Helm is the de facto package manager for Kubernetes, and values.yaml is its primary interface for configuration. Yet for years, that interface has been completely unvalidated by default — a free-form YAML file where any key can be anything, where typos silently pass through, and where misconfigured deployments only reveal themselves when pods fail to start in production. The values.schema.json file changes that equation entirely. This article explains why schema validation matters, how to implement it properly, and how to integrate it into a modern CI/CD pipeline.
The Problem: Silent Failures in Production
Consider a platform team managing dozens of Helm releases across multiple clusters. A developer submits a values override file with replicaCount: "3" instead of replicaCount: 3 — a string where an integer is expected. Or they set image.pullPolicy: Allways with a typo. Or they omit a required secret reference that the application needs to boot. In all three cases, Helm without schema validation will happily render the templates, produce Kubernetes manifests, and apply them to the cluster. The failure surfaces later — sometimes much later — as a CrashLoopBackOff, an ImagePullBackOff, or a subtle runtime error that takes hours to debug.
This is not a hypothetical scenario. It is the daily reality for teams operating at scale without values validation. The root cause is architectural: Helm templates use Go’s text/template engine, which is weakly typed and permissive by design. A template that does {{ .Values.replicaCount }} will render whether the value is an integer, a string, or even a boolean. The resulting Kubernetes manifest may be invalid, but that error only surfaces when the Kubernetes API server rejects it — or worse, accepts it but interprets it differently than intended.
The consequences compound at scale. When a chart is used by multiple teams, the lack of a formal contract for acceptable values means every consumer has to read through template files and comments to understand what inputs are valid. There is no machine-readable specification. There is no IDE support. There is no guardrail. The only documentation is whatever the chart author happened to write in comments inside values.yaml — and comments do not stop a CI pipeline from shipping a broken deployment.
What Is values.schema.json
Since Helm 3.0.0, released in November 2019, Helm supports an optional values.schema.json file at the root of a chart directory — the same level as Chart.yaml and values.yaml. This file is a JSON Schema draft-07 document that formally describes the structure, types, constraints, and required fields for the chart’s values.
When this file is present, Helm automatically validates the merged values (defaults from values.yaml merged with any user-supplied overrides) against the schema at multiple points: during helm install, helm upgrade, helm template, and helm lint. If validation fails, Helm refuses to proceed and prints a human-readable error message identifying exactly which value failed and why. This transforms a class of runtime failures into build-time failures — the correct direction for any production system.
The choice of JSON Schema draft-07 specifically is worth noting. Draft-07 is widely supported by tooling, including the Red Hat YAML extension for VS Code, JetBrains IDEs, and most JSON Schema validators. It introduced the if/then/else conditional keywords that are particularly useful for Helm charts. More recent drafts (2019-09, 2020-12) offer additional features but have less universal tooling support, making draft-07 the pragmatic choice for chart authors today.
Chart Directory Structure
my-app/
├── Chart.yaml
├── values.yaml
├── values.schema.json ← lives here
├── charts/
└── templates/
├── deployment.yaml
├── service.yaml
├── ingress.yaml
└── _helpers.tplThe schema file is included when a chart is packaged with helm package and distributed through chart repositories. Consumers of the chart get schema validation automatically without any additional configuration — the guardrails ship with the chart itself.
How Helm Uses the Schema
Helm’s validation behavior is straightforward but has some nuances worth understanding. When Helm processes a release, it first merges all value sources in order of increasing precedence: chart defaults (values.yaml), parent chart values, -f value files, and finally --set flags. The merged result is then validated against the schema as a single operation.
This means the schema validates the effective values, not each source in isolation. A required field that has a default in values.yaml will pass validation even when not specified by the user, because the merged result includes the default. This is the correct behavior — it validates what will actually be used during rendering.
