All Products
Search
Document Center

Container Registry:Push and pull charts with Helm 3.7 or later

Last Updated:Apr 29, 2026

In Helm 3, charts are pushed to and pulled from an OCI-compliant registry. An OCI registry stores and manages charts on resources such as a local file system, a network server, or cloud storage. Starting from Helm 3.7, charts are handled as OCI artifacts. An OCI (Open Container Initiative) artifact is a standard format for storing and distributing container-related files.

Step 1: Configure a Container Registry Enterprise Edition instance

  1. Create a namespace.

    1. Log on to the Container Registry console.

    2. In the left-side navigation pane, click Instances.

    3. On the Instances page, click the Enterprise Edition instance that you want to manage.

    4. On the management page of the instance, choose Repositories > Namespace.

    5. On the Namespace page, click Create Namespace.

    6. In the Create Namespace panel, enter a Namespace name, specify whether to enable Automatically Create Repository, and then click Confirm.

  2. Create an image repository.

    1. On the management page of the instance, choose Repository > Repositories.

    2. On the Repositories page, click Create Repository.

    3. In the Repository Info wizard, configure Namespace, Repository Name, Repository Type, Image Version, Accelerated Image, Summary, and Description. Then, click Next.

    4. In the Code Source wizard, configure Code Source, Build Settings, and Build Rules. Then, click Create Repository.

      Parameter

      Description

      Code Source

      Select a code source.

      Build Settings

      • Automatically build images when code changes: Automatically triggers an image build when code is committed to a branch.

      • Build With Servers Deployed Outside Chinese Mainland: Builds images on servers that are located outside the Chinese mainland and pushes the built images to the specified region. If the Dockerfile in your project needs to download files from sites outside the Chinese mainland and the cross-border network is unstable, enable Build With Servers Deployed Outside Chinese Mainland.

      • Build Without Cache: Forces a fresh pull of the base dependency images for every build, which may increase the build time. Turn off Build Without Cache to speed up image builds.

      On the Repositories page, click the target image repository. If Build appears in the left-side navigation pane, the image repository is successfully bound to the source code repository.

  3. Configure an access credential.

    Set a fixed or temporary password as the access credential. The following steps describe how to set a fixed password.

    1. On the management page of the instance, choose Instances > Access Credentials.

    2. On the Access Credentials page, click Set Password.

    3. In the Set Password dialog box, enter a password in the Password and Confirm Password fields, and click Confirm.

  4. Configure an access control policy.

    Enable internet access or add a specified VPC to enable access over a VPC so that you can upload images. This topic provides an example of how to configure internet access control. For more information about how to configure VPC access control, see Configure VPC access control.

    1. On the management page of the instance, choose Repository > Access Control.

    2. On the Access Control page, click the Internet tab.

    3. On the Internet tab, turn on Enable Access over Internet and click Add Internet Whitelist.

    4. In the Add Internet Whitelist dialog box, enter the allowed CIDR blocks and a description. Then, click Confirm.

  5. Turn on the Pull from Anonymous Users switch. (Optional)

    After you enable the Pull from Anonymous Users switch, you can pull images from public image repositories without logging in.

    1. Log on to the Container Registry console.

    2. In the top navigation bar, select a region.

    3. In the left-side navigation pane, click Instances.

    4. On the Instances page, click the Enterprise Edition instance that you want to manage.

    5. On the Overview page, in the Instance Settings section, turn on the Pull from Anonymous Users switch.

    6. In the Tips dialog box, click Confirm.

Step 2: Push and pull a chart

  1. Run the following command to enable the experimental OCI feature for your Helm 3.7 or later client.

    export HELM_EXPERIMENTAL_OCI=1
  2. Run the following command to log on to the Container Registry Enterprise Edition instance.

    Use your Alibaba Cloud account name as the username.

    Note

    If you push and pull charts from a public chart repository, you can enable the Overview switch on the Pull from Anonymous Users page in the Container Registry console. Then, you can pull charts from the public chart repository without logging on.

    helm3 registry login -u <registry-logon-name> <instance-name>-registry.cn-<region>.cr.aliyuncs.com

    Example:

    helm3 registry login -u acr_test_***@test.aliyunid.com ***-registry.cn-hangzhou.cr.aliyuncs.com

    When prompted, enter the fixed password that you configured.

  3. Run the following command to create a helloworld chart.

    helm3 create helloworld
  4. Run the following command to package the chart directory into a gzipped tar archive.

    tar -zcvf test.tgz helloworld
  5. Push and pull the chart.

    • Push the chart package to the image repository.

    • Note

      The push URI must specify the path to the namespace. The repository name is derived from the chart package.

      helm3 push test.tgz oci://<instance-name>-registry.cn-<region>.cr.aliyuncs.com/<namespace>

      Example:

      helm3 push test.tgz oci://***-registry.cn-hangzhou.cr.aliyuncs.com/test
    • Pull the chart package from the image repository.

      1. Run the following command to pull the chart package from the image repository.

      2. Note

        The pull URI must specify the path to the repository.

        helm3 pull oci://<instance-name>-registry.cn-<region>.cr.aliyuncs.com/<namespace-name>/<repository-name> --version <image-tag>

        Example:

        helm3 pull oci://***-registry.cn-hangzhou.cr.aliyuncs.com/test/trem --version helloworld
      3. Run the following command to decompress the chart package.

      4. tar -xzvf helloworld-[image-tag].tgz
      5. Run the following command to install the chart.

        helm3 install helloworld ./helloworld