tldr
- Bitnami is narrowing public access to images and pausing updates to many chart artifacts. Expect brownouts as the cut-over window starts on Aug 28th, with final public catalog deletion on Sept 29th.
- The biggest risks:
  - Kubernetes ImagePullBackOff on restarts or during autoscaling,
  - Stale/unpatched images (CVE drift),
  - Chart drift and subchart dependencies that break upgrades.
- We're publishing CREs (Common Reliability Enumerations) that help you quickly identify Bitnami-related risks and resolve them.
Credit: stonesabe4 on reddit
Why Bitnami mattered
For years, Bitnami's images and Helm charts were the de-facto path to running popular apps on Kubernetes. Well-maintained images, sensible defaults, and easy Helm installs. Many teams pinned Bitnami images in deployments, CI pipelines, and internal charts.
What's changing
Bitnami is making a number of changes following their acquisition by Broadcom and renewed focus on a subscription model.
Catalog changes
The container repos are undergoing a major shift:
- The existing docker.io/bitnami public repo will be deleted
- A new repo docker.io/bitnamisecure will contain hardened community images, but there is a catch. It will only contain the latest tags and these images are intended for development only
- Existing container images will be moved to a new repo docker.io/bitnamilegacy, but will receive no further updates
Charts stop updating
Bitnami's pre-built Helm chart artifacts won't be updated anymore, so their defaults keep pointing to old images; you'll need to override image repos/tags or adopt alternatives.
Brownouts & cutoff windows
Bitnami has planned 24-hour outages for selected images. For each scheduled brownout, ten container images from docker.io/bitnami will be taken offline for a 24-hour period. The specific applications impacted will be shared on the day the brownout begins. Final cutoff will occur on Sept 29.
Bitnami Repo Deprecation Timeline
Who's affected
If you use any of these, read on:
- Pinned or unpinned Bitnami image tags (e.g., docker.io/bitnami/postgresql:13.x, :latest) in Deployments/StatefulSets/Jobs
- Bitnami-based charts in helmfile/Argo CD/Flux pipelines
- CI pipelines that pull Bitnami tools (kubectl, kubectl-helm, db images, etc.)
What will the impact be?
- Kubernetes ErrImagePull / ImagePullBackOff on pod restarts, scale-outs, node drains, or fresh deploys
- Time-bomb restarts - Running pods look fine until the next pull (then fail)
- Security drift - Stale/archived images stop receiving fixes and lead to accumulated CVEs
- Chart drift - Defaults reference repos/tags that no longer update leading to failed upgrades or silent divergence
Doing a manual impact assessment
Here are a few steps you can take to understand your exposure and mitigate associated risk:
- Inventory images:
  kubectl get pods -A -o json | jq -r '..|.image? // empty' | sort -u | grep -i bitnami
- Search configs & charts: grep your helmfiles/values/overlays for bitnami and pinned tags
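The inventory step above, extended into an added example (not code from the original post or from Prequel): it goes beyond the one-liner by sorting each Docker Hub pull into the three repos described earlier and noting whether it is pinned by digest. The function names, sample pods, tags, digest and the mirror host are assumptions constructed for illustration.

```python
import re

# Repos named in the article, mapped to what the article says happens to each.
REPO_STATUS = {
    "bitnami": "deprecated: public repo will be deleted",
    "bitnamilegacy": "unmaintained: no further updates",
    "bitnamisecure": "latest-only: intended for development",
}
DOCKER_HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}

def parse_image(ref):
    """Split an image reference into (registry, namespace, pinned_by_digest)."""
    pinned = "@sha256:" in ref
    parts = ref.split("@", 1)[0].split("/")
    # A first component containing "." or ":" (or "localhost") is a registry
    # host; without one the reference implicitly resolves to Docker Hub.
    if len(parts) > 1 and (re.search(r"[.:]", parts[0]) or parts[0] == "localhost"):
        registry, parts = parts[0].lower(), parts[1:]
    else:
        registry = "docker.io"
    namespace = parts[0].lower() if len(parts) > 1 else "library"
    return registry, namespace, pinned

def find_bitnami_images(pod_list):
    """Return sorted (pod, image, status, pinned) rows for Docker Hub Bitnami pulls."""
    rows = set()
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        owner = f'{meta.get("namespace", "default")}/{meta["name"]}'
        for field in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(field) or []:
                registry, namespace, pinned = parse_image(c["image"])
                if registry in DOCKER_HUB_HOSTS and namespace in REPO_STATUS:
                    rows.add((owner, c["image"], REPO_STATUS[namespace], pinned))
    return sorted(rows)

# Constructed sample shaped like `kubectl get pods -A -o json` output.
DIGEST = "@sha256:" + "a" * 64  # made-up digest
SAMPLE = {"items": [
    {"metadata": {"namespace": "db", "name": "pg-0"},
     "spec": {"initContainers": [{"image": "bitnami/kubectl:1.30"}],
              "containers": [{"image": "docker.io/bitnami/postgresql:13.x"}]}},
    {"metadata": {"namespace": "cache", "name": "redis-0"},
     "spec": {"containers": [{"image": "bitnamilegacy/redis" + DIGEST}]}},
    {"metadata": {"namespace": "web", "name": "nginx-1"},
     "spec": {"containers": [{"image": "docker.io/bitnamisecure/nginx:latest"},
                             {"image": "registry.example.internal/bitnami/nginx:1.27"}]}},
]}

if __name__ == "__main__":
    # For a live cluster, replace SAMPLE with json.load(sys.stdin) fed by kubectl.
    for owner, image, status, pinned in find_bitnami_images(SAMPLE):
        print(f"{owner}\t{image}\t{status}\tdigest-pinned={pinned}")
```

References without a registry host (bitnami/kubectl) are treated as Docker Hub pulls, and the image served from the constructed private mirror host is not reported.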
Automated Assessment: New CREs to help
We're publishing a focused set of Common Reliability Enumerations (CREs) to help you surface issues:
- PREQUEL-2025-0102 (Pulling Deprecated Bitnami Images) - Detects workloads pulling Bitnami images scheduled to be deleted or moved
- PREQUEL-2025-0103 (Pulling Unmaintained Bitnami Images) - Detects workloads pulling from unmaintained legacy repo
- PREQUEL-2025-0104 (Pulling Latest-Only-Non-Prod Images) - Detects workloads pulling images from the latest-only non-prod repo
- PREQUEL-2025-0105 (Deployment Tied to Deprecated Bitnami Images) - Finds deployments that reference deprecated image locations
These CREs are cluster- and pipeline-friendly: run them pre-deployment (CI), in staging, and periodically in prod to address issues and ensure regressions don't occur.
Using Prequel to catch Bitnami risks before they break prod
Prequel is the enterprise reliability problem detection platform (from the team behind the open source Preq and CRE projects). It runs CREs continuously, examining and correlating cluster events/logs/configs, and providing guided fixes.
Why Prequel (vs. doing this by hand)
- Larger exclusive CRE library covering 100s of popular technologies maintained by the Prequel Reliability Research Team (PRRT).
- Distributed detection engine that connects the dots across nodes and clusters.
- Web UI with guided workflows for investigation & collaboration.
- Deep integrations (incident tracking, chat, CI/CD).
- Control plane to manage rules, sensors, and rollouts.
You can use Prequel to continuously scan for these and other risks. Sign up for a 30-day free trial. No credit card required.
Sneak Peek of Prequel Rules Catalog
Pragmatic Bitnami risk migration options
Once you understand your exposure using an automated or manual method, there are a number of steps you can take:
- Identify new registries - Evaluate alternatives, such as Docker Official or Hardened Images, or Chainguard, to see what meets your needs and budget.
- Mirror first, then refactor - Point Bitnami images to a private registry mirror for faster pulls and no cutoff, then replace images/charts on your schedule.
- Pin by digest - Use immutable digests to lock the exact image you want, unlike tags which may move/disappear.
- Automate gates - Fail builds when CREs detect deprecated Bitnami pulls in manifests or pipelines.
- Prove in staging - Force a rolling restart before a cutoff window; verify image pulls and readiness gates.
- Document the new defaults - Put the new repo/tag/digest and patch cadence where your team can't miss it.
Wrap-up
Ecosystem shifts like this can break prod today, or break on your next upgrade. It is increasingly impossible to keep up with all the risks that affect your stack. If you need help, let Prequel keep watch for these and 100s of other daily risks.
Try Prequel and stay ahead of breaking ecosystem changes.