Search everything...

Skill

helm-validator

Validates and audits Helm charts with linting, template rendering, YAML/schema checks, CRD verification, dry-runs, and security best practices.

Kubernetes

Bash

devops

security

Install

npx claudepluginhub akin-ozer/cc-devops-skills --plugin devops-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

This skill provides a comprehensive validation and analysis workflow for Helm charts, combining Helm-native linting, template rendering, YAML validation, schema validation, CRD documentation lookup, and security best practices checking.

Supporting Assets

SKILL.md

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

159.9k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

159.9k

next-compile

1 file

Checks Next.js compilation errors using a running Turbopack dev server after code edits. Fixes actionable issues before reporting complete. Replaces `next build`.

vercel-next-js-2

139.2k

Stats

Parent Repo Stars139

Parent Repo Forks12

Last CommitMar 3, 2026

Actions

View Source View Plugin View on GitHub View README

helm-validator

From devops-skills

Validates and audits Helm charts with linting, template rendering, YAML/schema checks, CRD verification, dry-runs, and security best practices.

Install

npx claudepluginhub akin-ozer/cc-devops-skills --plugin devops-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Supporting Assets

SKILL.md

Helm Chart Validator & Analysis Toolkit

Overview

IMPORTANT: This validator is read-only by default. It analyzes charts and proposes improvements. Only modify files when the user explicitly asks to apply fixes.

Trigger Cases

Use this skill when one or more of these top cases apply:

The user asks to validate, lint, check, test, or troubleshoot a Helm chart
Helm templates fail to render, lint, or produce valid Kubernetes YAML
A pre-deployment quality gate is needed (schema, dry-run, security checks)
CRD resources are present and their spec fields must be verified against docs
The user wants a severity-based validation report with proposed remediations

Trigger phrase examples:

"Validate this Helm chart before release"
"Why does helm template fail?"
"Check this chart for Kubernetes and security issues"

Out of scope by default:

New chart scaffolding or broad chart generation (use helm-generator)

Role Boundaries

This skill validates and reports; it does not silently rewrite user files.
It can propose concrete patches and apply them only when the user explicitly requests fixes.
If execution constraints block a stage, it must continue with reachable stages and document the skip reason.

Execution Model

Run stages in order (1 through 10).
Keep going after stage-level failures to collect complete findings, unless rendering fails and no manifests exist.
If Stage 4 produces no manifests, mark Stages 5 to 9 as blocked and continue to Stage 10 reporting.
Treat Stage 8 as environment-dependent optional; treat Stage 9 and Stage 10 as mandatory when manifests exist.
For every skipped stage, record the exact tool/environment reason in the final summary table.

Quick Execution Modes

Mode A: Local Validation (no cluster required)

bash scripts/setup_tools.sh
bash scripts/validate_chart_structure.sh <chart-directory>
helm lint <chart-directory> --strict
helm template <release-name> <chart-directory> --values <values-file> --debug --output-dir ./rendered
find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) -exec yamllint -c assets/.yamllint {} +
find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) -exec kubeconform -summary -verbose {} +

Mode B: Full Validation (cluster available)

Run Mode A plus Stage 8 dry-run commands in this document.

Validation & Testing Workflow

Follow this sequential validation workflow. Each stage catches different types of issues:

Stage 1: Tool Check

Before starting validation, verify required tools are installed:

bash scripts/setup_tools.sh

Required tools:

helm: Helm package manager for Kubernetes (v3+)
yamllint: YAML syntax and style linting
kubeconform: Kubernetes schema validation with CRD support
kubectl: Cluster dry-run testing (optional but recommended)

Fallback policy for unavailable tools or environment constraints:

Condition	Action	Stage status
`helm` missing	Run Stage 2 only, then report Stages 3 to 9 as skipped/blocked	⚠️ Warning
`yamllint` missing	Use `yq` syntax checks if available; otherwise skip Stage 5	⚠️ Warning
`kubeconform` missing	Skip Stage 7 and rely on Stage 6 CRD/manual checks	⚠️ Warning
`kubectl` missing or no kube-context	Skip Stage 8, continue with remaining stages	⚠️ Warning
No internet access for CRD docs	Use local CRD manifests and kubeconform output, mark doc lookup incomplete	⚠️ Warning

If tools are missing, provide installation instructions from scripts/setup_tools.sh output and continue with the fallback path above.

Stage 2: Helm Chart Structure Validation

Verify the chart follows the standard Helm directory structure:

bash scripts/validate_chart_structure.sh <chart-directory>

Expected structure:

mychart/
  Chart.yaml          # Chart metadata (required)
  values.yaml         # Default values (required)
  values.schema.json  # JSON Schema for values validation (optional)
  templates/          # Template directory (required)
    _helpers.tpl      # Template helpers (recommended)
    NOTES.txt         # Post-install notes (recommended)
    *.yaml            # Kubernetes manifest templates
  charts/             # Chart dependencies (optional)
  crds/               # Custom Resource Definitions (optional)
  .helmignore         # Files to ignore during packaging (optional)

Common issues caught:

Missing required files (Chart.yaml, values.yaml, templates/)
Invalid Chart.yaml syntax or missing required fields
Malformed values.schema.json
Incorrect file permissions

Stage 3: Helm Lint

Run Helm's built-in linter to catch chart-specific issues:

helm lint <chart-directory> --strict

Optional flags:

--values <values-file>: Test with specific values
--set key=value: Override specific values
--debug: Show detailed error information

Common issues caught:

Invalid Chart.yaml metadata
Template syntax errors
Missing or undefined values
Deprecated Kubernetes API versions
Chart best practice violations

Auto-fix approach:

For template errors, identify the problematic template file
Show the user the specific line causing issues
Propose a patch/diff for the fix
Apply fixes only if the user explicitly asks
Re-run helm lint after fixes are applied

Stage 4: Template Rendering

Render templates locally to verify they produce valid YAML:

helm template <release-name> <chart-directory> \
  --values <values-file> \
  --debug \
  --output-dir ./rendered

Options to consider:

--values values.yaml: Use specific values file
--set key=value: Override individual values
--show-only templates/deployment.yaml: Render specific template
--validate: Validate against Kubernetes OpenAPI schema
--include-crds: Include CRDs in rendered output
--is-upgrade: Simulate upgrade scenario
--kube-version 1.28.0: Target specific Kubernetes version

Common issues caught:

Template syntax errors (Go template issues)
Undefined variables or values
Type mismatches (string vs. integer)
Missing required values
Logic errors in conditionals or loops
Incorrect indentation in nested templates

For template errors:

Identify the template file and line number
Check if values are properly defined in values.yaml
Verify template function usage (quote, required, default, include, etc.)
Test with different value combinations

Stage 5: YAML Syntax Validation

Validate YAML syntax and formatting of rendered templates:

find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) \
  -exec yamllint -c assets/.yamllint {} +

Common issues caught:

Indentation errors (tabs vs spaces)
Trailing whitespace
Line length violations
Syntax errors
Duplicate keys
Document start/end markers

Auto-fix approach:

For simple issues (indentation, trailing spaces), propose fixes using the Edit tool
For template-generated issues, fix the source template, not rendered output
Always show the user what will be changed before applying fixes

