Check and remediate impact of Bitnami chart/docker image changes
Overview
Bitnami have announced that their large repository of open source charts/docker images are now being put behind a paywall effective August 28th:
- https://github.com/bitnami/charts/issues/35164
- https://news.broadcom.com/app-dev/broadcom-introduces-bitnami-secure-images-for-production-ready-containerized-applications
The current Debian-based images will be moved from the current public catalog docker.io/bitnami to a legacy catalog docker.io/bitnamilegacy, and will no longer receive any updates. A limited number of new hardened images are available under a new catalog docker.io/bitnamisecure.
We need to evaluate the impact of this change in our image builds, Helm charts and Kubernetes workloads, and remediate it before August 28th.
See also: https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/issues/9290
Risks
Without any action on our part, from August 28th:
- Image builds pulling images from docker.io/bitnami will fail, breaking CI pipelines in multiple projects and affecting our ability to keep our tools and workloads up-to-date
- Kubernetes workloads using images from docker.io/bitnami will fail to start as they won't be able to pull those images anymore
This is the second time in 8 months that major Bitnami catalog changes are threatening our infrastructure, after the introduction of aggressive rate limits on their Helm charts registry to promote Bitnami Premium.
Actions needed
Immediate remediation:
- Inventory all infrastructure Docker images, Helm charts and other Kubernetes deployments pulling images from docker.io/bitnami or docker.io/bitnamilegacy
- Replace docker.io/bitnami with docker.io/bitnamilegacy everywhere present
- This should avoid incidents on August 28th, but we still won't be able to receive any new updates, including security updates
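As an added example (not part of this issue or of any GitLab tooling), a small Python script that classifies image references the way this inventory needs: a bare bitnami/... reference counts as Docker Hub, mirrors on other registries are left alone, bitnamilegacy and bitnamisecure are not confused with the affected namespace, and only affected references are rewritten. The Dockerfile/manifest line patterns and the sample manifest are assumptions constructed for the example.

```python
import re

# Docker Hub hostnames; a reference with no registry host defaults to Docker Hub,
# so "bitnami/redis:7" is the same affected image as "docker.io/bitnami/redis:7".
DOCKER_HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}
BITNAMI_CATALOGS = {"bitnami", "bitnamilegacy", "bitnamisecure"}

# Assumed line shapes: Dockerfile FROM, Kubernetes "image:", Helm values "repository:".
IMAGE_REF = re.compile(
    r"(?:^|\s)(?:FROM(?:\s+--platform=\S+)?|image:|repository:)\s+([^\s'\"]+)")

def classify(ref: str) -> str:
    """Return the Bitnami catalog a reference pulls from, or 'unaffected'."""
    parts = ref.split("@", 1)[0].split("/")      # drop any digest, split the path
    head = parts[0]
    # A first component containing '.' or ':' (or 'localhost') is a registry host.
    if len(parts) > 1 and ("." in head or ":" in head or head == "localhost"):
        registry, parts = head, parts[1:]
    else:
        registry = "docker.io"
    if registry not in DOCKER_HUB_HOSTS:
        return "unaffected"                       # mirrors / private registries
    namespace = parts[0] if len(parts) > 1 else "library"
    return namespace if namespace in BITNAMI_CATALOGS else "unaffected"

def find_references(text: str) -> list:
    """List every (reference, classification) found in Dockerfile/manifest text."""
    return [(m.group(1), classify(m.group(1))) for m in IMAGE_REF.finditer(text)]

def to_legacy(text: str) -> str:
    """Rewrite only public docker.io/bitnami references to docker.io/bitnamilegacy."""
    def swap(m):
        ref = m.group(1)
        if classify(ref) != "bitnami":
            return m.group(0)                     # legacy, secure, mirrors: untouched
        parts = ref.split("/")
        parts[1 if parts[0] in DOCKER_HUB_HOSTS else 0] = "bitnamilegacy"
        return m.group(0)[: m.start(1) - m.start(0)] + "/".join(parts)
    return IMAGE_REF.sub(swap, text)

# Constructed sample: Dockerfile lines and Kubernetes image fields.
SAMPLE = """\
FROM docker.io/bitnami/postgresql:16 AS db
FROM registry.example.com/mirrors/bitnami/redis:7
    - image: bitnami/redis:7.2
    - image: docker.io/bitnamilegacy/kafka:3.7
    - image: docker.io/bitnamisecure/nginx:latest
    - image: ghcr.io/example/app:1.0
"""
```

A grep for the literal string docker.io/bitnami misses the bare bitnami/ form and matches bitnamilegacy as a prefix; the classifier above avoids both.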
Long term remediation:
- Evaluate whether some images and workloads can safely be migrated to docker.io/bitnamisecure
- Consider migrating away entirely from Bitnami Helm charts and Docker images to more reliable providers
Exit Criteria
- August 28th is a normal day at GitLab
- We don't have any Docker image pulling from docker.io/bitnami
- We don't have any Kubernetes workload pulling images from docker.io/bitnami