How Do I Become a Certified Provider?
The Cloud Foundry Certified Provider program is a conformance program for commercial distributions of the Cloud Foundry Application Runtime. By certifying a distribution, providers help ensure standardization of the well known Cloud Foundry developer experience across the ecosystem.
Certified Provider Requirements for 2020
The Cloud Foundry PaaS Certification program of CloudFoundry.org Foundation (the “Foundation”) is designed to certify products and services (“offerings”), that ship include and/or use the Foundation’s Cloud Foundry Application Runtime (CFAR) software, include that software in an unmodified form as shipped by the Foundation’s project teams.
The certification program also aims at increasing CFAR adoption in the industry, by ensuring certified offerings are of good quality, and suitable for production use.
Certified products and services are expected to differentiate themselves, but only via (1) non-functional attributes (availability, customer support, etc…) and (2) functional differences based on explicitly defined plugin points within the CFAR platform architecture. Functional differences include features and functions built on top of the CFAR platform (e.g.: CF as part of a larger offering or suite of offerings).
Certified Provider Requirements
The certification program is designed to work across a spectrum of offering types, including (but not limited to): software distributions, distribution as part of a hardware stack, managed private PaaS / Cloud services and online PaaS services.
The certification requirements apply equally to all of these offering types, with some requirement clarification provided based on offering type.
Certified Provider Requirements
Requirements for Certification
Certified offerings are required to use the exact software packaged in specific releases of both the Cloud Foundry Application Runtime and Developer CLI tool. Details for each component are noted below.
When certifying and during a verification audit, the program participant must provide the Foundation the exact release numbers for each required component.
“Use” is defined as the platform components performing the functions they are designed to perform within the architecture of the CFAR platform by the Foundation project teams. Shipping a component, but not using it for it’s intended purpose, does not meet the requirement. Similarly, shipping a component side-by side with an alternative implementation is only acceptable if the required component is the default option for users.
No feature differentiation may be added by modifying the code of the required components.
- Exceptions to the “exact software” requirement are only allowed for bug fixes or vulnerability patches, which do not add or change any features, with the requirement that the change is sent upstream to the relevant Foundation project(s). Specific to vulnerability patches, organizations with a certified offering are required to follow the Foundation’s vulnerability reporting process for any vulnerability identified as documented here: https://cloudfoundry.org/security/
- During initial certification and / or during any inspection of an offering’s technical compliance, the program participant must provide a listing of all exceptions, with relevant audit trails of the fix being sent to the Foundation project(s).
Current versions of certified products and services are expected to contain versions of the required components in the form released by Foundation project teams, no older than 6 months (unless the component has not had a release in that time), measured at the time of certification.
- For online PaaS, this applies to the currently running environment. Particularly, this applies to any new customer or new application deployment within the platform.
- For offerings that are “shipped” or dedicated to a single customer, this applies specifically to what a new customer or a customer being upgraded will receive from the program participant.
In the case of any uncertainty regarding these requirements, program participant should ask for the clarification by the Foundation via email@example.com. The Foundation reserves the right to determine how these requirements are interpreted in cases where clarification is required.
The Application Runtime portion of a certified offering must include the following components:
- Cloud Controller: https://github.com/cloudfoundry/capi-release
- Router: https://github.com/cloudfoundry-incubator/routing-release
- Eirini (https://github.com/cloudfoundry-incubator/eirini ) and / or Diego: (https://github.com/cloudfoundry/diego-release)
- If using Diego: Garden (https://github.com/cloudfoundry-incubator/garden-runc-release) and / or Garden Windows (https://github.com/cloudfoundry-incubator/garden-windows-bosh-release)
- Cflinuxfs3: https://github.com/cloudfoundry/cflinuxfs3-release
- UAA: https://github.com/cloudfoundry/uaa-release
- Logging & Metrics: https://github.com/cloudfoundry/loggregator-release
The components of the Cloud Foundry Application Runtime should be versions of the associated projects tested together by the Foundation’s Release Integration project team, although this is not required and component compatibility likely exists in more combinations than what is being tested by the Release Integration project team’s pipeline.
For the purpose of clarity, the use of Cloud Foundry BOSH is not required as the method of deploying or managing the Cloud Foundry Application Runtime. Use of “BOSH Release” repositories when identifying required components is for convenience in identifying the collection of source code repositories that together form each component.
Certified offerings must provide users with the official “cf” Command Line Interface (CLI) tool as the primary CLI for interacting with the Cloud Foundry Application Runtime platform. The CLI provided to users must be an unmodified version of the tool released by the Foundation’s CLI project team. This may be a redistribution of the released bits, or a pointer to an official download or distribution channel of the CLI project’s releases.
Certified Provider Requirements
Updates to Requirements
The Foundation may update these requirements in accordance with its by-laws. Future updates may include processes for initial certification, audit, or re-certification.
Generally, the Foundation will aim to undergo a review of these requirements at least annually, with the review beginning mid-year in order to give certified offerings time to meet any new requirements prior to the next certification year starting.
Current Certified Platforms
Frequently Asked Questions
What are the technical requirements for a certified offering?
The Cloud Foundry PaaS Certification requires that the certified offerings meet technical requirements as defined by the Foundation’s PMC Council. The PMC Council is the group charged with technical governance of the Cloud Foundry Foundation projects. The requirements for the current program year are posted here.
