Open-source software, containers, and Kubernetes have combined to usher in a new era of opportunity for companies to derive value from the software they build and run in their infrastructure. These technologies come with their own challenges, however.
Modern workflows don’t eliminate all of the difficulty inherent in using server software. Building and maintaining reusable container images requires navigating a complex web of dependencies, libraries, version compatibility issues, and configuration quirks. The most readily available way for developers to overcome these challenges is to use pre-packaged, open-source containers that are found in public registries, like Docker Hub. One of the most trusted publishers of those containers, with more than 3 million registered developers, is Bitnami.
Bitnami engineers automated every step of the packaging, publishing, and testing lifecycle for open-source containers by monitoring for changes in hundreds of upstream repositories and vulnerability databases, updating the library thousands of times per month across multiple clouds and platforms, and continuously testing every version update natively in every environment. The result is that deploying open-source applications went from a time-consuming, error-prone process to something that developers could do in minutes without compromising quality or introducing vulnerabilities.
When Bitnami was acquired by VMware in June 2019, it marked a new chapter in both companies’ stories. For Bitnami, the acquisition gave it the resources and access it needed to expand to the enterprise at an accelerated pace, and in a way that naturally aligned with VMware’s “any application on any device in any cloud” vision. Bitnami’s mission has always been about making open-source software available to anyone, on any platform. Achieving this mission for VMware’s Enterprise customers meant not only supporting the needs of developers, but exposing all the features that made Bitnami successful in a way that is consumable by operators.
Tanzu Application Catalog solves some of the fundamental challenges of using open-source software. Whereas developers want to self-serve apps and components quickly so they can innovate, operators want all software to be built and maintained transparently and according to IT policy governance. Tanzu Application Catalog is designed to bridge that gap. It provides open-source containers and charts that developers access much the same way they would from a public registry, while also delivering transparency, proof of testing and security scanning, and compliance with IT governance for operators.
With those enterprise developers and operators in mind, we were excited to announce on March 10th that Tanzu Application Catalog is now available.
Tanzu Application Catalog is a customizable selection of open-source software from the Bitnami collection that is continuously maintained and verifiably tested for use in production environments. It brings developers the productivity and agility of pre-packaged apps and components, while enabling operators to meet the stringent security and transparency requirements of enterprise IT.
Let’s take a look into how Tanzu App Catalog brings Bitnami’s mission to enterprise developers and operators alike.
Curate a private catalog of containers from the Bitnami collection
Tanzu Application Catalog is a curated selection of open-source containers and Helm charts from the Bitnami collection, packaged onto your Linux distribution of choice and stored in a repository of your choosing. Either give us an endpoint to continuously push your software to, or we can host a repository for you to pull from. Operators can access comprehensive metadata about every container, including a manifest of which libraries, binaries, and open-source licenses are in the stack, as well as proof of functional tests, version upgrade tests, and security/virus scans. Operators can make this repository of containers available to developers for self-service, and they can also deploy and manage software like databases, developer productivity tools, and line-of-business apps themselves.
Select applications and components to be built and maintained for your catalog
Self-service application components for developers
Developers today don't write much of the code that goes into applications. Instead, they compose multiple open-source components that work together with the business logic they write to form applications. They also have access to an almost unlimited supply of containers in public registries; Docker Hub has more than 100,000 containers alone. However, there are details about the contents of containers in public registries that are not transparent to the user. And while these details don’t affect the functionality of the container, they can be critical when it comes to understanding whether a container is vulnerable or compliant with IT policy. For example, developers typically don’t need to know which versions of low-level Linux libraries are in their containers, because the functionality of those libraries does not change significantly from version to version. Operators, on the other hand, lose sleep at night wondering if a vulnerable library (such as OpenSSL) is lurking somewhere in their infrastructure. With Tanzu Application Catalog, operators know exactly what they are getting in every container, and developers can focus only on what matters for them to build innovative applications.
Access information about your catalog through the user interface
Runtimes, databases, and other components of modern applications
Developers building cloud-native applications need to be able to freely access a mix of runtime and framework containers that run their code (such as Python, Nodejs, or Java) and components that their applications depend on (such as MySQL, Redis, Elasticsearch, or Kafka). Tanzu Application Catalog provides developers with an approved source of all these application building blocks in containers, when they would normally get them from unapproved sources. These containers are continuously tested in multiple Kubernetes distributions, with proof of successful functional tests available for every update. The end result: applications and code that run consistently in the environments where you want to deploy them.
The included Helm charts enable developers to seamlessly adopt Tanzu Application Catalog by dropping vetted charts in as a replacement for unvalidated community ones. These charts are developed using best practices that enable seamless Day 2 operations, such as upgrades and scale-out. Because developers can use Tanzu Application Catalog containers and charts to develop locally, compatibility issues between development and production environments can be greatly reduced.
Transparency and auditability meet simplicity for operators
Operators manage Tanzu Application Catalog through a user interface or API. They can add and remove software from the catalog, update base-OS golden images, specify a registry for containers and charts, and access metadata about every container.
Vital compliance and audit details for security and operations teams
Tanzu Application Catalog delivers the open-source containers that cloud-native applications rely on to run while addressing the risk factors that can make community-sourced software impossible to use in production. It gives a full accounting of the provenance of open-source code used in applications and components, with a simple user interface that makes this information easily accessible to operators, legal teams and security teams. With Tanzu Application Catalog, there’s no guessing or tedious spreadsheet matrices to track which versions of what software is running in which environment. You can standardize on one set of containers, for which you have the following available:
History of updates to each container in the catalog
Source code and software licenses for libraries and binaries in every container
Logs of functional and unit tests, run in every environment relevant to the customer for every container update
Results of open-source security scans
Manifest of libraries and binaries included in every container
Drill down into the details about every container in your catalog
Your catalog, built on IT-approved base OS containers
Getting open-source software to work on custom OS images can be a challenge. It’s time-consuming work that takes developers away from writing code. Tanzu Application Catalog builds all of the selected containers onto customer-supplied base OS container images. This enables you to provide a security-hardened “golden image,” with your required agents or settings pre-configured. From there, all your containers are built on top of it. If you apply a patch or other change, your entire catalog is automatically rebuilt on the updated base OS image and retested before being updated in your private repository.
Don’t have your own base OS container image? Use one of ours. Tanzu Application Catalog provides a variety of base images for the most popular distributions of Linux, which are packaged using best practices. This comes with the added benefit of having the base OS image continuously patched with security vulnerability updates, which are continuously built into your catalog and automatically pushed to your repository.
Developers consume Tanzu App Catalog containers in a private registry
Bitnami automation, working for you
Bitnami, which has more than a decade of experience maintaining tens of thousands of software artifacts, is known for keeping its open-source containers up to date. When a new vulnerability is patched or a system library has a security update, this expertise is put to work for you. All the affected containers in your catalog will automatically be rebuilt, tested in every environment, and updated in your repository—all within a very short period of time. All of the most widely used repositories are supported, such as Harbor, JFrog Artifactory, and public cloud container registries. DevOps teams can subscribe to images in their private registries and feed updates into their CI/CD pipeline, and developers always have access to the latest version of any container.
Image updates are continuously updated in the registry
With the Tanzu portfolio of products, VMware is helping our customers become modern software organizations. Containers and open-source software are playing an increasingly important role in that transformation. With Tanzu Application Catalog and VMware, Bitnami is realizing a giant leap forward in its mission to make open-source software available to anyone, on any platform. We look forward to working with VMware’s enterprise customers as they leverage this new service to innovate with open-source software more rapidly and safely than they ever thought possible.
Be sure to check this additional blog post about getting started with Tanzu Application Catalog, including an overview video. Check out the Tanzu Application Catalog website, and if you would like to get in touch, contact us here.