authority (CA) that is trusted by browsers and other clients. It’s generally included last in the chain. For more information, see TLS/SSL Secret. Info: The Edge operator retrieves this secret from the EDGE-CR-NAMESPACE. Ensure that this secret is created before initiating the Edge deployment or update process. |
| Yes | String | Email used for the admin user. | ||
| cloudTenant | No | Structure | Cumulocity cloud tenant details to configure and manage Edge remotely. For more information, see Cloud Tenant. | |
| storageClassName | No | String | The Edge operator requests three PVCs, as outlined below. - 75 GB, PVC named - 10 GB, PVC named - 5 GB, PVC named Each of these PVCs utilizes the StorageClass if specified within the storageClassName field of the Edge CR.- In case you omit the - If you explicitly specify an empty StorageClass as - Finally, if you specify the name of an existing StorageClass for which dynamic provisioning is enabled, the Operator requests PVCs with that class name, thereby instructing Kubernetes to utilize dynamic provisioning according to the specified class. Info: This value is used only during the Edge installation and can’t be changed for existing installations. |
|
| core | No | Structure | Cumulocity platform configurations. For more information, see Cumulocity Core configurations. | |
| messagingService | No | Structure | Cumulocity Messaging Service is not installed if omitted. | Specifying this field installs the Cumulocity Messaging Service, which is required for using the microservice-based data broker and Notifications 2.0. For more information, see Messaging Service. |
| mongodb | No | Structure | Configurations needed to deploy the MongoDB server managed by the Edge operator or connect to an external one. For more information, see MongoDB. | |
| microservices | No | Array of Structure | The Edge operator deploys all the default Cumulocity microservices, which include the Apama, Smart Rules, OPCUA Management Server microservices. | Specify resources to allocate to each of the default Cumulocity microservices deployed. For more information, see Microservices. |
| dataHub | No | Structure | Cumulocity DataHub is not installed if omitted. | Specifying this field installs and configures Cumulocity DataHub. For more information, see DataHub. |
Specifies the Kubernetes secret containing the TLS/SSL private key and certificate chain. The Edge operator retrieves this secret from the EDGE-CR-NAMESPACE. Ensure that the secret is created before initiating the Edge deployment or update process.
This secret should contain the fields described in the table below.
Field |
Required | Type |
Default | Description |
|---|---|---|---|---|
| tls.key | Yes | String | TLS/SSL private key in the PEM format. | |
| tls.crt | Yes | String | The TLS/SSL certificate chain associated with the private key in PEM format. It’s essential to ensure the certificates are arranged in the correct sequence for TLS/SSL validation to succeed. The proper order of the certificate chain is: - End-entity certificate: This is the TLS/SSL certificate issued to your domain or server, sometimes referred to as the “leaf” or “server” certificate. - Intermediate certificate(s): These certificates link your end-entity certificate to the trusted root certificate. If there are multiple intermediate certificates, they must be ordered correctly as well. - Root CA certificate: This is the certificate for the Certificate Authority (CA) that is trusted by browsers and other clients. It’s generally included last in the chain. |
Edge can be managed, configured, and monitored remotely through a Cumulocity cloud tenant. You can control and troubleshoot your Edge deployments remotely.
To enable this, you must first register Edge as a device within the cloud tenant. This registration process requires providing the Cumulocity cloud tenant URI, along with an optional TLS/SSL key and certificate chain. These credentials authenticate Edge when connecting to the cloud via the MQTT protocol using X.509 certificate-based authentication.
See Registering Edge in the cloud tenant for more details.
Field |
Required | Type |
Default | Description |
|---|---|---|---|---|
| domain | Yes | String | Cumulocity cloud tenant domain. For example, <tenantid>.cumulocity.com |
|
| tlsSecretName | No | string | The Edge operator generates and assigns self-signed TLS/SSL private key and certificates. | Name of the Kubernetes secret containing the TLS/SSL private key and certificates with which Edge connects to the cloud through MQTT protocol using a X.509 certificate for authentication. This secret must contain two keys: - tls.key: TLS/SSL private key in the PEM format. - tls.crt: The TLS/SSL certificate chain associated with the private key in PEM format. It’s essential to ensure the certificates are arranged in the correct sequence for TLS/SSL validation to succeed. The proper order of the certificate chain is: - End-entity certificate: This is the TLS/SSL certificate issued to your domain or server, sometimes referred to as the “leaf” or “server” certificate. - Intermediate certificate(s): These certificates link your end-entity certificate to the trusted root certificate. If there are multiple intermediate certificates, they must be ordered correctly as well. - Root CA certificate: This is the certificate for the Certificate Authority (CA) that is trusted by browsers and other clients. It’s generally included last in the chain. Info: You can also reuse the secret name provided in the For more information, see TLS/SSL Secret. Info: The Edge operator retrieves this secret from the EDGE-CR-NAMESPACE. Ensure that this secret is created before initiating the Edge deployment or update process. |
The core specification specifies the fields for configuring the Cumulocity core node and its resource limits.
