Secure, cloud-native Helm chart repositories for Kubernetes teams

Cloudsmith gives you fully managed, private Helm chart repositories backed by a global CDN with 600+ edge points of presence. Push charts with the Helm CLI or Cloudsmith CLI, apply OPA policy controls, and serve charts to any cluster worldwide with consistent, low-latency delivery. No infrastructure to run, no index.yaml to manage.

Universal format support

One place for all your artifacts. Cloudsmith is a secure home for Helm charts alongside every other format your teams use.

  • Use Helm + 30 other formats
  • Store Docker images and Helm charts together in unified repositories
  • Centralize raw files, ML models, and OS packages alongside your Kubernetes deployments

How we support Helm

Cloudsmith gives you a fully managed, feature-complete Helm chart repository with global delivery, enterprise-grade access controls, and zero infrastructure overhead.
    Full Helm repository support
    Use native helm repo add, helm install, and helm upgrade commands against your Cloudsmith repository. Entitlement token, HTTP Basic, and API key authentication are all supported for private repositories.
    Global CDN delivery
    Charts are served from 600+ edge points of presence worldwide. Every cluster pull hits a local edge node, keeping deployment times fast and consistent regardless of where your infrastructure runs.
    Policy-driven governance
    Define governance policies that control which charts are permitted in your repositories. Block specific versions, require specific metadata fields, or quarantine charts that do not meet your criteria before any team member installs them.
    Provenance and chart signing
    Cloudsmith fully supports Helm provenance files for non-OCI charts. Upload signed charts and verify integrity at install time with helm install --verify. Where no provenance file is provided, Cloudsmith auto-generates one using the repository GPG signing key.
    Upstream proxying and caching
    Configure upstream Helm repositories and cache requested charts automatically. Teams get reliable, fast access to public charts while you retain full control over what enters your supply chain.

Why teams choose Cloudsmith for Helm

Self-hosted chart servers add operational burden and governance gaps. Cloudsmith removes both, giving teams faster deployments and tighter supply chain controls.
Without Cloudsmith: Self-hosting ChartMuseum or managing static S3 buckets means your team owns the infrastructure, updates, and uptime. Any outage blocks every cluster deployment.
With Cloudsmith: Cloudsmith is fully managed with no infrastructure to run. 99.9%+ availability backed by a global edge network means chart pulls never become a deployment blocker.
Without Cloudsmith: Charts uploaded to Git-backed or self-hosted repositories have no automated policy enforcement. Non-compliant or unvetted charts can reach production clusters undetected.
With Cloudsmith: Define governance policies to block specific chart versions, enforce required metadata fields, or quarantine charts that do not meet your criteria. Nothing reaches your clusters that has not cleared your controls.
Without Cloudsmith: Teams pulling charts across regions hit slow index.yaml fetches and chart downloads from a single origin, adding latency to every CI pipeline and cluster upgrade.
With Cloudsmith: Cloudsmith serves charts from 600+ edge PoPs worldwide. Multi-region teams get consistently fast pull times from the nearest edge node, cutting deployment overhead across every environment.

Signs you're ready to switch to Cloudsmith for Helm

If your chart infrastructure is slowing releases or creating governance blind spots, Cloudsmith is the upgrade your Kubernetes platform deserves.
    Your self-hosted repo can't keep up
    ChartMuseum and static S3 buckets require manual scaling, patching, and uptime monitoring. Cloudsmith is elastic by default and scales with your deployment volume automatically.
    No governance over what reaches your clusters
    Without policy controls, your teams have no way to enforce which chart versions or configurations are permitted. Cloudsmith lets you block specific versions, quarantine non-compliant charts, and require metadata fields before any install proceeds.
    Access control is all-or-nothing
    Basic auth on ChartMuseum gives everyone the same level of access. Cloudsmith gives you fine-grained RBAC, entitlement tokens, OIDC, SAML, and SCIM so you control exactly who can push and pull which charts.
    Slow chart pulls across distributed teams
    A single-region origin server means remote clusters and distributed engineering teams pay a latency penalty on every helm install. Cloudsmith's 600+ edge PoPs eliminate that penalty.
    Your chart repo is isolated from the rest of your supply chain
    Running a standalone Helm server alongside separate registries for Docker, Python, and other formats fragments your supply chain. Cloudsmith unifies 30+ formats in a single platform with consistent policies and observability.

Frequently asked questions

  1. Yes. Cloudsmith supports both the classic Helm chart repository protocol and OCI-based Helm chart storage. For the classic protocol, use standard helm repo add and helm install commands against your Cloudsmith repository URL. OCI support is currently in Early Access.

  2. Package your chart with helm package, then push using the Cloudsmith CLI: cloudsmith push helm OWNER/REPOSITORY your-chart-1.0.0.tgz. You can also upload via the Cloudsmith web app. Full contextual setup instructions, including copy-and-paste snippets pre-configured with your namespace and repo, are available inside every repository.

  3. Cloudsmith supports entitlement token authentication, HTTP Basic authentication with username and password, and HTTP Basic authentication with an API key. Private repositories require one of these methods. Credentials should be stored as secrets and never committed to source control or exposed in logs.

  4. Yes. You can create and enforce governance policies that control which charts are permitted in your repositories. Block specific versions, require specific metadata fields, or quarantine charts that do not meet your criteria before any team member installs them. This gives your platform team a consistent enforcement layer across every environment.

  5. Yes. Cloudsmith fully supports Helm provenance files for non-OCI Helm charts. You can upload signed charts packaged with helm package --sign, and verify them at install time with helm install --verify. If no provenance file is provided at upload, Cloudsmith automatically generates one using the repository GPG signing key.

  6. Yes. Cloudsmith upstream proxying lets you configure public or third-party Helm repositories as upstreams. Charts not present in your Cloudsmith repository are fetched from the upstream on demand and optionally cached, giving your teams a single, reliable source for both private and public charts.

  7. ChartMuseum requires you to provision, scale, patch, and maintain the server yourself. Cloudsmith is fully managed with no infrastructure overhead, automatic scaling, 99.9%+ availability, policy-driven governance, fine-grained access control, and global CDN delivery. You get all the Helm repository functionality with none of the operational burden.

  8. Yes. Cloudsmith supports 30+ artifact formats in unified repositories. You can store Helm charts, Docker images, raw files, and other package formats together under a single repository, applying consistent access control and policies across all of them.

  9. You can use the Cloudsmith CLI or web app to upload existing chart packages. Once uploaded, update your helm repo add command to point at your new Cloudsmith repository URL and run helm repo update. Cloudsmith's support team can assist with larger or more complex migrations.

  10. Cloudsmith gives you fine-grained RBAC at workspace and repository level, entitlement tokens for scoped download access, OIDC for keyless authentication in CI pipelines, and SAML or SCIM for enterprise SSO and user provisioning. You control exactly who can push charts, who can pull them, and under what conditions.
