Bitnami Community Blog

The Kubernetes networking landscape is evolving, and the General Availability of the Gateway API in 2023 marked a significant step forward from the Ingress API. As the preferred mechanism for managing external access to services, the Gateway API offers greater expressiveness, role-based configuration, and better standardization. For those looking to future-proof their Kubernetes deployments, migrating from the Ingress API is a necessary and beneficial journey. The Bitnami Secure Images (BSI) catalog provides several Gateway API implementations, including Apache APISIX, Envoy Gateway, Contour, Kong, and NGINX Gateway Fabric ...
Managing a containerized application catalog shouldn't mean constantly checking dashboards for updates. Whether it's new applications, registry health changes, or critical patches, your team needs to know about important events as they happen, not hours or days later. The Bitnami team is excited to introduce Notification Providers, a flexible notification system that brings Bitnami Secure Images updates directly to where your team works. What are Notification Providers? Notification Providers are customizable notification channels that automatically alert you about important events in your Bitnami Secure Images catalog. Configure once, ...
By Álvaro Neira and Gonzalo Gómez What is Dynamic FIPS Feature? Hardened Bitnami Secure Images (BSI) are delivered with comprehensive FIPS preparation, including OpenSSL FIPS and compatible runtime configurations. While this ensures high security, we realized that a hard default could inadvertently restrict users who don't require FIPS compliance. This might impact the experience of using Bitnami Secure Images due to friction with FIPS for products that do not require it. To address this, our Dynamic FIPS Feature was developed, empowering users to easily configure FIPS mode levels directly within their containers and Helm charts, optimizing for ...
As announced during Atlanta’s KubeCon North America 2025, Helm 4 is finally available! Helm v4 is a significant project milestone that introduces a series of architectural changes, enhanced features, and new patterns, while maintaining backward compatibility for existing charts. For a comprehensive understanding of all the details, we encourage you to consult the Official Helm 4 Overview. Is Helm 4 compatible with the Bitnami Secure Images (BSI) charts catalog? While Helm v4 has announced a Charts v3 specification in its roadmap, it is not yet available. Charts currently using the v2 specification, like those in the BSI charts ...
GitOps has fundamentally changed how we deploy applications. With tools like ArgoCD and Renovate Bot, the deployment pipeline is reduced to a simple action: merging a Pull Request (PR). But what happens when that PR proposes an update to a critical production service, and you don't have a dedicated pre-production environment for testing? The real challenge in modern GitOps isn't automation—it's assessment. Every time an automated bot suggests a new version of a Bitnami Secure Images Helm chart, a DevOps engineer faces the "production update dilemma." Is the potential security gain worth the risk of disruption? This article walks ...
On September 8th, Josh Junon, the main developer of multiple very popular NPM packages, posted that his NPM account had been compromised. The attacker used his account to publish new versions of packages containing code that executes on the client side of a website, silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user. The packages and versions identified as containing malware at the time of writing this post are the following: ansi-styles@6.2.2 ...
The base image is a critical factor in determining a containerized application's overall responsiveness, resource efficiency, and security. A Bitnami Secure Image (BSI) Node.js Minimal provides a secure and efficient alternative to standard Node.js images. Let's explore why. What is a BSI Node.js Minimal Image? The BSI Node.js Minimal image (bitnamisecure/node-min:latest) is a specialized container that contains only the necessary components to run a Node.js application. This approach removes unnecessary binaries such as npm and yarn, along with other libraries and dependencies, making the image significantly smaller and more secure. ...
Bitnami Secure Images (BSI) provides a secure, transparent, robust and reliable solution for deploying applications in containerized environments. By leveraging Bitnami Secure Images, developers and operations teams can deploy applications with confidence and transparency, knowing they are running on a secure, optimized, and well-maintained foundation, and reducing NIST Accreditation time by up to 80%. Community-Tier public catalog While production users should subscribe to Bitnami Secure Images for full version support, a limited community-tier subset of container images is publicly available on Docker Hub for development and trial for potential customer ...
Update: After evaluating the impact and community feedback, the Bitnami team has postponed the deletion of the Bitnami public catalog (docker.io/bitnami) until September 29th to give users more time to adapt to the upcoming changes. To raise awareness before the registry deletion, we will run a series of brownouts over the coming weeks. During each brownout, a set of 10 container images from docker.io/bitnami will be temporarily unavailable for 24 hours. The scheduled brownouts are: August 28, 08:00 UTC → August 29, 08:00 UTC; September 2, 08:00 UTC → September 3, 08:00 UTC; September 17, 08:00 UTC → September 19, 08:00 UTC. The list ...
In the world of containerized applications, selecting the right base image is crucial for performance, security, and resource management. While upstream Java images serve their purposes, there are specific use cases where a Bitnami Secure Image Java Minimal image can offer significant advantages. Let’s explore when opting for a minimal image is the optimal choice. What is a Bitnami Secure Image Java Minimal Image? A Bitnami Secure Image Java Minimal image is a streamlined container image designed to include only the essential components required to run a Java application. This stripped-down approach eliminates unnecessary libraries, tools, and dependencies, ...
