OCI Registries and Distribution

In Chapters 1-6, you built Helm charts locally: templating logic, dependency composition, hooks, and validation. These charts work perfectly in your development environment. But when you need to share charts across teams, use them in production, or compose them as dependencies in other charts, storing them as directories on your laptop doesn't scale.

Helm solved this by adopting OCI (Open Container Initiative) standards. The same registry that stores your Docker images—Docker Hub, Amazon ECR, Azure Container Registry—now stores your Helm charts. This unifies distribution: one registry for both container images AND charts, one authentication mechanism, one versioning strategy.

This chapter teaches you how to package charts into distributable artifacts, authenticate with registries, push and pull charts, consume charts from OCI URLs, and implement a chart versioning strategy aligned with semantic versioning. By the end, you'll publish your AI agent's Helm chart to a shared registry where teammates and production systems can discover and install it.

---

What You'll Learn

This chapter covers the complete workflow for distributing Helm charts via OCI-compliant registries.

Concept Groups

Prerequisites

Before starting this chapter, you should have:

• ✅ Completed Chapters 1-6 (chart templating, dependencies, hooks, validation)
• ✅ A working Helm chart (from previous chapters or your own project)
• ✅ Docker CLI installed (for registry authentication)
• ✅ Access to an OCI registry (Docker Hub account, AWS ECR, or local registry)
• ✅ Kubernetes cluster running (Minikube, Kind, or cloud cluster) for installation testing

Time Estimate

• Reading & Concepts: 25 minutes
• Hands-On Exercises: 20 minutes
• Total: ~45 minutes

---

Concept 1: OCI Basics — Why Helm Adopted OCI for Charts

Before you can push a chart to a registry, understand what OCI is and why Helm moved from Helm repositories (custom format) to OCI.

The Problem: Two Distribution Systems

Before OCI adoption (Helm 2-early Helm 3):

• Container images → Docker registries (docker.io, gcr.io, etc.)
• Helm charts → Helm repositories (custom format, separate infrastructure)

Teams maintained two completely different distribution systems with different credentials, different APIs, different versioning semantics.

After OCI adoption (Helm 3.7+):

• Container images → OCI registries (same)
• Helm charts → OCI registries (same)

One registry. One authentication model. One API.

What is OCI?

OCI (Open Container Initiative) is a standardized format for packaging and distributing artifacts. Originally designed for container images, OCI is now a general-purpose artifact format that can store anything: images, charts, software bills of materials (SBOMs), vulnerability scan results.

An OCI registry is any system that follows the OCI Distribution Spec:

• Docker Hub
• Amazon ECR (Elastic Container Registry)
• Azure Container Registry
• Google Artifact Registry
• Private registries (Harbor, Artifactory)
• Local registries (for development)

A Helm chart stored in OCI format is just an artifact in these registries, no different from a Docker image.

How Helm Charts Fit into OCI

When you helm package a chart, Helm:

1. Creates a .tgz archive of your chart directory
2. Wraps it in OCI metadata (content type: application/vnd.cncf.helm.chart.v1.tar+gzip)
3. Stores it in the registry with a tag (like myapp-chart:1.2.3)

A Helm chart in a registry looks like this:

It's identical in structure to a Docker image reference:

Same registry. Same tagging system. Same authentication.

---

Concept 2: Packaging Charts — helm package

Before pushing to a registry, you must package your chart into a .tgz archive.

Creating a Chart Archive

Start with an existing chart (or the example from Lesson 1):

Output:

What helm package Does

1. Validates the chart (runs helm lint internally)
2. Creates a .tgz archive containing:
   • Chart.yaml
   • values.yaml
   • templates/
   • All other chart files
3. Names the file: {chart-name}-{version}.tgz
4. Stores it in the current directory (unless -d specifies destination)

Version Matters

The filename comes from Chart.yaml:

If you change version in Chart.yaml, helm package creates a new file:

Each version is a separate artifact. This is how semantic versioning works: 1.2.3 represents major.minor.patch. When you fix a bug, bump patch (1.2.4). When you add backwards-compatible features, bump minor (1.3.0). When you make breaking changes, bump major (2.0.0).

