Supply Chain Management Blogs by SAP
Ayesha_Ameer
Product and Topic Expert
The manufacturing landscape is changing faster than ever, and at the forefront of this transformation is edge computing powered by the cloud. In this blog post, we’ll guide you through the process of deploying Virtual DM Edge - a cloud-based solution that brings the magic of edge computing to your Azure subscription. Plus, we’ll show you how this approach streamlines everything, leaving you with more time to focus on what truly matters - making cool stuff!

The Virtual DM Edge Approach: Cloud Convenience Without the Hardware Hassle 

While traditional edge computing often requires physical hardware, Virtual DM Edge lets you skip all that setup. This approach deploys DM Edge on your Azure data center, so you don't have to worry about maintaining physical machines. Whether you're dealing with tight budgets or simply don’t have time to fuss with hardware, Virtual DM Edge is the perfect solution.

Who Should Use Virtual DM Edge?

  • No hardware headaches: If your organization doesn’t want to deal with the time and cost of procuring and maintaining hardware, this is your go-to.
  • Low latency, no problem: Virtual DM Edge is ideal for those who don’t face major latency or bandwidth challenges.
  • Self-managers: Already rocking Kubernetes infrastructure on the cloud? Then Customer Managed Virtual Edge is right up your alley.
  • Quick start for proofs of concept

Let’s Dive In: How to Install Virtual DM Edge on AKS

Alright, now it’s time for the fun part—installing Virtual DM Edge on your Azure Kubernetes Service (AKS) cluster. Don’t worry, we’ve got your back with this easy-to-follow guide. Let's break it down step by step.

Prerequisites:

Before diving into the installation, make sure you’ve got these tools and permissions set up:

  1. Edge_Admin role in your SAP BTP subaccount
  2. RBSC configuration access
  3. Helm and kubectl installed
    Helm Installation Guide
    kubectl Installation Guide
  4. Images from RBSC downloaded (if a local container repository is required)

Step 1: Create and Access Your AKS Cluster

  1. Create a standard 2 or 3 node pool AKS cluster in your Azure subscription.
  2. Obtain public domain names mapped to fixed IPs for your cluster: hostname and edge-ui.hostname.
    “your-cluster-hostname” and “edge-ui.your-cluster-hostname”
  3. Ensure that the cluster has at least one storage class and that persistent volumes can be provisioned automatically.
  4. Access the cluster via the Azure CLI or the kubectl tool, following the instructions provided in the Azure tenant.
  5. Download the cluster credentials and set the context to your kubeconfig using the set or export command.
  6. Generate or obtain a server certificate for the ingress gateway, and prepare a client certificate that is signed for the technical user "dm-edge-services". Ensure that the private keys are included. You'll also need the CA certificates that signed the server certificate and the client certificate for some configurations.

Step 2: Ingress Installation (Choose Your Fighter: Istio vs. Nginx)

Ingress controllers are what help route your traffic to the right places in Kubernetes. You’ve got two choices:

  • Istio (Recommended): A powerful service mesh for managing microservices. Ideal if you're looking to scale fast!
  • Nginx: A more traditional choice for handling HTTP/HTTPS traffic.

Istio (Recommended):

As there are many ways to install Istio, select a method that is best suited to you and your organisation. Below is the procedure for one method.

  1. Download Istio.
    curl -L https://istio.io/downloadIstio | sh -
  2. Enter the Istio directory.
    cd istio-<version>
  3. Install Istio using istioctl.
    istioctl install --set profile=default
  4. Verify the Istio installation.
    kubectl get pods -n istio-system

Nginx:

  1. Add a chart repository named ingress-nginx.
    helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
  2. Install the preferred version of ingress-nginx on your cluster in a dedicated namespace.
    helm search repo ingress-nginx/ingress-nginx -l
    helm install ingress-nginx ingress-nginx/ingress-nginx --version x.x.x --set controller.service.externalTrafficPolicy=Local -n ingress-nginx --create-namespace
  3. Ensure the cluster IP and external IP are mapped to the load balancer of the ingress.

If the external IP is not automatically mapped, edit the service (svc) and add the IP.

kubectl edit svc ingress-svc-name -n your-ingress-namespace

This opens the service definition in a text editor (such as Vim); use the editing commands appropriate to your OS. Add the external IPs in the spec section.

4. Update the hosts file of your system with permissible IP and hostnames for your cluster to obtain local access.

IP  your-hostname
IP edge-ui.your-hostname

Note: The hosts file can be found at the following locations:

  • Linux: /etc/hosts
  • Windows: C:\Windows\System32\drivers\etc\hosts

5. Ensure the ingress setup is successful in the Azure subscription.

Step 3: Generating self-signed certificate

Every good digital ecosystem needs security, and that’s where certificates come in. Here’s how to generate them:

  1. Create a CA certificate (the certificate authority for your self-signed certs).
  2. Generate server and client certificates using OpenSSL.

It’s easier than it sounds—just follow the steps to create the keys and certificates, ensuring your traffic remains secure!

  1. Generate a CA key pair (ca.key) and CA certificate (ca.crt).
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 365 -nodes -subj "/CN=Custom Cert Authority"

2. Generate a server key pair (server.key) and sign the server certificate signing request (server.csr) with the CA certificate.

server_csr.cnf (OpenSSL configuration file referenced by the commands below)
[req]
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
# C must be a two-letter country code in capitals
C = YourCountry
ST = YourStateOrProvince
L = YourLocation
O = YourOrganization
OU = YourOrganizationUnit
CN = dm-edge

[v3_req]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
# Hostnames the server certificate is valid for
subjectAltName = @alt_names

[alt_names]
DNS.1 = your-hostname
DNS.2 = edge-ui.your-hostname

3. Create a certificate signing request (CSR) and verify the content.

openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -config server_csr.cnf -extensions v3_req
openssl req -text -noout -verify -in server.csr

4. Sign the CSR (server.csr) using the CA certificate and its private key.

openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt -extfile server_csr.cnf -extensions v3_req

5. Generate a client key pair (client.key) and sign the client CSR (client.csr) with the CA certificate.

openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj "/CN=dm-edge-services"
openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
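
Before these files are loaded into Kubernetes secrets in Step 6, it is worth confirming that they are consistent with each other. The following is an added example, not part of the original post or of SAP's tooling: make_sample_pki and check_edge_certs are hypothetical helper names, the sample hostname is constructed, and the sample PKI uses rsa:2048 instead of rsa:4096 only to keep the demo fast.

```bash
# Constructed sample input: the Step 3 commands, with rsa:2048 (the guide uses rsa:4096) for speed.
make_sample_pki() {   # usage: make_sample_pki DIR HOST
  local d="$1" host="$2"
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = dm-edge' \
    '[v3_req]' 'keyUsage=critical,digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
    'subjectAltName = @alt_names' '[alt_names]' "DNS.1 = $host" "DNS.2 = edge-ui.$host" > "$d/server_csr.cnf"
  ( cd "$d" &&
    openssl req -x509 -sha256 -newkey rsa:2048 -keyout ca.key -out ca.crt -days 365 -nodes -subj "/CN=Custom Cert Authority" &&
    openssl req -new -newkey rsa:2048 -keyout server.key -out server.csr -nodes -config server_csr.cnf -extensions v3_req &&
    openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 \
      -out server.crt -extfile server_csr.cnf -extensions v3_req &&
    openssl req -new -newkey rsa:2048 -keyout client.key -out client.csr -nodes -subj "/CN=dm-edge-services" &&
    openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt &&
    chmod 600 ca.key server.key client.key
  ) >/dev/null 2>&1
}

# Returns 0 only if every check passes; each failure is reported on stderr.
check_edge_certs() {  # usage: check_edge_certs DIR HOST
  local d="$1" host="$2" rc=0 f pub sans
  for f in server client; do
    # Must chain to ca.crt and be valid for its TLS role (purpose sslserver / sslclient).
    openssl verify -CAfile "$d/ca.crt" -purpose "ssl$f" "$d/$f.crt" >/dev/null 2>&1 ||
      { echo "FAIL: $f.crt does not verify against ca.crt as ssl$f" >&2; rc=1; }
    # Key and certificate must carry the same public key, or the TLS secret is unusable.
    pub=$(openssl x509 -in "$d/$f.crt" -noout -pubkey 2>/dev/null) || pub=""
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$d/$f.key" -pubout 2>/dev/null)" ] ||
      { echo "FAIL: $f.key does not match $f.crt" >&2; rc=1; }
    # Keys are written with -nodes (unencrypted), so group/world must have no access.
    case $(ls -l "$d/$f.key" 2>/dev/null) in -???------*) ;; *) echo "FAIL: $f.key permissions too open" >&2; rc=1 ;; esac
  done
  # Both ingress hostnames must appear as exact SAN entries of the server certificate.
  sans=$(openssl x509 -in "$d/server.crt" -noout -text 2>/dev/null | grep 'DNS:' | tr ',' '\n' | tr -d ' ')
  for f in "$host" "edge-ui.$host"; do
    printf '%s\n' "$sans" | grep -Fxq "DNS:$f" || { echo "FAIL: SAN DNS:$f missing from server.crt" >&2; rc=1; }
  done
  # The client certificate must name the technical user dm-edge-services.
  openssl x509 -in "$d/client.crt" -noout -subject -nameopt RFC2253 2>/dev/null |
    grep -q 'CN=dm-edge-services$' || { echo "FAIL: client.crt CN is not dm-edge-services" >&2; rc=1; }
  return $rc
}

# Demo on constructed files: run this script with --demo
if [ "${1:-}" = "--demo" ]; then
  t=$(mktemp -d) && make_sample_pki "$t" your-hostname.example && check_edge_certs "$t" your-hostname.example && echo "all checks passed"
fi
```

To check real files, call check_edge_certs with the directory that holds ca.crt, server.crt, server.key, client.crt and client.key, and the hostname used for the ingress.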

Step 4: Create Edge Device in DM Cloud UI

Now, let’s create an Edge device in the Manage Edge Devices UI in the SAP Cloud.

  1. Name your device, select the plant, and choose your deployment option (Self-Managed).
  2. Download the parameter values YAML file.

Step 5: Prepare Your YAML File 📄

The YAML file contains all the configurations for your deployment. You’ll populate it with the necessary parameters, then refer to the SAP help documentation for the specifics.

Step 6: Install DM Edge with Helm

  1. Set the Kubernetes context.
    export KUBECONFIG=[kubeconfig_file_path]
    Note: For Windows, the command is set KUBECONFIG=[kubeconfig_file_path]
  2. Create a namespace for SAP Digital Manufacturing for edge computing.
    kubectl create namespace [namespace]
  3. [Required for Istio] Enable Istio for the namespace.
    kubectl label namespace [namespace] istio-injection=enabled
  4. [Only for Istio] Verify the istio injection in the namespace.
    kubectl get ns -L istio-injection

5. Add a chart repository for the SAP Digital Manufacturing for edge computing Helm chart, using the repository endpoint and the technical username and password for the RBSC or your own container registry.

helm repo add [helm_repo] [helm_chart_URL] --username *** --password *** --pass-credentials

The helm_repo parameter is the name you give to a local Helm chart repository. The helm_chart_URL parameter is obtained from RBSC. A password given with --password is visible in shell history and the process list; helm repo add can also read it from standard input with --password-stdin.

6. Check the latest version of the Helm chart.

helm search repo [helm_repo]/offline-edge --versions

Note: If you are testing beta versions, which are reserved for the quality testing window before official release, add the "--devel" option.

7. Check the configurable values of the chart.

helm show values [helm_repo]/offline-edge --version [version]

8. Create Kubernetes secrets to store different certificates. For NGINX, create all the following secrets in SAP Digital Manufacturing for edge computing namespace. For Istio, create the first two secrets (all in one secret) in Istio namespace and the third in SAP Digital Manufacturing for edge computing namespace.

1. Secret for trusted certificates, including CA certificate for SAP Digital Manufacturing for edge computing client certificate and CA certificate for Cloud Connector system certificate. Or if it's a self-signed system certificate for PoC purposes, include the Cloud Connector system certificate itself.

2. Secret for SAP Digital Manufacturing for edge computing server certificate.

3. Secret for CA certificate for Dex server certificate (in the case of embedded Dex, secret for CA certificate for SAP Digital Manufacturing for edge computing server certificate).

NGINX:

kubectl create secret generic [ca_secret_name] --from-file=ca.crt=[trusted_ca_certificates] -n [dm_edge_namespace]
kubectl create secret tls [tls_secret_name] --key [server_certificate_key] --cert [server_certificate] -n [dm_edge_namespace]
kubectl create secret generic [dex-ca-secret-name] --from-file=ca.crt=[Dex_CA_Certificate] -n [dm_edge_namespace]

Istio:

kubectl create secret generic [tls_secret_name] --from-file=tls.key=[server_certificate_key] --from-file=tls.crt=[server_certificate] --from-file=ca.crt=[trusted_ca_certificates] -n [istio_namespace]
kubectl create secret generic [dex-ca-secret-name] --from-file=ca.crt=[Dex_CA_Certificate] -n [dm_edge_namespace]

9. Install the application using Helm.

helm install [release_name] [helm_repo]/offline-edge -f [values_file] -n [namespace] --version [helm_chart_version]

The release_name parameter is a name you give to the SAP Digital Manufacturing for edge computing instance to be installed.

10. When installation is complete, check the pod status in the given namespace.

kubectl get pods -n [namespace]

The pods should be in Running status and jobs in Completed status. Additionally, you can verify the installation status in the Manage Edge Devices UI. The status should say "Installed."

Step 7: Set up Azure Lighthouse (Optional)

Azure Lighthouse is a service offered by Microsoft for service providers that offers multi-tenant management with enhanced scalability, automation, and governance. It allows customers to share their resource logs, including Azure Monitor logs and activity logs, with providers using delegated resource management. Providers can access this data through Azure RBAC, ensuring secure, controlled access. This service helps streamline monitoring, troubleshooting, and optimization, while maintaining customer data privacy.

Therefore, these steps are optional but highly recommended for efficient resource management and enhanced service delivery.

  1. In your Azure subscription, navigate to the custom template: template.
  2. Choose Edit Parameters.
  3. In the Edit Parameters section, replace the content with the JSON below.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": {
      "value": "DMC_Lighthouse_Test_MSP_Security"
    },
    "mspOfferDescription": {
      "value": "DMC Lighthouse Test Service Provider"
    },
    "managedByTenantId": {
      "value": "[managed_by_tenant_id]"
    },
    "authorizations": {
      "value": [
        {
          "principalId": "[principal_id]",
          "roleDefinitionId": "[role_definition_id]",
          "principalIdDisplayName": "Lighthouse Contributor"
        },
        {
          "principalId": "[principal_id]",
          "roleDefinitionId": "[role_definition_id]",
          "principalIdDisplayName": "Lighthouse Managed Services Registration Assignment Delete Role"
        }
      ]
    },
    "rgName": {
      "value": "[nameof-your-resource-groups]"
    }
  }
}

 

  • mspOfferName: A unique name for your Lighthouse offer.
  • mspOfferDescription: A description of the offer (e.g., "DMC Lighthouse Test Service Provider").
  • managedByTenantId: The Tenant ID of the managed service provider (MSP).
  • principalId: The Principal ID (the ID of the service principal or managed identity).
  • roleDefinitionId: The role definition that will be assigned to the service provider.
  • rgName: The name of the resource group that will be used in this configuration.

Important:
Replace [managed_by_tenant_id], [principal_id], [role_definition_id], and [nameof-your-resource-groups] with actual values. These details must be provided by the DM Edge team (or your internal team managing Azure Lighthouse).

Navigate through the wizard and click on “Review + create” to create the custom deployment template.

  • To verify the Azure Lighthouse configurations, navigate to Home > Azure Lighthouse.
  • Choose View service provider offers.
  • Click on service providers from the list to view their details and role assignments.

Conclusion: Your Edge Computing Journey Starts Here 🚀

With Virtual DM Edge, you’re now equipped to take full advantage of edge computing in your manufacturing operations. This powerful technology not only accelerates decision-making but also drives real-time improvements on the shop floor—without the hassle of managing physical hardware.

Here are a few key takeaways to remember as you embark on this journey:

  • Zero Hardware Hassles: Virtual DM Edge allows you to deploy SAP’s edge computing capabilities directly in your Azure data center, saving you time and resources spent on physical infrastructure.

  • Faster Decisions, Smarter Operations: By processing data closer to the source, edge computing reduces latency, enabling faster, more accurate responses to production needs.

  • Seamless Integration: Thanks to a containerized approach powered by Kubernetes, scaling and managing your applications is easier than ever, giving you the flexibility you need to grow without compromise.

  • Security First: By using self-signed certificates and robust ingress controllers (like Istio or Nginx), you can ensure that all your edge operations stay secure while communicating effectively with the cloud.

  • Efficient Resource Management: If you’re a service provider, consider setting up Azure Lighthouse to streamline monitoring, troubleshooting, and optimization across multiple tenants. It’s an optional step, but it significantly enhances your ability to manage resources efficiently.

With these benefits in hand, your organization is now on the fast track to harnessing the full power of edge computing for manufacturing. Whether you’re looking to improve business continuity, scale quickly, or simply eliminate infrastructure headaches, Virtual DM Edge provides the flexibility, speed, and reliability you need to succeed.

Ready to dive deeper into edge computing? For more insights and the latest updates, click on SAP help documentation to stay on top of all things SAP Digital Manufacturing!

Happy edge computing! 🌐