Is public.ecr.aws/bitnami an official Bitnami release channel? In light of #30850 #32493

Open
franklouwers opened this issue Mar 18, 2025 · 4 comments
franklouwers commented Mar 18, 2025

Name and Version

bitnami/charts

What architecture are you using?

None

What steps will reproduce the bug?

Hi,

I was wondering if public.ecr.aws/bitnami is still considered an official release/mirror of bitnami?

If it isn't, please work with AWS to remove the "official" mark on the channel, as if Bitnami doesn't control it, it can be used by whoever controls it, to publish malware.

If it is, please add as an exception to #30850.

What do you see instead?

It's unclear what the official status of the ecr mirror is. There used to be an official Bitnami blogpost announcing (and recommending!) the mirror, but that post seems to be completely gone from the website. I don't find any mentions of it being removed, so completely unclear to me.

@franklouwers franklouwers added the tech-issues The user has a technical issue about an application label Mar 18, 2025
@github-actions github-actions bot added the triage Triage is needed label Mar 18, 2025
@carrodher carrodher assigned carrodher and unassigned javsalgar Mar 18, 2025
carrodher (Member) commented

Hi,

Yes, AWS Public ECR (public.ecr.aws/bitnami) is an official registry for Bitnami containers. However, it is not allowlisted in our Helm charts by default, meaning you need to enable the allowInsecureImages flag to use it.

This is because our testing and validation processes focus on ensuring that all Bitnami Helm charts work out of the box. To achieve this, we test them with multi-architecture containers (AMD and ARM), whereas AWS Public ECR only provides AMD images.

While AWS Public ECR remains an officially supported registry, it is not considered in the same category as DockerHub, which serves as the primary registry for our Helm charts and includes multi-architecture containers.

Let us know if you have any further questions!

franklouwers (Author) commented

Can you link to an official resource clarifying the status of public.ecr.aws/bitnami? I can find old blogposts which are now deleted but nothing more. Do they clarify the difference between unofficial, unofficial-but-not-to-be-used and official?

So to be clear, you expect your users to explicitly set a flag with the name 'insecure' in it, when they want to use an "officially supported registry". Correct? If your answer would be yes, please re-read my question followed by your answer.

carrodher (Member) commented

> Can you link to an official resource clarifying the status of public.ecr.aws/bitnami? I can find old blogposts which are now deleted but nothing more. Do they clarify the difference between unofficial, unofficial-but-not-to-be-used and official?

The Bitnami blog was migrated from blog.bitnami.com to the Broadcom Communities, with a redirection in place.

As part of this migration, only the most recent blog posts were transferred, which is why the announcement regarding AWS Public Gallery is no longer available. However, this does not imply any change in its status.

For clarification, you can consider my previous comment as the official statement regarding public.ecr.aws/bitnami.

> So to be clear, you expect your users to explicitly set a flag with the name 'insecure' in it, when they want to use an "officially supported registry". Correct? If your answer would be yes, please re-read my question followed by your answer.

Yes, as I mentioned earlier, AWS Public Gallery is an official registry for container images but not for Helm charts, for the reasons stated above.

franklouwers (Author) commented

So it's NOT an official repository for helm, it's only official for non-helm deploys. It's considered "insecure" for helm use. Is that a correct statement?