Stage 6: CRD Detection and Documentation Lookup

Before schema validation, detect if the chart contains or renders Custom Resource Definitions:

# Check crds/ directory
if [ -d <chart-directory>/crds ]; then
  find <chart-directory>/crds -type f \( -name "*.yaml" -o -name "*.yml" \) \
    -exec bash scripts/detect_crd_wrapper.sh {} +
fi

# Check rendered templates
find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) \
  -exec bash scripts/detect_crd_wrapper.sh {} +

The script outputs JSON with resource information:

[
  {
    "kind": "Certificate",
    "apiVersion": "cert-manager.io/v1",
    "group": "cert-manager.io",
    "version": "v1",
    "isCRD": true,
    "name": "example-cert"
  }
]

For each detected CRD:

Try context7 MCP first (preferred):

Use mcp__context7__resolve-library-id with the CRD project name
Example: "cert-manager" for cert-manager.io CRDs
         "prometheus-operator" for monitoring.coreos.com CRDs
         "istio" for networking.istio.io CRDs

Then use mcp__context7__query-docs with:
- libraryId from resolve step
- query: The CRD kind and relevant features (e.g., "Certificate spec required fields")

Fallback to web.search_query (web search) if Context7 fails:

Search query pattern:
"<kind>" "<group>" kubernetes CRD "<version>" documentation spec

Example:
"Certificate" "cert-manager.io" kubernetes CRD "v1" documentation spec
"Prometheus" "monitoring.coreos.com" kubernetes CRD "v1" documentation spec

Extract key information:
- Required fields in spec
- Field types and validation rules
- Examples from documentation
- Version-specific changes or deprecations
- Common configuration patterns

Why this matters: CRDs have custom schemas not available in standard Kubernetes validation tools. Understanding the CRD's spec requirements prevents validation errors and ensures correct resource configuration.

Stage 7: Schema Validation

Validate rendered templates against Kubernetes schemas:

find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) -exec \
  kubeconform \
    -schema-location default \
    -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
    -summary \
    -verbose \
    {} +

Options to consider:

Add -strict to reject unknown fields (recommended for production)
Add -ignore-missing-schemas if working with custom/internal CRDs
Add -kubernetes-version 1.28.0 to validate against specific K8s version
Add -output json for programmatic processing

Common issues caught:

Invalid apiVersion or kind
Missing required fields
Wrong field types
Invalid enum values
Unknown fields (with -strict)

For CRDs: If kubeconform reports "no schema found", this is expected. Use the documentation from Stage 6 to manually validate the spec fields.

Stage 7 success criteria (explicit):

✅ Passed: kubeconform exits 0, and no invalid resources are reported.
⚠️ Warning: only CRD schema-missing findings remain and Stage 6 documentation/manual verification is completed.
❌ Failed: any non-CRD schema violation, parse error, or unresolved required-field/type error.

Stage 8: Cluster Dry-Run (if available)

If kubectl is configured and cluster access is available, perform a server-side dry-run:

# Test installation
helm install <release-name> <chart-directory> \
  --dry-run=server \
  --debug \
  --values <values-file>

# Test upgrade
helm upgrade <release-name> <chart-directory> \
  --dry-run=server \
  --debug \
  --values <values-file>

If the Helm version does not support --dry-run=server, use --dry-run and document that only client-side Helm simulation was executed.

This catches:

Admission controller rejections
Policy violations (PSP, OPA, Kyverno, etc.)
Resource quota violations
Missing namespaces
Invalid ConfigMap/Secret references
Webhook validations
Existing resource conflicts

If dry-run is not possible:

Use kubectl with rendered templates: kubectl apply --dry-run=server -f ./rendered/
Skip if no cluster access
Document that cluster-specific validation was skipped

For updates to existing releases:

helm diff upgrade <release-name> <chart-directory>

This shows what would change, helping catch unintended modifications. (Requires helm-diff plugin)

Stage 8 success criteria (explicit):

✅ Passed: dry-run install and upgrade commands exit 0 with no admission/policy errors.
⚠️ Warning: stage skipped because kubectl/cluster context/access is unavailable, or only client-side fallback was possible.
❌ Failed: dry-run commands return non-zero due to admission webhooks, policy violations, namespace/quota errors, or reference errors.

Stage 9: Security Best Practices Check (MANDATORY)

IMPORTANT: This stage is MANDATORY. Analyze rendered templates for security best practices compliance.

Check rendered Deployment/Pod templates for:

Missing securityContext - Look for pods/containers without security settings:

# Check if pod-level securityContext exists
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000

Missing container securityContext - Each container should have:

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  capabilities:
    drop:
      - ALL

Missing resource limits/requests - Check for:

resources:
  limits:
    cpu: "100m"
    memory: "128Mi"
  requests:
    cpu: "100m"
    memory: "128Mi"

Image tag issues - Flag if using :latest or no tag
Missing probes - Check for liveness/readiness probes

How to check: Read the rendered deployment YAML files and grep for these patterns:

# Check for securityContext
find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) \
  -exec grep -l "securityContext" {} +

# Check for resources
find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) \
  -exec grep -l "resources:" {} +

# Check for latest tag
find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) \
  -exec grep "image:.*:latest" {} +

Stage 10: Final Report (MANDATORY)

IMPORTANT: This stage is MANDATORY even if all validations pass. You MUST complete ALL of the following actions.

Default behavior is read-only. Do not modify files unless the user explicitly asks you to apply fixes.

Step 1: Load Reference Files (MANDATORY when warnings exist)

If ANY warnings, errors, or security issues were found, you MUST read:

Read references/helm_best_practices.md
Read references/k8s_best_practices.md

Use these references to provide context and recommendations for each issue found.

Step 2: Present Validation Summary

Always present a validation summary formatted as a table showing:

Each validation stage executed (Stages 1-9)
Status of each stage (✅ Passed, ⚠️ Warning, ❌ Failed)
Count of issues found per stage

Example:

| Stage | Status | Issues |
|-------|--------|--------|
| 1. Tool Check | ✅ Passed | All tools available |
| 2. Structure | ⚠️ Warning | Missing: .helmignore, NOTES.txt |
| 3. Helm Lint | ✅ Passed | 0 errors |
| 4. Template Render | ✅ Passed | 5 templates rendered |
| 5. YAML Syntax | ✅ Passed | No yamllint errors |
| 6. CRD Detection | ✅ Passed | 1 CRD documented |
| 7. Schema Validation | ✅ Passed | All resources valid |
| 8. Dry-Run | ✅ Passed | No cluster errors |
| 9. Security Check | ⚠️ Warning | Missing securityContext |

Step 3: Categorize All Issues

Group findings by severity:

❌ Errors (must fix):

Template syntax errors
Missing required fields
Schema validation failures
Dry-run failures

⚠️ Warnings (should fix):

Deprecated Kubernetes APIs
Missing securityContext
Missing resource limits/requests
Using :latest image tag
Missing recommended files (_helpers.tpl, .helmignore, NOTES.txt)

ℹ️ Info (recommendations):

Missing values.schema.json
Missing README.md
Optimization opportunities

Step 4: List Proposed Changes (DO NOT APPLY)

For each issue, provide a proposed fix with:

File path and line number (if applicable)
Before/after code blocks
Explanation of why this change is recommended

