
How to publish the AKS application along with creating other Azure resources too?

Padmanabhan M 220 Reputation points
2026-03-16T04:59:25.0466667+00:00

This is Microsoft's official recommended pattern for exactly your scenario. The idea is a two-offer approach:

  • Offer A: Your existing Kubernetes Container offer (keep it simple — just the cluster extension)
  • Offer B: A new Azure Managed Application offer that wraps Offer A and deploys all your Azure infrastructure alongside it

The managed app offer needs to create a new managed AKS cluster and install the application on the cluster. Your UI definition and ARM template in the Kubernetes offer can be really simple, as you extend them in the managed app offer. Microsoft Learn

In the managed app's mainTemplate.json, you can add extra components like user-assigned identities, Key Vault, and any other Azure resources alongside the Kubernetes extension. You update the variables section with your plan-name, plan-publisher, plan-offerID, releaseTrain, and clusterExtensionTypeName from your existing Kubernetes offer. Microsoft Learn

So your managed app's ARM template would deploy:

  • Microsoft.ContainerService/managedClusters (the AKS cluster)
  • Microsoft.KubernetesConfiguration/extensions (your app via the K8s offer)
  • Microsoft.OperationalInsights/workspaces (Log Analytics)
  • Microsoft.Storage/storageAccounts
  • Microsoft.DBforPostgreSQL/flexibleServers
  • Microsoft.Insights/dataCollectionRules
  • …all in one ARM template, no restrictions

Limitation to know: The managed app offer won't work against an existing managed AKS cluster — it needs to create a new one. Microsoft Learn If your customers want to bring their own cluster, this approach won't suit them.

Is this a possible way to publish my AKS application in the marketplace?

Azure Kubernetes Service

An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.


Answer accepted by question author
  1. Manish Deshpande 5,420 Reputation points Microsoft External Staff Moderator
    2026-03-16T05:30:37.8066667+00:00

    Hello Padmanabhan

    To deploy (publish) an AKS‑based application together with its dependent Azure resources (such as Key Vault, Storage, databases, Log Analytics, etc.), Microsoft recommends using a two‑offer deployment pattern when distributing via Azure Marketplace, or a single Infrastructure‑as‑Code (IaC) deployment when deploying internally.

    For Marketplace publishing, the officially recommended approach is a two‑offer model:

    Offer A – Kubernetes Application (Cluster Extension)

    • Contains only the Kubernetes application logic
    • Keeps the ARM/UI definition simple
    • Installed as a cluster extension on AKS

    Offer B – Azure Managed Application

    • Wraps Offer A
    • Deploys all required Azure infrastructure and AKS in a single ARM/Bicep template
    • Installs the Kubernetes application as part of the same deployment

    Using this model, the managed application ARM template can deploy:

    • Microsoft.ContainerService/managedClusters (AKS)
    • Microsoft.KubernetesConfiguration/extensions (your AKS app)
    • Supporting resources such as Key Vault, Storage, databases, Log Analytics, etc.

    This ensures customers get a single‑click, end‑to‑end deployment of the AKS application and all required Azure resources in a consistent and supported manner.

    Limitation: This approach creates a new AKS cluster; it does not support deploying into an existing customer‑managed AKS cluster.

    Reference Links:

    https://4sight.cloud/blog/a-step-by-step-guide-to-publishing-your-software-on-azure-marketplace

    https://learn.microsoft.com/en-us/azure/aks/deploy-application-template

    https://learn.microsoft.com/en-us/azure/aks/learn/quick-kubernetes-deploy-bicep?tabs=azure-cli

    When you deploy your solution using the two‑offer Marketplace model (Kubernetes application + Azure Managed Application), Microsoft does not recommend passing sensitive values such as database passwords directly into Helm values.

    Instead, the supported and secure pattern is:

    Azure Managed Application → Azure Key Vault → AKS (Helm) via Secrets Store CSI Driver.

    Managed Application (ARM/Bicep)

    • Deploy PostgreSQL (Azure Database for PostgreSQL)
    • Capture:

    AKS Cluster Setup

    • Enable Azure Key Vault Provider for Secrets Store CSI Driver
    • AKS uses Managed Identity to authenticate to Key Vault
    • No credentials stored in code or Helm values

    Kubernetes Application (Offer A – Helm / Cluster Extension)

    • Helm chart defines:
      • SecretProviderClass
      • Volume mount from Key Vault
      • Secrets are injected into pods as:
      • Environment variables or
      • Mounted files

    This is the supported way to pass dynamic secrets into Helm deployments.

    https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver

    Please note that Azure Managed Application offers always create a new AKS cluster as part of deployment. Deploying the solution into an existing, customer‑managed AKS cluster is not supported with this Marketplace model.

    Thanks.

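A pre-publish check for the secret-handling advice in the accepted answer above, added here as an example (it is not part of the answer and not Microsoft tooling): it scans a managed app `mainTemplate.json`, loaded as a dict, for secrets handed to the `Microsoft.KubernetesConfiguration/extensions` resource as Helm values and for an AKS cluster that does not enable the Key Vault CSI provider add-on. The key-name regex, the finding texts and both sample templates are assumptions constructed for the example, and only the top-level `resources` array is read.

```python
import re

# Heuristic key names that suggest a credential (an assumption of this example).
SENSITIVE_KEY = re.compile(r"pass(word)?|secret|token|connection.?string|api.?key", re.I)
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")
SETTINGS = ("configurationSettings", "configurationProtectedSettings")

def audit_template(template):
    """Return findings for secrets handed to the cluster extension as Helm values."""
    secure = {name for name, p in template.get("parameters", {}).items()
              if p.get("type", "").lower() in ("securestring", "secureobject")}
    findings = []
    for res in template.get("resources", []):  # top-level resource array only
        rtype = res.get("type", "").lower()
        props = res.get("properties", {})
        if rtype == "microsoft.kubernetesconfiguration/extensions":
            for field in SETTINGS:
                for key, value in props.get(field, {}).items():
                    text = str(value)
                    # Flag credential-like keys, listKeys() calls, and secure parameter references.
                    if (SENSITIVE_KEY.search(key) or "listkeys(" in text.lower()
                            or secure & set(PARAM_REF.findall(text))):
                        findings.append(f"{field}.{key}: secret passed as a Helm value")
        elif rtype == "microsoft.containerservice/managedclusters":
            addon = props.get("addonProfiles", {}).get("azureKeyvaultSecretsProvider", {})
            if addon.get("enabled") is not True:
                findings.append("managedClusters: Key Vault CSI provider add-on not enabled")
    return findings

# Constructed sample templates, trimmed to the fields the check reads.
WEAK = {
    "parameters": {"dbPassword": {"type": "securestring"}},
    "resources": [
        {"type": "Microsoft.ContainerService/managedClusters", "properties": {}},
        {"type": "Microsoft.KubernetesConfiguration/extensions", "properties": {
            "configurationSettings": {"postgres.auth": "[parameters('dbPassword')]",
                                      "replicaCount": "2"}}},
    ],
}
FIXED = {
    "parameters": {"keyVaultName": {"type": "string"}},
    "resources": [
        {"type": "Microsoft.ContainerService/managedClusters", "properties": {
            "addonProfiles": {"azureKeyvaultSecretsProvider": {"enabled": True}}}},
        {"type": "Microsoft.KubernetesConfiguration/extensions", "properties": {
            "configurationSettings": {"keyVault.name": "[parameters('keyVaultName')]",
                                      "keyVault.objectName": "postgres-password"}}},
    ],
}

if __name__ == "__main__":
    for name, tpl in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit_template(tpl))
```

In the fixed template the extension receives only the vault name and the secret's object name, which the chart's SecretProviderClass can use to mount the value at pod start.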

1 additional answer

  1. Q&A Assist
    2026-03-16T04:59:50.2533333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Yes, this is a supported and recommended way to publish an AKS-based application in Azure Marketplace.

    The documented pattern is:

    1. Create and publish a Kubernetes app–based Azure Container offer (Managed AKS or Arc-enabled Kubernetes) packaged as a CNAB bundle. This offer is registered as a cluster extension type and is what actually installs the application into the AKS cluster.
      • The Kubernetes offer must target either Managed AKS or Arc-Enabled Kubernetes, not both, and only Linux AMD64 images are supported.
      • The offer deploys via Microsoft.KubernetesConfiguration/extensions on the cluster.
    2. Create an Azure Application – Managed Application plan that references that Kubernetes offer.
      • Use a deployment package .zip with mainTemplate.json and createUiDefinition.json.
      • Start from the managed app sample mainTemplate and createUiDefinition and update the variables:
             "variables": {
               "plan-name": "DONOTMODIFY",
               "plan-publisher": "DONOTMODIFY",
               "plan-offerID": "DONOTMODIFY",
               "releaseTrain": "DONOTMODIFY",
               "clusterExtensionTypeName": "DONOTMODIFY"
             }
        
        and bind them to values from the Kubernetes offer as described in the “Reference Kubernetes apps in the Azure application using a managed app sample” guidance.
      • In this managed app ARM template you can deploy:
        • Microsoft.ContainerService/managedClusters (new AKS cluster)
        • Microsoft.KubernetesConfiguration/extensions (the extension from your Kubernetes offer)
        • Plus any other allowed Azure resources for your solution (identities, networking, storage, databases, monitoring, etc.).
    3. Important limitation:
      • The managed app offer must create a new managed AKS cluster and then install the application on that cluster. It won’t work against an existing managed AKS or Arc-enabled Kubernetes cluster; if customers must bring their own cluster, this pattern does not apply.

    Within these constraints, using a two-offer model (Kubernetes Container offer + Azure Managed Application that wraps it and adds other Azure resources) is explicitly documented as the way to combine an AKS application with broader Azure infrastructure in a single Marketplace experience.


