Helm is the de facto package manager for Kubernetes, and values.yaml is its primary interface for configuration. Yet for years, that interface has been completely unvalidated by default — a free-form YAML file where any key can be anything, where typos silently pass through, and where misconfigured deployments only reveal themselves when pods fail to start in production. The values.schema.json file changes that equation entirely. This article explains why schema validation matters, how to implement it properly, and how to integrate it into a modern CI/CD pipeline.
The Problem: Silent Failures in Production
Consider a platform team managing dozens of Helm releases across multiple clusters. A developer submits a values override file with replicaCount: "3" instead of replicaCount: 3 — a string where an integer is expected. Or they set image.pullPolicy: Allways with a typo. Or they omit a required secret reference that the application needs to boot. In all three cases, Helm without schema validation will happily render the templates, produce Kubernetes manifests, and apply them to the cluster. The failure surfaces later — sometimes much later — as a CrashLoopBackOff, an ImagePullBackOff, or a subtle runtime error that takes hours to debug.
This is not a hypothetical scenario. It is the daily reality for teams operating at scale without values validation. The root cause is architectural: Helm templates use Go’s text/template engine, which is weakly typed and permissive by design. A template that does {{ .Values.replicaCount }} will render whether the value is an integer, a string, or even a boolean. The resulting Kubernetes manifest may be invalid, but that error only surfaces when the Kubernetes API server rejects it — or worse, accepts it but interprets it differently than intended.
The consequences compound at scale. When a chart is used by multiple teams, the lack of a formal contract for acceptable values means every consumer has to read through template files and comments to understand what inputs are valid. There is no machine-readable specification. There is no IDE support. There is no guardrail. The only documentation is whatever the chart author happened to write in comments inside values.yaml — and comments do not stop a CI pipeline from shipping a broken deployment.
What Is values.schema.json
Since Helm 3.0.0, released in November 2019, Helm supports an optional values.schema.json file at the root of a chart directory — the same level as Chart.yaml and values.yaml. This file is a JSON Schema draft-07 document that formally describes the structure, types, constraints, and required fields for the chart’s values.
When this file is present, Helm automatically validates the merged values (defaults from values.yaml merged with any user-supplied overrides) against the schema at multiple points: during helm install, helm upgrade, helm template, and helm lint. If validation fails, Helm refuses to proceed and prints a human-readable error message identifying exactly which value failed and why. This transforms a class of runtime failures into build-time failures — the correct direction for any production system.
The choice of JSON Schema draft-07 specifically is worth noting. Draft-07 is widely supported by tooling, including the Red Hat YAML extension for VS Code, JetBrains IDEs, and most JSON Schema validators. It introduced the if/then/else conditional keywords that are particularly useful for Helm charts. More recent drafts (2019-09, 2020-12) offer additional features but have less universal tooling support, making draft-07 the pragmatic choice for chart authors today.
Chart Directory Structure
my-app/
├── Chart.yaml
├── values.yaml
├── values.schema.json ← lives here
├── charts/
└── templates/
├── deployment.yaml
├── service.yaml
├── ingress.yaml
└── _helpers.tpl
The schema file is included when a chart is packaged with helm package and distributed through chart repositories. Consumers of the chart get schema validation automatically without any additional configuration — the guardrails ship with the chart itself.
How Helm Uses the Schema
Helm’s validation behavior is straightforward but has some nuances worth understanding. When Helm processes a release, it first merges all value sources in order of increasing precedence: chart defaults (values.yaml), parent chart values, -f value files, and finally --set flags. The merged result is then validated against the schema as a single operation.
This means the schema validates the effective values, not each source in isolation. A required field that has a default in values.yaml will pass validation even when not specified by the user, because the merged result includes the default. This is the correct behavior — it validates what will actually be used during rendering.
The validation happens before template rendering. If schema validation fails, Helm exits with a non-zero status code and prints all validation errors. The error output is structured and actionable:
$ helm install my-release ./my-app --set replicaCount=abc
Error: values don't meet the specifications of the schema(s) in the following chart(s):
my-app:
- replicaCount: Invalid type. Expected: integer, given: string
For helm lint, which is typically used in CI pipelines without installing to a cluster, schema validation also runs. This makes helm lint a powerful pre-deployment gate when schema files are present.
IDE Benefits: Autocompletion and Inline Validation
Beyond Helm’s own validation, values.schema.json unlocks IDE support that significantly improves the developer experience when working with values files. The Red Hat YAML extension for VS Code can reference a JSON Schema file to provide autocompletion, type checking, and inline error highlighting for YAML files.