Example format:

## Proposed Changes

### 1. Add securityContext to Deployment
**File:** templates/deployment.yaml:25
**Severity:** ⚠️ Warning
**Reason:** Running containers as root is a security risk

**Current:**
```yaml
spec:
  containers:
    - name: app
      image: nginx:1.21

Proposed:

spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
    - name: app
      image: nginx:1.21
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL

2. Add .helmignore file

File: .helmignore (new file) Severity: ⚠️ Warning Reason: Excludes unnecessary files from chart packaging

Proposed: Copy from assets/.helmignore


#### Step 5: Automation Opportunities

List all detected automation opportunities:
- If `_helpers.tpl` is missing → Recommend: `bash scripts/generate_helpers.sh <chart>`
- If `.helmignore` is missing → Recommend: Copy from `assets/.helmignore`
- If `values.schema.json` is missing → Recommend: Copy and customize from `assets/values.schema.json`
- If `NOTES.txt` is missing → Recommend: Create post-install notes template
- If `README.md` is missing → Recommend: Create chart documentation

#### Step 6: Final Summary

Provide a final summary:

Validation Summary

Chart: Status: ⚠️ Warnings Found (or ✅ Ready for Deployment)

Issues Found:

Errors: X
Warnings: Y
Info: Z

Proposed Changes: N changes recommended

Next Steps:

Review proposed changes above
Apply changes manually or use helm-generator skill
Re-run validation to confirm fixes


## Workflow Done Criteria

Validation is complete only when all of the following are true:
- A Stage 1 to Stage 10 status table is present with `✅ Passed`, `⚠️ Warning`, `❌ Failed`, or `⏭️ Skipped` for each stage.
- Every skipped stage includes a concrete tool or environment reason.
- Stage 7 and Stage 8 are evaluated against their explicit success criteria above.
- Severity totals are reported (`Errors`, `Warnings`, `Info`) with proposed remediation actions.
- Role boundary is respected: no file edits unless explicitly requested by the user.

## Helm Templating Automation & Best Practices

This section covers advanced Helm templating techniques, helper functions, and automation strategies.

### Template Helpers (`_helpers.tpl`)

Template helpers are reusable functions defined in `templates/_helpers.tpl`. They promote DRY principles and consistency.

**Standard helper patterns:**

1. **Chart name helper:**
```yaml
{{/*
Expand the name of the chart.
*/}}
{{- define "mychart.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

Fullname helper:

{{/*
Create a default fully qualified app name.
*/}}
{{- define "mychart.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}

Chart reference helper:

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "mychart.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

Standard labels helper:

{{/*
Common labels
*/}}
{{- define "mychart.labels" -}}
helm.sh/chart: {{ include "mychart.chart" . }}
{{ include "mychart.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

Selector labels helper:

{{/*
Selector labels
*/}}
{{- define "mychart.selectorLabels" -}}
app.kubernetes.io/name: {{ include "mychart.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

ServiceAccount name helper:

{{/*
Create the name of the service account to use
*/}}
{{- define "mychart.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "mychart.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

When to create helpers:

Values used in multiple templates
Complex logic that's repeated
Label sets that should be consistent
Name generation patterns
Conditional resource inclusion

Essential Template Functions

Reference and use these Helm template functions for robust charts:

required - Enforce required values:

apiVersion: v1
kind: Service
metadata:
  name: {{ required "A valid service name is required!" .Values.service.name }}

default - Provide fallback values:

replicas: {{ .Values.replicaCount | default 1 }}

quote - Safely quote string values:

env:
  - name: DATABASE_HOST
    value: {{ .Values.database.host | quote }}

include - Use helpers with pipeline:

metadata:
  labels:
    {{- include "mychart.labels" . | nindent 4 }}

tpl - Render strings as templates:

{{- tpl .Values.customConfig . }}

toYaml - Convert objects to YAML:

{{- with .Values.resources }}
resources:
  {{- toYaml . | nindent 2 }}
{{- end }}

fromYaml - Parse YAML strings:

{{- $config := .Values.configYaml | fromYaml }}

merge - Merge maps:

{{- $merged := merge .Values.override .Values.defaults }}

lookup - Query cluster resources (use carefully):

{{- $secret := lookup "v1" "Secret" .Release.Namespace "my-secret" }}
{{- if $secret }}
  # Secret exists, use it
{{- else }}
  # Create new secret
{{- end }}

Advanced Template Patterns

Conditional resource creation:

{{- if .Values.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
# ... ingress definition
{{- end }}

Range over lists:

{{- range .Values.extraEnvVars }}
- name: {{ .name }}
  value: {{ .value | quote }}
{{- end }}

Range over maps:

{{- range $key, $value := .Values.configMap }}
{{ $key }}: {{ $value | quote }}
{{- end }}

With blocks for scoping:

{{- with .Values.nodeSelector }}
nodeSelector:
  {{- toYaml . | nindent 2 }}
{{- end }}

Named templates with custom context:

{{- include "mychart.container" (dict "root" . "container" .Values.mainContainer) }}

Values Structure Best Practices

Prefer flat structures when possible:

# Good - Flat structure
serverName: nginx
serverPort: 80

# Acceptable - Nested structure for related settings
server:
  name: nginx
  port: 80
  replicas: 3

Always provide defaults in values.yaml:

replicaCount: 1

image:
  repository: nginx
  pullPolicy: IfNotPresent
  tag: "1.21.0"

service:
  type: ClusterIP
  port: 80

resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi

Document all values:

# replicaCount is the number of pod replicas for the deployment
replicaCount: 1

# image configures the container image
image:
  # image.repository is the container image registry and name
  repository: nginx
  # image.tag overrides the image tag (default is chart appVersion)
  tag: "1.21.0"

Template Comments and Documentation

Use Helm template comments for documentation:

{{- /*
mychart.fullname generates the fullname for resources.
It supports nameOverride and fullnameOverride values.
Usage: {{ include "mychart.fullname" . }}
*/ -}}
{{- define "mychart.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}

Use YAML comments for user-facing notes:

# WARNING: Changing the storage class will not migrate existing data
storageClass: "standard"

Whitespace Management

Use - to chomp whitespace in template directives:

{{- if .Values.enabled }}
  # Remove leading whitespace
{{- end }}

{{ .Values.name -}}
  # Remove trailing whitespace

Good formatting:

{{- if .Values.enabled }}
  key: value
{{- end }}

Bad formatting:

{{if .Values.enabled}}
key: value
{{end}}

Helper Patterns Reference

When analyzing charts, identify opportunities for helper functions:

Identify repetition:
- Same label sets across resources
- Repeated name generation logic
- Common conditional patterns
Common helper patterns to recommend:
- Chart name helper (.name)
- Fullname helper (.fullname)
- Chart version label (.chart)
- Common labels (.labels)
- Selector labels (.selectorLabels)
- ServiceAccount name (.serviceAccountName)
When to recommend helpers:
- Missing _helpers.tpl file
- Repeated code patterns across templates
- Inconsistent label usage
- Long resource names that need truncation

Best Practices Reference

For detailed Helm and Kubernetes best practices, load the references:

Read references/helm_best_practices.md
Read references/k8s_best_practices.md

These references include:

Chart structure and metadata
Template conventions and patterns
Values file organization
Security best practices
Resource limits and requests
Common validation issues and fixes

When to load: When validation reveals issues that need context, when implementing new features, or when the user asks about best practices.

