Why do I see HTTP 429 when pulling Helm charts from an OCI registry?

The registry is rate limiting manifest or blob requests. Lower parallel helm pull or install jobs, respect Retry-After headers in your retry wrapper, add jitter between attempts, and consider a regional mirror or pull-through cache so CI does not hammer a single shard across borders.

How do I fix HTTP 401 Unauthorized from helm registry login or helm pull?

Verify the token is still valid, the account has pull scope for the chart repository, and the OCI reference matches the registry host in the credential. Re-login per job on shared runners, avoid stale config under HELM_CONFIG_HOME, and separate read versus write tokens so rotation does not break unrelated pipelines.

How do I troubleshoot x509 certificate errors against a private chart registry?

Install the registry CA into the system trust store Helm uses, align the hostname in oci:// with the certificate SAN, and set SSL_CERT_FILE if you bundle a PEM for air-gapped roots. Avoid insecure-skip-tls-verify outside controlled labs.

When is --plain-http acceptable for helm install or helm pull?

Only on isolated lab registries without credential reuse. Production and shared remote Mac pools should use TLS; if you must use plain HTTP, gate it with network policy, rotate credentials aggressively, and never reuse the same secret across environments.

2026 Remote Mac CI: Helm OCI & Chart Registry Pull Matrix

Who this helps: platform teams running Helm against OCI-backed chart registries (Harbor, ECR, ACR, Artifact Registry, self-hosted distribution) from remote Mac CI over long-haul links. You get: a failure-type checklist, a decision matrix (concurrent installs, --plain-http, auth, backoff), copy-paste commands, and FAQ. Pair with the blog index, container registry pull matrix, Nix substituter CI matrix, and MacPull home—public pages only.

Scenarios & risks: Helm / OCI pull failure types in CI

On Apple Silicon CI, Helm’s path to an OCI chart is not “one big download” like a classic helm repo add index fetch. The client negotiates manifests, then pulls chart blobs and optional provenance layers. Cross-border runs therefore fail in a small set of recurring patterns. Treat each incident as one primary label so you do not stack incompatible mitigations.

Auth and token drift. HTTP 401 often means an expired robot token, a PAT rotated without updating CI, or a chart scope mismatch (pull allowed for repository A but the job references B). On shared remote Mac hosts, leftover credentials under a persistent HELM_CONFIG_HOME can mask the real error until a cold worker appears.

Rate limits and shard hot spots. HTTP 429 appears when too many parallel helm pull or helm install jobs hit the same registry front door, or when a regional link is lossy and clients retry aggressively. Without Retry-After discipline, “fixing” concurrency by adding more jobs makes the problem worse.

TLS, proxies, and name mismatch. Private CAs, corporate TLS inspection, and DNS that resolves to different regions than your certificate SAN all surface as x509 or sudden disconnects mid-blob. Mixed use of IP addresses versus hostnames in oci:// references is a common self-inflicted failure.

Concurrency collisions. Parallel helm upgrade --install against the same release, or many dependency resolves at once, can contend on Helm’s cache directory and Kubernetes API rate limits even when the registry is healthy. Separate registry backoff from cluster backoff in your runbooks.

Manifest versus blob errors: log whether the failure happens at tag resolution or during layer fetch—different teams (registry versus network) own the fix.

Cross-border bursts: align release trains so ten pipelines do not pin the same chart digest within the same five-minute window unless a cache warms first.

Disk on Mac runners: Helm caches expand quickly; pair chart pulls with the same APFS headroom discipline you use for Docker layers (see build pool pull & disk FAQ).

Decision matrix: concurrent install, `--plain-http`, registry auth, retry backoff

The table below is a starting point for 2026-era Helm 3 on remote Mac CI. Measure your registry’s 429 rate, chart pull p95, and failed job share for two weeks before moving to a more aggressive column.

Runner profile	Parallel chart operations	`--plain-http` policy	Registry auth & token rotation	HTTP 429 backoff (s, + jitter)	HTTP 401 / 5xx / connect backoff (s, cap)
Conservative (shared pool, fragile WAN)	≤2 concurrent `helm pull` / install per host; serialize by release with a CI mutex	Off in prod; lab only with signed exception	Robot token 30–60d wall clock; re-login every job; never share one secret across products	Respect `Retry-After`; else 4 → 8 → 16 → 32 → 64 (max 120)	1 → 3 → 9 → 27 → 60 (max 300)
Balanced (stable egress, NVMe)	3–4 concurrent pulls; cap orchestrator matrix legs with `resource_group` or pool tags	Off; use TLS + private CA import instead	Rotate at 50% TTL; split read vs write tokens; weekly drift check in CI	2 → 4 → 8 → 16 → 32 (max 90)	1 → 2 → 6 → 18 → 45 (max 180)
Aggressive (dedicated Mac, same-region registry)	Up to 6 pulls only if API server and disk queues stay flat	Off; if forced HTTP in air-gap, isolate network segment	Short-lived tokens 12–24h + automated midnight refresh; OIDC where the registry supports it	1 → 2 → 4 → 8 → 16 (max 60) — safe mainly behind your own cache	0.5 → 1 → 3 → 9 (max 60)

Policy note: --plain-http disables transport security for the registry connection. Use it only when your platform team has already isolated the segment. For cross-border traffic, prefer TLS with a correctly trusted CA over turning HTTP on.

