Resource Repositories

This page is the technical reference for built-in resource repositories. For an introduction to what resource repositories are and why they exist, see Concept: Resource Repositories.


OCI Resource Repository

Handles OCI artifacts stored in OCI-compliant registries.

Supported Access Types

| Access Type |
|---|
| OCIImage/v1 |

Capabilities

| Operation | Supported |
|---|---|
| Download | Yes |
| Upload | Yes |
| Digest Processing | Yes |

Credential Resolution

The credential consumer identity is derived from the imageReference field in the access specification. The registry hostname is extracted from the image reference to construct an identity of type OCIRegistry.

Example: For a resource with access imageReference: ghcr.io/acme/myapp:1.0.0, the resolved identity is:

| Attribute | Value |
|---|---|
| type | OCIRegistry |
| hostname | ghcr.io |
| scheme | https |

This identity is then matched against configured consumers in the credential system. See Credential Consumer Identities: OCIRegistry for matching rules.

Download Behavior

Downloads the complete OCI artifact (manifest and layers) from the registry. The returned blob represents the artifact in its OCI format.

Upload Behavior

Pushes an OCI artifact to the target registry. The resource descriptor is updated with the repository-specific access information (e.g., the final image reference with digest) after upload.

Digest Processing

The OCI resource repository also implements digest processing. When constructing a component version with a by-reference resource, OCM queries the registry to resolve and verify the artifact’s digest, ensuring the resource descriptor is pinned to an immutable reference.


Helm Resource Repository

Handles Helm charts stored in HTTP/HTTPS-based chart repositories.

Supported Access Types

| Access Type |
|---|
| Helm/v1 |

Capabilities

| Operation | Supported |
|---|---|
| Download | Yes |
| Upload | No |
| Digest Processing | Yes |

Upload is not supported because traditional Helm chart repositories are read-only HTTP servers that serve a static index.yaml and packaged chart archives. There is no standardized upload API.

For Helm charts stored in OCI registries, use the OCI resource repository with an OCIImage/v1 access type instead.

Credential Resolution

The credential consumer identity is derived from the helmRepository field in the access specification. The identity type is HelmChartRepository.

Example: For a resource with helmRepository: https://stefanprodan.github.io/podinfo:

| Attribute | Value |
|---|---|
| type | HelmChartRepository |
| hostname | stefanprodan.github.io |
| scheme | https |
| path | podinfo |

If the resource has no helmRepository (a local chart embedded via input), no credential identity is returned — local charts do not require remote authentication.

See [Credential Consumer Identities: HelmChartRepository](/docs/reference/credential-consumer-identities/#helmchartrepository) for matching rules.
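The two derivations described under Credential Resolution (OCI above, Helm here), as an added Go example that is not OCM's own code; it is useful for checking which identity a configured consumer has to match. The function names, the `Identity` map type, the `port` attribute and the rejection of image references without an explicit registry host are assumptions of this example, not taken from this page.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Identity holds credential consumer identity attributes (type, hostname, ...).
type Identity map[string]string

// OCIIdentity derives the OCIRegistry identity from an imageReference. Assumed:
// the registry is named explicitly; a port goes into a "port" attribute.
func OCIIdentity(imageReference string) (Identity, error) {
	host, _, ok := strings.Cut(imageReference, "/")
	if !ok || !strings.ContainsAny(host, ".:") {
		return nil, fmt.Errorf("no registry hostname in %q", imageReference)
	}
	id := Identity{"type": "OCIRegistry", "hostname": host, "scheme": "https"}
	if h, p, err := net.SplitHostPort(host); err == nil {
		id["hostname"], id["port"] = h, p
	}
	return id, nil
}

// HelmIdentity derives the HelmChartRepository identity from helmRepository.
// A nil identity with a nil error means a local chart: nothing to authenticate.
func HelmIdentity(helmRepository string) (Identity, error) {
	if helmRepository == "" {
		return nil, nil
	}
	u, err := url.Parse(helmRepository)
	if err != nil || u.Scheme == "" || u.Hostname() == "" {
		return nil, fmt.Errorf("helmRepository is not an absolute URL: %q", helmRepository)
	}
	id := Identity{"type": "HelmChartRepository", "hostname": u.Hostname(), "scheme": u.Scheme}
	if p := strings.Trim(u.Path, "/"); p != "" {
		id["path"] = p
	}
	if u.Port() != "" {
		id["port"] = u.Port() // assumption, as in OCIIdentity
	}
	return id, nil
}

func main() {
	fmt.Println(OCIIdentity("ghcr.io/acme/myapp:1.0.0"))
	fmt.Println(HelmIdentity("https://stefanprodan.github.io/podinfo"))
}
```

Because the identity is keyed on the hostname taken from the reference, a credential entry only applies to the registry or chart host that the access specification actually names.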

Download Behavior

Downloads the Helm chart (and optional .prov provenance file) from the remote repository. The chart is packaged into a tar archive and returned as an in-memory blob.

The helmChart and helmRepository fields from the access specification are combined to construct the full chart reference used for download.

Digest Processing

The Helm digest processor resolves chart digests from the remote repository. For HTTP/HTTPS repositories it downloads the index.yaml and extracts the digest for the specified chart and version. For OCI-based Helm repositories it resolves the OCI manifest digest via the registry API.


External Resource Repositories (Plugins)

External plugins declare supported access types in their capability specification and implement the same three operations (resolve credential identity, download, upload) over the plugin protocol. Once installed, OCM routes requests for matching access types to the plugin automatically.

See Concept: Plugin System for details on building and installing plugins.