## **Release 4.0.0**

### **Visibility Control**

The current release includes the initial implementation (not completely functional) of the Visibility Control API. The complete feature implementation is expected to be released in the next OpenCAPIF version, stay tuned!

### **Technical Debt Solved**

#### **Certificate Generation Reworked for Multi-Instance Deployments (Common Vault)**

The certificate generation and storage flow has been updated to support **multiple CAPIF instances sharing the same Vault**.
Previously, the startup and certificate provisioning logic assumed a single CAPIF instance and stored certificates in fixed Vault paths, which caused collisions when deploying more than one instance using a common Vault.

With this change:

- Certificates and keys are now **generated at the service level** (e.g., NGINX generates its own key and CSR locally).
- Vault is now used only as a **signing authority (CA)** to sign incoming CSRs and to store the resulting artifacts, avoiding Vault-specific instance coupling and enabling the same Vault to serve other CAPIF deployments.
- A **unique CCF identifier (ccf_id)** is used as the namespace key to store and retrieve CAPIF certificates.
- CAPIF-related certificates are stored under instance-scoped Vault paths (e.g. `secret/capif/<ccf_id>/...`) to prevent overwriting assets across deployments.
- Startup scripts and tooling were updated to obtain and use the correct `ccf_id` dynamically, ensuring each instance loads the correct certificate material.
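
The flow described in the list above, as an added example that is not OpenCAPIF's own startup script: the service creates its key and CSR locally, and Vault only signs the CSR and stores the result under the `ccf_id` path. The PKI mount `pki`, the role `capif-role`, the component name `nginx`, the file names and the allowed `ccf_id` characters are assumptions.

```shell
#!/usr/bin/env bash
# Added illustration, not the project's script.
# Hypothetical names: PKI mount "pki", role "capif-role", component "nginx",
# file names server.key/server.csr/server.crt, and the ccf_id character set.

# Build the instance-scoped Vault path. An id containing "/" or "." is
# rejected so one instance cannot address another instance's namespace.
capif_vault_path() {
    local ccf_id="$1" component="$2"
    case "$ccf_id" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid ccf_id" >&2; return 1 ;;
    esac
    printf 'secret/capif/%s/%s\n' "$ccf_id" "$component"
}

# Generate the key and CSR on the service itself; only the CSR is sent out.
generate_key_and_csr() {
    local cn="$1" dir="$2"
    ( umask 077; openssl genrsa -out "$dir/server.key" 2048 ) || return 1
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" -out "$dir/server.csr"
}

# Vault acts as the signing authority: sign the CSR, then store the issued
# certificate under this instance's path (needs VAULT_ADDR and a valid token).
sign_and_store() {
    local ccf_id="$1" cn="$2" dir="$3" path
    path="$(capif_vault_path "$ccf_id" nginx)" || return 1
    vault write -field=certificate "pki/sign/capif-role" \
        csr=@"$dir/server.csr" common_name="$cn" > "$dir/server.crt" || return 1
    vault kv put "$path" cert=@"$dir/server.crt"
}
```

Two instances with different `ccf_id` values resolve to different paths, so a second deployment on the same Vault no longer overwrites the first one's certificate.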

#### **NGINX Configuration improved**

The NGINX configuration included in the OpenCAPIF deployment has been improved.
Previously, the nginx.conf implemented a weak validation mechanism for some endpoints; this logic has now been refactored and split into different logical components.

The NGINX configuration now uses maps to handle policies, errors, services, and other concerns, following a modular structure. This approach simplifies the addition of new endpoints or policies in the future.

#### **Security Issues**

- **setuptools** Python library updated to version 80.9.0 due to a security issue detected.
- **protobuf-python** library has a potential risk of a Denial of Service issue.
- **OpenSSL in Cryptography wheels** vulnerability solved.
- **Denial of Service via Missing HTTP Header Validation** vulnerability solved.

#### **Fixed Security Service**

- The problem of an invoker not being able to create the security context for one API when it already had one for another API has been resolved.
- The priority of use of the security methods supported by an API has been established depending on whether they are specified in the AEF profile or in the interface description in the security context creation request.
- An error has been corrected that prevented the PSK from being generated correctly when the AEF ID was used in the security context creation request instead of the interface description.

#### **Improved helm and tools scripts**

Helm scripts under the helm/scripts directory have been improved with the following features:

- **install_capif.sh**: now supports deployment of release 3.0.0, including celery charts configuration.
- All helm scripts now support the addition of environment files, which simplifies overwriting variable values for each environment. Check the [How to Deploy Using Helm] section to learn how to use this functionality.
- **variables.sh** includes more variables:
    - **BASE_DOCKER_REGISTRY**: domain to use when images are retrieved to deploy services.
    - **LOG_LEVEL**: sets the log level of all services on deployment; allowed values are [CRITICAL, FATAL, ERROR, WARNING, WARN, INFO, DEBUG, NOTSET].
    - **REGISTER_ADMIN_USER** and **REGISTER_ADMIN_PASSWORD**: set the admin username and password used to run scripts like create_remote_users.sh, run_remote_capif_tests.sh, ...
    - **SKOONER_HOSTNAME**: sets the Skooner hostname.
    - **GRAFANA_HOSTNAME**: sets the Grafana hostname.
    - **MONITORING_GRAFANA_ENABLED**: sets whether Grafana is enabled in the monitoring deployment.
    - **MONITORING_PROMETHEUS_ENABLED**: sets whether Prometheus is enabled in the monitoring deployment.
- **install_vault.sh**: upgraded in order to support the latest k8s versions.

Tools scripts have been improved with the following features:

- **push_base_images_ocf.sh**: now includes the busybox image used by the mongo chart.
- **generate_all_capif_apis.sh**: improved with help, and many variables refactored. Comments were also added to help developers use this script. Parameters are now accepted so it can be set up easily in any environment.

#### Supported Features Mandatory on POST and PUT requests
Added a check that makes the presence of supportedFeatures mandatory in all POST and PUT requests.

#### New Helper Dynamic Packages
The Helper service now supports dynamic packages, enabling new services to be added easily and expanding overall functionality. More details are available in [Helper Dynamic Services](./helper/dynamic-services.md).

#### **CAPIF Alignment and Standard Compliance**
- OpenCAPIF services have been upgraded from **Release 18 to Release 19** following **3GPP TS 29.222**, ensuring full alignment with the latest CAPIF specification.
- All OpenCAPIF APIs, security flows and service interfaces were updated to comply with the Release 19 normative behavior and data models.
- Added a certificate check to the PATCH request of Provider Management.

### **Documentation**

- New section [How to Deploy Using Helm] created. This section includes a guide on how to use the helm scripts to deploy all components (including OpenCAPIF) on a k8s environment.
- Changed the "How to Run" section name to [How to Run locally].
- New section called [Download Repository] included in documentation.
- New section called [Certificate Generation Architecture].