Working with Chart Dependencies

When a chart has dependencies (in Chart.yaml or charts/ directory):

Update dependencies:

helm dependency update <chart-directory>

List dependencies:

helm dependency list <chart-directory>

Validate dependencies:
- Check that dependency versions are available
- Verify dependency values are properly scoped
- Test templates with dependency resources
Override dependency values:

# values.yaml
postgresql:
  enabled: true
  postgresqlPassword: "secret"
  persistence:
    size: 10Gi

Error Handling Strategies

Tool Not Available

Run scripts/setup_tools.sh to check availability
Provide installation instructions
Skip optional stages but document what was skipped
Continue with available tools

Template Rendering Errors

Show the specific template file and line number
Check if values are defined in values.yaml
Verify template function syntax
Test with simpler value combinations
Use --debug flag for detailed error messages

Cluster Access Issues

Fall back to client-side validation
Use rendered templates with kubectl
Skip cluster validation if no kubectl config
Document limitations in validation report

CRD Documentation Not Found

Document that documentation lookup failed
Attempt validation with kubeconform CRD schemas

Suggest manual CRD inspection:

kubectl get crd <crd-name>.group -o yaml
kubectl explain <kind>

Validation Stage Failures

Continue to next stage even if one fails
Collect all errors before presenting to user
Prioritize fixing Helm lint errors first
Then fix template errors
Finally fix schema/validation errors

macOS Extended Attributes Issue

Symptom: Helm reports "Chart.yaml file is missing" even though the file exists and is readable.

Cause: On macOS, files created programmatically (via Write tool, scripts, or certain editors) may have extended attributes (e.g., com.apple.provenance, com.apple.quarantine) that interfere with Helm's file detection.

Diagnosis:

# Check for extended attributes
xattr /path/to/chart/Chart.yaml

# If attributes are present, you'll see output like:
# com.apple.provenance
# com.apple.quarantine

Solutions:

Remove extended attributes:

# Remove all extended attributes from a file
xattr -c /path/to/chart/Chart.yaml

# Remove all extended attributes recursively from chart directory
xattr -cr /path/to/chart/

Create files using shell commands instead:

# Use cat with heredoc instead of direct file writes
cat > Chart.yaml << 'EOF'
apiVersion: v2
name: mychart
version: 0.1.0
EOF

Copy from helm-created chart:

# Create a fresh chart and copy structure
helm create temp-chart
cp -r temp-chart/* /path/to/your/chart/
rm -rf temp-chart

Prevention: When creating new chart files on macOS, prefer using helm create as a base or use shell heredocs (cat > file << 'EOF') rather than direct file creation tools.

Communication Guidelines

When presenting validation results and fixes:

Be clear and concise about what was found
Explain why issues matter (e.g., "This will cause pod creation to fail")
Provide context from Helm best practices when relevant
Group related issues (e.g., all missing helper issues together)
Use file:line references when available
Show confidence level for auto-fixes (high confidence = syntax, low = logic changes)
Always provide a summary after proposing fixes (and after applying fixes when explicitly requested) including:
- What was changed and why
- File and line references for each fix
- Total count of issues resolved
- Final validation status
- Any remaining warnings or recommendations

Version Awareness

Always consider Kubernetes and Helm version compatibility:

Check for deprecated Kubernetes APIs
Ensure Helm chart apiVersion is v2 (for Helm 3+)
For CRDs, ensure the apiVersion matches what's in the cluster
Use kubectl api-versions to list available API versions
Reference version-specific documentation when available
Set kubeVersion constraint in Chart.yaml if needed

Chart Testing

For comprehensive testing, use Helm test resources:

Create test resources:

# templates/tests/test-connection.yaml
apiVersion: v1
kind: Pod
metadata:
  name: "{{ include "mychart.fullname" . }}-test-connection"
  annotations:
    "helm.sh/hook": test
spec:
  containers:
    - name: wget
      image: busybox
      command: ['wget']
      args: ['{{ include "mychart.fullname" . }}:{{ .Values.service.port }}']
  restartPolicy: Never

Run tests:

helm test <release-name>

Automation Opportunities Reference

During Stage 10 (Final Report), list all detected automation opportunities in the summary.

Do NOT ask user questions or modify files. Simply list recommendations.

Automation opportunities to detect and list:

Missing Item	Recommendation
`_helpers.tpl`	Run: `bash scripts/generate_helpers.sh <chart>`
`.helmignore`	Copy from: `assets/.helmignore`
`values.schema.json`	Copy and customize from: `assets/values.schema.json`
`NOTES.txt`	Create post-install notes template
`README.md`	Create chart documentation
Repeated patterns	Extract to helper functions

Security recommendations to include when issues found:

Issue	Recommendation
Missing pod securityContext	Add `runAsNonRoot: true`, `runAsUser: 1000`, `fsGroup: 2000`
Missing container securityContext	Add `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `capabilities.drop: [ALL]`
Missing resource limits	Add CPU/memory limits and requests
Using `:latest` tag	Pin to specific image version
Missing probes	Add liveness and readiness probes

Template improvement recommendations:

Issue	Recommendation
Using `template` instead of `include`	Replace with `include` for pipeline support
Missing `nindent`	Add `nindent` for proper YAML indentation
No default values	Add `default` function for optional values
Missing `required` function	Add `required` for critical values

Resources

scripts/

setup_tools.sh

Checks for required validation tools (helm, yamllint, kubeconform, kubectl)
Provides installation instructions for missing tools
Verifies versions of installed tools
Usage: bash scripts/setup_tools.sh

validate_chart_structure.sh

Validates Helm chart directory structure
Checks for required files (Chart.yaml, values.yaml, templates/)
Verifies file formats and syntax
Usage: bash scripts/validate_chart_structure.sh <chart-directory>

detect_crd_wrapper.sh

Wrapper script that handles Python dependency management
Automatically creates temporary venv if PyYAML is not available
Calls detect_crd.py to parse YAML files
Usage: bash scripts/detect_crd_wrapper.sh <file.yaml> [file2.yaml ...]

detect_crd.py

Parses YAML files to identify Custom Resource Definitions
Extracts kind, apiVersion, group, and version information
Outputs JSON for programmatic processing
Requires PyYAML (handled automatically by wrapper script)
Can be called directly: python3 scripts/detect_crd.py <file.yaml> [file2.yaml ...]

generate_helpers.sh

Generates standard Helm helpers (_helpers.tpl) for a chart
Creates fullname, labels, and selector helpers
Usage: bash scripts/generate_helpers.sh <chart-directory>

references/

helm_best_practices.md

Comprehensive guide to Helm chart best practices
Covers template patterns, helper functions, values structure
Common validation issues and how to fix them
Security and performance recommendations
Load when providing context for Helm-specific issues

k8s_best_practices.md

Comprehensive guide to Kubernetes YAML best practices
Covers metadata, labels, resource limits, security context
Common validation issues and how to fix them
Load when providing context for Kubernetes-specific issues

template_functions.md

Reference guide for Helm template functions
Examples of all built-in functions
Sprig function library reference
Custom function patterns
Load when implementing complex templates

assets/

.helmignore

Standard .helmignore file for excluding files from packaging
Pre-configured with common patterns

