Store and manage Helm charts as Open Container Initiative (OCI) artifacts in a Container Registry Enterprise Edition instance. OCI artifact support in Helm was stabilized in Helm 3.7, letting registries like ACR store charts alongside container images.
Prerequisites
Before you begin, ensure that you have:
- Helm 3.7 or later installed. Run helm version to check.
- A Container Registry Enterprise Edition instance
- An Alibaba Cloud account with access to the Container Registry console
Step 1: Configure your Enterprise Edition instance
Create a namespace
- Log on to the Container Registry console.
- In the left-side navigation pane, click Instances.
- On the Instances page, click the Enterprise Edition instance you want to manage.
- In the left-side navigation pane, choose Repository > Namespace.
- Click Create Namespace.
- In the Create Namespace dialog box, set Namespace, Automatically Create Repository, and Default Configurations for Automatically Created Repositories, then click Confirm.
Create an image repository
- In the left-side navigation pane, choose Repository > Repositories.
- Click Create Repository.
- In the Repository Info step, set Namespace, Repository Name, Repository Type, Tags, Accelerated Images, Summary, and Description, then click Next.
- In the Code Source step, configure Code Source, Build Settings, and Build Rules, then click Create Repository. To confirm the repository is linked to a source code repository, click the repository on the Repositories page and check whether Build appears in the left-side navigation pane.

| Parameter | Description |
| --- | --- |
| Code Source | The source code repository to link to this image repository. |
| Automatically Build Images When Code Changes | Triggers a build automatically when code is committed to the linked branch. |
| Build With Servers Deployed Outside Chinese Mainland | Builds images on servers outside the Chinese mainland. Enable this if your Dockerfile references resources outside the Chinese mainland and the cross-border connection is unstable. |
| Build Without Cache | Pulls the base image fresh on every build. Disable to speed up builds by reusing cached layers. |
Configure an access credential
Set a password as the access credential for your Enterprise Edition instance.
- In the left-side navigation pane, choose Instances > Access Credential.
- Click Set Password.
- In the Set Password dialog box, enter and confirm your password, then click Confirm.
You can also use a temporary token as the access credential instead of a password.
Configure access policies
Enable Internet access so that charts can be pushed to and pulled from the instance.
- In the left-side navigation pane, choose Repository > Access Control.
- Click the Internet tab.
- Turn on Access Portal, then click Add Internet Whitelist.
- In the Add Internet Whitelist dialog box, specify the CIDR block to allow and an optional description, then click Confirm.
To use VPC access instead of Internet access, see Configure a VPC ACL.
(Optional) Enable anonymous pull
Turn on Pull from Anonymous Users to allow anyone to pull charts from public repositories in this instance without logging on.
- Log on to the Container Registry console.
- In the top navigation bar, select a region.
- In the left-side navigation pane, click Instances.
- Click the Enterprise Edition instance you want to manage.
- On the Overview page, in the Instance Settings section, turn on Pull from Anonymous Users.
- In the Tips dialog box, click Confirm.
Step 2: Push and pull charts
Enable OCI support
Run the following command to enable OCI artifact support in Helm 3.7:
export HELM_EXPERIMENTAL_OCI=1
Log on to the instance
Replace <registry-logon-name> with your Alibaba Cloud account, and replace <instance-name> and <region-id> with your instance details.
helm3 registry login -u <registry-logon-name> <instance-name>-registry.cn-<region-id>.cr.aliyuncs.com
When prompted, enter the password you set in the previous step.
Example:
helm3 registry login -u acr_test_***@test.aliyunid.com ***-registry.cn-hangzhou.cr.aliyuncs.com
If Pull from Anonymous Users is enabled on the Overview page, you can pull charts from public repositories without logging on.
Create and package a chart
- Create a sample HelloWorld chart:
  helm3 create helloworld
- Package the chart directory into a compressed archive:
  tar -zcvf test.tgz helloworld
Push a chart
The OCI URI for pushing must end with the namespace, not the repository name. The repository name is read from the chart package itself.
helm3 push test.tgz oci://<instance-name>-registry.cn-<region-id>.cr.aliyuncs.com/<namespace>
Example:
helm3 push test.tgz oci://***-registry.cn-hangzhou.cr.aliyuncs.com/test
Pull and install a chart
The OCI URI for pulling must end with the repository name, followed by --version to specify the image tag.
- Pull the chart package:
  helm3 pull oci://<instance-name>-registry.cn-<region-id>.cr.aliyuncs.com/<namespace>/<repository-name> --version <image-tag>
  Example:
  helm3 pull oci://***-registry.cn-hangzhou.cr.aliyuncs.com/test/trem --version helloworld
- Decompress the chart package:
  tar -xzvf helloworld-<image-tag>.tgz
- Install the chart:
  helm install helloworld ./helloworld
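
The push rule (URI ends at the namespace) and the pull rule (URI adds the repository name, plus --version) can both be derived from the chart archive before anything is sent to the registry. The shell script below is an added example, not part of the original documentation. It assumes Helm's standard behaviour of taking the repository name and tag from the name and version fields of Chart.yaml; the registry host, namespace and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example. Host, namespace and function names are constructed.

# Print a top-level key (name or version) from the Chart.yaml inside a
# chart archive, streaming it out without unpacking to disk.
chart_field() {  # usage: chart_field <archive.tgz> <key>
    member=$(tar -tzf "$1" | grep -E '^[^/]+/Chart\.yaml$' | head -n 1)
    [ -n "$member" ] || { echo "no Chart.yaml in $1" >&2; return 1; }
    tar -xzOf "$1" "$member" |
        sed -n "s/^$2:[[:space:]]*//p" | head -n 1 | tr -d "\"'\r"
}

# Push target: registry host plus namespace, never the repository name.
push_uri() {  # usage: push_uri <host> <namespace>
    case "$2" in
        ''|*/*) echo "namespace must be one path segment" >&2; return 1 ;;
    esac
    printf 'oci://%s/%s\n' "$1" "$2"
}

# Pull arguments: push target + chart name, with the chart version as tag.
pull_args() {  # usage: pull_args <host> <namespace> <archive.tgz>
    name=$(chart_field "$3" name) || return 1
    version=$(chart_field "$3" version) || return 1
    base=$(push_uri "$1" "$2") || return 1
    [ -n "$name" ] && [ -n "$version" ] || return 1
    printf '%s/%s --version %s\n' "$base" "$name" "$version"
}

# Build a constructed sample archive (Chart.yaml only); prints its path.
make_sample_chart() {  # usage: make_sample_chart <dir>
    mkdir -p "$1/helloworld"
    printf 'apiVersion: v2\nname: helloworld\nversion: 0.1.0\n' \
        > "$1/helloworld/Chart.yaml"
    tar -czf "$1/test.tgz" -C "$1" helloworld
    echo "$1/test.tgz"
}

host=myinstance-registry.cn-hangzhou.cr.aliyuncs.com   # constructed
work=$(mktemp -d)
archive=$(make_sample_chart "$work")
echo "helm3 push $archive $(push_uri "$host" test)"
echo "helm3 pull $(pull_args "$host" test "$archive")"
rm -rf "$work"
```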
What's next
- Configure a VPC ACL to restrict instance access to specific VPCs