|
| 1 | +# Bitnami Images Deprecation – Migration Analysis |
| 2 | + |
| 3 | +## 1. Introduction |
| 4 | + |
| 5 | +On **August 28th, 2025**, Bitnami will **deprecate the majority of its container images** from the main public repository (`docker.io/bitnami`). |
| 6 | + |
| 7 | +- Only a **limited subset** of _latest_-tag hardened images will remain available for free in the **Bitnami Secure** namespace. |
| 8 | +- All other images will be moved to the **Bitnami Legacy** repository (`docker.io/bitnamilegacy`) — which will **receive no further updates, security patches, or bug fixes**. |
| 9 | +- Version-pinned tags (e.g., `mongodb:8.0.13`) will no longer be available in the free tier. |
| 10 | +- Bitnami Helm charts will remain published but will **fail if they reference removed images**, unless updated. |
| 11 | + |
| 12 | +**Impact:** |
| 13 | +If you are using Bitnami images or Bitnami Helm charts in production, **your deployments will break** when they attempt to pull images that no longer exist. This will cause: |
| 14 | + |
| 15 | +- `ImagePullBackOff` / `ErrImagePull` errors in Kubernetes |
| 16 | +- CI/CD pipeline failures |
| 17 | +- Service downtime during restarts or scaling |
| 18 | + |
| 19 | +## 2. Migration Options |
| 20 | + |
| 21 | +### Option 1 – Point Helm Charts to Legacy Repository |
| 22 | + |
| 23 | +**Example:** `bitnamilegacy/mongodb` |
| 24 | + |
| 25 | +**Pros:** |
| 26 | + |
| 27 | +- Minimal changes needed — only update the repository path in `values.yaml` |
| 28 | +- Keeps current version running without chart rewrites |
| 29 | + |
| 30 | +**Cons:** |
| 31 | + |
| 32 | +- **No security updates** (risk of vulnerabilities over time) |
| 33 | +- **No bug fixes** for critical issues |
| 34 | +- **Unknown lifespan** — Bitnami may remove `bitnamilegacy` in the future |
| 35 | +- **Version drift** — teams could end up on incompatible versions |
| 36 | + |
| 37 | +### Option 2 – Subscribe to Bitnami Secure Images |
| 38 | + |
| 39 | +**Example:** `bitnamisecure/mongodb:<version>` _(requires paid subscription)_ |
| 40 | + |
| 41 | +**Pros:** |
| 42 | + |
| 43 | +- Access to **all versions**, **LTS branches**, and **security updates** |
| 44 | +- Enterprise-grade support, hardened builds, SBOMs, CVE transparency |
| 45 | + |
| 46 | +**Cons:** |
| 47 | + |
| 48 | +- **High cost** ($50,000–$72,000/year) |
| 49 | +- Vendor lock-in |
| 50 | + |
| 51 | +### Option 3 – Use Public “Latest” from Bitnami Secure |
| 52 | + |
| 53 | +**Example:** `bitnamisecure/mongodb:latest` _(free, development use only)_ |
| 54 | + |
| 55 | +**Pros:** |
| 56 | + |
| 57 | +- No subscription cost |
| 58 | +- Automatically receives updates for the latest stable release |
| 59 | + |
| 60 | +**Cons:** |
| 61 | + |
| 62 | +- **No version pinning** — deployments may break due to unexpected major updates |
| 63 | +- **Not production-safe** — could introduce instability if “latest” contains breaking changes |
| 64 | + |
| 65 | +### Option 4 – Replace Bitnami Images with Official Vendor Images |
| 66 | + |
| 67 | +**Example:** Use official MongoDB Helm chart with `mongodb:8.0.13` |
| 68 | + |
| 69 | +**Pros:** |
| 70 | + |
| 71 | +- Maintained directly by the upstream vendor (MongoDB, PostgreSQL, Redis, etc.) |
| 72 | +- No dependency on Bitnami’s business model |
| 73 | + |
| 74 | +**Cons:** |
| 75 | + |
| 76 | +- Requires creating or adapting **custom Helm charts** |
| 77 | +- Ongoing maintenance burden for chart updates and compatibility |
| 78 | + |
| 79 | +### Option 5 – Build and Maintain Your Own Images |
| 80 | + |
| 81 | +**Example:** |
| 82 | + |
| 83 | +- Use Bitnami’s open-source Dockerfiles from GitHub (`bitnami/containers`) |
| 84 | +- Automate builds via GitHub Actions to produce private images regularly |
| 85 | + |
| 86 | +**Pros:** |
| 87 | + |
| 88 | +- Full control over **versioning** and **security patching** |
| 89 | +- Can pin specific versions in Helm charts |
| 90 | +- Avoids Bitnami subscription fees |
| 91 | + |
| 92 | +**Cons:** |
| 93 | + |
| 94 | +- Requires setting up and maintaining a CI/CD pipeline for builds |
| 95 | +- Responsibility for security scanning, updates, and hosting |
| 96 | + |
| 97 | +## 3. Recommendation |
| 98 | + |
| 99 | +**Short-term (Immediate Fix):** |
| 100 | +Migrate production workloads to `bitnamilegacy` to prevent downtime **before August 28th, 2025**. |
| 101 | +This avoids immediate breakage but should be treated as a **temporary solution only**. |
| 102 | + |
| 103 | +**Long-term (Strategic Fix):** |
| 104 | +**Option #5** — Build and maintain your own images — is the most sustainable and cost-effective path without paying for Bitnami Secure. |
| 105 | + |
| 106 | +- Preserves version pinning |
| 107 | +- Eliminates vendor dependency |
| 108 | +- Can be automated with daily/weekly builds for security updates |
| 109 | + |
| 110 | +**Why not Option #4?** |
| 111 | +While official vendor images are reliable, migrating Helm charts for multiple services is more time-consuming than keeping Bitnami’s Helm charts but replacing the image source. |
| 112 | + |
| 113 | +## 4. Migration Checklist |
| 114 | + |
| 115 | +1. **Inventory all Bitnami usage** |
| 116 | + ```bash |
| 117 | + kubectl get pods -o jsonpath='{.items[*].spec.containers[*].image}' | grep bitnami |
| 118 | + ``` |
| 119 | +2. **Update `values.yaml`** to point to `bitnamilegacy` (short term) |
| 120 | +3. **Set up GitHub Actions** to build images from the latest Bitnami's secure image |
| 121 | + ```dockerfile |
| 122 | + FROM docker.io/bitnamisecure/mongodb:latest |
| 123 | + ``` |
| 124 | +4. **Publish built images** in GitHub Packages as the repo is public |
| 125 | +5. **Update `values.yaml`** to point to the custom images deployed in GitHub Packages |
| 126 | +
|
| 127 | +## 5. Conclusion |
| 128 | +
|
| 129 | +The Bitnami image deprecation is a **critical supply chain risk** for Kubernetes environments. |
| 130 | +While pointing to `bitnamilegacy` can buy time, it is **not a safe long-term solution**. |
| 131 | +
|
| 132 | +By automating builds of Bitnami’s open-source images (Option #5), you: |
| 133 | +
|
| 134 | +- Retain control over versions |
| 135 | +- Ensure security patches are applied |
| 136 | +- Avoid costly licensing fees |
| 137 | +- Reduce dependency on third-party registries |
0 commit comments