At a time when the number of vulnerabilities increases 38% YoY, having the ability to separate what matters from what does not and focus on the important issues is more crucial than ever. A few months ago, we added support for the CISA KEV catalog inside our Tanzu Application Catalog (TAC) product. This is a way to provide information on whether certain vulnerabilities are known to be exploited or not. In this blog post, we’ll go over a recent enhancement to this capability, which is our new integration with the VulnCheck vulnerability intelligence platform. One of the most important events in the cybersecurity industry within the last ...
The Python project has released new versions across all supported branches to address a critical security vulnerability (CVE-2025-4517, CVSS 9.4/10). This vulnerability impacts core components of the Python runtime and could lead to unexpected behavior or potential exploitation in certain environments. The different versions containing the fix are: 3.13.4, 3.12.11, 3.11.13, 3.10.18, 3.9.23. Tanzu Application Catalog promptly built, tested, and published the updated container images across all supported platforms in under an hour after the official release, ensuring users had immediate access to the fixed version. ...
One of the biggest headaches for any company’s security team is dealing with vulnerabilities. Imagine a huge company running thousands of products across tons of servers, each one potentially packed with vulnerabilities just waiting to be exploited. It’s a serious daily risk, and naturally, businesses want their products to have as few vulnerabilities as possible. At Tanzu Application Catalog, we take security seriously. We’ve put a lot of effort into building processes that help us release products with the lowest possible number of vulnerabilities, while making sure to track down and fix the critical ones. In this article, we’re going to walk you ...
The Argo CD project just released new versions of all the supported branches to fix a critical security issue, CVE-2025-47933: Argo CD allows cross-site scripting on repositories page. This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Due to the improper filtering of URL protocols in the repository page, an attacker with permission to edit the repository can achieve cross-site scripting. The Argo CD project has already released fixed versions for the Argo CD UI: v3.0.4, v2.14.13, v2.13.8. Tanzu Application Catalog already ...
What are Tanzu Application Catalog customizations? Tanzu Application Catalog enables you to curate a customized set of trusted, pre-packaged application components that are continuously maintained and verifiably tested for production use. When setting up your catalog, you can choose which application to include and specify the base image of your choice. Tanzu Application Catalog then builds these applications on top of the selected base image using a default configuration that includes all necessary packages and dependencies. In some scenarios, however, the default configuration and included packages may not meet all your requirements. In such cases, ...
Model Context Protocol (MCP) has taken the world by storm, and that is understandable. What previously were ad hoc integrations with specific LLMs and data sources can now be replaced with a common protocol that promises a write-once-integrate-with-all-LLMs experience. While the frameworks and implementations are still immature in terms of cross-cutting concerns like security, authentication or logging, the truth is that it opens endless possibilities, especially for agent-to-agent architectures driven by natural language. As a way to explore MCP, I wanted to show how easy it would be to write, in just a few minutes, an MCP server exposing the information ...
We’re excited to announce that we’ve expanded Tanzu Application Catalog, Bitnami Premium and Bitnami Application Catalog, enriching the ways you can deploy and manage ClickHouse solutions. First, we've introduced a new Helm chart for the most popular ClickHouse Operator, enabling more advanced and automated management of ClickHouse installations. Additionally, we’ve added support for ClickHouse Keeper as a built-in alternative to ZooKeeper in the existing ClickHouse Helm chart, offering more flexibility for coordinating your deployments. ClickHouse Operator Based on the Altinity Kubernetes Operator for ClickHouse, this ...
We are excited to announce an important security enhancement across our Bitnami Helm charts: Secrets are now mounted as volume files by default, in alignment with the CIS Kubernetes Benchmark. This change is part of our ongoing security hardening efforts to ensure Bitnami charts follow modern Kubernetes security best practices out of the box. What have we changed? Previously, the Bitnami Helm charts used application secrets via environment variables using the secretKeyRef approach:

    - name: APPNAME_PASSWORD
      valueFrom:
        secretKeyRef:
          name: secret-name
          key: secret-key

With this update, we’ve transitioned to using *_FILE environment ...
The Wiz Research team discovered a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes. Today the Ingress-nginx team released a new version fixing critical security issues. The most critical one is CVE-2025-1974: ingress-nginx admission controller RCE escalation. Under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution (RCE) in the context of the ingress-nginx controller. This could lead to the disclosure of Secrets accessible to the controller. CVE-2025-1974 means that anything on the Pod network has a good chance ...
Recently, we announced the general availability of Bitnami Premium, a new commercial upgrade to Bitnami, as well as a new partnership with Arrow Electronics, who facilitate a streamlined purchasing process and support experience. Today we are happy to announce an expansion of our commercial offerings with a new set of optimized, performant, minimal, and highly secure application runtimes for the most popular programming languages. This set of new minimal container images is available now and ready to use in the two commercial versions of Bitnami: Bitnami Premium built on Debian 12, and Tanzu Application Catalog (TAC) built on Photon OS. In this ...