Bitnami's Catalog Overhaul: Security, Scarcity, and the Future of Container Ecosystems

In a decision rippling through DevOps pipelines, Bitnami has unveiled plans to fundamentally reshape its public catalog of container images and Helm charts. Effective August 28, 2025, the company will migrate all existing versioned images (e.g., 2.50.0, 10.6) from its primary Docker Hub repository (docker.io/bitnami) to a new Bitnami Legacy repository (docker.io/bitnamilegacy). This archive will receive no further updates or security patches, effectively stranding users reliant on older tags unless they migrate. Concurrently, Bitnami is launching a restricted community offering: a curated set of free, hardened images available only under the latest tag via docker.io/bitnamisecure. Production-ready features—like long-term support (LTS), distroless runtimes, and comprehensive SBOMs—now reside exclusively behind the paywall of its Bitnami Secure Images enterprise tier.

The Three Pillars of Change

1. Community Catalog Downsizing

Bitnami will cease generating Debian-based images for its free tier and transition existing ones to the Legacy repository. The remaining free offering shrinks dramatically:
- Only a "focused set" of applications will be available.
- Access is restricted to the latest tag, eliminating version pinning for development use.
- Source code for Helm charts and images remains Apache 2-licensed on GitHub, but building from source becomes necessary for older versions.

2. Rise of Bitnami Secure Images

Positioned as the enterprise successor, this paid offering (accessible via Arrow Electronics) promises:

"Hardened, low-attack-surface operating systems, continuous SLSA Level 3 compliant rebuilds, VEX/KEV CVE transparency, and compliance artifacts for over 280 applications."

Notably, it includes minimal distroless images and LTS branches, catering to stringent security and regulatory demands.

3. Legacy Repository: A Temporary Lifeline

The docker.io/bitnamilegacy repository serves as an archive for deprecated images. While accessible, it carries critical caveats:
- Zero Updates: No security patches, bug fixes, or support.
- Migration Bridge: Intended solely as a stopgap for users updating Helm charts or CI/CD pipelines.
- Workaround Complexity: Helm users must manually override image repositories, as demonstrated in this code snippet from Bitnami's FAQ:

    helm upgrade mypostgres oci://registry-1.docker.io/bitnamicharts/postgresql \
      --version 16.7.0 \
      --set image.repository=bitnamilegacy/postgresql \
      --set volumePermissions.image.repository=bitnamilegacy/os-shell

Timeline and Developer Imperatives

  • Immediate Action (Now – August 28, 2025): Audit deployments for Bitnami dependencies. Test the free hardened images and update Helm charts or Kubernetes manifests. Deprecation warnings are live in documentation.
  • Cutover Date (August 28, 2025): The main Bitnami repository shifts to the limited free tier. All other assets move to Legacy.
  • Post-Cutoff: Free users lose access to versioned tags entirely. Production systems require Bitnami Secure Images subscriptions for ongoing support.
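
The audit step in the timeline above can be scripted over rendered manifests. The following is an added example, not code from Bitnami or the original article; the status labels, the sample manifest, and the treatment of digest pins as versioned references are assumptions made here.

```python
import re

# Docker Hub aliases; a reference with no registry host defaults to Docker Hub.
DOCKER_HUB = {"docker.io", "index.docker.io", "registry-1.docker.io"}
IMAGE_LINE = re.compile(r"^\s*(?:-\s*)?image:\s*(\S+)", re.MULTILINE)

# Constructed sample manifest (tags and digest are placeholders, not real releases).
SAMPLE = """\
containers:
  - image: bitnami/postgresql:16.7.0
  - image: docker.io/bitnami/redis
  - image: "registry-1.docker.io/bitnamilegacy/os-shell:1.0.0"
  - image: docker.io/bitnamisecure/nginx:latest
  - image: ghcr.io/example/bitnami/app:1.0
  - image: bitnami/kafka@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

def parse_image(ref):
    """Split a reference into (registry, namespace, name, tag_or_digest)."""
    ref, _, digest = ref.strip().strip("'\"").partition("@")
    parts = ref.split("/")
    # The first component is a registry only if it looks like a host.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        host, parts = parts[0], parts[1:]
    else:
        host = "docker.io"
    name, _, tag = parts[-1].partition(":")
    return host, "/".join(parts[:-1]) or "library", name, digest or tag or "latest"

def classify(ref):
    """Return a status label (labels are this example's own) or None if not Bitnami."""
    host, ns, _, tag = parse_image(ref)
    if host not in DOCKER_HUB or ns not in ("bitnami", "bitnamilegacy", "bitnamisecure"):
        return None
    if ns == "bitnamilegacy":
        return "legacy-unpatched"          # archive: no security patches
    if tag == "latest":
        return "latest-only-free-tier"     # limited to the focused free set
    # Versioned tags (and, by assumption, digest pins) leave docker.io/bitnami;
    # the free bitnamisecure offering publishes only latest.
    return "pinned-moves-to-legacy" if ns == "bitnami" else "pinned-not-in-free-tier"

def audit(manifest_text):
    """List (image, status) for every Bitnami image line in rendered YAML."""
    refs = (r.strip("'\"") for r in IMAGE_LINE.findall(manifest_text))
    return [(r, s) for r in refs if (s := classify(r))]

if __name__ == "__main__":
    for image, status in audit(SAMPLE):
        print(f"{status:26} {image}")
```

Feed it the output of helm template or kubectl get pods -A -o yaml. Helm values files that split image.repository and tag into separate keys are not parsed.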

Why This Matters Beyond Bitnami

This restructuring isn't just a vendor policy change—it's a microcosm of broader shifts in open-source infrastructure. As Log4j and similar crises highlight supply chain vulnerabilities, enterprises increasingly demand auditable, secure artifacts. Bitnami's bet on monetizing hardened images reflects this, but at a cost: developers face tighter constraints on free tooling and heightened migration burdens. Teams clinging to older Bitnami images risk unpatched CVEs, while those transitioning must weigh DIY builds against subscription fees. The move also pressures the wider ecosystem, potentially accelerating adoption of alternatives like Chainguard or Wolfi for truly open, secure bases. Ultimately, Bitnami’s pivot signals that the era of freely accessible, version-rich container catalogs may be waning, replaced by tiers where security is a premium service.

Source: GitHub Issue #35164 on bitnami/charts repository