The validation happens before template rendering. If schema validation fails, Helm exits with a non-zero status code and prints all validation errors. The error output is structured and actionable:
$ helm install my-release ./my-app --set replicaCount=abc
Error: values don't meet the specifications of the schema(s) in the following chart(s):
my-app:
- replicaCount: Invalid type. Expected: integer, given: stringFor helm lint, which is typically used in CI pipelines without installing to a cluster, schema validation also runs. This makes helm lint a powerful pre-deployment gate when schema files are present.
IDE Benefits: Autocompletion and Inline Validation
Beyond Helm’s own validation, values.schema.json unlocks IDE support that significantly improves the developer experience when working with values files. The Red Hat YAML extension for VS Code can reference a JSON Schema file to provide autocompletion, type checking, and inline error highlighting for YAML files.
To enable this, add a yaml.schemas configuration to your VS Code workspace settings or the user settings file:
// .vscode/settings.json
{
"yaml.schemas": {
"./my-app/values.schema.json": "./my-app/values.yaml"
}
}With this configuration, editing values.yaml in VS Code will show autocompletion for defined keys, inline errors for type mismatches, and hover documentation pulled from the description fields in your schema. For platform teams maintaining internal Helm charts, this transforms the chart into a self-documenting, IDE-aware configuration interface — without any additional tooling investment.
JetBrains IDEs (IntelliJ IDEA, GoLand, etc.) support JSON Schema associations through the Languages & Frameworks > Schemas and DTDs > JSON Schema Mappings settings panel, providing equivalent functionality for teams using those tools.
Building the Schema: A Practical Guide
Let’s build a complete, realistic example. Start with a typical values.yaml for a web application chart:
# values.yaml
replicaCount: 2
image:
repository: myorg/my-app
tag: "1.0.0"
pullPolicy: IfNotPresent
service:
type: ClusterIP
port: 80
ingress:
enabled: false
hostname: ""
tls: false
resources:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "512Mi"
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 10
targetCPUUtilizationPercentage: 80
config:
logLevel: info
databaseUrl: ""
nodeSelector: {}
tolerations: []
affinity: {}Now the full values.schema.json that validates this structure:
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "my-app Helm Chart Values",
"description": "Configuration values for the my-app Helm chart",
"type": "object",
"additionalProperties": false,
"required": ["image", "service"],
"$defs": {
"resourceQuantity": {
"type": "string",
"pattern": "^[0-9]+(\\.[0-9]+)?(m|Ki|Mi|Gi|Ti|Pi|Ei|k|M|G|T|P|E)?$",
"description": "A Kubernetes resource quantity (e.g. 100m, 128Mi, 1Gi)"
}
},
"properties": {
"replicaCount": {
"type": "integer",
"minimum": 0,
"maximum": 50,
"default": 2,
"description": "Number of pod replicas. Set to 0 to scale down."
},
"image": {
"type": "object",
"additionalProperties": false,
"required": ["repository", "tag"],
"description": "Container image configuration",
"properties": {
"repository": {
"type": "string",
"minLength": 1,
"description": "Container image repository"
},
"tag": {
"type": "string",
"pattern": "^[a-zA-Z0-9._-]+$",
"minLength": 1,
"description": "Image tag. Avoid using 'latest' in production."
},
"pullPolicy": {
"type": "string",
"enum": ["Always", "IfNotPresent", "Never"],
"default": "IfNotPresent",
"description": "Kubernetes imagePullPolicy"
}
}
},
"service": {
"type": "object",
"additionalProperties": false,
"required": ["type", "port"],
"properties": {
"type": {
"type": "string",
"enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName"],
"description": "Kubernetes Service type"
},
"port": {
"type": "integer",
"minimum": 1,
"maximum": 65535,
"description": "Service port"
}
}
},
"ingress": {
"type": "object",
"additionalProperties": false,
"properties": {
"enabled": {
"type": "boolean",
"default": false
},
"hostname": {
"type": "string",
"description": "Ingress hostname. Required when ingress.enabled is true."