.yamllint

Pre-configured yamllint rules for Kubernetes YAML
Follows Kubernetes conventions (2-space indentation, line length, etc.)
Can be customized per project
Usage: yamllint -c assets/.yamllint <file.yaml>

values.schema.json

Example JSON Schema for values validation
Can be copied and customized for specific charts
Provides type safety and validation

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

159.9k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

159.9k

next-compile

1 file

Checks Next.js compilation errors using a running Turbopack dev server after code edits. Fixes actionable issues before reporting complete. Replaces `next build`.

vercel-next-js-2

139.2k

Stats

Parent Repo Stars139

Parent Repo Forks12

Last CommitMar 3, 2026

Actions

View Source View Plugin View on GitHub View README

Helm Chart Validator & Analysis Toolkit

Overview

IMPORTANT: This validator is read-only by default. It analyzes charts and proposes improvements. Only modify files when the user explicitly asks to apply fixes.

Trigger Cases

Use this skill when one or more of these top cases apply:

The user asks to validate, lint, check, test, or troubleshoot a Helm chart
Helm templates fail to render, lint, or produce valid Kubernetes YAML
A pre-deployment quality gate is needed (schema, dry-run, security checks)
CRD resources are present and their spec fields must be verified against docs
The user wants a severity-based validation report with proposed remediations

Trigger phrase examples:

"Validate this Helm chart before release"
"Why does helm template fail?"
"Check this chart for Kubernetes and security issues"

Out of scope by default:

New chart scaffolding or broad chart generation (use helm-generator)

Role Boundaries

This skill validates and reports; it does not silently rewrite user files.
It can propose concrete patches and apply them only when the user explicitly requests fixes.
If execution constraints block a stage, it must continue with reachable stages and document the skip reason.

Execution Model

Run stages in order (1 through 10).
Keep going after stage-level failures to collect complete findings, unless rendering fails and no manifests exist.
If Stage 4 produces no manifests, mark Stages 5 to 9 as blocked and continue to Stage 10 reporting.
Treat Stage 8 as environment-dependent optional; treat Stage 9 and Stage 10 as mandatory when manifests exist.
For every skipped stage, record the exact tool/environment reason in the final summary table.

Quick Execution Modes

Mode A: Local Validation (no cluster required)

bash scripts/setup_tools.sh
bash scripts/validate_chart_structure.sh <chart-directory>
helm lint <chart-directory> --strict
helm template <release-name> <chart-directory> --values <values-file> --debug --output-dir ./rendered
find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) -exec yamllint -c assets/.yamllint {} +
find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) -exec kubeconform -summary -verbose {} +

Mode B: Full Validation (cluster available)

Run Mode A plus Stage 8 dry-run commands in this document.

Validation & Testing Workflow

Follow this sequential validation workflow. Each stage catches different types of issues:

Stage 1: Tool Check

Before starting validation, verify required tools are installed:

bash scripts/setup_tools.sh

Required tools:

helm: Helm package manager for Kubernetes (v3+)
yamllint: YAML syntax and style linting
kubeconform: Kubernetes schema validation with CRD support
kubectl: Cluster dry-run testing (optional but recommended)

Fallback policy for unavailable tools or environment constraints:

Condition	Action	Stage status
`helm` missing	Run Stage 2 only, then report Stages 3 to 9 as skipped/blocked	⚠️ Warning
`yamllint` missing	Use `yq` syntax checks if available; otherwise skip Stage 5	⚠️ Warning
`kubeconform` missing	Skip Stage 7 and rely on Stage 6 CRD/manual checks	⚠️ Warning
`kubectl` missing or no kube-context	Skip Stage 8, continue with remaining stages	⚠️ Warning
No internet access for CRD docs	Use local CRD manifests and kubeconform output, mark doc lookup incomplete	⚠️ Warning

If tools are missing, provide installation instructions from scripts/setup_tools.sh output and continue with the fallback path above.

Stage 2: Helm Chart Structure Validation

Verify the chart follows the standard Helm directory structure:

bash scripts/validate_chart_structure.sh <chart-directory>

Expected structure:

mychart/
  Chart.yaml          # Chart metadata (required)
  values.yaml         # Default values (required)
  values.schema.json  # JSON Schema for values validation (optional)
  templates/          # Template directory (required)
    _helpers.tpl      # Template helpers (recommended)
    NOTES.txt         # Post-install notes (recommended)
    *.yaml            # Kubernetes manifest templates
  charts/             # Chart dependencies (optional)
  crds/               # Custom Resource Definitions (optional)
  .helmignore         # Files to ignore during packaging (optional)

Common issues caught:

Missing required files (Chart.yaml, values.yaml, templates/)
Invalid Chart.yaml syntax or missing required fields
Malformed values.schema.json
Incorrect file permissions

Stage 3: Helm Lint

Run Helm's built-in linter to catch chart-specific issues:

helm lint <chart-directory> --strict

Optional flags:

--values <values-file>: Test with specific values
--set key=value: Override specific values
--debug: Show detailed error information

Common issues caught:

Invalid Chart.yaml metadata
Template syntax errors
Missing or undefined values
Deprecated Kubernetes API versions
Chart best practice violations

Auto-fix approach:

For template errors, identify the problematic template file
Show the user the specific line causing issues
Propose a patch/diff for the fix
Apply fixes only if the user explicitly asks
Re-run helm lint after fixes are applied

Stage 4: Template Rendering

Render templates locally to verify they produce valid YAML:

helm template <release-name> <chart-directory> \
  --values <values-file> \
  --debug \
  --output-dir ./rendered

Options to consider:

--values values.yaml: Use specific values file
--set key=value: Override individual values
--show-only templates/deployment.yaml: Render specific template
--validate: Validate against Kubernetes OpenAPI schema
--include-crds: Include CRDs in rendered output
--is-upgrade: Simulate upgrade scenario
--kube-version 1.28.0: Target specific Kubernetes version

Common issues caught:

Template syntax errors (Go template issues)
Undefined variables or values
Type mismatches (string vs. integer)
Missing required values
Logic errors in conditionals or loops
Incorrect indentation in nested templates

For template errors:

Identify the template file and line number
Check if values are properly defined in values.yaml
Verify template function usage (quote, required, default, include, etc.)
Test with different value combinations

Stage 5: YAML Syntax Validation

Validate YAML syntax and formatting of rendered templates:

find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) \
  -exec yamllint -c assets/.yamllint {} +

Common issues caught:

Indentation errors (tabs vs spaces)
Trailing whitespace
Line length violations
Syntax errors
Duplicate keys
Document start/end markers

Auto-fix approach:

For simple issues (indentation, trailing spaces), propose fixes using the Edit tool
For template-generated issues, fix the source template, not rendered output
Always show the user what will be changed before applying fixes

Stage 6: CRD Detection and Documentation Lookup

Before schema validation, detect if the chart contains or renders Custom Resource Definitions:

# Check crds/ directory
if [ -d <chart-directory>/crds ]; then
  find <chart-directory>/crds -type f \( -name "*.yaml" -o -name "*.yml" \) \
    -exec bash scripts/detect_crd_wrapper.sh {} +
fi

