Developer Onboarding

Welcome to the Open Component Model (OCM). This page gives you everything you need to orient yourself in the project, understand how it is built, and find the right starting point for your interests.

Prerequisites

  • To use the OCM CLI

    Basic command-line experience and familiarity with container images or software packaging concepts.

  • To use the Kubernetes controllers

    Working knowledge of Kubernetes (clusters, manifests, custom resources).

  • To contribute code

    The core libraries, CLI, and controllers are written in Go (1.26+) and use Task as their build runner. Contributions in other areas - such as language bindings, documentation, the website, or tooling - may use different languages and are equally welcome.

What is OCM?

OCM is a standard and toolkit for describing, signing, transporting, and deploying software artifacts as a single, versioned unit. These overview pages explain the model in depth:

How OCM Works

The Pack-Sign-Transport-Deploy lifecycle.

Benefits of OCM

Supply chain protection, traceability, and air-gap support.

The OCM Core Model

Components, resources, sources, references, and identity.

Getting Started

The getting-started guides walk you through the full workflow - from installing the CLI to deploying with Kubernetes controllers. The first two guides (CLI installation and creating a component version) require no Kubernetes knowledge.

Getting Started

Install the CLI, create your first component version, set up controllers, and deploy.

Advanced Topics

Once you are comfortable with the basics, explore these concept pages for a deeper technical understanding:

Component Identity

Naming, versioning, and coordinate notation.

Signing and Verification

Digest calculation, normalization, and trust models.

Transfer and Transport

Moving components between registries and air-gapped environments.

Kubernetes Controllers

Reconciliation chain and controller architecture.

Plugin System

Extending OCM with custom repository types, credentials, and signing handlers.

The Mono-Repository

All active OCM development happens in a single repository: open-component-model. The mono-repo contains the Go library, the CLI, the Kubernetes controllers, conformance tests, and this website - all sharing one dependency tree and one test suite.

  graph TD
    Root["open-component-model/"]
    Bindings["bindings/\nLanguage bindings (currently Go)"]
    CLI["cli/\nOCM CLI"]
    K8s["kubernetes/controller/\nOCM Kubernetes Controller Toolkit"]
    Website["website/\nProject website"]
    Conformance["conformance/\nConformance tests"]
    Docs["docs/\nCommunity docs & governance"]

    Root --> Bindings
    Root --> CLI
    Root --> K8s
    Root --> Website
    Root --> Conformance
    Root --> Docs
Legacy repositories

The ocm and ocm-controller repositories are the previous generation of OCM tooling. They are maintained but no longer receive new features. All new development targets the mono-repo above. Read the OCM v2 announcement for background on the rewrite.

Technical Layers

OCM is built as a stack of layers. Each layer builds on the one below it:

  flowchart TD
    Spec["OCM Specification\n(defines the model)"]
    Go["Go Bindings\n(bindings/go/)"]
    CLI["OCM CLI\n(cli/)"]
    Controllers["OCM Kubernetes Controller Toolkit\n(kubernetes/controller/)"]
    ODG["Open Delivery Gear\n(separate repository, Python)"]

    Spec --> Go
    Spec -.->|"implements spec\n(via Python/cc-utils)"| ODG
    Go --> CLI
    Go --> Controllers

OCM Specification

The formal standard that defines how components, resources, and signatures are represented. It is technology-agnostic and lives in its own repository.

Specification Document

Table of contents for the full spec: model, processing, persistence, extensions, and guidelines.

Glossary

Definitions of key terms used throughout the specification.

Go Bindings

The reference implementation of the specification in Go, located in bindings/go/. The bindings/ directory is structured to welcome implementations in other languages in the future. This library provides the core types and operations (creating, signing, resolving, transferring component versions) that the CLI and controllers build on.

Module Overview

Available modules, their purpose, and how to import them.

Guided Tour (Examples)

Progressive learning path with runnable Go tests.

Contributing to Go Bindings

Workspace setup, testing, module lifecycle, and releases.

OCM CLI

A command-line tool for the Pack-Sign-Transport workflow, located in cli/. Built on the Go bindings, it is designed for interactive use and CI/CD pipelines. Start with Install the OCM CLI.

CLI README

Installation from source, quick start, and plugin system.

Command Reference

Full reference for all OCM CLI commands.

Contributing to the CLI

CLI-specific development workflow and conventions.

OCM Kubernetes Controller Toolkit

A set of controllers that handle deployment and verification of OCM component versions in Kubernetes clusters, located in kubernetes/controller/. They use a dependency chain of custom resources: Repository, Component, Resource, and Deployer.

Deploy Helm Charts

Tutorial: deploy a Helm chart from an OCM component version with controllers, kro, and Flux.

Deployment Examples

Deployment examples: Helm, Kustomize, signing, nested deployments.

Contributing to Controllers

Controller development, testing, and CRD conventions.

Open Delivery Gear

A compliance automation engine that subscribes to OCM component versions and continuously scans delivery artifacts for security and compliance issues, located in its own repository. ODG tracks findings against configurable SLAs, supports assisted rescoring, and provides a Delivery Dashboard UI for both platform operators and application teams. It is designed for public and sovereign cloud scenarios where trust-but-verify assurance is required.

ODG Documentation

Getting started, data model, extensions, and HTTP API reference.

Project Organization

OCM is an open standard contributed to the Linux Foundation under the NeoNephos Foundation. A Technical Steering Committee (TSC) provides technical oversight, sets project direction, and coordinates across working groups. Specific technical areas are owned by Special Interest Groups (SIGs). Currently, SIG Runtime maintains the Go bindings, CLI, and Kubernetes controllers.

Governance

TSC membership, project charter, and SIG framework.

How We Work

Meetings, planning rituals, project boards, and decision-making.

SIG Handbook

How to join or propose a new Special Interest Group.

TSC Meeting Notes

Public monthly meeting notes from the Technical Steering Committee.

Contributing and Engaging

Ready to contribute or connect with the community? If you are looking for something to work on, check the kind/good-first-issue label across our repositories.

Contributing Guide

Fork-and-pull workflow, pull request process, DCO sign-off, and AI-generated code guidelines.

Community Engagement

Communication channels (Slack, Zulip), community calls, and how to reach the team.

Say Hello

The easiest way to get started is to say hello. Join our monthly community call or ask for an invite to the daily standup - it is a casual sync, not mandatory, and not necessarily work-related. You can reach us on Slack or Zulip anytime.

Next
Contributing to OCM