GitOps with FluxCD
Helm Controller and OCI Registry
What are OCI Artifacts
In this guide, you’ll discover how OCI Artifacts simplify storing and distributing a variety of Kubernetes-related resources in a single, unified registry. By leveraging any OCI-compliant registry, you benefit from consistent authentication, authorization, and versioning across:
- Container images
- Helm charts
- Kubernetes manifests
- Kustomize overlays
- OPA policies
Traditional vs. OCI-Based Storage
Resource Type | Traditional Storage | Unified OCI Registry
---|---|---
Container images | Container registries | OCI-compliant registry
Helm charts | Artifact Hub or Helm registries | OCI-compliant registry
Kubernetes manifests & overlays | Git repositories | OCI-compliant registry
OPA policies | Open Policy Registry | OCI-compliant registry
Note
An OCI registry implements the OCI Distribution Specification, enabling you to store any artifact type beyond container images.
OCI Registries and Repositories
An OCI Registry is a server-side component that hosts one or more repositories, each containing multiple artifacts at various tags or digests.
- Registry → Repository → Artifact
- Artifacts can be images, charts, manifests, or any OCI-compatible payload
Next, we’ll walk through pushing three artifact types (Docker images, Helm charts, and plain Kubernetes manifests) to GitHub Container Registry (ghcr.io). The workflow applies equally to Azure, GCR, ECR, and other OCI-compliant registries.
1. Pushing a Docker Image
- Authenticate with the registry.
- Tag your local image.
- Push it upstream.
# 1. Log in to ghcr.io
#    Docker warns that --password on the CLI is insecure: the token ends up in shell
#    history and in the process list. The equivalent that avoids this is:
#    echo "$GH_PERSONAL_ACCESS_TOKEN" | docker login ghcr.io --username sidd-harth --password-stdin
docker login ghcr.io \
--username sidd-harth \
--password <GH_PERSONAL_ACCESS_TOKEN>
# 2. Verify local image
docker images nginx
# REPOSITORY TAG IMAGE ID CREATED SIZE
# 3. Tag for ghcr.io
docker tag nginx ghcr.io/sidd-harth/nginx:1.1.0
# 4. Push the tagged image
docker push ghcr.io/sidd-harth/nginx:1.1.0
# The push refers to repository [ghcr.io/sidd-harth/nginx]
# 1.1.0: digest sha256:6ad839ec10c687385 size: 1570
Warning
Never commit your Personal Access Token or other credentials to version control. Store them securely with your CI/CD secrets manager.
2. Pushing a Helm Chart
- Generate a new chart.
- Package it into a .tgz.
- Authenticate via Helm.
- Push to the OCI registry.
# 1. Create a chart named "app1"
helm create app1
# 2. Package the chart
helm package app1
# 3. Log in to ghcr.io with Helm
#    As with docker login, --password-stdin keeps the token out of shell history:
#    echo "$GH_PERSONAL_ACCESS_TOKEN" | helm registry login ghcr.io --username sidd-harth --password-stdin
helm registry login ghcr.io \
--username sidd-harth \
--password <GH_PERSONAL_ACCESS_TOKEN>
# 4. Push the chart to OCI (the archive name and pushed tag come from name/version in Chart.yaml)
helm push app1-1.0.0.tgz oci://ghcr.io/sidd-harth/nginx
# Pushed: ghcr.io/sidd-harth/nginx/app1:1.0.0
# Digest: sha256:81de917eaf38536b1145bdde2984d2cfd14
3. Publishing Plain Kubernetes Manifests
Bundle your plain YAML manifests as an OCI artifact using the Flux CLI.
# Example directory layout
tree nginx/
├── manifests
│ ├── deployment.yaml
│ └── service.yaml
- Ensure you’re logged in (via Docker).
- Push the manifest directory.
# 1. Authenticate (if not already); flux push artifact reuses the Docker credential store
#    (prefer --password-stdin here too, so the token stays out of shell history)
docker login ghcr.io \
--username sidd-harth \
--password <GH_PERSONAL_ACCESS_TOKEN>
# 2. Push manifests as OCI artifact
flux push artifact oci://ghcr.io/sidd-harth/nginx-2:$(git rev-parse --short HEAD) \
--path="./nginx/manifests" \
--source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)-$(git rev-parse HEAD)"
# ✓ pushing to ghcr.io/sidd-harth/nginx-2:1b31558
# artifact successfully pushed to ghcr.io/sidd-harth/nginx-2@sha256:235b486d4f4a38f0151
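Every push above ends with a digest, and the registry → repository → artifact model from earlier means an artifact can be addressed either by a mutable tag or by that immutable digest. The following shell script is an added example, not code from the page or from Flux: it parses references in the form [oci://]registry/repository[:tag][@sha256:hex] (including registries with a port), pulls the digest-qualified reference out of the "artifact successfully pushed to" line that flux push artifact prints, and renders a Flux OCIRepository that pins to the digest instead of the tag. The sample digest and push line are constructed placeholders; the OCIRepository field names follow the Flux source-controller API (source.toolkit.fluxcd.io/v1beta2), while the flux-system namespace and 10m interval are assumptions.

```shell
#!/bin/sh
# Added example: parse and digest-pin OCI references of the form
#   [oci://]<registry>/<repository>[:<tag>][@sha256:<64 hex>]
# All sample values in this file are constructed; the digests are not real artifact digests.

# Print "registry repository tag digest" for REF ("-" marks an absent tag or digest).
# Returns 1 when REF has no repository path or carries a malformed digest.
parse_oci_ref() {
  local ref rest registry repository tag digest
  ref=${1#oci://}                 # helm and flux prefix references with oci://
  tag=-; digest=-
  case $ref in
    */*) ;;
    *) echo "parse_oci_ref: no repository path in '$1'" >&2; return 1 ;;
  esac
  registry=${ref%%/*}             # host[:port], everything up to the first slash
  rest=${ref#*/}                  # repository[:tag][@digest]
  case $rest in
    *@*) digest=${rest#*@}; rest=${rest%%@*} ;;   # strip the digest before looking for a tag
  esac
  case $rest in
    *:*) tag=${rest##*:}; rest=${rest%:*} ;;      # only the path is inspected, so a registry port is safe
  esac
  repository=$rest
  if [ "$digest" != - ] && ! printf '%s' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
    echo "parse_oci_ref: malformed digest '$digest' (expected sha256: plus 64 hex chars)" >&2
    return 1
  fi
  printf '%s %s %s %s\n' "$registry" "$repository" "$tag" "$digest"
}

# Read flux push output on stdin and print the digest-qualified reference it reports.
ref_from_push_log() {
  sed -n 's/.*artifact successfully pushed to \([^ ]*\).*/\1/p' | head -n 1
}

# Replace the mutable tag of REF (arg 1) with DIGEST (arg 2), producing an oci:// URL.
pin_by_digest() {
  local parsed digest
  digest=$2
  parsed=$(parse_oci_ref "$1") || return 1
  printf '%s' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' \
    || { echo "pin_by_digest: malformed digest '$digest'" >&2; return 1; }
  set -- $parsed                  # registry repository tag digest
  printf 'oci://%s/%s@%s\n' "$1" "$2" "$digest"
}

# Render an OCIRepository that pulls by digest, so the cluster receives exactly the
# artifact that was pushed. Refuses references that are only tagged.
render_oci_repository() {
  local name parsed
  name=$1
  parsed=$(parse_oci_ref "$2") || return 1
  set -- $parsed                  # registry repository tag digest
  [ "$4" != - ] || { echo "render_oci_repository: '$2' is not digest-pinned" >&2; return 1; }
  cat <<EOF
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: $name
  namespace: flux-system
spec:
  interval: 10m
  url: oci://$1/$2
  ref:
    digest: $4
EOF
}

# Constructed sample: the line flux push prints, with a placeholder digest.
SAMPLE_DIGEST=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_PUSH_LOG="artifact successfully pushed to ghcr.io/sidd-harth/nginx-2@$SAMPLE_DIGEST"

pinned=$(printf '%s\n' "$SAMPLE_PUSH_LOG" | ref_from_push_log)
parse_oci_ref "$pinned"
render_oci_repository nginx-manifests "$pinned"
```

The digest check deliberately rejects the shortened digests shown in the sample output above, since a truncated digest cannot be verified against the blob a registry serves; only the full 64-hex value pins the artifact.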
What’s Next?
With your artifacts stored in an OCI registry, you can integrate any GitOps tool, such as Flux, to pull, verify, and deploy them into your Kubernetes clusters.
Links and References
- Open Container Initiative (OCI)
- OCI Distribution Specification
- GitHub Container Registry
- Helm OCI Registry Support
- Flux CLI: push artifact