Release Environments - Check and remediate impact of Bitnami chart/docker image changes

Important

This is a clone of production-engineering#27125 (closed), but specific for Release Environments.

Overview

Bitnami have announced that their large repository of open source charts/docker images are now being put behind a paywall effective August 28th:

• https://github.com/bitnami/charts/issues/35164
• https://news.broadcom.com/app-dev/broadcom-introduces-bitnami-secure-images-for-production-ready-containerized-applications

The current Debian-based images will be moved from the current public catalog docker.io/bitnami to a legacy catalog docker.io/bitnamilegacy, and will no longer receive any updates.

A limited number of new hardened images are available under a new catalog docker.io/bitnamisecure.

We need to evaluate the impact of this change in our image builds, Helm charts and Kubernetes workloads, and remediate it before August 28th.

See also:

• https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/issues/9290
• production-engineering#27125 (closed)
• gitlab-org/charts/gitlab#6089 (closed)

Risks

Without any action from our part, from August 28th:

• Image builds pulling images from docker.io/bitnami will fail, breaking CI pipelines in multiple projects and affecting our ability to keep our tools and workloads up-to-date
• Kubernetes workloads using images from docker.io/bitnami will fail to start as they won't be able to pull those images anymore

This is the second time in 8 months that major Bitnami catalog changes are threatening our infrastructure, after the introduction of aggressive rate limits on their Helm charts registry to promote Bitnami Premium.

Summary

• bitnami/postgresql image is used by gitlab-prafect-db-automation job
• bitnami/external-dns image is used by external-dns
• All other images come from GitLab Helm chart.

Solutions

General evaluation

If we make an assumption that Distribution team will fix the Helm chart and backport it to the 3 maintained versions, then only gitlab-prafect-db-automation left to be fixed. However, even in that case, it means Release Environments won't work anymore with GitLab version < 18.0.

Plan of actions

• Short-term: Convert all bitnami/* images to bitnamilegacy/* images
  • Long-term: Following production-engineering#27125 (closed) to know our infrastructure-wise strategy, and making actions accordingly. At the time of writing this comment, we are checking if an open-source folk is available.
• Change gitlab-prafect-db-automation to use another image https://gitlab.com/gitlab-com/gl-infra/release-environments/-/merge_requests/383
• Evaluate possible solutions for external-dns, especially if they fix it on the upstream
  • Follow the progress of Replace the Bitnami external-dns Helm chart wit... (production-engineering#27243 - closed) - create a follow up issue #21442
  • https://gitlab.com/gitlab-com/gl-infra/release-environments/-/merge_requests/383+
• Evaluate if it is possible to override the image registry for postgres and redis related images on the GitLab Helm chart https://gitlab.com/gitlab-com/gl-infra/release-environments/-/merge_requests/403
• Monitor the actions in the GitLab Helm Chart repo gitlab-org/charts/gitlab@aeabf360