When charts still bundle container images pulled at install time, combine this matrix with the layer-level tuning in GHCR vs private registry matrix so image pulls and chart pulls share one backoff story.

Executable checklist: login, `helm pull oci://`, env isolation, timeouts

Replace placeholders in ALL_CAPS. Run from the same user account your CI job uses so HELM_CONFIG_HOME matches production.

Isolate config per job (recommended on shared Macs):

export HELM_CONFIG_HOME="${WORKSPACE}/.helm-config"
export HELM_CACHE_HOME="${WORKSPACE}/.helm-cache"
mkdir -p "$HELM_CONFIG_HOME" "$HELM_CACHE_HOME"

Authenticate to the OCI registry (non-interactive):

echo "${REGISTRY_TOKEN}" | helm registry login "${REGISTRY_HOST}" \
  --username "${REGISTRY_USER}" --password-stdin

Pull a version-pinned chart (fail early if the tag moves):

helm pull "oci://${REGISTRY_HOST}/${CHART_PATH}" \
  --version "${CHART_VERSION}" \
  --destination "${WORKSPACE}/charts"

Install from OCI with explicit timeouts (tune to your cluster SLA):

helm upgrade --install "${RELEASE_NAME}" "oci://${REGISTRY_HOST}/${CHART_PATH}" \
  --version "${CHART_VERSION}" --namespace "${NAMESPACE}" --create-namespace \
  --wait --timeout 20m --atomic

Lab-only HTTP registry: append --plain-http to helm pull / helm install only on approved hosts. Never mix those credentials with production namespaces.

Retry wrapper sketch (bash): wrap helm pull in a loop; sleep with the 429 ladder from the matrix; parse Retry-After when your registry returns it in logs. Keep jitter ($RANDOM % 5 seconds) so N jobs do not realign on the same second.

Environment variables to remember: HELM_CONFIG_HOME, HELM_CACHE_HOME, and optionally SSL_CERT_FILE when you ship an internal CA PEM with the runner. For Go’s TLS stack used underneath Helm, keeping proxy variables (HTTPS_PROXY, NO_PROXY) consistent between login and pull avoids “works once, fails later” behaviour through a corporate proxy.

FAQ: HTTP 429, HTTP 401, certificate errors

429 Too Many Requests. Confirm whether limits come from the registry, an upstream CDN, or your own egress NAT. Drop parallel Helm jobs per host, honour backoff headers, widen spacing between matrix legs, and add a regional pull-through cache if the same chart version is fetched dozens of times per hour.

401 Unauthorized. Re-check robot account scope, chart project visibility, and that helm registry login targeted the same host as oci://. On shared runners, wipe per-job HELM_CONFIG_HOME or always inject fresh credentials so you never depend on a stale login from yesterday’s build.

Certificate or TLS handshake errors. Import the registry CA to the trust store Helm relies on, align DNS names with certificate SANs, and test with openssl s_client -connect host:443 -servername host from the runner. Avoid blanket --insecure-skip-tls-verify except in disposable labs; it hides real attacks on cross-border paths.

Still stuck? Compare notes with pull stability FAQ for generic retry patterns, and keep Git & Docker pull acceleration open when charts pull large images during install.

Summary: pick nodes for cross-border Helm pulls, then buy predictable capacity

Effective Helm OCI CI on remote Mac comes down to three controls: per-job auth with rotation before shared credentials rot, a decision matrix row that matches your WAN (not your laptop), and bounded retries that respect 429 semantics instead of amplifying them. Layer disk and parallel install caps so Helm cache growth and Kubernetes API limits do not masquerade as registry outages.

Choosing MacPull nodes for cross-border chart pulls: prefer dedicated Apple Silicon capacity in the region closest to your registry or mirror so TLS and long-lived caches pay off; use shared pool profiles only after you enforce per-job HELM_CONFIG_HOME and the conservative concurrency row. Compare plans publicly, then scale runners when p95 pull times stop improving with backoff alone.

Explore pricing and purchase, read the help center, browse the technical blog, or return to the homepage—all pages are available without logging in.

Remote Mac CI built for registry-heavy pipelines

Dedicated Mac Mini–class nodes, SSH/VNC access, and room to tune Helm and Docker together. View public plans and guides—no account required to read.

View Pricing Buy a Plan Help Blog

2026 Remote Mac CI: Helm OCI & Chart Registry Pulls—Auth Rotation, Concurrency & Backoff