To enable this, add a yaml.schemas configuration to your VS Code workspace settings or the user settings file:
// .vscode/settings.json
{
"yaml.schemas": {
"./my-app/values.schema.json": "./my-app/values.yaml"
}
}
With this configuration, editing values.yaml in VS Code will show autocompletion for defined keys, inline errors for type mismatches, and hover documentation pulled from the description fields in your schema. For platform teams maintaining internal Helm charts, this transforms the chart into a self-documenting, IDE-aware configuration interface — without any additional tooling investment.
JetBrains IDEs (IntelliJ IDEA, GoLand, etc.) support JSON Schema associations through the Languages & Frameworks > Schemas and DTDs > JSON Schema Mappings settings panel, providing equivalent functionality for teams using those tools.
Building the Schema: A Practical Guide
Let’s build a complete, realistic example. Start with a typical values.yaml for a web application chart:
# values.yaml
replicaCount: 2
image:
repository: myorg/my-app
tag: "1.0.0"
pullPolicy: IfNotPresent
service:
type: ClusterIP
port: 80
ingress:
enabled: false
hostname: ""
tls: false
resources:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "512Mi"
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 10
targetCPUUtilizationPercentage: 80
config:
logLevel: info
databaseUrl: ""
nodeSelector: {}
tolerations: []
affinity: {}
Now the full values.schema.json that validates this structure:
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "my-app Helm Chart Values",
"description": "Configuration values for the my-app Helm chart",
"type": "object",
"additionalProperties": false,
"required": ["image", "service"],
"$defs": {
"resourceQuantity": {
"type": "string",
"pattern": "^[0-9]+(\\.[0-9]+)?(m|Ki|Mi|Gi|Ti|Pi|Ei|k|M|G|T|P|E)?$",
"description": "A Kubernetes resource quantity (e.g. 100m, 128Mi, 1Gi)"
}
},
"properties": {
"replicaCount": {
"type": "integer",
"minimum": 0,
"maximum": 50,
"default": 2,
"description": "Number of pod replicas. Set to 0 to scale down."
},
"image": {
"type": "object",
"additionalProperties": false,
"required": ["repository", "tag"],
"description": "Container image configuration",
"properties": {
"repository": {
"type": "string",
"minLength": 1,
"description": "Container image repository"
},
"tag": {
"type": "string",
"pattern": "^[a-zA-Z0-9._-]+$",
"minLength": 1,
"description": "Image tag. Avoid using 'latest' in production."
},
"pullPolicy": {
"type": "string",
"enum": ["Always", "IfNotPresent", "Never"],
"default": "IfNotPresent",
"description": "Kubernetes imagePullPolicy"
}
}
},
"service": {
"type": "object",
"additionalProperties": false,
"required": ["type", "port"],
"properties": {
"type": {
"type": "string",
"enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName"],
"description": "Kubernetes Service type"
},
"port": {
"type": "integer",
"minimum": 1,
"maximum": 65535,
"description": "Service port"
}
}
},
"ingress": {
"type": "object",
"additionalProperties": false,
"properties": {
"enabled": {
"type": "boolean",
"default": false
},
"hostname": {
"type": "string",
"description": "Ingress hostname. Required when ingress.enabled is true."
