IoT Layer — Technology Stack¶
Purpose¶
The IoT Layer defines the technology stack underneath the Data Plane services. Each Data Plane service wraps an open-source IoT platform, adding FlexGalaxy API conventions, multi-tenant account scoping, and access control.
This is analogous to how the Identity Plane defines DotID as the umbrella service, and Keycloak is the underlying OIDC provider.
Technology Map¶
Data Plane Service |
IoT Technology |
Role |
|---|---|---|
Device registry, connectivity, telemetry ingestion, alerts |
||
Data processing, analytics pipelines, dashboards, widgets |
||
OTA updates, artifact delivery, policy-driven rollouts |
Architecture Overview¶
FlexGalaxy.AI Platform
┌───────────────────────────────────────────────────────────────┐
│ │
│ ┌─────────────┐ ┌──────────────┐ ┌───────────────────┐ │
│ │ DotID │ │ Policy │ │ Equator / Marie │ │
│ │ (Identity) │ │ Service │ │ (Spatial) │ │
│ └──────┬───────┘ └──────┬───────┘ └────────┬──────────┘ │
│ │ │ │ │
│ ┌──────▼─────────────────▼────────────────────▼──────────┐ │
│ │ Provisioning Service │ │
│ │ Device enrollment, credential issuance, tenant routing │ │
│ └──────┬─────────────────┬────────────────────┬──────────┘ │
│ │ │ │ │
│ ┌──────▼──────┐ ┌─────▼──────┐ ┌────────▼─────────┐ │
│ │ ThingsBoard │ │ hawkBit │ │ StreamPipes │ │
│ │ CE │ │ │ │ │ │
│ │ Device mgmt │ │ OTA update │ │ Stream analytics │ │
│ │ Telemetry │ │ Artifact │ │ ML inference │ │
│ │ Rule engine │ │ delivery │ │ IIoT processing │ │
│ └──────┬──────┘ └─────┬──────┘ └────────▲─────────┘ │
│ │ │ │ │
│ │ │ │ │
│ ┌──────▼────────────────┘ │ │
│ │ Kafka Cluster A │ │
│ │ (ThingsBoard MSK) │ │
│ │ Telemetry, device events, commands │ │
│ └────────────────┬───────────────────────────┘ │
│ │ cross-cluster replication │
│ ┌────────────────▼───────────────────────────────────────┐ │
│ │ Kafka Cluster B │ │
│ │ (StreamPipes MSK) │ │
│ │ Analytics pipelines, processed results, sink outputs │ │
│ └────────────────────────────────────────────────────────┘ │
│ │
└───────────────────────────────────────────────────────────────┘
│ │
MQTT / CoAP DDI (HTTP)
LwM2M / HTTP polling
│ │
┌─────▼─────────────────▼───────┐
│ Edge Device │
│ ├── MQTT client (ThingsBoard) │
│ ├── Hara (polls OTAForge DDI) │
│ └── Local edge planner │
└────────────────────────────────┘
Integration Topology¶
ThingsBoard CE → DeviceAdmin¶
DeviceAdmin wraps ThingsBoard CE, providing the platform’s unified device management interface. ThingsBoard runs as an internal service — developers never interact with it directly.
DeviceAdmin exposes:
Device enrollment (delegates to Provisioning Service)
Alert monitoring (surfaces ThingsBoard rule engine alerts)
OTA status visibility (reads hawkBit deployment state)
ThingsBoard operates in microservices mode on EKS, sharing the same Kubernetes cluster as other platform services.
Apache StreamPipes → ThingIO¶
ThingIO wraps Apache StreamPipes, providing
account-scoped data processing and dashboard visualization. Applications
(WES, ClearJanitor) register custom dashboards, widgets, and data pipelines
via APIs and embed them using the ThingIO React SDK
(@flexgalaxy/thingIO-widgets).
ThingIO exposes:
REST APIs for dashboard, widget, and pipeline management
React component library for embedding visualizations in applications
Data processing pipelines (pattern detection, ML inference, aggregation)
Data sourcing from enrolled devices’ telemetry
ThingsBoard and StreamPipes connect via Kafka — the ThingsBoard Rule Engine publishes to Kafka Cluster A, and cross-cluster replication delivers telemetry to Kafka Cluster B where StreamPipes adapters consume it.
Eclipse hawkBit → OTAForge¶
OTAForge wraps Eclipse hawkBit, providing OTA artifact management with CI/CD integration and policy-driven rollout automation.
