πŸ“šBook Signing at KubeCon EU 2026Meet us at Booking.com HQ (Mon 18:30-21:00) & vCluster booth #521 (Tue 24 Mar, 12:30-1:30pm) β€” free book giveaway!RSVP Booking.com Event
KubernetesRecipes
Helm intermediate ⏱ 15 minutes K8s 1.28+

Helm OCI Registry for Charts Explained

Store and manage Helm charts in OCI-compliant registries like GHCR, ECR, ACR, and Quay. Push, pull, and version charts using standard container registries.

By Luca Berton β€’ β€’ πŸ“– 5 min read

πŸ’‘ Quick Answer: Use helm push mychart-1.0.0.tgz oci://ghcr.io/myorg/charts to store charts in OCI registries. Pull with helm pull oci://ghcr.io/myorg/charts/mychart --version 1.0.0. Install directly: helm install myrelease oci://ghcr.io/myorg/charts/mychart --version 1.0.0. No helm repo add needed β€” OCI registries replace traditional chart repos.

The Problem

Traditional Helm chart repositories (index.yaml-based) require dedicated infrastructure, don’t support fine-grained access control, and lack the mature tooling of container registries. You want to use the same registry for images AND charts.

The Solution

Login to OCI Registry

# GitHub Container Registry
echo $GITHUB_TOKEN | helm registry login ghcr.io -u USERNAME --password-stdin

# AWS ECR
aws ecr get-login-password | helm registry login AWS_ACCOUNT.dkr.ecr.REGION.amazonaws.com --password-stdin

# Azure Container Registry
helm registry login myregistry.azurecr.io -u $SP_ID -p $SP_SECRET

# Quay.io
helm registry login quay.io -u $QUAY_USER -p $QUAY_TOKEN

Package and Push

# Package chart
helm package ./mychart
# Creates: mychart-1.0.0.tgz

# Push to OCI registry
helm push mychart-1.0.0.tgz oci://ghcr.io/myorg/charts

# Push with specific tag
helm push mychart-1.0.0.tgz oci://ghcr.io/myorg/charts
# Chart stored at: ghcr.io/myorg/charts/mychart:1.0.0

Pull and Install

# Pull chart archive
helm pull oci://ghcr.io/myorg/charts/mychart --version 1.0.0

# Install directly from OCI
helm install myrelease oci://ghcr.io/myorg/charts/mychart --version 1.0.0

# Install with values
helm install myrelease oci://ghcr.io/myorg/charts/mychart \
  --version 1.0.0 \
  --values production-values.yaml

# Template (dry run)
helm template myrelease oci://ghcr.io/myorg/charts/mychart --version 1.0.0

Show Chart Info

# View chart metadata
helm show chart oci://ghcr.io/myorg/charts/mychart --version 1.0.0

# View default values
helm show values oci://ghcr.io/myorg/charts/mychart --version 1.0.0

# View README
helm show readme oci://ghcr.io/myorg/charts/mychart --version 1.0.0

CI/CD Pipeline (GitHub Actions)

name: Publish Helm Chart
on:
  push:
    tags: ['v*']

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      packages: write
    steps:
      - uses: actions/checkout@v4
      
      - name: Install Helm
        uses: azure/setup-helm@v4
      
      - name: Login to GHCR
        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
      
      - name: Package chart
        run: helm package ./charts/mychart
      
      - name: Push chart
        run: helm push mychart-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts

OCI as Helm Dependency

# Chart.yaml
dependencies:
  - name: postgresql
    version: "15.5.0"
    repository: "oci://registry-1.docker.io/bitnamicharts"
  - name: redis
    version: "19.0.0"
    repository: "oci://registry-1.docker.io/bitnamicharts"
helm dependency update ./mychart

Common Issues

IssueCauseFix
unauthorized: authentication requiredNot logged inRun helm registry login first
chart metadata name mismatchChart.yaml name β‰  filenameEnsure name in Chart.yaml matches
version already existsPushing same version twiceBump version or use --force (if supported)
Can’t list chartsOCI has no index.yamlUse registry UI or API to browse
helm repo add doesn’t workOCI doesn’t use repo protocolUse oci:// prefix directly

Best Practices

  1. Use semantic versioning β€” OCI tags are the chart version
  2. Sign charts with cosign β€” cosign sign ghcr.io/myorg/charts/mychart:1.0.0
  3. Use GitHub Packages for open source β€” Free for public repos
  4. Mirror public charts β€” Pull from upstream OCI and push to your registry
  5. Don’t use latest tag β€” Always pin chart versions in production

Key Takeaways

  • OCI registries replace traditional index.yaml Helm repositories
  • Same registry hosts both container images and Helm charts
  • No helm repo add/update needed β€” reference charts directly with oci://
  • All major registries support OCI charts: GHCR, ECR, ACR, Quay, Docker Hub
  • CI/CD pipelines push charts alongside images for atomic releases
#helm #oci #registry #charts #ghcr
Luca Berton
Written by Luca Berton

Principal Solutions Architect specializing in Kubernetes, AI/GPU infrastructure, and cloud-native platforms. Author of Kubernetes Recipes and creator of CopyPasteLearn courses.

🌐 πŸ’Ό πŸ’»

πŸŽ“ Deepen Your Skills β€” Hands-on Courses

⚑
Ansible Quickstart

Automate cluster bootstrapping and node configuration with Ansible.

Start Learning β†’

Courses by CopyPasteLearn.com β€” Learn IT by Doing

Kubernetes Recipes book cover

Want More Kubernetes Recipes?

This recipe is from Kubernetes Recipes, our 750-page practical guide with hundreds of production-ready patterns.

Get the Book β†’ ← More Helm Recipes
← Back to All Recipes
Luca Berton Ansible Pilot Ansible by Example Open Empower K8s Recipes Terraform Pilot CopyPasteLearn ProteinLens