},
"tls": {
"type": "boolean",
"default": false,
"description": "Enable TLS for the ingress"
}
},
"if": {
"properties": {
"enabled": { "const": true }
},
"required": ["enabled"]
},
"then": {
"required": ["hostname"],
"properties": {
"hostname": {
"minLength": 1,
"pattern": "^[a-zA-Z0-9]([a-zA-Z0-9\\-\\.]+)?[a-zA-Z0-9]$"
}
}
}
},
"resources": {
"type": "object",
"additionalProperties": false,
"properties": {
"requests": {
"type": "object",
"additionalProperties": false,
"properties": {
"cpu": { "$ref": "#/$defs/resourceQuantity" },
"memory": { "$ref": "#/$defs/resourceQuantity" }
}
},
"limits": {
"type": "object",
"additionalProperties": false,
"properties": {
"cpu": { "$ref": "#/$defs/resourceQuantity" },
"memory": { "$ref": "#/$defs/resourceQuantity" }
}
}
}
},
"autoscaling": {
"type": "object",
"additionalProperties": false,
"properties": {
"enabled": {
"type": "boolean",
"default": false
},
"minReplicas": {
"type": "integer",
"minimum": 1
},
"maxReplicas": {
"type": "integer",
"minimum": 1,
"maximum": 100
},
"targetCPUUtilizationPercentage": {
"type": "integer",
"minimum": 1,
"maximum": 100
}
},
"if": {
"properties": {
"enabled": { "const": true }
},
"required": ["enabled"]
},
"then": {
"required": ["minReplicas", "maxReplicas"]
}
},
"config": {
"type": "object",
"additionalProperties": false,
"properties": {
"logLevel": {
"type": "string",
"enum": ["debug", "info", "warn", "error"],
"default": "info",
"description": "Application log level"
},
"databaseUrl": {
"type": "string",
"description": "Database connection URL"
}
}
},
"nodeSelector": {
"type": "object",
"description": "Node selector labels for pod scheduling"
},
"tolerations": {
"type": "array",
"description": "Pod tolerations"
},
"affinity": {
"type": "object",
"description": "Pod affinity rules"
}
}
}
Key Schema Patterns Explained
additionalProperties: false
This is arguably the most important pattern in a Helm schema. Without it, unknown keys pass validation silently — which defeats much of the purpose. With "additionalProperties": false, any key not listed in properties causes a validation error. This catches typos like repicaCount instead of replicaCount, which would otherwise silently use the default value and leave the developer wondering why their override had no effect.
Apply it at every nested object level, not just the root. A typo inside image: or resources: is just as dangerous as one at the top level.
$defs for Reusable Definitions
The $defs keyword (called definitions in earlier draft versions, though draft-07 supports both) provides a namespace for reusable schema fragments. In the example above, resourceQuantity is defined once and referenced via $ref in both requests and limits. This avoids duplication and ensures consistent validation logic across related fields.
For larger charts, $defs becomes essential. Common patterns include reusable schemas for image configurations, resource requirements, probe configurations, and environment variable maps.
Conditional Validation with if/then/else
The if/then/else construct in JSON Schema draft-07 is particularly powerful for Helm charts, where many values are conditional on a feature toggle. The ingress example above demonstrates this: when ingress.enabled is true, the hostname field becomes required and must match a valid hostname pattern. When ingress is disabled, the hostname can be empty or omitted entirely.
This pattern can be extended for more complex scenarios. For example, enforcing that when autoscaling.enabled is true, the standalone replicaCount should not be set (since the HPA controls replica count):
{
"if": {
"properties": {
"autoscaling": {
"properties": {
"enabled": { "const": true }
},
"required": ["enabled"]
}
}
},
"then": {
"properties": {
"replicaCount": {
"description": "replicaCount is ignored when autoscaling is enabled"
}
}
}
}
Pattern Validation for Image Tags
The image tag field is a common source of production issues. Teams accidentally deploy with latest, which is non-deterministic and makes rollbacks unreliable. A pattern constraint can enforce semantic versioning or at least ban the latest tag in production charts:
"tag": {
"type": "string",
"not": {
"enum": ["latest", ""]
},
"pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+",
"description": "Semantic version tag required. 'latest' is not permitted."
}
This enforces that image tags start with a semantic version number, immediately rejecting latest, empty strings, or arbitrary branch names that would produce non-reproducible deployments.
Enum for Controlled Vocabularies
Fields with a fixed set of valid values — Kubernetes service types, image pull policies, log levels — should use enum. This is more precise than a pattern and produces clearer error messages. It also enables IDE autocompletion to show exactly the valid options as a pick-list, rather than requiring the developer to remember or look up acceptable values.
CI/CD Integration
GitHub Actions
The most direct integration point is helm lint, which runs schema validation as part of its checks. A minimal GitHub Actions workflow that validates a chart on every pull request looks like this:
# .github/workflows/helm-lint.yaml
name: Helm Lint
on:
pull_request:
paths:
- 'charts/**'
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Helm
uses: azure/setup-helm@v4
with:
version: '3.14.0'
- name: Lint chart with default values
run: helm lint charts/my-app
- name: Lint chart with staging values
run: helm lint charts/my-app -f charts/my-app/ci/staging-values.yaml
- name: Lint chart with production values
run: helm lint charts/my-app -f charts/my-app/ci/production-values.yaml
- name: Validate template rendering
run: |
helm template my-app charts/my-app \
-f charts/my-app/ci/production-values.yaml \
--debug > /dev/null
The ci/ directory convention (values files specifically for CI testing) is a pattern from the chart-testing tool and works well for validating multiple realistic value combinations, not just the defaults.
For teams using th