Nephio R4 Release Notes

Overview

Building on the solid foundations of R1, R2, and R3, this release introduces significant advancements in functionality, usability, and security, with a strong focus on production-grade deployments and O-RAN integration. Key Highlights of Nephio R4 include:

O-RAN IMS Integration
FluxCD GitOps Automation
Platform improvements
UI enhancements
Security Enhancements
Other improvements include improved developer experience with support for modern IDEs, as well as a number of dependency upgrades and security fixes

For example new CRDs were added to support Focom (FocomProvisioningRequest, OCloud, TemplateInfo) and O2IMS (ProvisioningRequest) cluster provisioning APIs. Platform updates include fixes, security patches, and enhancements to Porch. Documentation received aesthetic improvements and bug fixes. New end-to-end test suites were introduced for FluxCD workload deployment and O2IMS provisioning. Security enhancements include a SPIFFE-based Workload Identity mechanism, improving the OpenSSF score to 7.6.

Prerequisites

Refer to the Install Guide for the prerequisites on supported environments.

Support matrix

The sandbox environment requires a physical or virtual machine with the following:

Ubuntu-20.04-focal or Ubuntu 22.04 Linux Or Fedora 34.
A minimum of eight cores. 16 cores is the recommended quantity, however, as they are needed for end-to-end testing with RAN and core.
32 GB memory.
200 GB disk size.
A default user with sudo passwordless permissions.

This installation has been verified on virtual machines (VMs) running on Google Cloud.

A Nephio sandbox can be created on any Kubernetes cluster, from v1.26 onwards.

Features

API

Focom Operator
- CRDs to support the Focom cluster provisioning api:
O2IMS Operator
- CRDs to support the O2IMS cluster provisioning api:
  - ProvisioningRequest

Web UI

The UI has received parametric editor implementation introducing multiple improvements to the configurable editor component which make it feasible for implementation of editors for complex, multi-level Kubernetes resources as well as Nephio specific resources. There were also security related updates done.

Packages

The following packages have been introduced:

ORAN Cluster Provisioning pkgs:
- Focom operator
- O2IMS Operator
FluxCD operators
Centralized FluxCD pkgs:
- Nephio Workload Cluster Flux
- Flux Gitrepo Kustomize
Spire/Spiffe related pkgs:

Functionalities

Platform
- Fixes, security patches, and enhancements to Porch. See Appendix for details.
Documentation
- Improvements in esthetics and bug fixes.
CI/CD Testing
- New e2e test suites added:
  - FluxCD Centralized workload deployemnt
  - O2IMS Cluster Provisioning
Security
- Added Workload Identity provisioning mechanism using SPIFFE based control plane.
- OSSF score has been improved to 7.6

Limitations

Intercluster networking is not dynamic. Therefore, as more clusters are deployed, some manual tweaking will be needed for intercluster communications.
Provisioning of the VLAN interfaces on the nodes is currently performed manually.
Feedback of the workload deployments from the workload clusters to the management cluster is limited. You may need to connect directly to the workload cluster via kubectl to resolve any deployment issues.
The web UI features are limited to the viewing and editing of packages, and resources in those packages, and their deployment. Additional features will be added in subsequent releases.
When the capacities of the UPF, SMF, and AMF NFs are changed, the free5GC operator on the workload cluster will instantiate a new POD with correspondingly modified resources (CPU, memory, and so on). During this process, the pod will restart. This is a limitation of free5GC.
Only Gitea works with automated cluster provisioning to create new repositories and join them to Nephio. To use a different Git provider, you must manually provision the cluster repositories, register them to the Nephio management server, and set up Config Sync on the workload cluster.
The web UI does not require authentication in the current demo configuration. Testing of the web UI with authentication configured has not yet been done.
The web UI only shows the resources in the default namespace.
While many types of Git authentication are supported, testing has only been done with token-based Git authentication in Gitea.

Known issues and workarounds

Packages may take time to be approved by the auto-approval controller. If they appear to have frozen, it may help to restart the Porch and the Nephio controllers using the following commands:

kubectl -n porch-system rollout restart deploy porch-server
kubectl -n nephio-system rollout restart deploy nephio-controller

Occasional calls to porchctl rpkg copy may fail with the following message:

Error: Internal error occurred: error applying patch: conflict: fragment line does not match src line.

If such a message appears, then retry in a little while, as this error may resolve itself. Restarting Porch may also help.

Appendix

Fixes and enhancements

Certificate renewal on webhooks
Checks for binary files in kpt packages
Add retry on “update” operations
Merge all Porch code into a single module
Add readiness check for propose/approve on package revisions
Fix synchronization on concurrent Create/update/Delete operations
Make maximum request size configurable
Refactor cache into a single package
Remove unused Function CRD
Fix exponential increase in package approval time
Support private authenticated registries for upstream packages
Allow configuration of interval of background periodic synchronization job
Allow TLS configuration of function-runner images
Enable rendering of packages > 4MB in the kpt function runner
Refactor the Porch code to improve the structure of the Porch engine and task handling
Refactor mutex handling on cache refreshing to avoid deadlocks
Prevent proposing and approval of packages if the kpt pipeline of the package fails to render
Fix modify event handling on package revisions
Refactor mutexes to allow concurrent reads on package revisions
Many small bugs fixed