How is compliance governed?
The organization certifying an offering must sign a license agreement with the Foundation which provides a right to use the program’s year Cloud Foundry Certified logo and include Cloud Foundry in the offering’s name as long as the certifying company maintains compliance with the technical requirements published by the Foundation’s PMC Council for that year’s certified offering and remains in compliance with the terms and conditions of the license agreement. The Foundation inspects technical compliance of the offering and subsequently grants certification rights.
In the case of any uncertainty regarding these requirements, program participant must ask for clarification by the Foundation via firstname.lastname@example.org. The Foundation reserves the right to determine how these requirements are interpreted in cases where clarification is required.
What if you download the open source software code and compile as is? Are you certified?
You would be using the software in a way that is likely compliant with the certification requirements. However, certification is the formal assurance that a product or service is in compliance with these requirements. That formal assurance results in a contractual relationship with the Foundation and submission to technical verification, which provides a license to use our certification mark to reflect compliance.
If you are certified, does it mean you are using all open source checked in code?
Being certified means that you are using the required “core” parts of the Cloud Foundry platform as released by the Foundation’s project teams.
Offerings are encouraged to differentiate through operational attributes and by adding extensions at the platform’s defined extension points (including, but not limited to, specific services, CLI plugins, logging integrations, buildpacks, CPIs, stacks, and further surfaces as developed in the project).
Who hands out the certifications? Who can certify?
The Cloud Foundry certification program is a program of the Foundation itself. The certification is a contractual agreement between the Foundation and the organization responsible for the certified offering, stating that in return for meeting the Foundation’s certification requirements, the organization may use the certification mark to claim that their offering is certified.
Any organization offering a product or service based on the Cloud Foundry platform is encouraged to certify that offering. Organizations need not be members of the Foundation to achieve certification.
What types of tests do they run?
The Cloud Foundry certification program is based on the requirement for the certified offering to use the exact required software components, as released by the Foundation’s projects. While there are limited exceptions for minor patches, there is a requirement that these patches are sent upstream.
Unlike many industry certification programs, compliance is not just API-level compatibility with a documented API or reference implementation. The Cloud Foundry Certified PaaS certification requires certified offerings to actually use the software released by the Foundation’s project teams.
Do you need to be a Cloud Foundry Foundation member to be certified?
No, you do not need to be a member of the Foundation to be certified. The certification does come from the Cloud Foundry Foundation, but any product or service that is based on Cloud Foundry is encouraged to participate in the certification program.
How often does my code/product need to be certified? How long is my certification good for?
The Cloud Foundry PaaS Certification is an annual certification, and the certification badge reflects the program year of the certification. The technical requirements are reviewed and potentially updated at least once a year. We recommend more consistent integration with the upstream project, which is updated frequently with new releases.
What about security patches?
Security of our users is a primary concern for the Cloud Foundry Foundation. We have designed the certification program to allow providers of certified offerings to immediately patch their systems if they discover a vulnerability. However, all certifying providers are also obligated to report the discovered vulnerability to the upstream project and accept the remediation when provided by the project teams.
How much does it cost to be certified?
The cost for certification of an offering is $100K USD for this certification year, discounted to $50K USD for Cloud Foundry Foundation members.
You are an open source software project. Why are you charging for certification?
Part of our mission, as a nonprofit, is to make sure that developers can run their apps across any Cloud Foundry instance. In order for that to happen, we have to be able to offer a guarantee that each Cloud Foundry instance is the same. We do that through certification. The certification process itself costs money and as a nonprofit, we must neither gain nor lose money through this process.
If you want to provide certified Cloud Foundry services for a nonprofit cause or as a government entity, please contact us at email@example.com.
As an application developer, how can I tell if a service is certified? If its certification is revoked, will I be notified?
All certified offerings are allowed to display and use the Cloud Foundry Certified annual certification mark on their websites and marketing material during the course of that program year. Developers considering the use of a Cloud Foundry based product or service should look for this mark to ensure that they are purchasing a certified product or service.
Users of certified offerings will not be directly notified by the Foundation in cases where an offering ceases to be certified. It is the responsibility of the organization providing that offering to remove any reference to its being certified and discontinue all use of the Cloud Foundry Certified logo, but this removal is mandated by the Foundation’s license agreement.
I’m not distributing Cloud Foundry, I’m just offering it as a service — do I need to be certified?
The Cloud Foundry PaaS Certification program is designed to support a number of different delivery models for the platform. These include delivery models such as software distributions, public PaaS platforms, and managed private and on-premises PaaS offerings.
Since our software is licensed via the Apache Software License version 2, any person or organization has the right to use the software under the terms of that license.
However, the Foundation does not permit the use of the Cloud Foundry Certified mark or the use of the name Cloud Foundry as part of an offering’s name without certification. If we are asked if the given service is a Cloud Foundry service we will have to say “no.” When applied to cloud services, stating that it is “Cloud Foundry” means that it has achieved Cloud Foundry Certification.
Can certified offerings call themselves “Cloud Foundry”?
The CLOUD FOUNDRY mark is a registered mark of the Cloud Foundry Foundation. Its use is permitted in product or service names with an explicit license agreement from the Foundation. This license agreement is an addendum to the Cloud Foundry Certified mark license agreement, and requires that any product or service licensed to use the CLOUD FOUNDRY mark also maintains its Cloud Foundry Certified status.