---

Concept 3: OCI URL Format — How to Reference Charts

When you push a chart to an OCI registry, you reference it using oci:// URLs.

The OCI URL Pattern

Breaking this down:

Examples

Public chart on Docker Hub:

Private chart on Amazon ECR:

Local registry for development:

Compare to HTTP URLs

Before OCI, Helm used HTTP repository URLs (still supported):

The OCI approach is simpler: no separate repository infrastructure, same registry as your images.

---

Concept 4: Authenticating with Registries — helm registry login

Before you push or pull charts from a private registry, authenticate using helm registry login.

Logging In to Docker Hub

Output:

Using Docker Credentials

If you've already logged in with the Docker CLI:

Logging In to Private Registries

For Amazon ECR, Azure ACR, or other private registries:

Output:

Credentials Storage

Helm stores credentials in ~/.docker/config.json (same as Docker CLI). Each registry gets its own credential entry.

---

Concept 5: Pushing Charts — helm push

Once authenticated, push your packaged chart to an OCI registry using helm push.

Pushing to Docker Hub

Output:

Pushing to Private Registries

Output:

Chart Naming Convention

When you push, Helm separates chart name from version:

The version goes into the tag (after the colon), not the image name. This matches Docker convention:

• docker.io/myusername/myapp-image:1.2.3 (Docker image)
• docker.io/myusername/myapp-chart:1.2.3 (Helm chart)

---

Checkpoint: OCI Fundamentals

You've learned the foundation of OCI-based chart distribution.

Quick Reference:

Self-Check Questions:

1. Why did Helm adopt OCI standards instead of maintaining custom Helm repositories?

   • Answer: To unify distribution with container images—same registry, same authentication, same versioning

2. What file determines the name of the .tgz archive created by helm package?

   • Answer: Chart.yaml (name and version fields create {name}-{version}.tgz)

3. How does an OCI chart URL differ from a Docker image URL?

   • Answer: They're structurally identical (oci://registry/repo/name:tag), but the content type is different (charts vs images)

If you can't answer these, review Concepts 1-3 before continuing.

---

Concept 6: Pulling Charts — helm pull

Download charts from OCI registries using helm pull.

Pulling from Docker Hub

Output:

Pulling from Private Registries

Output:

Extracting and Inspecting

Output:

---

Checkpoint: Registry Operations

You've mastered the publish-and-consume workflow for OCI registries.

Quick Reference:

Self-Check Questions:

1. Where does Helm store registry credentials after helm registry login?

   • Answer: ~/.docker/config.json (same location as Docker CLI credentials)

2. What happens if you push a chart version that already exists in the registry?

   • Answer: Registry behavior varies—some overwrite, some reject. Best practice: never reuse versions (bump version instead)

3. Can you install a chart directly from an OCI URL without pulling first?

   • Answer: Yes, use helm install my-release oci://registry/repo/chart:version

If you can't answer these, review Concepts 4-6 before continuing.

---

Concept 7: Semantic Versioning for Charts

Helm charts follow semantic versioning (semver): MAJOR.MINOR.PATCH.

Understanding Semver for Charts

Practical Example: Versioning Your AI Agent Chart

Scenario 1: Fix indentation bug in service template

Scenario 2: Add optional monitoring sideca (optional feature)

Scenario 3: Add required field in values.yaml (for security context)

Version Tags in Registries

Output:

---

Concept 8: Installing Charts Directly from OCI URLs

Instead of downloading then installing, install directly from OCI URLs.

Installing from OCI

Output:

Upgrading from OCI URLs

Output:

---

Concept 9: Using OCI URLs in Chart Dependencies

In Lesson 4 (Chart Dependencies), you used HTTP URLs to reference external charts. You can also reference them via OCI.

Declaring OCI Dependencies in Chart.yaml

Updating Dependencies with OCI URLs

Output:

Mixed HTTP and OCI Dependencies

You can mix HTTP (traditional Helm repos) and OCI in the same chart:

Output:

---

Checkpoint: Versioning & Integration

You've learned production-grade versioning and chart composition strategies.