OTAForge exposes:
Artifact publishing (firmware, maps, configs, ML models, certificates)
Distribution set composition
Policy-driven rollout automation (OTAForge polls DeviceAdmin for device state, evaluates policies, auto-creates rollouts)
Access keys (AK/SK) for CI/CD integration (Jenkins, GitHub Actions)
Proxied DDI endpoint — devices poll OTAForge, not hawkBit directly
Distributor portal for web-based artifact management
Kafka as Event Backbone¶
Apache Kafka serves as the central event bus connecting all IoT components. The platform uses two separate MSK clusters to isolate ThingsBoard’s high-throughput telemetry from StreamPipes’ analytics workloads.
Kafka Cluster A (ThingsBoard)¶
Flow |
Topic Pattern |
Description |
|---|---|---|
ThingsBoard → Platform |
|
Raw telemetry from devices |
ThingsBoard → Platform |
|
Device lifecycle events (connect, disconnect, alarm) |
Platform → ThingsBoard |
|
Device commands and RPC calls |
Kafka Cluster B (StreamPipes)¶
Flow |
Topic Pattern |
Description |
|---|---|---|
Replicated from Cluster A |
|
Telemetry replicated for analytics processing |
StreamPipes → Platform |
|
Analytics results and alerts |
StreamPipes → Sinks |
|
Processed data for external destinations |
Why Separate Clusters¶
Concern |
Separate Clusters |
|---|---|
Failure isolation |
ThingsBoard telemetry ingestion is unaffected by StreamPipes pipeline failures |
Scaling independence |
Telemetry volume scales differently from analytics workload |
Retention policies |
Raw telemetry may have different retention than analytics results |
Security boundaries |
ThingsBoard cluster contains raw device data; StreamPipes cluster contains processed/enriched data |
Cross-cluster replication (Amazon MSK Replicator or MirrorMaker 2) delivers selected topics from Cluster A to Cluster B.
Proxied DDI¶
Devices poll OTAForge’s DDI (Device Domain Interface) endpoint, not hawkBit’s DDI directly. OTAForge validates tenant context, applies rate limiting, and logs all interactions before proxying to hawkBit.
Edge Device ──► OTAForge DDI Proxy ──► hawkBit DDI
(Hara) (tenant validation, (deployment actions,
audit logging, artifact downloads)
rate limiting)
Credential Model¶
Devices hold credentials issued during provisioning, varying by provisioning scenario:
Credential |
Issuer |
Purpose |
Provisioning Scenario |
|---|---|---|---|
MQTT access token |
ThingsBoard |
Telemetry ingestion and device management |
All scenarios |
DDI security token |
hawkBit (via OTAForge proxy) |
OTA update polling |
All scenarios |
M2M OIDC client |
DotID (Keycloak) |
FlexGalaxy business API access |
Assembly and field only |
X.509 certificate |
Manufacturer CA |
Enrollment identity proof |
Factory and assembly (robots) |
MQTT credentials are for the IoT data plane; DotID credentials are for the platform API plane. DDI tokens are for OTA update polling. See the Device Provisioning pattern for the full credential issuance flow across factory, assembly, and field scenarios.
Deployment¶
Component |
Technology |
Deployment |
License |
|---|---|---|---|
ThingsBoard CE |
Java (Spring) |
EKS (Helm) |
Apache 2.0 |
Apache StreamPipes |
Java |
EKS (Helm) |
Apache 2.0 |
Eclipse hawkBit |
Java (Spring Boot) |
EKS (Helm) |
EPL 2.0 |
Kafka Cluster A |
Apache Kafka |
Amazon MSK (ThingsBoard) |
Apache 2.0 |
Kafka Cluster B |
Apache Kafka |
Amazon MSK (StreamPipes) |
Apache 2.0 |
PostgreSQL |
— |
Amazon RDS |
PostgreSQL |
Cassandra / TimescaleDB |
— |
Amazon Keyspaces or EKS |
Apache 2.0 / Timescale |
All components run on the shared EKS cluster within isolated namespaces. ThingsBoard microservices mode requires its own Kafka cluster (Cluster A). StreamPipes uses a separate Kafka cluster (Cluster B) with cross-cluster replication for telemetry topics.
Alternatives Considered¶
Alternative |
Category |
Why Not |
|---|---|---|
Eclipse Ditto |
Digital twin framework |
No telemetry storage, no dashboards, no rule engine — complementary, not a replacement |
Eclipse Kura |
Edge gateway |
Gateway-only, not a cloud platform |
EMQX |
MQTT broker |
Broker-only — still need device management, storage, rule engine |
Magistrala (ex-Mainflux) |
IoT platform |
Smaller community, fewer integrations, less production-proven |
AWS IoT Core |
Managed IoT |
Vendor lock-in, not self-hostable, conflicts with APaaS principle |