
Using Bitnami as an end user or service provider: Licensing questions and business model

Note: We've invested a lot of time and effort into this article to share our learnings, since we couldn't find satisfying answers ourselves. Please keep in mind that this is not legal advice, but solely an opinion based on the knowledge of the author. Our findings may be incomplete or contain errors. Use this article as guidance only, and consult professional advice if in doubt.

Fig. 0: Bitnami provides over 280 applications as Docker images, Helm charts and VM templates.

Bitnami's licensing model has never been easy to navigate, and the latest changes have posed a real challenge for us as a service provider. At first, we thought: "Okay, then we'll just pay." But the deeper we dug, the more questions came up. For example: if we paid, could we actually run a platform for our customers? (License issues, no ops.) The lack of transparency was so frustrating that we fell back on an old craftsman's rule: "Measure twice, cut once." Bad luck for Bitnami: for now, we decided against buying.

Our Odyssey of Information Seeking

We started searching for answers. First stop: Bitnami directly. No success, no reply. Then we tried through Arrow Electronics, but got redirected to "the" partners. At that point, we just gave up.
We asked other service providers and many hadn't even heard about the changes. Frustration grew. The deadline was approaching, and nobody seemed truly prepared.

Our only option: dig in ourselves. Down the rabbit hole! After some initial despair (and a short gaming break), we picked the task back up. Here's what we found, to make your decision easier. This article focuses on the economic and legal aspects of the Bitnami shift.

Open-Source Licenses of the Applications

The licenses of the software included in Bitnami images (e.g., Redis, PostgreSQL, WordPress) remain unchanged. These licenses generally allow free use, distribution, and modification, including for commercial purposes. That doesn't change. You may continue to use this software as long as you comply with the respective license terms (e.g., providing license texts).

Licenses of the Bitnami Artifacts

The Bitnami Helm charts and the code Bitnami uses to build the images are also published under permissive open-source licenses (often Apache 2.0). This means you may continue to use these charts, adapt them, and include them in your own projects.

The New Pricing Model and Product: Bitnami Secure Images (BSI)

Bitnami's new pricing model, distributed in cooperation with Arrow Electronics, signals a clear strategic shift. The move from a primarily free community offering to a commercial enterprise model is unmistakable.

The product is called "Bitnami Secure Images" (sometimes "Bitnami Premium"). It's a paid subscription available via Arrow Electronics and cloud marketplaces like AWS or Azure.

How does it work?

  • Annual subscription model.
  • Grants companies unlimited access to all Bitnami container images and Helm charts.
  • Images are hardened (reduced attack surface, regular security patches).
  • Includes an improved secure software supply chain with metadata like Software Bills of Materials (SBOMs) and CVE transparency (VEX/KEV).
  • The free public docker.io/bitnami repository will mostly be moved to a "Legacy Repository" (docker.io/bitnamilegacy), which will no longer receive updates.

What Does It Cost?

  • Pricing is aimed at enterprise customers.
  • Reports suggest $50,000 to $72,000 per year.
  • On AWS Marketplace, pricing is listed as $6,000 per month (12-month contract).
  • There is a free developer version, but it only includes the latest (:latest) tags and a very limited set of applications.

How Many Images and Charts Are Included?

Bitnami claims the paid offering covers "thousands" of hardened images for over 500 open-source applications.

Fig. 1: Thousands!

Since images and charts are tightly coupled, all related Helm charts are included in the subscription.

Fig. 2: Example of "Bitnami Secure Images" as listed on the Azure Marketplace

What Does This Mean for End Users?

As an end user (developer, DevOps, or platform engineer), you need to be aware of the far-reaching consequences of the August 28, 2025 change.

  • Check dependencies: Review all projects, CI/CD pipelines, and Kubernetes manifests referencing Bitnami images.
  • Missing updates: After the cutoff date, older versioned images in the legacy repository will no longer receive security patches. This creates a serious risk, especially for production workloads.
  • Missing availability: Your automation may fail if it tries to pull images from the no-longer-updated public repository.
  • Migration strategy: You need to plan one. Options include:
    • Switching to the paid Bitnami solution.
    • Switching to official images provided by the respective projects.
    • Building your own images from the Bitnami legacy charts and hosting them in a private registry (high effort).
    • Switching to another provider of hardened images (e.g., Chainguard).
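
For the "Check dependencies" step, the following added example (not part of the original article, and not Bitnami tooling) scans the `image:` fields of rendered Kubernetes manifests for references to `docker.io/bitnami` and `docker.io/bitnamilegacy`, including Docker Hub shorthand. The sample manifest lines, tags, and category names are constructed for illustration.

```python
import re

# Host names that all resolve to Docker Hub.
HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}
IMAGE_FIELD = re.compile(r"""^\s*(?:-\s*)?image:\s*["']?([^\s"'#]+)""")

# Constructed sample input (image fields as they appear in rendered manifests).
SAMPLE = """\
- image: docker.io/bitnami/redis:7.2.4
- image: "bitnamilegacy/postgresql:16.3.0"
  image: registry-1.docker.io/bitnami/nginx
- image: ghcr.io/example/bitnami-proxy:1.0
- image: registry.example.internal:5000/bitnami/redis:7.2.4
"""

def parse_ref(ref):
    """Return (registry, namespace, tag) for a container image reference."""
    ref, _, digest = ref.partition("@")
    first, _, rest = ref.partition("/")
    # The first component is a registry only if it looks like a host name;
    # otherwise the reference is Docker Hub shorthand (e.g. bitnami/redis).
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    if registry in HUB_HOSTS:
        registry = "docker.io"
    _, sep, tag = path.rsplit("/", 1)[-1].partition(":")
    if not sep:
        tag = "" if digest else "latest"  # no tag and no digest means :latest
    namespace = path.split("/", 1)[0] if "/" in path else "library"
    return registry, namespace, tag

def classify(ref):
    """Map a reference to a migration category, or None if unaffected."""
    registry, namespace, tag = parse_ref(ref)
    if registry != "docker.io":
        return None  # private mirrors and other registries are out of scope
    if namespace == "bitnamilegacy":
        return "legacy"  # legacy repository: no further updates
    if namespace == "bitnami":
        # Versioned tags are the ones moving out of the public repository.
        return "bitnami-latest" if tag == "latest" else "bitnami-pinned"
    return None

def scan(text):
    """Return (line number, reference, category) for each affected image."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = IMAGE_FIELD.match(line)
        if m and (category := classify(m.group(1))):
            hits.append((lineno, m.group(1), category))
    return hits
```

Helm values files that split the reference into separate `registry`, `repository`, and `tag` keys are not covered by this scan; render the chart first and scan the resulting manifests.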

You can find more specific tasks in this blog.

From a licensing perspective, the situation is clear, but the operational risks are high.

The real issue isn't about license violation, but about a conflict in business models. The underlying open-source licenses allow for "commercial use" (e.g., using Redis for your own paid product). What Bitnami now sells is a "commercial service" and the effort to harden, patch, and maintain images. By continuing to use the free legacy images for a professional, paid service, you are essentially monetizing Bitnami's work without contributing.

This leads to significant operational risks and responsibilities. As a user of the free legacy repository, you alone are responsible for monitoring, detecting, and fixing every vulnerability that arises. For a professional service, this is a heavy and costly burden. A single security breach from an unpatched component could lead to legal disputes, a loss of customer trust, and severe reputational damage. Bitnami's paid subscription, on the other hand, offers a clear commitment to providing secure and up-to-date images, effectively offloading that critical responsibility.

What Must Service Providers Consider?

For service providers offering managed services based on Bitnami Helm charts (e.g., Managed Redis), the situation is far more complex than for end users. Your business model is directly affected by Bitnami's shift, as your service's reliability and security depend on the components you use.

Licensing and Business Model

Bitnami Helm charts and the open-source applications themselves are under permissive licenses (Apache 2.0, MIT). These licenses allow use and redistribution, including commercially. Bitnami's licensing is not about use, but about distributing hardened images and the support that comes with them.

By offering a managed service, you benefit primarily from the hardened, patched images Bitnami now sells as part of its subscription. And that's exactly what Bitnami now charges for.
At this point, you should reach out to Bitnami to clarify whether offering a managed service (e.g., Redis) based on their hardened images and Helm charts would raise any licensing issues. In addition, check whether running the underlying application itself in this way might also involve separate license restrictions.

Risk and Responsibility

If you continue to use the free legacy repository, you assume full operational and legal responsibility:

  • Security burden: You must monitor, patch, and document every vulnerability yourself.
  • Cost impact: Continuous monitoring and backporting security fixes require significant time and resources.
  • Exposure in case of breach: An exploit from an unpatched component can result in legal disputes, customer loss, and reputational damage.

Bottom Line

The real risk is not legal, but operational.

  • Legacy repository: Maximum responsibility, high risk.
  • Secure Images (paid): Responsibility remains with you, but the critical work of patching and hardening is offloaded to Bitnami.

Conclusion for Service Providers

Using the free legacy repository carries significant operational risk. If you want to provide a professional, secure, and reliable managed service, you must either:

  • patch and harden the images yourself (very costly), or
  • purchase the paid Bitnami Secure Images subscription.

What Bitnami is really selling is the effort they put into maintaining and securing these images, and that value is the foundation of your own service offering.

⚠️ Important to note: Even with Secure Images, responsibility for secure operations remains with you as the operator. Bitnami commits to providing hardened and updated images, but does not accept liability for damages caused by exploited vulnerabilities. With Secure Images, you buy reliability and support, but not indemnification in case of an exploit.

Conclusion for Us as a Service Provider

Act early before it is too late.
We already have workflows in place through forking and mirroring to ensure service integrity. Going forward, maintain a matrix of tools, dependencies, contributors, and licenses. React to changes early to minimize impact and always define alternatives such as Operators or Managed Services. This has proven effective, as seen with the Bitnami change, and it has reinforced our previous decisions.

Involve Legal for review and risk mitigation just like code reviews. Build the platform to be both technically adaptable and resilient to license changes. In the long term, buying licenses may reduce cognitive load if the cost benefit is right.

Most important: we run KumoOps. Regardless of licenses or vendors, failures cause reputational, not contractual, damage. Customers do not care what licenses were purchased. Responsibility always lies with Ops, and relying only on licenses or guarantees is not enough.

What Alternatives Exist to Bitnami?

When considering alternatives, keep in mind that Bitnami offered more than hardened container images: it provided an extensive Helm chart library as well. This combination made Bitnami the de facto standard for "applications on Kubernetes."

One frequently mentioned alternative is Chainguard.dev. The company focuses on extremely minimal, security-hardened container images, based on its own "Linux undistro" called Wolfi.

Chainguard closes the gap in secure images very well, but does not fully replace Bitnami. The maintenance burden for Helm charts remains with the user, or must be sourced elsewhere.

In the article, we outline what a "Quick Fix" solution looks like (to get you home by dinner) and what a "Long Fix" strategy looks like for long-term stability.

Fig. 3: Overview of Quick-Fix and Long-Fix strategies for dealing with Bitnami.


Artem Lajko, certified Kubestronaut and Platform Engineer at iits-consulting, specializes in GitOps and Kubernetes scalability. He's a published author of the book "Implementing GitOps with Kubernetes", co-founder of connectii.io, and IT freelancer, writing for ITNEXT on Medium. Dedicated to Open Source, Artem helps companies select suitable products, promoting tech adoption and innovation.