7 min. read
NIS2 Requirements: Why Credential Security is Non-Optional
Explore key NIS2 requirements (Art. 21) regarding access control. Use our compliance checklist to align your credential security with Passbolt.
All articles
Bitnami Legacy Changes: Passbolt’s Migration Plan for Open-Source, Secure Helm Deployments
4 min. read
Bitnami (now under Broadcom) has introduced major changes to how their container images and Helm charts are distributed. Because the Passbolt Helm chart currently relies on Bitnami dependencies for MariaDB/MySQL and Redis, these changes directly affect Passbolt users. This update outlines what has changed, how it impacts your deployments, and what users can expect moving forward.
What changed with Bitnami?
Bitnami has significantly revised its public offering:
- Public docker.io/bitnami images have been moved into a “Bitnami Legacy” repository that receives no further updates, fixes, or security patches.
- A small subset of hardened “community-tier” images remains free, but full production-grade coverage is now behind the Bitnami Secure Images paid subscription.
- Their Helm charts remain open source, but the container images referenced by those charts may no longer be freely accessible or up to date.
In practical terms, relying on the free Bitnami images long term means either running outdated, unpatched images or taking on additional work to build, maintain, and mirror images yourself. For a security-sensitive application like Passbolt, neither is acceptable as a long-term solution.
How Bitnami’s changes affects the Passbolt Helm chart
The Passbolt Helm chart has historically included two Bitnami subcharts to simplify deployment: MariaDB (with an optional PostgreSQL example) and Redis (used for sessions and caching). This setup has helped users quickly get a running Passbolt environment without provisioning their own database or cache layer. Based on the information Bitnami has released and the changes underway:
- The current dependencies remain in place for now, as the team evaluates and tests open-source alternatives.
- Because Bitnami is deprecating the components Passbolt relies on, continuing to use these free Bitnami images introduces long-term risks around missing updates and security patches.
- Users who rely on Bitnami’s paid offering or maintain their own mirrored images may continue doing so according to their own processes and operational requirements.
- We recommend that users begin planning a migration path in anticipation of future changes, especially for production environments.
Our migration plan: MariaDB Operator and Valkey
The transition away from Bitnami will occur once the open-source replacement stack has been fully tested and proven stable. We want to ensure Passbolt users rely on open-source, community-driven infrastructure, not a commercial vendor’s catalog. The future of the Passbolt Helm chart is based on two components:
1. Relational database: MariaDB Operator
We plan to replace the Bitnami MariaDB/MySQL chart with the MariaDB Operator Helm chart, maintained by the MariaDB community. This provides:
- Kubernetes-native provisioning and management
- Built-in failover logic
- A more sustainable long-term approach than vendor-maintained static images
2. Cache and session storage: Valkey
For Redis-compatible caching, we will switch from the Bitnami Redis chart to the official Valkey Helm chart. Valkey is a fully open source, Linux Foundation–governed fork of Redis, offering the same high-performance key-value APIs without commercial licensing constraints.
Our aim is straightforward: Preserve the “easy install” experience, powered entirely by modern open-source projects.
Timeline: What to expect
In early 2026, we plan to release a new major version of the Passbolt Helm chart introducing new, open-source defaults: MariaDB Operator for the database and Valkey Helm chart for the session/cache layer. This update removes Bitnami subcharts as default dependencies and will constitute a breaking change. Migration guidance will be provided ahead of time. Timelines may shift based on testing outcomes, as stability and reliability for stateful components such as databases remain the top priority.
Practical next steps for users:
The available options depend on how you deploy Passbolt and your familiarity with Kubernetes.
1. Continuing with the current setup
The existing Passbolt Helm continues to reference current Bitnami dependencies while the transition work is underway. The setup remains as a temporary functional solution, but Bitnami’s deprecation means the free images will not receive updates or security patches anymore, making it unsafe for production use. Clear warnings will remain in the documentation to help users plan ahead.
2. Adopting the new components early (under your own responsibility)
Because the Passbolt Helm chart is designed to be flexible, users are free to use their own infrastructure instead of the defaults. To move ahead before the official migration, deploy your own alternative components and configure Passbolt to point to these services. This includes:
- The MariaDB Operator
- Valkey (or any Redis-compatible datastore)
- Any supported MySQL, MariaDB, or PostgreSQL database
The bundled dependencies can be disabled in values.yaml, allowing Passbolt to connect to the chosen services through custom configuration overrides.
Because high availability and certain operational features are not yet provided out of the box in the new stack, early adoption is under your own responsibility. This includes managing:
- High availability and failover
- Backups and recovery
- Monitoring and upgrades
- Secure configuration
Until the official migration is released, any troubleshooting may require reproducing issues using the current supported configuration.
Helpful resources for early adopters
These resources are available if you want to start experimenting with the upcoming components ahead of their official release:
- Passbolt Helm Chart Documentation (CE & PRO)
https://www.passbolt.com/docs/hosting/install/ce/helm-chart/
https://www.passbolt.com/blog/installing-passbolt-with-helm
- Passbolt Helm Chart Repository
https://github.com/passbolt/charts-passbolt
- MariaDB Operator Documentation
https://github.com/mariadb-operator/mariadb-operator
- Valkey Helm Chart Documentation
https://github.com/valkey-io/valkey-helm
What comes next
In the coming months, the team will:
- Finalize and test the MariaDB Operator + Valkey setup as the future default
- Prepare detailed migration guidance for users transitioning from Bitnami
- Share updates through the Passbolt Community Forum and the Passbolt Blog
If your organisation relies heavily on the Helm chart or is planning to modernise its Kubernetes deployment, we welcome your feedback in the community forum. Your input will help shape the next iteration of the Passbolt Helm chart and ensure a smooth transition away from Bitnami.
