Storing Helm Charts in an Azure Container Registry (ACR) can be beneficial if you also intend to store you container images within the same registry. This allows use of a single artifact store for your products and a single point of reference.
Prior to Helm v3, the standard way of storing helm charts was using a Chart Repository. However since Helm 3 was released, Open Container Initiative (OCI) support was added as an experimental storage option whilst the implementation was still being designed. This allowed consistency between packaging Docker images and Helm Charts and the underlying registry hosting implementations could stay the same to support both.
Helm 3.8 finally announced the long awaited general availability of support from OCI, 2 years after the initial announcement for the experimental support.
If you have been developing Helm charts since Helm v2 there have been some notable, breaking changes in the Cli that if you have been on the bleeding edge of testing out OCI support, it has been an interesting journey! Below points out the main differences in commands you need to use between versions:
| Option | Helm 2 | Helm 3.0 -> 3.6 | Helm 3.7 | Helm 3.8 |
|---|---|---|---|---|
| OCI Format | ❌ | ✅** | ✅** | ✅ |
| Package | helm package | helm package helm chart save | helm package | helm package |
| Pull Chart | helm fetch | helm chart pull helm chart export | helm pull | helm pull |
| Push Chart | az acr helm push | helm chart push | helm push | helm push |
** Introduced with expiremental support, by setting HELM_EXPERIMENTAL_OCI=1
Helm 2
No support for OCI in this version.
Packaging a chart saves it in tar/gzip format and can then be hosted in a Chart Repository. Azure container registry provided initial support for storing in the Chart Repository format using azure cli commands. This allowed you to interact with the ACR to push/pull charts but with the caveat that you could not see the charts in the Azure Portal as it was not supported.
| Option | Command |
|---|---|
| Package Chart | helm package |
| Pull Chart | helm fetch |
| Push Chart | az acr helm push |
Helm 2 - Package and Push
Below shows the steps on how to package a local helm chart and push to a remote ACR.
# 1. Package your chart locally
helm package [CHART_PATH]
# 2. Login to Azure Cli
az login
# 3. Push your chart to the ACR
az acr helm push -n [ACR_NAME] [CHART_PATH]
Helm 2 - Pull and Deploy
Below describes how to deploy a chart stored in an ACR.
# 1. Log into Azure Cli
az login
# 2. Authenticate to the remote container registry
az acr helm repo add --name [ACR_NAME]
# 3. Review and update locally configured registries
helm repo list
helm repo update
# 4. Deploy helm chart
helm install [ACR_NAME]/[CHART_NAME]
These methods above can also be used for Helm 3. However, It is no longer recommended to use this option and will eventually be deprecated both by Azure & Helm.
Helm 3.0 -> 3.6
Helm 3 introduced initial implemental for the OCI format with experiemental support. To enable the commands in the Cli, it required setting an environment variable HELM_EXPERIMENTAL_OCI=1.
As OCI support was also added in ACR, this means you could continue to push/pull you charts from the registry as before. However, as it is now in the same format as your container images, you can see them in the Azure portal!
As storing the charts in ACR required authentication. Helm added functionality to log into an OCI compatiable registry using helm registry login. For ACR it must either be through a Service Principal that has permissions set on the registry or the Registry Admin Credentials (not recommended).
| Option | Command |
|---|---|
| Package Chart | helm chart save |
| Pull Chart | helm chart pull |
| Push Chart | helm chart push |
Helm 3.0 - Package and Push
# 1. Save Chart Locally and then in helm OCI cache
helm package [CHART_PATH]
helm chart save [CHART_PACKAGE_PATH] [REF] # myacr.azurecr.io/helm/my-chart:v1
# 2. Log into Registry
helm registry login [REGISTRY_URL] --username [USERNAME] --password [PASSWORD]
# 3. Push chart to repository
helm chart push [REF] # myacr.azurecr.io/helm/my-chart:v1
Helm 3.0 - Pull and Deploy
# 1. Log into Registry
helm registry login [REGISTRY_URL] --username [USERNAME] --password [PASSWORD]
# 2. Pull Chart from Registry
helm chart pull [REF] # myacr.azurecr.io/helm/my-chart:v1
# 3. Export from OCI cache to local tar/gzip
helm chart export [REF] # myacr.azurecr.io/helm/my-chart:v1
# 4. Deploy chart from local export
helm install [CHART_PATH]
Helm 3.7
In helm 3.7 OCI format was still in experiemental support, which meant the environment variable HELM_EXPERIMENTAL_OCI=1 was still required.
One of the notable breaking changes in this release version was the dropped chart sub commands. Also the dependency on a local helm chart cache was no longer needed which previously required an extra step in the process.
Lastly, one other breaking change in this release version was the change in the media type used to store the chart content layer. This was not recognized as an official media type by the IANA, meaning the chart content layer was changed from application/tar+gzip to application/vnd.cncf.helm.chart.content.v1.tar+gzip and helm 3.7 would no longer work with the older media type. If you had Helm charts stored in the older format, you would need to re-package and re-upload them with a newer version of helm.
| Option | Command |
|---|---|
| Package Chart | helm package |
| Pull Chart | helm pull |
| Push Chart | helm push |
Helm 3.7 - Package and Push
# 1. Package Chart
helm package [CHART_PATH] --version [VERSION]
# 2. Log into Registry
helm registry login [REGISTRY_URL] --username [USERNAME] --password [PASSWORD]
# 3. Push chart to repository
helm push [CHART_PACKAGE_PATH] [REMOTE] # oci://myacr.azurecr.io/helm/my-chart:v1
Helm 3.7 - Pull and Deploy
# 1. Log into Registry
helm registry login [REGISTRY_URL] --username [USERNAME] --password [PASSWORD]
# 2. Install chart directly from OCI store
# REF example: oci://myacr.azurecr.io/helm/my-chart
helm install [RELEASE_NAME] [REF] --version [VERSION]
Helm 3.8 and beyond
Finally in helm 3.8 the requirement for HELM_EXPERIMENTAL_OCI=1 was dropped. This is the GA implementation of OCI support and the recommended way of storing charts.
There were some small, final breaking changes noted here in this version.
One notable feature added in this version was the fact helm now uses the same structure for logging into a registry as Docker. This means the credentials were interchangeable and you could use az acr login to login to an Azure Container Registry for both Charts and container images.
| Option | Command |
|---|---|
| Package Chart | helm package |
| Pull Chart | helm pull |
| Push Chart | helm push |
Helm 3.8 - Package and Push
# 1. Package Chart
helm package [CHART_PATH] --version [VERSION]
# 2. Log into Azure Cli and Registry
az login
az acr login --name [REGISTRY_NAME]
# 3. Push chart to repository
helm push [CHART_PACKAGE_PATH] [REMOTE] # oci://myacr.azurecr.io/helm/my-chart:v1
Helm 3.8 - Pull and Deploy
# 1. Log into Azure Cli and Registry
az login
az acr login --name [REGISTRY_NAME]
# 2. Install chart directly from OCI store
# REF example: oci://myacr.azurecr.io/helm/my-chart
helm install [RELEASE_NAME] [REF] --version [VERSION]
Summary
As you can see, the final implementation of storing and using Helm Charts in ACR was made a lot simpler by the final implementation. But for an early adopter of the OCI format, it was a bit of a wild ride to try and keep up with the changes!