},
"tls": {
"type": "boolean",
"default": false,
"description": "Enable TLS for the ingress"
}
},
"if": {
"properties": {
"enabled": { "const": true }
},
"required": ["enabled"]
},
"then": {
"required": ["hostname"],
"properties": {
"hostname": {
"minLength": 1,
"pattern": "^[a-zA-Z0-9]([a-zA-Z0-9\\-\\.]+)?[a-zA-Z0-9]$"
}
}
}
},
"resources": {
"type": "object",
"additionalProperties": false,
"properties": {
"requests": {
"type": "object",
"additionalProperties": false,
"properties": {
"cpu": { "$ref": "#/$defs/resourceQuantity" },
"memory": { "$ref": "#/$defs/resourceQuantity" }
}
},
"limits": {
"type": "object",
"additionalProperties": false,
"properties": {
"cpu": { "$ref": "#/$defs/resourceQuantity" },
"memory": { "$ref": "#/$defs/resourceQuantity" }
}
}
}
},
"autoscaling": {
"type": "object",
"additionalProperties": false,
"properties": {
"enabled": {
"type": "boolean",
"default": false
},
"minReplicas": {
"type": "integer",
"minimum": 1
},
"maxReplicas": {
"type": "integer",
"minimum": 1,
"maximum": 100
},
"targetCPUUtilizationPercentage": {
"type": "integer",
"minimum": 1,
"maximum": 100
}
},
"if": {
"properties": {
"enabled": { "const": true }
},
"required": ["enabled"]
},
"then": {
"required": ["minReplicas", "maxReplicas"]
}
},
"config": {
"type": "object",
"additionalProperties": false,
"properties": {
"logLevel": {
"type": "string",
"enum": ["debug", "info", "warn", "error"],
"default": "info",
"description": "Application log level"
},
"databaseUrl": {
"type": "string",
"description": "Database connection URL"
}
}
},
"nodeSelector": {
"type": "object",
"description": "Node selector labels for pod scheduling"
},
"tolerations": {
"type": "array",
"description": "Pod tolerations"
},
"affinity": {
"type": "object",
"description": "Pod affinity rules"
}
}
}Key Schema Patterns Explained
additionalProperties: false
This is arguably the most important pattern in a Helm schema. Without it, unknown keys pass validation silently — which defeats much of the purpose. With "additionalProperties": false, any key not listed in properties causes a validation error. This catches typos like repicaCount instead of replicaCount, which would otherwise silently use the default value and leave the developer wondering why their override had no effect.
Apply it at every nested object level, not just the root. A typo inside image: or resources: is just as dangerous as one at the top level.
$defs for Reusable Definitions
The $defs keyword (called definitions in earlier draft versions, though draft-07 supports both) provides a namespace for reusable schema fragments. In the example above, resourceQuantity is defined once and referenced via $ref in both requests and limits. This avoids duplication and ensures consistent validation logic across related fields.
For larger charts, $defs becomes essential. Common patterns include reusable schemas for image configurations, resource requirements, probe configurations, and environment variable maps.
Conditional Validation with if/then/else
The if/then/else construct in JSON Schema draft-07 is particularly powerful for Helm charts, where many values are conditional on a feature toggle. The ingress example above demonstrates this: when ingress.enabled is true, the hostname field becomes required and must match a valid hostname pattern. When ingress is disabled, the hostname can be empty or omitted entirely.
This pattern can be extended for more complex scenarios. For example, enforcing that when autoscaling.enabled is true, the standalone replicaCount should not be set (since the HPA controls replica count):
{
"if": {
"properties": {
"autoscaling": {
"properties": {
"enabled": { "const": true }
},
"required": ["enabled"]
}
}
},
"then": {
"properties": {
"replicaCount": {
"description": "replicaCount is ignored when autoscaling is enabled"
}
}
}
}Pattern Validation for Image Tags
The image tag field is a common source of production issues. Teams accidentally deploy with latest, which is non-deterministic and makes rollbacks unreliable. A pattern constraint can enforce semantic versioning or at least ban the latest tag in production charts:
"tag": {
"type": "string",
"not": {
"enum": ["latest", ""]
},
"pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+",
"description": "Semantic version tag required. 'latest' is not permitted."