# Check rendered templates
find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) \
  -exec bash scripts/detect_crd_wrapper.sh {} +

The script outputs JSON with resource information:

[
  {
    "kind": "Certificate",
    "apiVersion": "cert-manager.io/v1",
    "group": "cert-manager.io",
    "version": "v1",
    "isCRD": true,
    "name": "example-cert"
  }
]

For each detected CRD:

Try context7 MCP first (preferred):

Use mcp__context7__resolve-library-id with the CRD project name
Example: "cert-manager" for cert-manager.io CRDs
         "prometheus-operator" for monitoring.coreos.com CRDs
         "istio" for networking.istio.io CRDs

Then use mcp__context7__query-docs with:
- libraryId from resolve step
- query: The CRD kind and relevant features (e.g., "Certificate spec required fields")

Fallback to web.search_query (web search) if Context7 fails:

Search query pattern:
"<kind>" "<group>" kubernetes CRD "<version>" documentation spec

Example:
"Certificate" "cert-manager.io" kubernetes CRD "v1" documentation spec
"Prometheus" "monitoring.coreos.com" kubernetes CRD "v1" documentation spec

Extract key information:
- Required fields in spec
- Field types and validation rules
- Examples from documentation
- Version-specific changes or deprecations
- Common configuration patterns

Stage 7: Schema Validation

Validate rendered templates against Kubernetes schemas:

find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) -exec \
  kubeconform \
    -schema-location default \
    -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
    -summary \
    -verbose \
    {} +

Options to consider:

Add -strict to reject unknown fields (recommended for production)
Add -ignore-missing-schemas if working with custom/internal CRDs
Add -kubernetes-version 1.28.0 to validate against specific K8s version
Add -output json for programmatic processing

Common issues caught:

Invalid apiVersion or kind
Missing required fields
Wrong field types
Invalid enum values
Unknown fields (with -strict)

For CRDs: If kubeconform reports "no schema found", this is expected. Use the documentation from Stage 6 to manually validate the spec fields.

Stage 7 success criteria (explicit):

✅ Passed: kubeconform exits 0, and no invalid resources are reported.
⚠️ Warning: only CRD schema-missing findings remain and Stage 6 documentation/manual verification is completed.
❌ Failed: any non-CRD schema violation, parse error, or unresolved required-field/type error.

Stage 8: Cluster Dry-Run (if available)

If kubectl is configured and cluster access is available, perform a server-side dry-run:

# Test installation
helm install <release-name> <chart-directory> \
  --dry-run=server \
  --debug \
  --values <values-file>

# Test upgrade
helm upgrade <release-name> <chart-directory> \
  --dry-run=server \
  --debug \
  --values <values-file>

If the Helm version does not support --dry-run=server, use --dry-run and document that only client-side Helm simulation was executed.

This catches:

Admission controller rejections
Policy violations (PSP, OPA, Kyverno, etc.)
Resource quota violations
Missing namespaces
Invalid ConfigMap/Secret references
Webhook validations
Existing resource conflicts

If dry-run is not possible:

Use kubectl with rendered templates: kubectl apply --dry-run=server -f ./rendered/
Skip if no cluster access
Document that cluster-specific validation was skipped

For updates to existing releases:

helm diff upgrade <release-name> <chart-directory>

This shows what would change, helping catch unintended modifications. (Requires helm-diff plugin)

Stage 8 success criteria (explicit):

✅ Passed: dry-run install and upgrade commands exit 0 with no admission/policy errors.
⚠️ Warning: stage skipped because kubectl/cluster context/access is unavailable, or only client-side fallback was possible.
❌ Failed: dry-run commands return non-zero due to admission webhooks, policy violations, namespace/quota errors, or reference errors.

Stage 9: Security Best Practices Check (MANDATORY)

IMPORTANT: This stage is MANDATORY. Analyze rendered templates for security best practices compliance.

Check rendered Deployment/Pod templates for:

Missing securityContext - Look for pods/containers without security settings:

# Check if pod-level securityContext exists
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000

Missing container securityContext - Each container should have:

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  capabilities:
    drop:
      - ALL

Missing resource limits/requests - Check for:

resources:
  limits:
    cpu: "100m"
    memory: "128Mi"
  requests:
    cpu: "100m"
    memory: "128Mi"

Image tag issues - Flag if using :latest or no tag
Missing probes - Check for liveness/readiness probes

How to check: Read the rendered deployment YAML files and grep for these patterns:

# Check for securityContext
find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) \
  -exec grep -l "securityContext" {} +

# Check for resources
find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) \
  -exec grep -l "resources:" {} +

# Check for latest tag
find ./rendered -type f \( -name "*.yaml" -o -name "*.yml" \) \
  -exec grep "image:.*:latest" {} +

Stage 10: Final Report (MANDATORY)

IMPORTANT: This stage is MANDATORY even if all validations pass. You MUST complete ALL of the following actions.

Default behavior is read-only. Do not modify files unless the user explicitly asks you to apply fixes.

Step 1: Load Reference Files (MANDATORY when warnings exist)

If ANY warnings, errors, or security issues were found, you MUST read:

Read references/helm_best_practices.md
Read references/k8s_best_practices.md

Use these references to provide context and recommendations for each issue found.

Step 2: Present Validation Summary

Always present a validation summary formatted as a table showing:

Each validation stage executed (Stages 1-9)
Status of each stage (✅ Passed, ⚠️ Warning, ❌ Failed)
Count of issues found per stage

Example:

| Stage | Status | Issues |
|-------|--------|--------|
| 1. Tool Check | ✅ Passed | All tools available |
| 2. Structure | ⚠️ Warning | Missing: .helmignore, NOTES.txt |
| 3. Helm Lint | ✅ Passed | 0 errors |
| 4. Template Render | ✅ Passed | 5 templates rendered |
| 5. YAML Syntax | ✅ Passed | No yamllint errors |
| 6. CRD Detection | ✅ Passed | 1 CRD documented |
| 7. Schema Validation | ✅ Passed | All resources valid |
| 8. Dry-Run | ✅ Passed | No cluster errors |
| 9. Security Check | ⚠️ Warning | Missing securityContext |

Step 3: Categorize All Issues

Group findings by severity:

❌ Errors (must fix):

Template syntax errors
Missing required fields
Schema validation failures
Dry-run failures

⚠️ Warnings (should fix):

Deprecated Kubernetes APIs
Missing securityContext
Missing resource limits/requests
Using :latest image tag
Missing recommended files (_helpers.tpl, .helmignore, NOTES.txt)

ℹ️ Info (recommendations):

Missing values.schema.json
Missing README.md
Optimization opportunities

Step 4: List Proposed Changes (DO NOT APPLY)

For each issue, provide a proposed fix with:

File path and line number (if applicable)
Before/after code blocks
Explanation of why this change is recommended

Example format:

## Proposed Changes

### 1. Add securityContext to Deployment
**File:** templates/deployment.yaml:25
**Severity:** ⚠️ Warning
**Reason:** Running containers as root is a security risk