Quick Reference:

Self-Check Questions:

1. When should you bump the MAJOR version of a Helm chart?

   • Answer: When making breaking changes (new required fields, changed chart name, incompatible template changes)

2. Can you install a chart from an OCI registry without downloading it first?

   • Answer: Yes, helm install and helm upgrade accept OCI URLs directly

3. What's the advantage of using OCI URLs in Chart.yaml dependencies instead of HTTP repository URLs?

   • Answer: Unified authentication, same registry as container images, simpler infrastructure

If you can't answer these, review Concepts 7-9 before continuing.

---

Common Mistakes

Before starting the exercises, avoid these frequent errors:

Mistake 1: Forgetting to Authenticate Before Push

Wrong:

Right:

Why: Private registries (and even public pushes) require authentication. Always helm registry login before pushing.

---

Mistake 2: Mismatched Chart Version and Tag

Wrong:

Right:

Why: The version in Chart.yaml determines both the .tgz filename and the registry tag. Keep them synchronized.

---

Mistake 3: Using Docker Pull on Helm Charts

Wrong:

Right:

Why: Helm charts are stored in OCI registries but aren't Docker images. Use helm pull, not docker pull.

---

Mistake 4: Including Trailing Slash Incorrectly in OCI URLs

Wrong:

Right:

Why: helm push expects a repository path (directory), while helm pull and helm install expect a full artifact reference (chart name + version).

---

Mistake 5: Reusing Version Numbers After Pushing

Wrong:

Right:

Why: Reusing versions creates ambiguity. Consumers can't tell if they have the buggy or fixed version. Follow semantic versioning: always bump version for changes.

---

Exercise 1: Package Your Chart

Create a simple chart and package it:

Output:

---

Exercise 2: Create a Docker Hub Account (Public Registry)

For learning, use a public registry to avoid authentication complexity:

1. Go to https://hub.docker.com

2. Click "Sign up"

3. Create account: username, email, password

4. Verify email

5. On your local machine:

   bash

   WrapCopy

   helm registry login docker.io # Use your Docker Hub username and password

Output:

---

Exercise 3: Push Your Chart to OCI

Using the packaged chart and Docker Hub credentials:

Output:

---

Exercise 4: Pull Your Chart from OCI

Download your published chart:

Output:

---

Exercise 5: Install Directly from OCI URL

Deploy using the OCI chart reference without downloading first:

Output:

---

Exercise 6: Update Chart and Push a New Version

Modify your chart and publish version 1.1.0:

Output:

---

Note: Local Registry for Private/Development Environments

If you don't have access to Docker Hub or prefer to keep charts private during development, you can run a local OCI registry:

Output:

---

Try With AI

Step 1: Initial Request

Ask AI to explain the differences between pushing Helm charts to OCI registries versus traditional Helm repositories:

Prompt: "Explain the key differences between distributing Helm charts via OCI registries (like Docker Hub) versus traditional Helm repositories. Why did Helm move to OCI standards?"

Step 2: Critical Evaluation

Review AI's response. Ask yourself:

• Does it explain why OCI provides a simpler distribution model?
• Does it mention shared authentication and versioning?
• Does it clarify that OCI registries store both images AND charts?

Step 3: Constraint Teaching

If AI missed important details, refine your question:

"Also explain how authentication works—what credentials do I need to push to Docker Hub for both images and Helm charts?"

Step 4: Refinement

Ask AI to validate how you'd push a chart to a private Amazon ECR registry:

"Walk me through the steps to push a Helm chart to a private ECR repository in AWS. What commands do I run, and what credentials do I need?"

Step 5: Final Check

Compare what you learned from AI to the concepts in this chapter:

• Can you explain why oci:// URLs replace HTTP repository URLs?
• Can you describe the semantic versioning strategy for charts?
• Can you walk through the complete workflow: package → authenticate → push → pull → install?
• Did AI's explanations match the examples in this chapter?

---

Reflect on Your Skill

You built a helm-chart skill in Chapter

0. Test and improve it based on what you learned.

Test Your Skill

Identify Gaps

Ask yourself:

• Did my skill use helm package to create .tgz archives?
• Did it demonstrate helm registry login authentication?
• Does it understand oci:// URL format for registries?
• Did it explain semantic versioning for chart releases?

Improve Your Skill

If you found gaps: