
fix: use appsmith-built mongodb image by default in helm chart #41506

Merged
wyattwalter merged 1 commit into release from ww-appsmith-mongodb-image on Jan 12, 2026

Conversation

@wyattwalter
Contributor

@wyattwalter wyattwalter commented Jan 8, 2026

Description

Tip

Add a TL;DR when the description is longer than 500 words or extremely technical (helps the content, marketing, and DevRel team).

Please also include relevant motivation and context. List any dependencies that are required for this change. Add links to Notion, Figma or any other documents that might be relevant to the PR.

This PR updates the default image for a MongoDB cluster managed by the chart to use an image that has been patched for the recent MongoBleed vulnerability, since Bitnami stopped publishing updates to their images.

While not ideal, I made a few time-boxed attempts after the deprecation to use a non-Bitnami image while maintaining compatibility with the chart, but the coupling is too tight to patch over reliably. Ultimately, we need to remove the Bitnami chart from our stack, but that carries too much risk for a simple and critical security patch.

Since the Bitnami images are licensed under Apache 2.0, I’ve forked their builder and published a set of images for each major MongoDB version with the MongoBleed patch included: 6.0.27, 7.0.28, and 8.0.17. I’ve tested deployments using each of these versions, including an upgrade scenario. If anyone reading this decides to upgrade to 7.x or 8.x, please be sure to follow the upstream MongoDB documentation about feature compatibility here, as we do not yet have an Appsmith-specific MongoDB upgrade guide and this is not automatically handled by MongoDB.

Automation

/ok-to-test tags=""

🔍 Cypress test results

Caution

If you modify the content in this section, you are likely to disrupt the CI result for your PR.

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

  • Chores
    • Updated MongoDB to version 6.0.27
    • Bumped Helm chart version to 3.6.8

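The description above boils down to three conditions a reviewer wants to verify on the two Helm files: the MongoDB image no longer comes from a deprecated Bitnami namespace, the values.yaml tag matches the Chart.yaml appVersion (the mismatch the automated review points out), and the tag is at or above the patched release for its major line (6.0.27, 7.0.28 or 8.0.17, as listed by the author). The following is an added example of such a check, not code from the Appsmith repository or this PR. It works on constructed YAML snippets modelled on the two files, extracts the few keys it needs with regular expressions instead of a YAML library so that it runs with the standard library only, and assumes a single mongodb.image block in values.yaml.

```python
import re

# Constructed sample inputs modelled on the files this PR touches;
# these are not the real deploy/helm/Chart.yaml and values.yaml.
NEW_CHART_YAML = """\
apiVersion: v2
name: appsmith
version: 3.6.8
dependencies:
  - name: mongodb
    version: 12.1.16
    appVersion: 6.0.27
    repository: https://charts.bitnami.com/bitnami
"""

NEW_VALUES_YAML = """\
mongodb:
  enabled: true
  image:
    repository: appsmith/mongodb
    tag: 6.0.27
"""

# The pre-PR state, constructed the same way, used to show the findings.
OLD_CHART_YAML = NEW_CHART_YAML.replace("appVersion: 6.0.27", "appVersion: 6.0.10")
OLD_VALUES_YAML = """\
mongodb:
  enabled: true
  image:
    repository: bitnamilegacy/mongodb
    tag: 6.0.13
"""

# Docker Hub namespaces that no longer receive updates (the reason for this PR).
DEPRECATED_NAMESPACES = {"bitnami", "bitnamilegacy"}

# Lowest patched release per major line, taken from the PR description.
PATCHED_FLOOR = {6: (6, 0, 27), 7: (7, 0, 28), 8: (8, 0, 17)}


def parse_version(tag):
    """Turn 'X.Y.Z' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"unsupported tag format: {tag!r}")
    return tuple(int(x) for x in m.groups())


def first_value(text, key):
    """Return the scalar after the first 'key:' line (quotes stripped)."""
    m = re.search(rf"^\s*{key}:\s*['\"]?([^'\"\s]+)", text, re.M)
    if not m:
        raise ValueError(f"key {key!r} not found")
    return m.group(1)


def audit(chart_text, values_text):
    """Return a list of findings; an empty list means the pair passes."""
    findings = []
    repo = first_value(values_text, "repository")
    tag = first_value(values_text, "tag")
    app_version = first_value(chart_text, "appVersion")

    # Image references without a slash come from Docker Hub's 'library' namespace.
    namespace = repo.split("/")[0] if "/" in repo else "library"
    if namespace in DEPRECATED_NAMESPACES:
        findings.append(f"image {repo}:{tag} comes from deprecated namespace {namespace!r}")

    if tag != app_version:
        findings.append(f"values.yaml tag {tag} does not match Chart.yaml appVersion {app_version}")

    ver = parse_version(tag)
    floor = PATCHED_FLOOR.get(ver[0])
    if floor is None:
        findings.append(f"major version {ver[0]} has no known patched build")
    elif ver < floor:
        findings.append(f"tag {tag} is below the patched floor {'.'.join(map(str, floor))}")
    return findings


if __name__ == "__main__":
    for label, chart, values in (("before", OLD_CHART_YAML, OLD_VALUES_YAML),
                                 ("after", NEW_CHART_YAML, NEW_VALUES_YAML)):
        print(label, audit(chart, values) or "ok")
```

Run against the constructed "before" pair it reports all three problems; against the "after" pair it reports none. Dropping the check into CI next to the snapshot test would catch a future values.yaml edit that silently reintroduces a bitnamilegacy image or lets the tag drift from appVersion.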

github-actions bot added the "Bug: Something isn't working" label on Jan 8, 2026
@coderabbitai
Contributor

coderabbitai Bot commented Jan 8, 2026

Walkthrough

Updates Helm chart version from 3.6.7 to 3.6.8 and modernizes MongoDB configuration by updating the image repository from bitnamilegacy/mongodb to appsmith/mongodb and versioning from 6.0.13/6.0.10 to 6.0.27 across dependencies and runtime values.

Changes

Cohort / File(s) | Summary
Helm Chart Configuration: deploy/helm/Chart.yaml, deploy/helm/values.yaml | Chart version bumped to 3.6.8; MongoDB image repository migrated from bitnamilegacy/mongodb to appsmith/mongodb with unified version 6.0.27 across Chart.yaml appVersion and values.yaml image tag

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🚀 From legacy names to the future we go,
MongoDB dances from 6.0.13 to .27's glow,
Charts ascend higher, 3.6.8 takes flight,
Dependencies gleam with updated might! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and specifically describes the main change: switching to an Appsmith-built MongoDB image in the Helm chart for security purposes.
Description check | ✅ Passed | The description provides comprehensive context including motivation (MongoBleed vulnerability), implementation details, testing performed, and important upgrade guidance for future versions.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 62fad5f and 0ab9bd9.

⛔ Files ignored due to path filters (1)
  • deploy/helm/tests/__snapshot__/defaults_snapshot_test.yaml.snap is excluded by !**/*.snap
📒 Files selected for processing (2)
  • deploy/helm/Chart.yaml
  • deploy/helm/values.yaml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-08-12T14:17:36.392Z
Learnt from: wyattwalter
Repo: appsmithorg/appsmith PR: 41176
File: deploy/helm/values.yaml:37-37
Timestamp: 2025-08-12T14:17:36.392Z
Learning: The bitnamilegacy/mongodb:6.0.13 Docker image tag exists and is functional, despite Docker Hub API queries suggesting otherwise. Direct docker pull commands are more reliable than API metadata for verifying image availability.

Applied to files:

  • deploy/helm/Chart.yaml
  • deploy/helm/values.yaml
🔇 Additional comments (3)
deploy/helm/Chart.yaml (2)

14-14: LGTM!

Appropriate patch version bump for the MongoDB image update.


24-24: LGTM!

The appVersion update to 6.0.27 correctly aligns with the image tag in values.yaml, resolving the previous version mismatch.

deploy/helm/values.yaml (1)

37-38: The appsmith/mongodb:6.0.27 image does not exist and must be built/published before merging.

Docker manifest inspection confirms the image is unavailable on Docker Hub. Without this image, Helm deployments will fail with ImagePullBackOff when the kubelet attempts to pull it. There is no build pipeline in the codebase to create appsmith/mongodb images. Either:

  1. Build and publish the image to appsmith/mongodb:6.0.27 on Docker Hub, or
  2. Revert to an existing image (e.g., bitnamilegacy/mongodb:6.0.27 or the standard Bitnami image) and document the security update separately, or
  3. Add CI/CD infrastructure to automatically build and publish forked MongoDB images.
⛔ Skipped due to learnings
Learnt from: wyattwalter
Repo: appsmithorg/appsmith PR: 41176
File: deploy/helm/values.yaml:37-37
Timestamp: 2025-08-12T14:17:36.392Z
Learning: The bitnamilegacy/mongodb:6.0.13 Docker image tag exists and is functional, despite Docker Hub API queries suggesting otherwise. Direct docker pull commands are more reliable than API metadata for verifying image availability.


Comment thread deploy/helm/Chart.yaml
version: 12.1.16
appVersion: 6.0.10
appVersion: 6.0.27
repository: https://charts.bitnami.com/bitnami
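Review bot: the dependency on the `repository: https://charts.bitnami.com/bitnami` line is still resolved from Bitnami's index at `version: 12.1.16`, while the PR description says Bitnami has stopped publishing updates, so after this change a fresh install still depends on that index staying available even though the image no longer does. Suggest either vendoring the 12.1.16 chart alongside this change (for example under deploy/helm/charts) or noting the remaining dependency in the description so operators know what else can break. The `appVersion: 6.0.27` bump itself is consistent with the new values.yaml tag.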
Collaborator


Can you please help me understand why we are still relying on Bitnami for chart dependencies?

Contributor Author


Switching off the Bitnami chart is the most difficult step here. They offered a well-supported chart that supported replicasets and made it easy, then the free offering was removed. The MongoDB chart for replicasets has been deprecated in favor of a Kubernetes operator-based system that's a much larger and complicated change. There are other charts that have popped up recently, but have varying levels of support/popularity.

We will likely migrate to one of those, but there will likely be changes incompatible with the Bitnami chart that we'll need to account for and assist with the migration. This is not the moment for that.

Comment thread deploy/helm/values.yaml
repository: bitnamilegacy/mongodb
tag: 6.0.13
repository: appsmith/mongodb
tag: 6.0.27
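Review bot: the new image is referenced only by a mutable tag (`repository: appsmith/mongodb`, `tag: 6.0.27`), and the automated comment earlier in this thread reports that the tag was not published on Docker Hub at review time, which would leave new deployments in ImagePullBackOff. Since this tag is the security fix itself, suggest confirming the push before merge and, where the chart's image values allow it, pinning the verified manifest by digest so a later re-tag of the fork cannot silently change what gets deployed. The snapshot update is excluded from review by the `!**/*.snap` path filter, so please also confirm that deploy/helm/tests/__snapshot__/defaults_snapshot_test.yaml.snap carries the same repository and tag.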
Collaborator


Thanks for the detailed context in the description. One clarification I wanted to check: are the MongoDB 7.x and 8.x images you mentioned (7.0.28, 8.0.17) published under the official appsmith/mongodb namespace and intended to be supported long term, or were they built mainly for validation and testing purposes?

This would help clarify whether users can safely start new installations on 7.x or 8.x using Appsmith maintained images, or if 6.0.x is the only supported default for now.

Contributor Author


Appsmith works with MongoDB 6, 7, or 8. Some customers, on their own, upgraded to 7 and 8 using the Bitnami image so I wanted to give them a path in the short term. The change was basically the same and it was very low effort to relieve the pain, so I did it.

I would like to start pushing installs to version 7 and then 8 (you can't leap major versions, which makes this more complicated), but the Bitnami images/chart do not automatically upgrade the compatibility version so it's difficult to do with the existing tooling.

I'd like to be able to offer a patch for this vulnerability without making those kinds of changes just yet.
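The reply above states two constraints that make the 7.x and 8.x images harder to roll out than the 6.0.27 patch: major versions cannot be skipped, and the feature compatibility version (FCV) is not raised automatically, so each hop has to be followed by an explicit setFeatureCompatibilityVersion before the next image bump. The following is an added example that encodes those rules as an upgrade planner; it is not code from the Appsmith project or an Appsmith upgrade guide. It assumes the chart exposes the image tag as mongodb.image.tag (a Helm values path taken from the diff in this thread), uses the patched tags the author lists, and emits the upstream mongosh commands for checking and setting FCV (the `confirm: true` field is required by MongoDB 7.0 and later).

```python
# Major lines the thread says Appsmith works with, in upgrade order.
SUPPORTED_MAJORS = (6, 7, 8)

# Newest MongoBleed-patched tag per major line, as listed by the PR author.
PATCHED_TAG = {6: "6.0.27", 7: "7.0.28", 8: "8.0.17"}


def plan_upgrade(current_tag, target_major):
    """Return the ordered operator steps to go from current_tag to target_major.

    Each step is a (kind, action) tuple:
      check - mongosh command to confirm the FCV already matches the running major
      image - Helm value to set for the next one-major hop
      fcv   - mongosh command to raise FCV after that hop has been verified
    Majors are never skipped; a cross-major downgrade is rejected.
    """
    current_major = int(current_tag.split(".")[0])
    if current_major not in SUPPORTED_MAJORS or target_major not in SUPPORTED_MAJORS:
        raise ValueError(f"unsupported major: {current_major} -> {target_major}")
    if target_major < current_major:
        raise ValueError("downgrading across major versions is not supported")

    steps = [(
        "check",
        "db.adminCommand({ getParameter: 1, featureCompatibilityVersion: 1 })"
        f"  // expect {current_major}.0 before touching the image",
    )]
    # One hop per major: bump the image, then raise FCV, which is the
    # prerequisite for the following hop (MongoDB does not do this itself).
    for nxt in range(current_major + 1, target_major + 1):
        steps.append(("image", f"--set mongodb.image.tag={PATCHED_TAG[nxt]}"))
        steps.append((
            "fcv",
            f'db.adminCommand({{ setFeatureCompatibilityVersion: "{nxt}.0", confirm: true }})',
        ))
    return steps


if __name__ == "__main__":
    for kind, action in plan_upgrade("6.0.27", 8):
        print(f"{kind:5s} {action}")
```

For a 6.0.27 cluster targeting 8.x the planner yields one FCV check followed by two image/FCV pairs (7.0.28 then 8.0.17); asking it to go from 8.0.17 back to 6 raises instead of producing a plan. The step list is meant to be reviewed by a human before anything is applied, and the upstream compatibility notes the author links still apply to each hop.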

@wyattwalter wyattwalter merged commit 6f4754d into release Jan 12, 2026
18 checks passed
@wyattwalter wyattwalter deleted the ww-appsmith-mongodb-image branch January 12, 2026 13:05

Labels

Bug Something isn't working
