Helm in Practice

Chart Repositories vs. OCI Registries

Even if the purpose of both Helm chart repositories and OCI registries is to store and distribute Helm charts, there are some differences between the two approaches, but the main one is that Helm chart repositories are specifically designed for Helm charts, while OCI registries are a more general-purpose solution that can store various types of container images and artifacts, including Helm charts.

Another notable difference is that using a repository is a more established and widely adopted method for distributing Helm charts, while OCI registries are a relatively new addition to the Helm ecosystem. Thus, some tools and services may not yet fully support OCI registries for Helm charts. This is changing rapidly as OCI adoption grows and they are becoming the standard for Helm chart distribution.

Indeed, the repository approach is the old-style system based on a simple HTTP server that hosts an index.yaml file and chart archives (.tgz files). In contrast, the OCI approach is the modern method that reuses the container registry protocol.

These differences can impact the way you manage your charts.

Artifact Hub, a popular public web-based application that enables finding, installing, and publishing Helm charts, offers both classic Helm repositories and OCI registries. For example, the WordPress chart created by Bitnami is available in both formats.

Let's say we want to deploy WordPress v28.0.2 using Helm. These are the two ways to pull the chart and install it:

With classic Helm repositories, you must add a repository, then update it locally:

# Pull the WordPress chart from the Bitnami repository (classic Helm repo)
helm repo add bitnami https://charts.bitnami.com/bitnami

helm install my-wordpress bitnami/wordpress --version 28.0.2

# Delete the release after testing
helm uninstall my-wordpress

# Delete the repository if you don't need it anymore
helm repo remove bitnami

With OCI registries, you don't need to add or update anything. You log in to the registry once (if required), then you can pull or push charts directly using their full OCI URL:

# For private OCI registries, log in first
# helm registry login my-oci-registry.example.com

# Install the WordPress chart from the Bitnami OCI registry
helm install my-wordpress oci://registry-1.docker.io/bitnamicharts/wordpress \
  --version 28.0.2

# To pull the chart archive without installing it, use:
# helm pull oci://registry-1.docker.io/bitnamicharts/wordpress --version 28.0.2
# This will download the chart as a .tgz file in your current directory
# Delete the pulled chart archive if you don't need it anymore
# rm wordpress-28.0.2.tgz

# Delete the release after testing
helm uninstall my-wordpress

From a security perspective, OCI registries often provide better support for authentication and access control mechanisms, leveraging existing container registry features. The immutability of OCI artifacts also enhances security and reproducibility. Nothing prevents someone from re-uploading a chart with the same version to a classic Helm repository, which can lead to confusion and potential security risks. However, OCI artifacts are immutable, as they have an associated digest that uniquely identifies their content (SHA256 hash). This means that once a chart is pushed to an OCI registry, it cannot be modified or overwritten without changing its digest.

The following table summarizes what was explained above: