Bitnami’s Free Catalog Says Goodbye: Avoid Brownouts and a $72k Surprise

TL;DR

  • Bitnami is narrowing public access to images and pausing updates to many chart artifacts. Expect brownouts once the cut-over window starts on Aug 28th, with final public catalog deletion on Sept 29th.
  • The biggest risks: 
    • Kubernetes ImagePullBackOff on restarts or during autoscaling,
    • stale/unpatched images (CVE drift),
    • chart drift and subchart dependencies that break upgrades.
  • We’re publishing CREs (Common Reliability Enumerations) that help you quickly identify Bitnami-related risks and resolve them. 

stonesabe4 on reddit

Why Bitnami mattered

For years, Bitnami’s images and Helm charts were the de-facto path to running popular apps on Kubernetes. Well-maintained images, sensible defaults, and easy Helm installs. Many teams pinned Bitnami images in deployments, CI pipelines, and internal charts.

What’s changing

Bitnami is making a number of changes following its acquisition by Broadcom and a renewed focus on a subscription model:

  • Catalog changes. The container repos are undergoing a major shift.  
    1. The existing docker.io/bitnami public repo will be deleted.   
    2. A new repo docker.io/bitnamisecure will contain hardened community images, but there is a catch. It will only contain the latest tags and these images are intended for development only.     
    3. Existing container images will be moved to a new repo docker.io/bitnamilegacy, but will receive no further updates.
  • Charts stop updating. Bitnami’s pre-built Helm chart artifacts won’t be updated anymore, so their defaults keep pointing to old images; you’ll need to override image repos/tags or adopt alternatives.

Brownouts & cutoff windows. Bitnami has planned 24-hour outages for selected images. For each scheduled brownout, ten container images from docker.io/bitnami will be taken offline for a 24-hour period. The specific applications impacted will be shared on the day the brownout begins. Final cutoff will occur on Sept 29.

Bitnami Repo Deprecation Timeline

Who’s affected

If you use any of these, read on:

  • Pinned or unpinned Bitnami image tags (e.g., docker.io/bitnami/postgresql:13.x, :latest) in Deployments/StatefulSets/Jobs.
  • Bitnami-based charts in helmfile/Argo CD/Flux pipelines.
  • CI pipelines that pull Bitnami tools (kubectl, kubectl-helm, db images, etc.).

What will the impact be?

  • Kubernetes ErrImagePull / ImagePullBackOff on pod restarts, scale-outs, node drains, or fresh deploys.
  • Time-bomb restarts. Running pods look fine until the next pull (then fail).
  • Security drift. Stale/archived images stop receiving fixes and lead to accumulated CVEs.
  • Chart drift. Defaults reference repos/tags that no longer update, leading to failed upgrades or silent divergence.

Doing a manual impact assessment

Here are a few steps you can take to understand your exposure and mitigate associated risk. 

  1. Inventory images:
    kubectl get pods -A -o json | jq -r '..|.image? // empty' | sort -u | grep -i bitnami
  2. Search configs & charts: grep your helmfiles/values/overlays for bitnami and pinned tags.

Automated Assessment: New CREs to help

We’re publishing a focused set of Common Reliability Enumerations (CREs) to help you surface issues:

  • PREQUEL-2025-0102  (Pulling Deprecated Bitnami Images) - Detects workloads pulling Bitnami images scheduled to be deleted or moved.   
  • PREQUEL-2025-0103 (Pulling Unmaintained Bitnami Images) - Detects workloads pulling from unmaintained repos. 
  • PREQUEL-2025-0104 (Pulling Latest-Only-Non-Prod Bitnami Images) - Detects workloads pulling images from the latest-only non-prod repo. 
  • PREQUEL-2025-0105 (Deployment Tied to Deprecated Bitnami Images) - Detects deployments that reference deprecated image locations.

These CREs are cluster- and pipeline-friendly: run them in dev, staging, and prod to address issues and ensure regressions don’t occur.

Using Prequel to catch Bitnami risks before they break prod

You can use Prequel to continuously run CREs, examine and correlate cluster events/logs/configs, and provide guided fixes.

Why Prequel (vs. doing this by hand)

  • Large exclusive CRE library covering 100s of popular technologies maintained by the Prequel Reliability Research Team (PRRT).
  • Distributed detection engine that connects the dots across nodes and clusters.
  • Web UI with guided workflows for investigation & collaboration.
  • Deep integrations with incident tracking, chat, CI/CD tools.
  • Control plane to manage rules, sensors, and rollouts.

You can use Prequel to continuously scan for these and other risks. (A free 30-day trial is available.)

Sneak Peek of the Prequel Rules Catalog 

Pragmatic Bitnami risk migration options 

Once you understand your exposure using an automated or manual method, there are a number of steps you can take.   

  • Identify and adopt new repos. Evaluate alternatives such as Docker Official or Hardened Images, Chainguard, or others to see what meets your needs and budget.
  • Mirror first, then refactor. Point Bitnami images to a private registry mirror for faster pulls and no cutoff, then replace images/charts on your schedule.
  • Pin by digest. Use immutable digests to lock the exact image you want, unlike tags which may move/disappear.
  • Automate gates. Proactively fail builds when CREs detect deprecated Bitnami pulls in manifests or pipelines.
  • Prove in staging. Force a rolling restart before a cutoff window; verify image pulls and readiness gates.
  • Document the new defaults. Put the new repo/tag/digest and patch cadence where your team can’t miss it.
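
A sketch of such a build gate in POSIX shell, added here as an example (it is not Prequel's CRE logic or code from the original post). It also tightens the manual inventory step: implicit Docker Hub references such as bitnami/postgresql are normalized to docker.io, a private mirror path is not flagged, and each image is reported as digest-pinned or tag-only. The function names, the sample manifest, the registry.example.internal host and the digest are constructed for illustration.

```shell
#!/bin/sh
# Added example. Repo names are the three named in the article.

# Print the risk class of one image reference.
classify_image() {
    ref=$1
    first=${ref%%/*}
    case "$ref" in
        */*) case "$first" in
                 *.*|*:*|localhost) ;;              # explicit registry host
                 *) ref="docker.io/$ref" ;;         # Docker Hub is implied
             esac ;;
        *)   ref="docker.io/library/$ref" ;;        # bare name, e.g. "nginx"
    esac
    case "$ref" in                                  # Docker Hub host aliases
        index.docker.io/*|registry-1.docker.io/*) ref="docker.io/${ref#*/}" ;;
    esac
    case "$ref" in
        docker.io/bitnami/*)       echo deprecated ;;    # repo will be deleted
        docker.io/bitnamilegacy/*) echo unmaintained ;;  # no further updates
        docker.io/bitnamisecure/*) echo latest-only ;;   # development only
        *)                         echo ok ;;
    esac
}

# Print "pinned" when the reference carries an immutable digest.
pin_state() {
    case "$1" in *@sha256:*) echo pinned ;; *) echo tag-only ;; esac
}

# Read manifest text on stdin, report every image, return 1 on any risky pull.
gate() {
    rc=0
    for img in $(sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' | tr -d "\"'" | sort -u); do
        class=$(classify_image "$img")
        echo "$class $(pin_state "$img") $img"
        [ "$class" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample manifest fragment (not from a real cluster).
SAMPLE='
      - image: bitnami/postgresql:13.4.0
        image: "docker.io/bitnamilegacy/redis:7.2"
      - image: registry.example.internal/bitnami/nginx@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - image: docker.io/bitnamisecure/kafka:latest
'
REPORT=$(printf '%s\n' "$SAMPLE" | gate) || echo "gate: risky Bitnami pulls found"
printf '%s\n' "$REPORT"
```

In CI, feed it rendered manifests (for example the output of `helm template`) and let the non-zero return of `gate` fail the job.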

Wrap-up

Ecosystem shifts like this can break prod today, or break on your next upgrade. It is increasingly impossible to keep up with all the risks that affect your stack. Use CREs to keep watch for these and 1000s of other daily risks.  If you need help, try Prequel and stay ahead of breaking ecosystem changes.