}This enforces that image tags start with a semantic version number, immediately rejecting latest, empty strings, or arbitrary branch names that would produce non-reproducible deployments.
Enum for Controlled Vocabularies
Fields with a fixed set of valid values — Kubernetes service types, image pull policies, log levels — should use enum. This is more precise than a pattern and produces clearer error messages. It also enables IDE autocompletion to show exactly the valid options as a pick-list, rather than requiring the developer to remember or look up acceptable values.
CI/CD Integration
GitHub Actions
The most direct integration point is helm lint, which runs schema validation as part of its checks. A minimal GitHub Actions workflow that validates a chart on every pull request looks like this:
# .github/workflows/helm-lint.yaml
name: Helm Lint
on:
pull_request:
paths:
- 'charts/**'
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Helm
uses: azure/setup-helm@v4
with:
version: '3.14.0'
- name: Lint chart with default values
run: helm lint charts/my-app
- name: Lint chart with staging values
run: helm lint charts/my-app -f charts/my-app/ci/staging-values.yaml
- name: Lint chart with production values
run: helm lint charts/my-app -f charts/my-app/ci/production-values.yaml
- name: Validate template rendering
run: |
helm template my-app charts/my-app \
-f charts/my-app/ci/production-values.yaml \
--debug > /dev/nullThe ci/ directory convention (values files specifically for CI testing) is a pattern from the chart-testing tool and works well for validating multiple realistic value combinations, not just the defaults.
For teams using the ct (chart-testing) CLI tool from the Helm project, schema validation is automatically included in the ct lint command, which also handles chart versioning checks and YAML linting:
- name: Chart Testing lint
uses: helm/chart-testing-action@v2.6.1
- name: Run chart-testing lint
run: ct lint --target-branch ${{ github.event.repository.default_branch }}Pre-commit Hooks
For local development, pre-commit hooks catch issues before code is even pushed. The pre-commit framework makes this straightforward:
# .pre-commit-config.yaml
repos:
- repo: https://github.com/gruntwork-io/pre-commit
rev: v0.1.23
hooks:
- id: helmlint
- repo: local
hooks:
- id: helm-schema-validate
name: Helm Schema Validation
language: script
entry: scripts/validate-helm-schemas.sh
files: ^charts/.*values.*\.yaml$#!/usr/bin/env bash
# scripts/validate-helm-schemas.sh
set -euo pipefail
for chart_dir in charts/*/; do
if [[ -f "${chart_dir}/values.schema.json" ]]; then
echo "Linting ${chart_dir}..."
helm lint "${chart_dir}" --strict
fi
doneArgoCD and Flux Integration
Both ArgoCD and Flux (Helm Controller) invoke helm template internally when reconciling Helm releases. Since helm template runs schema validation when a schema file is present, any invalid values in an HelmRelease or ArgoCD Application manifest will cause the reconciliation to fail with a clear error message — visible in the controller logs and surface as a degraded resource status. No additional configuration is required; schema validation is automatic.
Generating Schemas from Existing Charts
For charts that already have a well-structured values.yaml, writing a schema from scratch is time-consuming but not starting from zero. Several tools can generate a draft schema that you then refine:
- helm-values-schema-json — a Helm plugin (
helm plugin install https://github.com/losisin/helm-values-schema-json) that introspectsvalues.yamland generates a draft schema with inferred types. Run withhelm schema-gen values.yaml. - json-schema-generator online tools — paste your values as JSON (convert YAML to JSON first) and get a draft schema back.
- Manually from scratch — for new charts, writing the schema alongside the values file from the beginning is the most accurate approach and requires no extra tooling.
Generated schemas are always starting points. They infer types from existing values but cannot know about intended constraints, enums, patterns, required fields in conditional cases, or additionalProperties: false at nested levels. Manual review and refinement is always necessary.
