Skip to content

Add OCI publishing for Helm charts to GHCR #8878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
willianpaixao wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Add OCI publishing for Helm charts to GHCR #8878

willianpaixao wants to merge 4 commits into from
+101 −6

Conversation

@willianpaixao
Copy link

@willianpaixao willianpaixao commented Dec 3, 2025
edited
Loading

Pull Request Description

What type of PR is this?

/kind feature
/area helm-charts
/area cluster-autoscaler

What this PR does / why we need it:

This PR adds OCI (Open Container Initiative) publishing for Helm charts to GitHub Container Registry (GHCR).

Helm 3.8+ supports OCI-based chart distribution as a GA feature, and many CNCF projects have adopted this approach (e.g., prometheus-community/helm-charts). This provides users with an alternative installation method that doesn't require adding a Helm repository first.

Changes:

  • Updated .github/workflows/chart-release.yaml to push charts to GHCR after release
  • Upgraded Helm from v3.4.0 to v3.19.2 (OCI support requires 3.8+)
  • Added packages: write permission for GHCR access
  • Updated chart READMEs with OCI installation instructions

After this change, users can install charts via:

helm install my-release oci://ghcr.io/kubernetes/charts/cluster-autoscaler
helm install my-release oci://ghcr.io/kubernetes/charts/vertical-pod-autoscaler

The classic Helm repository continues to work alongside OCI.

Which issue(s) this PR fixes:

Fixes #7086

Special notes for your reviewer:

  • The implementation follows the pattern used by prometheus-community/helm-charts
  • No changes to chart structure or content are required
  • Uses the existing GITHUB_TOKEN secret already available in the workflow

Does this PR introduce a user-facing change?

Helm charts are now published as OCI artifacts to ghcr.io/kubernetes/charts. Users with Helm can install charts directly via `helm install my-release oci://ghcr.io/kubernetes/charts/cluster-autoscaler` without adding a Helm repository first.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@willianpaixao
feat: add OCI publishing for Helm charts to GHCR
6cd2e73 
Publish Helm charts as OCI artifacts to GitHub Container Registry
(ghcr.io) in addition to the classic Helm repository. This enables
users to install charts using the OCI protocol available in Helm 3.8+.

Changes:
- Add GHCR login and helm push steps to chart-release workflow
- Update chart READMEs with OCI installation instructions

Charts will be available at:
- oci://ghcr.io/kubernetes/charts/cluster-autoscaler
- oci://ghcr.io/kubernetes/charts/vertical-pod-autoscaler

Signed-off-by: Willian Paixao <willian@ufpa.br>
Copilot AI review requested due to automatic review settings December 3, 2025 13:48
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. area/helm-charts area/cluster-autoscaler cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Dec 3, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Dec 3, 2025

Welcome @willianpaixao!

It looks like this is your first PR to kubernetes/autoscaler 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/autoscaler has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Dec 3, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Dec 3, 2025

Hi @willianpaixao. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added area/vertical-pod-autoscaler size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Dec 3, 2025
Copilot AI reviewed Dec 3, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds OCI (Open Container Initiative) publishing support for Helm charts to GitHub Container Registry (GHCR), enabling users to install charts directly without adding a Helm repository first. The implementation upgrades the Helm version to support OCI features and adds new workflow steps to push released charts to GHCR.

Key changes:

  • Added OCI publishing workflow steps with GHCR authentication and chart push logic
  • Upgraded Helm from v3.4.0 to v3.19.2 and updated GitHub Actions dependencies
  • Updated chart READMEs with OCI installation instructions alongside existing Helm repository method

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

File Description
.github/workflows/chart-release.yaml Added GHCR login and chart push steps for both CA and VPA jobs; upgraded action versions and Helm version; added packages: write permission
cluster-autoscaler/charts/cluster-autoscaler/README.md Added "Using OCI Registry" section with helm install examples for both autodiscovery and manual configuration methods
vertical-pod-autoscaler/charts/vertical-pod-autoscaler/README.md Added "Installation" section with both Helm repository and OCI registry installation methods

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@willianpaixao
fix: addressing Copilot's comments
e500a25 
Signed-off-by: Willian Paixao <willian@ufpa.br>
@willianpaixao willianpaixao requested a review from Copilot December 3, 2025 14:21
Copilot AI reviewed Dec 3, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@willianpaixao
Copy link
Author

willianpaixao commented Dec 3, 2025

/assign gjtempleton

@willianpaixao
feat: add manual packaging for workflow_dispatch testing
6fb9552 
Signed-off-by: Willian Paixao <willian@ufpa.br>
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Dec 3, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: willianpaixao
Once this PR has been reviewed and has the lgtm label, please ask for approval from gjtempleton. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

adrianmoisey
adrianmoisey reviewed Dec 13, 2025
View reviewed changes
.github/workflows/chart-release.yaml
set -e
shopt -s nullglob
for pkg in .cr-release-packages/*; do
helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
Copy link
Member

@adrianmoisey adrianmoisey Dec 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that the container registry is per "owner" (ie, in our case that would be kubernetes, not kubernetes/autoscaler)

I have no idea what the permission model is around that

Copy link
Author

@willianpaixao willianpaixao Dec 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to find out whether the kubernetes org allows workflows to create new packages. This is controlled by the org's "Packages" settings. If package creation is restricted, the first push would fail and we'd need an org admin to either pre-create the package or adjust the org settings.

I can add a note in the PR description about this, or we could do a test run with workflow_dispatch to verify it works before merging. What do you think?

@adrianmoisey
Copy link
Member

adrianmoisey commented Dec 13, 2025

@jackfrancis what are your thoughts on this? I like it, but I don't know if we have permission to do it.

@willianpaixao
feat: update README.md.gotmpl
347fec8 
Signed-off-by: Willian Paixao <willian@ufpa.br>
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Dec 13, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Dec 15, 2025

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adrianmoisey adrianmoisey adrianmoisey left review comments

Copilot code review Copilot Copilot left review comments

@gjtempleton gjtempleton Awaiting requested review from gjtempleton

Assignees

@gjtempleton gjtempleton

Labels

area/cluster-autoscaler area/helm-charts area/vertical-pod-autoscaler cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Publish helm charts also as an OCI package

4 participants

@willianpaixao @k8s-ci-robot @adrianmoisey @gjtempleton