Container offers for Kubernetes apps: A step-by-step guide
Published Apr 24 2023 06:00 PM
Microsoft

Introduction

The Azure Marketplace offers a wealth of solutions that are easily deployable onto Kubernetes clusters running on Azure. In this article, we will explore how to create a container-based solution and deploy it on the Azure Marketplace using a Container for Kubernetes (K8s) offer type. By following the steps outlined in this article, you will learn how to create an Azure Container Registry, build container images for your solution, create and manage a Cloud Native Application Bundle (CNAB), and publish your solution on the Azure Marketplace. Finally, we’ll review the security requirements for your images.

 

Creating an Azure Container Registry

The first step in deploying your solution on the Azure Marketplace is to create an Azure Container Registry (ACR) that will host your solution images. This ACR will be used by the marketplace to read the image and copy it to a Microsoft-owned registry. You can create a container registry using the Azure portal or the Azure CLI.

 

Once the container registry is created, you can access it through the Azure portal or from the Azure CLI. From there, you can manage your container images and set up access policies. One access policy you must create grants the marketplace the “ACR pull” permission, so your images can be pulled into Microsoft’s marketplace ACR for vulnerability scanning and publication.

You will use this ACR to store your images that will be submitted as part of your offer through the Partner Center portal.

 

Creating solution container images

After creating the ACR, the next step is to create container images for your solution and host them in the ACR. This section will cover the steps involved in creating the Docker container image, adding the Helm chart files, deployment files, and uploading the images to the ACR.

 

Dockerfile

This process starts with your Dockerfile used to build your solution’s images. Be sure to use the latest base images and update the services and apps on the base image so you will be best positioned to pass the vulnerability scan that comes later.

 

Helm chart files

A Helm chart is a package format used to define, install, and manage Kubernetes applications. It consists of a collection of YAML files that describe the various components of an application, including its dependencies, configurations, and resources. With Helm charts, developers can quickly and easily deploy and scale their applications on Kubernetes clusters.

 

Your deployment must be based on Helm charts and use digests instead of tags to ensure each CNAB bundle created is deterministic.
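
The digest requirement above can be checked before packaging. The following is an added example, not code from the original article or from Microsoft's tooling: it flags image references in rendered Helm output that are not pinned by a full sha256 digest. The registry names, digest value, and sample manifest are constructed for illustration.

```python
import re

# Constructed digest and registry names, for illustration only.
D = "sha256:" + "a" * 64
SAMPLE = f"""\
containers:
  - name: web
    image: contoso.azurecr.io/app/web@{D}
  - name: worker
    image: "contoso.azurecr.io/app/worker:1.4.2"
  - name: sidecar
    image: localhost:5000/app/sidecar
  - name: init
    image: contoso.azurecr.io/app/init:1.0@sha256:abc123
  - name: proxy
    image: contoso.azurecr.io/app/proxy:2.0@{D}
"""

# Matches `image: <ref>` lines, optionally as a list item and optionally quoted.
IMAGE_LINE = re.compile(r"""^\s*(?:-\s+)?image:\s*["']?([^"'\s#]+)""")
FULL_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def classify(ref):
    """Return how an image reference is pinned."""
    if FULL_DIGEST.search(ref):
        return "digest"            # deterministic, with or without a tag
    if "@" in ref:
        return "malformed-digest"  # digest present but not a full sha256
    # A colon after the last '/' is a tag; before it, a registry port.
    name = ref.rsplit("/", 1)[-1]
    return "tag" if ":" in name else "implicit-latest"

def unpinned_images(manifest_text):
    """List (line number, reference, reason) for every image not pinned by digest."""
    findings = []
    for lineno, line in enumerate(manifest_text.splitlines(), 1):
        match = IMAGE_LINE.match(line)
        if match and (kind := classify(match.group(1))) != "digest":
            findings.append((lineno, match.group(1), kind))
    return findings

if __name__ == "__main__":
    for lineno, ref, kind in unpinned_images(SAMPLE):
        print(f"line {lineno}: {ref} ({kind})")
```

Run it over the output of `helm template` for your chart; any finding means the resulting bundle could resolve to a different image on a later build.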

 

Deployment files

There are several files which we’ll refer to as our deployment files. These have various purposes as described below.

 

cluster-deployment.json

The cluster-deployment.json file is an Azure Resource Manager (ARM) template that can be used to deploy a Kubernetes cluster on Azure. This template provides a declarative way of defining the infrastructure resources required for a Kubernetes cluster, such as network services, storage accounts, and even AKS clusters. The ARM template also includes configuration settings for the Kubernetes master and worker nodes, as well as the necessary extensions and plugins. With the cluster-deployment.json file, users can easily provision and manage Kubernetes clusters on Azure in a repeatable and consistent manner.

 

createUiDefinition.json

The createUiDefinition.json file defines the user interface for creating or updating resources during deployment of your solution. It specifies the layout, content, and behavior of the user interface shown in the Azure portal. The file includes sections for fields, input validation, and dependencies, and allows developers to customize the user interface for their specific needs.

 

During deployment of your solution, output from createUiDefinition.json feeds directly into the ARM template parameters so that the ARM template can be parameterized for custom deployment scenarios. With this, users can easily deploy Azure resources with a user-friendly interface that guides them through the deployment process.

 

When creating a createUiDefinition.json file for your application, you will want to test the user experience. To simplify testing and development, copy your file contents to the Create UI Definition Sandbox in the Azure portal. The sandbox presents your user interface in the current, full-screen portal experience. The sandbox is the recommended way to preview the user interface.

 

manifest.json

This file provides information such as the name, version, and description of the container image, as well as providing pointers to all the other files in the package. This enables a single source of configuration for which files are included in the image when the manifest is used to create the CNAB.

 

Testing the deployment files

To further test createUiDefinition.json and cluster-deployment.json, you can use the ARM-TTK tool. It runs automated tests on ARM templates and UI Definition files, informing you of any issues in your files before you create your image.

 

Creating the CNAB bundle

The Cloud Native Application Bundle (CNAB) is an open-source deployment format for containers used by the Azure Marketplace to deploy solutions. This section explores how to download the CNAB bundler container, verify the package, package the artifacts, and push the CNAB to your ACR using the cpa buildbundle command.

 

You can follow these general steps:

  1. Download the image you’ll use to create the CNAB bundle. It can be pulled from the Microsoft public ACR with the following command.

     docker pull mcr.microsoft.com/container-package-app:latest

  2. Log in to the running container, with your local package files mapped as a volume in the container.
  3. Validate the bundle artifacts using the following command.

     cpa verify

  4. Build the bundle and upload the resulting CNAB to your ACR with the following command.

     cpa buildbundle

 

Now that the CNAB is in your ACR, the next step is to set up your offer in Partner Center to reference the image.

 

Setting up Partner Center

Partner Center is the publisher’s portal for the Azure Marketplace, where you can set up your offer and plan(s). You’ll start by creating a Container offer for Kubernetes apps. The offer will require marketing collateral, rich descriptions of your product, company logos, and other assets.

 

After the initial offer is in place, add one or more plans to the offer, each of which has its own pricing and technical configuration. In setting up the technical configuration, select your CNAB from your ACR. Once you’ve selected the appropriate images in the technical configuration, you can publish your offer.

 

A note on security

Security is an important consideration when submitting container images to the Azure Marketplace.

Enable Microsoft Cloud Defender for your ACR to scan your images, then check that the images have a CVSS 3.0 score under 7.0, which is required to pass certification. Scanning your images with Microsoft Cloud Defender means you are performing the same vulnerability scan that will be done by the Microsoft certification team.

 

Conclusion

By following the steps outlined in this article, you should now have a good understanding of how to create and deploy container-based solutions on the Azure Marketplace using the CNAB format. Remember to always consider security when submitting images to the marketplace and to leverage the tools provided by Azure, such as Microsoft Cloud Defender, to scan your images for vulnerabilities. With this knowledge, you can now take advantage of the power and flexibility of the Azure Marketplace to deploy your container-based solutions with ease.

Last update: Apr 25 2023 01:25 PM