Skip to main content

Helm Charts in Azure Container Registry

· 7 min read

Storing Helm Charts in an Azure Container Registry (ACR) can be beneficial if you also intend to store you container images within the same registry. This allows use of a single artifact store for your products and a single point of reference.

Prior to Helm v3, the standard way of storing helm charts was using a Chart Repository. However since Helm 3 was released, Open Container Initiative (OCI) support was added as an experimental storage option whilst the implementation was still being designed. This allowed consistency between packaging Docker images and Helm Charts and the underlying registry hosting implementations could stay the same to support both.

Helm 3.8 finally announced the long awaited general availability of support from OCI, 2 years after the initial announcement for the experimental support.

If you have been developing Helm charts since Helm v2 there have been some notable, breaking changes in the Cli that if you have been on the bleeding edge of testing out OCI support, it has been an interesting journey! Below points out the main differences in commands you need to use between versions:

OptionHelm 2Helm 3.0 -> 3.6Helm 3.7Helm 3.8
OCI Format✅**✅**
Packagehelm packagehelm package helm chart savehelm packagehelm package
Pull Charthelm fetchhelm chart pull helm chart exporthelm pullhelm pull
Push Chartaz acr helm pushhelm chart pushhelm pushhelm push

** Introduced with expiremental support, by setting HELM_EXPERIMENTAL_OCI=1

Helm 2

No support for OCI in this version.

Packaging a chart saves it in tar/gzip format and can then be hosted in a Chart Repository. Azure container registry provided initial support for storing in the Chart Repository format using azure cli commands. This allowed you to interact with the ACR to push/pull charts but with the caveat that you could not see the charts in the Azure Portal as it was not supported.

OptionCommand
Package Charthelm package
Pull Charthelm fetch
Push Chartaz acr helm push

Helm 2 - Package and Push

Below shows the steps on how to package a local helm chart and push to a remote ACR.

# 1. Package your chart locally
helm package [CHART_PATH]

# 2. Login to Azure Cli
az login

# 3. Push your chart to the ACR
az acr helm push -n [ACR_NAME] [CHART_PATH]

Helm 2 - Pull and Deploy

Below describes how to deploy a chart stored in an ACR.

# 1. Log into Azure Cli
az login

# 2. Authenticate to the remote container registry
az acr helm repo add --name [ACR_NAME]

# 3. Review and update locally configured registries
helm repo list
helm repo update

# 4. Deploy helm chart
helm install [ACR_NAME]/[CHART_NAME]

These methods above can also be used for Helm 3. However, It is no longer recommended to use this option and will eventually be deprecated both by Azure & Helm.

Helm 3.0 -> 3.6

Helm 3 introduced initial implemental for the OCI format with experiemental support. To enable the commands in the Cli, it required setting an environment variable HELM_EXPERIMENTAL_OCI=1.

As OCI support was also added in ACR, this means you could continue to push/pull you charts from the registry as before. However, as it is now in the same format as your container images, you can see them in the Azure portal!

As storing the charts in ACR required authentication. Helm added functionality to log into an OCI compatiable registry using helm registry login. For ACR it must either be through a Service Principal that has permissions set on the registry or the Registry Admin Credentials (not recommended).

OptionCommand
Package Charthelm chart save
Pull Charthelm chart pull
Push Charthelm chart push

Helm 3.0 - Package and Push

# 1. Save Chart Locally and then in helm OCI cache
helm package [CHART_PATH]
helm chart save [CHART_PACKAGE_PATH] [REF] # myacr.azurecr.io/helm/my-chart:v1

# 2. Log into Registry
helm registry login [REGISTRY_URL] --username [USERNAME] --password [PASSWORD]

# 3. Push chart to repository
helm chart push [REF] # myacr.azurecr.io/helm/my-chart:v1

Helm 3.0 - Pull and Deploy

# 1. Log into Registry
helm registry login [REGISTRY_URL] --username [USERNAME] --password [PASSWORD]

# 2. Pull Chart from Registry
helm chart pull [REF] # myacr.azurecr.io/helm/my-chart:v1

# 3. Export from OCI cache to local tar/gzip
helm chart export [REF] # myacr.azurecr.io/helm/my-chart:v1

# 4. Deploy chart from local export
helm install [CHART_PATH]

Helm 3.7

In helm 3.7 OCI format was still in experiemental support, which meant the environment variable HELM_EXPERIMENTAL_OCI=1 was still required.

One of the notable breaking changes in this release version was the dropped chart sub commands. Also the dependency on a local helm chart cache was no longer needed which previously required an extra step in the process.

Lastly, one other breaking change in this release version was the change in the media type used to store the chart content layer. This was not recognized as an official media type by the IANA, meaning the chart content layer was changed from application/tar+gzip to application/vnd.cncf.helm.chart.content.v1.tar+gzip and helm 3.7 would no longer work with the older media type. If you had Helm charts stored in the older format, you would need to re-package and re-upload them with a newer version of helm.

OptionCommand
Package Charthelm package
Pull Charthelm pull
Push Charthelm push

Helm 3.7 - Package and Push

# 1. Package Chart
helm package [CHART_PATH] --version [VERSION]

# 2. Log into Registry
helm registry login [REGISTRY_URL] --username [USERNAME] --password [PASSWORD]

# 3. Push chart to repository
helm push [CHART_PACKAGE_PATH] [REMOTE] # oci://myacr.azurecr.io/helm/my-chart:v1

Helm 3.7 - Pull and Deploy

# 1. Log into Registry
helm registry login [REGISTRY_URL] --username [USERNAME] --password [PASSWORD]

# 2. Install chart directly from OCI store
# REF example: oci://myacr.azurecr.io/helm/my-chart
helm install [RELEASE_NAME] [REF] --version [VERSION]

Helm 3.8 and beyond

Finally in helm 3.8 the requirement for HELM_EXPERIMENTAL_OCI=1 was dropped. This is the GA implementation of OCI support and the recommended way of storing charts.

There were some small, final breaking changes noted here in this version.

One notable feature added in this version was the fact helm now uses the same structure for logging into a registry as Docker. This means the credentials were interchangeable and you could use az acr login to login to an Azure Container Registry for both Charts and container images.

OptionCommand
Package Charthelm package
Pull Charthelm pull
Push Charthelm push

Helm 3.8 - Package and Push

# 1. Package Chart
helm package [CHART_PATH] --version [VERSION]

# 2. Log into Azure Cli and Registry
az login
az acr login --name [REGISTRY_NAME]

# 3. Push chart to repository
helm push [CHART_PACKAGE_PATH] [REMOTE] # oci://myacr.azurecr.io/helm/my-chart:v1

Helm 3.8 - Pull and Deploy

# 1. Log into Azure Cli and Registry
az login
az acr login --name [REGISTRY_NAME]

# 2. Install chart directly from OCI store
# REF example: oci://myacr.azurecr.io/helm/my-chart
helm install [RELEASE_NAME] [REF] --version [VERSION]

Summary

As you can see, the final implementation of storing and using Helm Charts in ACR was made a lot simpler by the final implementation. But for an early adopter of the OCI format, it was a bit of a wild ride to try and keep up with the changes!

RollerCoaster