Field |
Required | Type |
Default | Description |
|---|---|---|---|---|
| resources.limits | Yes | Structure | Defaults to CPU Limit: 3000m Memory Limit: 6GB |
Specify resource limits for the Cumulocity Core container. For more information, see Resource limits specification. |
Specifying this field installs the Cumulocity Messaging Service, which is required for using the microservice-based data broker and Notifications 2.0. Installing the Messaging Service requires additional system resources, including at least 2 extra CPU cores and 4 GB of RAM on the Kubernetes node. Additionally, the Messaging Service will make use of three Persistent Volumes (PVs) for the Pulsar Bookkeeper Ledgers, Pulsar Bookkeeper Journal, and Pulsar Zookeeper pods. See Configuring storage for more details about Persistent Volumes.
This field is optional, and if omitted, the Messaging Service will not be installed.
Field |
Required | Type |
Default | Description |
|---|---|---|---|---|
| enabled | Yes | Boolean | Set to true to install the Cumulocity Messaging Service. |
This field is necessary for one or more of the following reasons:
Field |
Required | Type |
Default | Description |
|---|---|---|---|---|
| credentialsSecretName | No | String | Defaults to databaseAdmin and a generated password as the database admin user and password for the Edge operator managed MongoDB or fails with validation error for the externally hosted MongoDB server.Info: For the MongoDB managed by the Edge operator, it is recommended to provide the database admin credentials secret, rather than relying on the default credentials assigned by the Edge operator. |
Name of the Kubernetes Secret containing the database admin credentials with which the Edge operator managed MongoDB must be configured or the database admin credentials of the externally hosted MongoDB server. For more information, see MongoDB Credentials Secret. Info: The Edge operator retrieves this secret from the |
| connectionString | No | String | If not provided, the Edge operator installs a single node MongoDB server and configures it with the admin credentials provided in spec.mongodb.credentialsSecretName |
Connection string of the externally hosted MongoDB server. URI format: mongodb://host1[:port1][,...hostN[:portN]]Info: If you do not provide this value, the Edge operator installs a single node MongoDB server. Once Edge is installed and configured to use the MongoDB managed by the Edge operator, you cannot provide the |
| tlsSecretName | No | String | Not required if the TLS/SSL key and certificates are issued by a trusted public CA. | Secret for supplying the Certificate Authority (CA) certificate that issued the TLS/SSL key and certificates used to configure the TLS for the externally hosted MongoDB server. This allows the Edge operator to establish trust with the server. For more information, see Externally hosted MongoDB TLS/SSL Secret. Info: The Edge operator retrieves this secret from the EDGE-CR-NAMESPACE. Ensure that this secret is created before initiating the Edge deployment or update process. |
| resources.limits | No | Structure | Defaults to CPU Limit: 3000m Memory Limit: 6GB |
Specify resource limits for the MongoDB server pod. For more information, see Resource limits specification. |
| resources.requests | No | Structure | Defaults to 75 GB | Specify the size of the Persistent Volume Claim (PVC) named mongod-data-edge-db-rs0-0 made by MongoDB server for persisting application data. For more information, see MongoDB storage size. |
Structure for specifying the resource limits for the containers deployed by the Edge operator.
Field |
Required | Type |
Default | Description |
|---|---|---|---|---|
| cpu | No | String | Specific CPU limit in CPU units. For example, 1000m or 1M | |
| memory | No | String | Specific memory limit in memory units. For example, 1000M or 1G |
Specifies the Kubernetes secret containing the admin credentials with which the MongoDB managed by the Edge operator must be configured or the admin credentials of the externally hosted MongoDB server. The Edge operator retrieves this secret from the namespace EDGE-CR-NAMESPACE. It is important that this secret is created before initiating the Edge deployment or update process.
This secret should contain the fields described in the table below:
Field |
Required | Type |
Default | Description |
|---|---|---|---|---|
| MONGODB_DATABASE_ADMIN_USER | Yes | String | Database admin username with which the MongoDB managed by the Edge operator or the username of the externally hosted MongoDB server is configured. | |
| MONGODB_DATABASE_ADMIN_PASSWORD | Yes | String | Database admin password with which MongoDB managed by the Edge operator or the password for the externally hosted MongoDB server is configured. | |
| MONGODB_USER_ADMIN_USER | No | String | userAdmin | Only used when MongoDB is deployed and managed by the Edge operator. |
| MONGODB_USER_ADMIN_PASSWORD | No | String | Password provided in the field MONGODB_DATABASE_ADMIN_PASSWORD |
Only used when MongoDB is deployed and managed by the Edge operator. |
| MONGODB_CLUSTER_ADMIN_USER | No | String | clusterAdmin | Only used when MongoDB is deployed and managed by the Edge operator. |
| MONGODB_CLUSTER_ADMIN_PASSWORD | No | String | Password provided in the field MONGODB_DATABASE_ADMIN_PASSWORD |
Only used when MongoDB is deployed and managed by the Edge operator. |
| MONGODB_CLUSTER_MONITOR_USER | No | String | clusterMonitor | Only used when MongoDB is deployed and managed by the Edge operator. |
| MONGODB_CLUSTER_MONITOR_PASSWORD | No | String | Password provided in the field MONGODB_DATABASE_ADMIN_PASSWORD |
Only used when MongoDB is deployed and managed by the Edge operator. |
| MONGODB_BACKUP_USER | No | String | backup | Only used when MongoDB is deployed and managed by the Edge operator. |
| MONGODB_BACKUP_PASSWORD | No | String | Password provided in the field MONGODB_DATABASE_ADMIN_PASSWORD |
Only used when MongoDB is deployed and managed by the Edge operator. |
Field |
Required | Type |
Default | Description |
|---|---|---|---|---|
| ca.crt | No | String | Certificate Authority (CA) certificate in PEM format. Only required if the externally hosted MongoDB is TLS/SSL enabled with a self-signed certificate or a certificate not issued by a publicly trusted CA. |
Field |
Required | Type |
Default | Description |
|---|---|---|---|---|
| storage | No | string | Default to 75 GB | Specify the PVC storage. Info: Once Edge is installed, you can only increase this value, but cannot reduce. |
The microservice specification allows specifying resources to allocate to default microservices, including the Apama, Smart Rules, OPCUA Management Service, and DataBroker Agent Server microservices.
Field |
Required | Type |
Default | Description |
|---|---|---|---|---|
| name | Yes | String | The name of the Cumulocity microservice. The allowed values are apama-ctrl, smartrule, opcua-mgmt-service, databroker-agent-server and datahub. | |
| resources.limits | No | Structure | Defaults to CPU Limit: 1000m Memory Limit: 1 GB |
Specify resource limits for the Cumulocity microservice container. For more information, see Resource limits specification. |
Specifying this field installs and configures Cumulocity DataHub. Installing DataHub requires additional system resources, including at least 10 extra CPU cores and 10 GB of RAM on the Kubernetes node. Additionally, DataHub will make use of five Persistent Volumes (PVs) for the DataHub MySQL, Dremio master, executor, executor-cloud, and Zookeeper pods. See Configuring storage for more details about Persistent Volumes.
This field is optional, and if omitted, DataHub will not be installed.
Field |
Required | Type |
Default | Description |
|---|---|---|---|---|
| enabled | Yes | String | Set to true to install Cumulocity DataHub. |
|
| dremioAdminCredentialsSecretName | Yes | String | Name of the Kubernetes Secret containing the credentials for admin access to Dremio. For more information, see Dremio Admin Credentials Secret. Info: The Edge operator retrieves this secret from the EDGE-CR-NAMESPACE. Ensure that this secret is created before initiating the Edge deployment or update process. |
|
| resources.limits | No | Structure | Defaults to CPU limit: 2 Memory limit: 4096Mi |
Specify resource limits for the Dremio master and executor pod. Important: CPU must be specified as an integer (number of CPUs) without the units, for example, 2 for 2 CPUs instead of 2000m or 2M and Memory must be specified in Mi without the units, for example 4096 instead of 4096Mi or 4Gi. For more information, see Resource limits specification. |
Specifies the Kubernetes secret containing the credentials for admin access to Dremio. The Edge operator retrieves this secret from the namespace EDGE-CR-NAMESPACE. It is important that this secret is created before initiating the Edge deployment or update process.
This secret should contain the fields described in the table below:
Field |
Required | Type |
Default | Description |
|---|---|---|---|---|
| DREMIO_ADMIN_USER | Yes | String | Dremio admin username. | |
| DREMIO_ADMIN_PASSWORD | Yes | String | Dremio admin password. Important: The password must be at least 8 letters long, must contain at least one number and one letter. |