Merged
55 changes: 55 additions & 0 deletions infrastructure/README.md
Expand Up @@ -18,6 +18,61 @@ The documentation is structured as follows:
- [2.2 Production setup instructions](#22-production-setup-instructions)
- [3. Contributing](#3-contributing)

## Temporary notice: Bitnami Legacy images and insecure images setting

We temporarily switched some dependencies from Bitnami to Bitnami Legacy images and enabled pulling insecure images. This is a short-term workaround.

- What changed
- Image repositories for certain dependencies under `langfuse` and `minio` now use `bitnamilegacy/*` (e.g., `bitnamilegacy/minio`, `bitnamilegacy/postgresql`, `bitnamilegacy/clickhouse`, `bitnamilegacy/zookeeper`, `bitnamilegacy/valkey`).
- In `rag/values.yaml`, `global.security.allowInsecureImages` is set to `true`.

- Why: Bitnami announced catalog changes where non-hardened, Debian-based images in the free tier are reducing versioned tags in the public catalog and prioritizing latest-only tags, with older/versioned tags migrated to the “Bitnami Legacy” repository (`docker.io/bitnamilegacy`). To maintain reproducibility with pinned versions, we temporarily use the legacy repositories. See:
- Bitnami Containers README – Important Notice: Upcoming changes to the Bitnami Catalog: [bitnami/containers](https://github.com/bitnami/containers)
- Bitnami Charts README – Important Notice: Upcoming changes to the Bitnami Catalog: [bitnami/charts](https://github.com/bitnami/charts)
- Related announcement: [bitnami/containers#83267](https://github.com/bitnami/containers/issues/83267)

- Important: Do not keep this setting for production. Re-enable secure images and switch back to standard Bitnami repositories (or pin by digest) before going live.

Reproducibility and security recommendations:

- In production, pin images by exact version tag.
- Set `global.security.allowInsecureImages: false` in production environments.
- Plan to migrate back to the standard Bitnami repositories (or alternative maintained images) once fixed-version tags are reliably available.

How to revert (recommended for production deployments):

1. Disable insecure images in the Helm values

```yaml
global:
security:
allowInsecureImages: false
```

1. Replace legacy repositories with standard Bitnami repositories where used, for example:

```yaml
minio:
image:
repository: bitnami/minio

langfuse:
postgresql:
image:
repository: bitnami/postgresql
clickhouse:
image:
repository: bitnami/clickhouse
zookeeper:
image:
repository: bitnami/zookeeper
valkey:
image:
repository: bitnami/valkey
```

Note: The exact locations may differ if you customized `values.yaml`. Search for `bitnamilegacy/` and replace with the corresponding `bitnami/` image repositories.

## 1. Components and Configuration Values to Adjust

This directory contains the Helm chart for the following RAG components:
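Review bot: Step 2 of "How to revert" switches the repositories back to `bitnami/*` with no tag or digest, yet the "Why" paragraph says those repositories are moving to latest-only tags, so following the steps as written gives up the pinning this workaround exists to preserve. Show a pinned image in the revert example, and reconcile the two pieces of advice: the "Important" bullet says "pin by digest" while the recommendations say "pin images by exact version tag". The notice should also say what `global.security.allowInsecureImages` actually disables, and link a tracking issue or owner for removing it, since "temporary" has no end condition here beyond "once fixed-version tags are reliably available".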
21 changes: 21 additions & 0 deletions infrastructure/rag/values.yaml
@@ -1,3 +1,8 @@
global:
security:
# -- Allow insecure images to use bitnami legacy repository. Can be set to false if secure images are being used (Paid).
allowInsecureImages: true

features:
ollama:
enabled: false
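Review bot: `allowInsecureImages: true` becomes the default in the shipped `rag/values.yaml`, while the README added in the same change says not to keep this setting for production, so anyone installing with the default values gets the relaxed setting without opting in. Because the key sits under `global`, Helm passes it to every subchart, not only the ones moved to `bitnamilegacy/*`. Consider keeping the relaxed value in a development override file, or, if the default has to stay `true` for the legacy repositories to work, have the comment point to the README notice and name the revert step. The "(Paid)" remark in the comment is unclear as written; spell out what it refers to.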
Expand Down Expand Up @@ -446,19 +451,33 @@ shared:

langfuse:
minio:
image:
repository: bitnamilegacy/minio
deploy: false
valkey:
image:
repository: bitnamilegacy/valkey
deploy: false #<--- keydb is used instead of valkey
image:
repository: ghcr.io/langfuse/langfuse
pullPolicy: Always
tag: "3.27.2"
postgresql:
image:
repository: bitnamilegacy/postgresql
deploy: true
auth:
username: postgres
password: postgres
database: langfuse
clickhouse:
image:
repository: bitnamilegacy/clickhouse
zookeeper:
image:
repository: bitnamilegacy/zookeeper


langfuse:
nextauth:
url: http://localhost:3000
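Review bot: The five `image.repository` overrides under `langfuse` (minio, valkey, postgresql, clickhouse, zookeeper) set only the repository, with no `tag` or digest beside them, so the version pulled is whatever each subchart defaults to and is not visible in this file. The README gives reproducibility with pinned versions as the reason for moving to `bitnamilegacy/*`, so state the pin explicitly next to each repository, the way the langfuse image already does with `tag: "3.27.2"`. The `minio` and `valkey` entries sit next to `deploy: false`, so those two overrides only take effect if the components are enabled later; a short comment saying so would avoid confusion.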
Expand Down Expand Up @@ -521,6 +540,8 @@ langfuse:
timeoutSeconds: 300

minio:
image:
repository: bitnamilegacy/minio
auth:
## @param auth.rootUser MinIO&reg; root username
##
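Review bot: The top-level `minio.image.repository: bitnamilegacy/minio` override has no comment marking it as temporary, so the only way to find it again is the README's "Search for `bitnamilegacy/`" instruction. Add a short comment here that references the README notice, and put the intended tag or digest next to the repository so this block does not depend on the subchart default.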