**Current:**
```yaml
spec:
  containers:
    - name: app
      image: nginx:1.21

Proposed:

spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
    - name: app
      image: nginx:1.21
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL

2. Add .helmignore file

File: .helmignore (new file) Severity: ⚠️ Warning Reason: Excludes unnecessary files from chart packaging

Proposed: Copy from assets/.helmignore


#### Step 5: Automation Opportunities

List all detected automation opportunities:
- If `_helpers.tpl` is missing → Recommend: `bash scripts/generate_helpers.sh <chart>`
- If `.helmignore` is missing → Recommend: Copy from `assets/.helmignore`
- If `values.schema.json` is missing → Recommend: Copy and customize from `assets/values.schema.json`
- If `NOTES.txt` is missing → Recommend: Create post-install notes template
- If `README.md` is missing → Recommend: Create chart documentation

#### Step 6: Final Summary

Provide a final summary:

Validation Summary

Chart: Status: ⚠️ Warnings Found (or ✅ Ready for Deployment)

Issues Found:

Errors: X
Warnings: Y
Info: Z

Proposed Changes: N changes recommended

Next Steps:

Review proposed changes above
Apply changes manually or use helm-generator skill
Re-run validation to confirm fixes


## Workflow Done Criteria

Validation is complete only when all of the following are true:
- A Stage 1 to Stage 10 status table is present with `✅ Passed`, `⚠️ Warning`, `❌ Failed`, or `⏭️ Skipped` for each stage.
- Every skipped stage includes a concrete tool or environment reason.
- Stage 7 and Stage 8 are evaluated against their explicit success criteria above.
- Severity totals are reported (`Errors`, `Warnings`, `Info`) with proposed remediation actions.
- Role boundary is respected: no file edits unless explicitly requested by the user.

## Helm Templating Automation & Best Practices

This section covers advanced Helm templating techniques, helper functions, and automation strategies.

### Template Helpers (`_helpers.tpl`)

Template helpers are reusable functions defined in `templates/_helpers.tpl`. They promote DRY principles and consistency.

**Standard helper patterns:**

1. **Chart name helper:**
```yaml
{{/*
Expand the name of the chart.
*/}}
{{- define "mychart.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

Fullname helper:

{{/*
Create a default fully qualified app name.
*/}}
{{- define "mychart.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}

Chart reference helper:

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "mychart.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

Standard labels helper:

{{/*
Common labels
*/}}
{{- define "mychart.labels" -}}
helm.sh/chart: {{ include "mychart.chart" . }}
{{ include "mychart.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

Selector labels helper:

{{/*
Selector labels
*/}}
{{- define "mychart.selectorLabels" -}}
app.kubernetes.io/name: {{ include "mychart.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

ServiceAccount name helper:

{{/*
Create the name of the service account to use
*/}}
{{- define "mychart.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "mychart.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

When to create helpers:

Values used in multiple templates
Complex logic that's repeated
Label sets that should be consistent
Name generation patterns
Conditional resource inclusion

Essential Template Functions

Reference and use these Helm template functions for robust charts:

required - Enforce required values:

apiVersion: v1
kind: Service
metadata:
  name: {{ required "A valid service name is required!" .Values.service.name }}

default - Provide fallback values:

replicas: {{ .Values.replicaCount | default 1 }}

quote - Safely quote string values:

env:
  - name: DATABASE_HOST
    value: {{ .Values.database.host | quote }}

include - Use helpers with pipeline:

metadata:
  labels:
    {{- include "mychart.labels" . | nindent 4 }}

tpl - Render strings as templates:

{{- tpl .Values.customConfig . }}

toYaml - Convert objects to YAML:

{{- with .Values.resources }}
resources:
  {{- toYaml . | nindent 2 }}
{{- end }}

fromYaml - Parse YAML strings:

{{- $config := .Values.configYaml | fromYaml }}

merge - Merge maps:

{{- $merged := merge .Values.override .Values.defaults }}

lookup - Query cluster resources (use carefully):

{{- $secret := lookup "v1" "Secret" .Release.Namespace "my-secret" }}
{{- if $secret }}
  # Secret exists, use it
{{- else }}
  # Create new secret
{{- end }}

Advanced Template Patterns

Conditional resource creation:

{{- if .Values.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
# ... ingress definition
{{- end }}

Range over lists:

{{- range .Values.extraEnvVars }}
- name: {{ .name }}
  value: {{ .value | quote }}
{{- end }}

Range over maps:

{{- range $key, $value := .Values.configMap }}
{{ $key }}: {{ $value | quote }}
{{- end }}

With blocks for scoping:

{{- with .Values.nodeSelector }}
nodeSelector:
  {{- toYaml . | nindent 2 }}
{{- end }}

Named templates with custom context:

{{- include "mychart.container" (dict "root" . "container" .Values.mainContainer) }}

Values Structure Best Practices

Prefer flat structures when possible:

# Good - Flat structure
serverName: nginx
serverPort: 80

# Acceptable - Nested structure for related settings
server:
  name: nginx
  port: 80
  replicas: 3

Always provide defaults in values.yaml:

replicaCount: 1

image:
  repository: nginx
  pullPolicy: IfNotPresent
  tag: "1.21.0"

service:
  type: ClusterIP
  port: 80

resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi

Document all values:

# replicaCount is the number of pod replicas for the deployment
replicaCount: 1

# image configures the container image
image:
  # image.repository is the container image registry and name
  repository: nginx
  # image.tag overrides the image tag (default is chart appVersion)
  tag: "1.21.0"

Template Comments and Documentation

Use Helm template comments for documentation:

{{- /*
mychart.fullname generates the fullname for resources.
It supports nameOverride and fullnameOverride values.
Usage: {{ include "mychart.fullname" . }}
*/ -}}
{{- define "mychart.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}

Use YAML comments for user-facing notes:

# WARNING: Changing the storage class will not migrate existing data
storageClass: "standard"

Whitespace Management

Use - to chomp whitespace in template directives:

{{- if .Values.enabled }}
  # Remove leading whitespace
{{- end }}

{{ .Values.name -}}
  # Remove trailing whitespace

Good formatting:

{{- if .Values.enabled }}
  key: value
{{- end }}

Bad formatting:

{{if .Values.enabled}}
key: value
{{end}}

Helper Patterns Reference

When analyzing charts, identify opportunities for helper functions:

Identify repetition:
- Same label sets across resources
- Repeated name generation logic
- Common conditional patterns
Common helper patterns to recommend:
- Chart name helper (.name)
- Fullname helper (.fullname)
- Chart version label (.chart)
- Common labels (.labels)
- Selector labels (.selectorLabels)
- ServiceAccount name (.serviceAccountName)
When to recommend helpers:
- Missing _helpers.tpl file
- Repeated code patterns across templates
- Inconsistent label usage
- Long resource names that need truncation

Best Practices Reference

For detailed Helm and Kubernetes best practices, load the references:

Read references/helm_best_practices.md
Read references/k8s_best_practices.md

These references include:

Chart structure and metadata
Template conventions and patterns
Values file organization
Security best practices
Resource limits and requests
Common validation issues and fixes

When to load: When validation reveals issues that need context, when implementing new features, or when the user asks about best practices.