Common Mistakes and How to Avoid Them
| Mistake | Symptom | Fix |
|---|---|---|
Missing additionalProperties: false | Typos in key names pass validation silently | Add it at every object level, including nested objects |
| Schema only at root level | Nested typos go undetected | Apply additionalProperties: false recursively |
| Not including defaults in schema | IDE shows fields as required when they are optional | Add default to all optional fields |
| Overly strict patterns blocking valid values | Legitimate deployments fail schema validation | Test patterns against your real value space before shipping |
Using definitions instead of $defs | Works in most tools but is draft-2019-09+ terminology | Use $defs for draft-07 compliance; both work in practice |
| Schema not committed to the chart repo | Consumers get no validation when pulling from repository | Always commit values.schema.json alongside the chart |
| Validating subchart values through parent schema | Schema errors for subchart values the parent doesn’t own | Do not attempt to validate subchart values in parent schema; each chart owns its own schema |
The Null Value Problem
A subtle but common issue: in YAML, an unset key with no value (key:) resolves to null, not an empty string or zero. If your schema defines a field as "type": "string", a null value will fail validation. To handle optional fields that users might leave blank, use a type union:
"databaseUrl": {
"type": ["string", "null"],
"description": "Database connection URL. Leave null to use the default."
}Alternatively, ensure your values.yaml defaults use empty strings ("") rather than bare keys, and document that convention for chart consumers.
Schema Drift
As charts evolve, new values get added to values.yaml without corresponding updates to values.schema.json. Over time the schema becomes stale and provides partial coverage. The fix is procedural: treat schema updates as part of the definition of done for any PR that modifies values. Code review should include checking that new or modified values have corresponding schema entries.
Frequently Asked Questions
Does values.schema.json validate subchart values?
No. Each chart in a dependency relationship validates only its own values against its own schema. If chart A depends on chart B, and chart B has a schema, chart B’s schema validates the values under the b: key in chart A’s values.yaml — but only when processed in the context of chart B itself. Chart A’s schema should not attempt to describe chart B’s values structure. This is by design: it maintains loose coupling between charts and allows subcharts to evolve their schemas independently.
Can I use JSON Schema draft-2020-12 instead of draft-07?
Technically, Helm does not strictly enforce which draft version you use — it uses the Go library github.com/xeipuuv/gojsonschema, which supports draft-04 through draft-07. Using newer draft keywords that are not supported by this library may cause them to be silently ignored rather than throwing an error. For IDE support, draft-07 has the broadest compatibility. If you need features from newer drafts (like unevaluatedProperties from 2020-12), test carefully to confirm they are enforced by Helm’s validator and not silently skipped.
How do I handle values that differ between environments without schema conflicts?
The schema should describe all valid values across all environments. Use enum to enumerate all valid values for a field, and use if/then/else for constraints that only apply in certain configurations. The schema is a contract for what the chart accepts, not a policy for what a specific environment should use. Environment-specific policies (such as “production must use a minimum of 3 replicas”) are better enforced at a higher level — through admission controllers like OPA Gatekeeper or Kyverno — rather than in the chart schema itself.
Does schema validation run when using helm template for dry runs?
Yes. helm template runs schema validation before rendering templates. This makes it useful as a validation step in CI pipelines even without a live cluster: helm template release-name ./chart -f values-override.yaml will fail with schema errors if the values are invalid, and will output the rendered manifests if they are valid. Piping the output to kubectl apply --dry-run=client -f - adds an additional layer of Kubernetes API validation for a thorough offline check.
Should I add values.schema.json to charts I don’t maintain (upstream charts)?
For upstream charts you consume but do not maintain (such as Bitnami charts, ingress-nginx, cert-manager), the recommended approach is to maintain a separate JSON Schema file in your own GitOps repository that validates your specific values overlay files. Tools like jsonschema (Python) or ajv (Node.js) can validate a YAML/JSON values file against a schema in CI without Helm being involved. This gives you schema validation for your environment-specific overrides without needing to modify upstream chart sources.