Open Container Initiative (OCI) Support in Cloudsmith

Nigel Douglas

3 min read
Open Container Initiative (OCI) Support in Cloudsmith

What Are Kubernetes Open Standards?

Kubernetes has become the de facto platform for orchestrating containers. Open standards complement Kubernetes by defining best practices for its implementation. These standards are developed by the open-source Kubernetes community (not a single vendor), ensuring vendor neutrality, easier integration with other tools, and overall system efficiency.

What is OCI anyways?

The Open Container Initiative (OCI), a Linux Foundation project, was created to establish open, industry-wide standards for container formats and runtimes. It focuses on two core specifications:

  1. runC: A reference container runtime engine used by most container platforms, including Docker. It serves as the foundation for many modern runtime environments.
  2. OCI Specification: Defines how containers are built, distributed, and executed. While Docker remains widely used, OCI represents the community's commitment to standardized, open container technologies.

OCI and Helm: What’s the Connection?

Starting with Helm v3, it became possible to use OCI-compliant container registries for storing and distributing chart packages. With the release of Helm v3.8.0, OCI support moved from experimental to stable and is now enabled by default.

This shift has driven demand for registries that support Helm chart storage in OCI format. Cloudsmith is proud to be one such registry, fully supporting Helm charts with OCI compliance.

Cloudsmith support moves from EA to GA for OCI

In the Cloudsmith changelog update released today (5th June 2025), we’re announcing full support for Helm OCI. Previously, Cloudsmith offered a Docker registry (docker.cloudsmith.io) that was fully compliant with the OCI v1.1 standard. While users could push any OCI artifact to this registry, non-Docker artifacts were still displayed as Docker packages.

This functionality had been marked as Early Access (EA) in our documentation, as the user experience was fully optimized only for Docker. Although users could technically push and pull any OCI artifact, display limitations persisted for non-Docker types.

With today’s update, we’ve significantly improved our support by fully enabling Helm OCI. We've reworked the implementation and introduced a dedicated endpoint (helm.oci.cloudsmith.io) which allows users to push and pull Helm charts as OCI artifacts, now correctly identified and displayed as Helm packages.

In addition, we're introducing a compatibility bridge that enables legacy Helm charts and OCI-based Helm charts to coexist. We are now in a unique position to support legacy Helm chart repositories and OCI, allowing our users to push via legacy means and pull via OCI - offering greater flexibility and smoother transitions.

ORAS and OCI 1.1

ORAS (OCI Registry As Storage) is a tool that enables pushing, pulling, and managing non-container artifacts in OCI-compliant registries. It extends the OCI specification beyond container images, turning registries into general-purpose artifact stores.

The OCI Artifacts project formalizes this approach, allowing for a broader range of artifacts, like SBOMs, Helm charts, and signatures, to be stored and retrieved without being disguised as container images. ORAS has become the de facto CLI tool for managing these artifacts.

At KubeCon Europe 2025, Jeremy Rickard and Andrew Block highlighted how ORAS is transforming registries into multi-purpose artifact platforms. They demonstrated pushing multi-architecture images along with their security metadata - all as native OCI artifacts.

As the ecosystem matures, there’s a clear trend: treating everything (from Helm charts to SBOMs) as first-class OCI artifacts. At Cloudsmith, we're seeing growing demand for comprehensive support of these use cases, including secure metadata attachments and provenance tracking.

Using ORAS with Cloudsmith

Cloudsmith is fully OCI v1.1 compliant, including support for the Referrers API, which allows artifacts to reference related files such as SBOMs, signatures, or provenance records.

Authenticate with ORAS:

$ oras login docker.cloudsmith.io
$ Username: USERNAME
$ Password: API-KEY

Push an Artifact:

$ oras push docker.cloudsmith.io/OWNER/REPOSITORY/ARTIFACT_NAME:TAG ./FILENAME_PATH

Specify artifact type if needed:

$ oras push docker.cloudsmith.io/OWNER/REPOSITORY/ARTIFACT_NAME:TAG \
--artifact-type application/vnd.cloudsmith.v1 ./FILENAME_PATH

Attach a File to an Existing Artifact:

$ oras attach --artifact-type application/vnd.cloudsmith.attachment.v1 \
docker.cloudsmith.io/OWNER/REPOSITORY/ARTIFACT_NAME:TAG ./FILE_TO_ATTACH

Pull an Artifact:

$ oras pull docker.cloudsmith.io/OWNER/REPOSITORY/ARTIFACT_NAME:TAG


Liked this article? Don\'t be selfish (:-), share with others:  



The source of truth for software everywhere.

Cloudsmith optimizes your software supply chain from source to delivery — with complete trust, control, and security.

Start Free Trial