Working with Chart Dependencies

When a chart has dependencies (in Chart.yaml or charts/ directory):

Update dependencies:

helm dependency update <chart-directory>

List dependencies:

helm dependency list <chart-directory>

Validate dependencies:
- Check that dependency versions are available
- Verify dependency values are properly scoped
- Test templates with dependency resources
Override dependency values:

# values.yaml
postgresql:
  enabled: true
  postgresqlPassword: "secret"
  persistence:
    size: 10Gi

Error Handling Strategies

Tool Not Available

Run scripts/setup_tools.sh to check availability
Provide installation instructions
Skip optional stages but document what was skipped
Continue with available tools

Template Rendering Errors

Show the specific template file and line number
Check if values are defined in values.yaml
Verify template function syntax
Test with simpler value combinations
Use --debug flag for detailed error messages

Cluster Access Issues

Fall back to client-side validation
Use rendered templates with kubectl
Skip cluster validation if no kubectl config
Document limitations in validation report

CRD Documentation Not Found

Document that documentation lookup failed
Attempt validation with kubeconform CRD schemas

Suggest manual CRD inspection:

kubectl get crd <crd-name>.group -o yaml
kubectl explain <kind>

Validation Stage Failures

Continue to next stage even if one fails
Collect all errors before presenting to user
Prioritize fixing Helm lint errors first
Then fix template errors
Finally fix schema/validation errors

macOS Extended Attributes Issue

Symptom: Helm reports "Chart.yaml file is missing" even though the file exists and is readable.

Diagnosis:

# Check for extended attributes
xattr /path/to/chart/Chart.yaml

# If attributes are present, you'll see output like:
# com.apple.provenance
# com.apple.quarantine

Solutions:

Remove extended attributes:

# Remove all extended attributes from a file
xattr -c /path/to/chart/Chart.yaml

# Remove all extended attributes recursively from chart directory
xattr -cr /path/to/chart/

Create files using shell commands instead:

# Use cat with heredoc instead of direct file writes
cat > Chart.yaml << 'EOF'
apiVersion: v2
name: mychart
version: 0.1.0
EOF

Copy from helm-created chart:

# Create a fresh chart and copy structure
helm create temp-chart
cp -r temp-chart/* /path/to/your/chart/
rm -rf temp-chart

Prevention: When creating new chart files on macOS, prefer using helm create as a base or use shell heredocs (cat > file << 'EOF') rather than direct file creation tools.

Communication Guidelines

When presenting validation results and fixes:

Be clear and concise about what was found
Explain why issues matter (e.g., "This will cause pod creation to fail")
Provide context from Helm best practices when relevant
Group related issues (e.g., all missing helper issues together)
Use file:line references when available
Show confidence level for auto-fixes (high confidence = syntax, low = logic changes)
Always provide a summary after proposing fixes (and after applying fixes when explicitly requested) including:
- What was changed and why
- File and line references for each fix
- Total count of issues resolved
- Final validation status
- Any remaining warnings or recommendations

Version Awareness

Always consider Kubernetes and Helm version compatibility:

Check for deprecated Kubernetes APIs
Ensure Helm chart apiVersion is v2 (for Helm 3+)
For CRDs, ensure the apiVersion matches what's in the cluster
Use kubectl api-versions to list available API versions
Reference version-specific documentation when available
Set kubeVersion constraint in Chart.yaml if needed

Chart Testing

For comprehensive testing, use Helm test resources:

Create test resources:

# templates/tests/test-connection.yaml
apiVersion: v1
kind: Pod
metadata:
  name: "{{ include "mychart.fullname" . }}-test-connection"
  annotations:
    "helm.sh/hook": test
spec:
  containers:
    - name: wget
      image: busybox
      command: ['wget']
      args: ['{{ include "mychart.fullname" . }}:{{ .Values.service.port }}']
  restartPolicy: Never

Run tests:

helm test <release-name>

Automation Opportunities Reference

During Stage 10 (Final Report), list all detected automation opportunities in the summary.

Do NOT ask user questions or modify files. Simply list recommendations.

Automation opportunities to detect and list:

Missing Item	Recommendation
`_helpers.tpl`	Run: `bash scripts/generate_helpers.sh <chart>`
`.helmignore`	Copy from: `assets/.helmignore`
`values.schema.json`	Copy and customize from: `assets/values.schema.json`
`NOTES.txt`	Create post-install notes template
`README.md`	Create chart documentation
Repeated patterns	Extract to helper functions

Security recommendations to include when issues found:

Issue	Recommendation
Missing pod securityContext	Add `runAsNonRoot: true`, `runAsUser: 1000`, `fsGroup: 2000`
Missing container securityContext	Add `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `capabilities.drop: [ALL]`
Missing resource limits	Add CPU/memory limits and requests
Using `:latest` tag	Pin to specific image version
Missing probes	Add liveness and readiness probes

Template improvement recommendations:

Issue	Recommendation
Using `template` instead of `include`	Replace with `include` for pipeline support
Missing `nindent`	Add `nindent` for proper YAML indentation
No default values	Add `default` function for optional values
Missing `required` function	Add `required` for critical values

Resources

scripts/

setup_tools.sh

Checks for required validation tools (helm, yamllint, kubeconform, kubectl)
Provides installation instructions for missing tools
Verifies versions of installed tools
Usage: bash scripts/setup_tools.sh

validate_chart_structure.sh

Validates Helm chart directory structure
Checks for required files (Chart.yaml, values.yaml, templates/)
Verifies file formats and syntax
Usage: bash scripts/validate_chart_structure.sh <chart-directory>

detect_crd_wrapper.sh

Wrapper script that handles Python dependency management
Automatically creates temporary venv if PyYAML is not available
Calls detect_crd.py to parse YAML files
Usage: bash scripts/detect_crd_wrapper.sh <file.yaml> [file2.yaml ...]

detect_crd.py

Parses YAML files to identify Custom Resource Definitions
Extracts kind, apiVersion, group, and version information
Outputs JSON for programmatic processing
Requires PyYAML (handled automatically by wrapper script)
Can be called directly: python3 scripts/detect_crd.py <file.yaml> [file2.yaml ...]

generate_helpers.sh

Generates standard Helm helpers (_helpers.tpl) for a chart
Creates fullname, labels, and selector helpers
Usage: bash scripts/generate_helpers.sh <chart-directory>

references/

helm_best_practices.md

Comprehensive guide to Helm chart best practices
Covers template patterns, helper functions, values structure
Common validation issues and how to fix them
Security and performance recommendations
Load when providing context for Helm-specific issues

k8s_best_practices.md

Comprehensive guide to Kubernetes YAML best practices
Covers metadata, labels, resource limits, security context
Common validation issues and how to fix them
Load when providing context for Kubernetes-specific issues

template_functions.md

Reference guide for Helm template functions
Examples of all built-in functions
Sprig function library reference
Custom function patterns
Load when implementing complex templates

assets/

.helmignore

Standard .helmignore file for excluding files from packaging
Pre-configured with common patterns

.yamllint

Pre-configured yamllint rules for Kubernetes YAML
Follows Kubernetes conventions (2-space indentation, line length, etc.)
Can be customized per project
Usage: yamllint -c assets/.yamllint <file.yaml>

values.schema.json

Example JSON Schema for values validation
Can be copied and customized for specific charts
Provides type safety and validation