Beto Rodriguez, Ramon Perez, Tatiana Krishtop


Exploring Certification Test Suites Integrated in DCI: A Comprehensive Review

Red Hat Distributed CI (DCI) is a great CI tool written in Ansible that can help you install OpenShift on baremetal, automate the deployment of your plugins and workloads, and run various tests. In this article, we will focus on the certification test suites that Red Hat has created for cloud-native applications to verify their adherence to best practices. DCI simplifies the setup required for these suites, allowing you to focus on improving your workload.

Agent - Infrastructure Tests

CNI Plugin Certification

The Container Network Interface (CNI) plugin certification is designed for applications that provide network services on OpenShift via a CNI plugin. By using the dci-openshift-agent for an OpenShift cluster deployment, a CNI plugin creator can continuously validate that their product complies with the CNI specifications. To enable the tests, it is only necessary to activate the dci_do_cni_tests flag. This will run the recommended Red Hat tests and generate a report for submission to the certification team for validation.

CSI Plugin Certification

The Container Storage Interface (CSI) plugin certification is designed for storage providers working on integrating their solutions with OpenShift using a CSI driver. The test suites validate that the plugin complies with the CSI specifications and best practices recommended by Red Hat. To run the certification tests during a new cluster deployment using DCI, it is necessary to provide a manifest file with the plugin details and its capabilities. The job produces a test report that can be submitted to the certification team for validation. To enable the test, please review the dci_openshift_csi_test_manifest setting in the dci-openshift-agent documentation.

Application Agent - Workload Tests

Containers' certification: Preflight and OSCAP-podman

To become certification-ready, your container must pass all the test suites provided by two tools: Preflight for containers and OSCAP-podman. Preflight for containers checks for basic best practices: "do not run as root", "base on UBI", "provide license", "limit layer count", etc. OSCAP-podman scans for vulnerabilities, running over a thousand biweekly-updated tests. To trigger these tests from DCI, you could customize an example configuration for your needs and use a debug guideline in case of any failing tests. You can also opt for end-to-end container certification from DCI by requesting that DCI automatically create a certification project at connect.redhat.com and push the test results in that project. This allows you to simply click the publish button to add the container to the catalog.

Helm Chart Verifier

Chart Verifier allows you to validate the Helm chart against a configurable list of checks. The tool ensures that the Helm chart includes the associated metadata and formatting, and is distribution ready. The ultimate goal of Helm chart certification is to get your chart merged into the OpenShift Helm Repository, and DCI can offer you a full service by running all the required tests and even automatically opening a pull request. Please note that not all Helm chart workloads can be certified; for example, the "certification-green" Helm chart must not contain any CRDs. CRDs should be defined using operators.
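A local pre-check for the no-CRDs rule described above, as an added example that is not code from Chart Verifier or DCI. It assumes an unpacked chart directory and the Helm 3 convention of a `crds/` directory; `find_crds` and `write_sample_chart` are hypothetical names, and the sample chart is constructed.

```python
import re
import sys
from pathlib import Path

# A manifest line that declares a CRD; commented-out lines do not match.
CRD_KIND = re.compile(
    r"""^\s*kind:\s*["']?CustomResourceDefinition["']?\s*$""", re.MULTILINE)
MANIFEST_SUFFIXES = {".yaml", ".yml", ".tpl"}


def find_crds(chart_dir):
    """Return sorted (relative_path, reason) pairs for CRDs in an unpacked chart."""
    root = Path(chart_dir)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in MANIFEST_SUFFIXES:
            continue
        rel = path.relative_to(root)
        if "crds" in rel.parts[:-1]:
            # Helm 3 treats crds/ as the CRD location, in subcharts too.
            findings.append((rel.as_posix(), "file under a crds/ directory"))
        elif CRD_KIND.search(path.read_text(encoding="utf-8", errors="replace")):
            findings.append((rel.as_posix(), "declares kind: CustomResourceDefinition"))
    return sorted(findings)


def write_sample_chart(root):
    """Constructed sample chart: three CRD sources and two clean files."""
    files = {
        "Chart.yaml": "apiVersion: v2\nname: demo\nversion: 0.1.0\n",
        "templates/deployment.yaml": "apiVersion: apps/v1\nkind: Deployment\n"
                                     "# kind: CustomResourceDefinition (comment only)\n",
        "templates/extra.yaml": "{{- if .Values.installCRDs }}\n"
                                "apiVersion: apiextensions.k8s.io/v1\n"
                                "kind: CustomResourceDefinition\n{{- end }}\n",
        "crds/widget.yaml": "apiVersion: apiextensions.k8s.io/v1\n"
                            "kind: CustomResourceDefinition\n",
        "charts/sub/crds/gadget.yaml": "kind: CustomResourceDefinition\n",
    }
    for name, body in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    hits = find_crds(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, reason in hits:
        print(f"{rel}: {reason}")
    sys.exit(1 if hits else 0)
```

Run it against a chart directory before submitting; a non-zero exit status means at least one CRD source was found, including CRDs hidden behind a template conditional or shipped by a subchart.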

All Operators: Preflight Certification

General-purpose operators can be certified using the Preflight check-operator tool, which currently runs four tests. Three of these tests are basic formatting validations provided by the operator-sdk, and the fourth one, called DeployableByOLM, verifies whether the operator can be deployed by OLM, having its Subscription and CustomServiceVersion up and running. As with Preflight check-container, there are several example configurations that you can customize for your needs, a debug guideline, and the possibility to run an end-to-end certification process, which tests and merges your operator into the certified-operators repository.

Telco Operators: CNF Certification

The Cloud-Native Network Functions (CNFs) certification suite is a set of CNF tests and a framework for building more. Its main goal is not to certify the workloads under test (which can be pods and operators), but rather to measure compliance with the good practices defined in the CNF Requirements document published by Red Hat. This suite is run by the dci-openshift-app-agent, which uses DCI configuration to autodiscover the workloads. It then tests their interaction with OpenShift and generates the report to be submitted to the Red Hat Certification Partner Connect portal. We have also created a blog post with an example configuration and an extended video presentation if you would like to learn more.