NVIDIA · TaylorMutch · May 4, 2026 · May 5, 2026
@@ -63,7 +63,7 @@ The gateway Service uses ClusterIP. Access is via Envoy Gateway (port `8080`) or
 
 ### TLS behaviour
 
-`values-skaffold.yaml` sets `server.disableTls: true`, so Skaffold-based deploys run
+`ci/values-skaffold.yaml` sets `server.disableTls: true`, so Skaffold-based deploys run
 plaintext by default. To test with TLS enabled, comment out that line and redeploy.
 
 | Mode | `server.disableTls` | Gateway scheme |
@@ -157,7 +157,7 @@ imports the openshell realm from `scripts/keycloak-realm.json`, and prints a por
 command for acquiring tokens from the CLI.
 
 Then activate OIDC in the OpenShell Helm chart:
-1. Uncomment `#- values-keycloak.yaml` in `skaffold.yaml`
+1. Uncomment `#- ci/values-keycloak.yaml` in `skaffold.yaml`
 2. Redeploy: `mise run helm:skaffold:run`
 
 To remove Keycloak:
@@ -188,10 +188,12 @@ mise run helm:k3s:status
 |------|---------|
 | `deploy/helm/openshell/skaffold.yaml` | Skaffold config — images, Helm releases, values overlays |
 | `deploy/helm/openshell/values.yaml` | Default Helm values |
-| `deploy/helm/openshell/values-skaffold.yaml` | Dev overrides (image pull policy, local image names) |
-| `deploy/helm/openshell/values-cert-manager.yaml` | cert-manager TLS overlay (opt-in; disables pkiInitJob) |
-| `deploy/helm/openshell/values-gateway.yaml` | Envoy Gateway GRPCRoute + Gateway overlay |
-| `deploy/helm/openshell/values-keycloak.yaml` | Keycloak OIDC overlay |
+| `deploy/helm/openshell/ci/values-skaffold.yaml` | Dev overrides (image pull policy, TLS disabled for local Skaffold) |
+| `deploy/helm/openshell/ci/values-cert-manager.yaml` | cert-manager PKI overlay (opt-in; disables pkiInitJob) |
+| `deploy/helm/openshell/ci/values-gateway.yaml` | Envoy Gateway GRPCRoute + Gateway overlay |
+| `deploy/helm/openshell/ci/values-keycloak.yaml` | Keycloak OIDC overlay |
+| `deploy/helm/openshell/ci/values-tls-disabled.yaml` | Lint-only: TLS + auth disabled (reverse-proxy edge termination) |
 | `deploy/kube/manifests/envoy-gateway-openshell.yaml` | GatewayClass for Envoy Gateway (`mise run helm:gateway:apply`) |
 | `tasks/scripts/helm-k3s-local.sh` | k3d cluster create/delete/start/stop/status |
+| `tasks/scripts/helm-e2e.sh` | Bootstrap k3d cluster and run Rust + Python e2e via Helm |
 | `tasks/scripts/keycloak-k8s-setup.sh` | Keycloak deploy + realm import |
@@ -0,0 +1,57 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Helm Lint
+
+on:
+  push:
+    branches:
+      - "pull-request/[0-9]+"
+    paths:
+      - "deploy/helm/**"
+  workflow_dispatch:
+
+env:
+  MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+permissions:
+  contents: read
+  packages: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  pr_metadata:
+    name: Resolve PR metadata
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      should_run: ${{ steps.gate.outputs.should_run }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - id: gate
+        uses: ./.github/actions/pr-gate
+
+  helm-lint:
+    name: Helm Lint
+    needs: pr_metadata
+    if: needs.pr_metadata.outputs.should_run == 'true'
+    runs-on: linux-amd64-cpu8
+    container:
+      image: ghcr.io/nvidia/openshell/ci:latest
+      credentials:
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install tools
+        run: mise install --locked
+
+      - name: Lint Helm chart
+        run: mise run helm:lint
@@ -19,8 +19,4 @@
 
 # Ignore development files
 skaffold.yaml
-values-keycloak.yaml
-values-ingress.yaml
-values-gateway.yaml
-values-cert-manager.yaml
-values-skaffold.yaml
+ci/
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # Merge after values.yaml when cert-manager CRDs are installed, e.g.:
-#   helm install ... -f values.yaml -f values-cert-manager.yaml
+#   helm install ... -f values.yaml -f ci/values-cert-manager.yaml
 # Or add this file to skaffold manifests.helm.releases[].valuesFiles.
 server:
   disableTls: false

@@ -5,7 +5,7 @@
 #
 # Requires Envoy Gateway in the cluster (installed via skaffold.yaml).
 # Add this file to the openshell release valuesFiles to activate:
-#   uncomment values-gateway.yaml in deploy/helm/openshell/skaffold.yaml
+#   uncomment ci/values-gateway.yaml in deploy/helm/openshell/skaffold.yaml
 #
 # Envoy Gateway will create an Envoy proxy Deployment and a LoadBalancer
 # Service (named envoy-<namespace>-<gateway-name>-*) in the openshell namespace.

@@ -8,7 +8,7 @@
 #
 # Then layer this file on top of values.yaml when deploying:
 #   helm upgrade --install openshell . \
-#     -f values.yaml -f values-skaffold.yaml -f values-keycloak.yaml
+#     -f values.yaml -f ci/values-skaffold.yaml -f ci/values-keycloak.yaml
 #
 # Or add this file to skaffold.yaml valuesFiles for iterative dev.
 #

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# CI lint target: TLS disabled (plaintext HTTP, no client cert requirement).
+# Typical when a reverse proxy or tunnel terminates TLS at the edge.
+server:
+  disableTls: true
+  disableGatewayAuth: true
+pkiInitJob:
+  enabled: false
@@ -87,16 +87,16 @@ deploy:
         createNamespace: true
         valuesFiles:
           - values.yaml
-          - values-skaffold.yaml
-          # Add values-cert-manager.yaml here (and uncomment the cert-manager
+          - ci/values-skaffold.yaml
+          # Add ci/values-cert-manager.yaml here (and uncomment the cert-manager
           # release above) to switch from pkiInitJob to cert-manager for PKI.
-          #- values-cert-manager.yaml
+          #- ci/values-cert-manager.yaml
           # To enable OIDC with a local Keycloak instance, run the one-time
           # setup task first, then uncomment the line below:
           #   mise run keycloak:k8s:setup
-          #- values-keycloak.yaml
+          #- ci/values-keycloak.yaml
           # To enable the Gateway API HTTPRoute (requires Envoy Gateway above):
-          #- values-gateway.yaml
+          #- ci/values-gateway.yaml
         setValueTemplates:
           image.repository: '{{.IMAGE_REPO_openshell_gateway}}'
           image.tag: '{{.IMAGE_TAG_openshell_gateway}}'

@@ -4,9 +4,18 @@
 # Helm chart tasks
 
 ["helm:lint"]
-description = "Lint the openshell helm chart"
-run = "helm lint deploy/helm/openshell"
-hide = true
+description = "Lint the openshell Helm chart (defaults + all CI configuration variants)"
+run = """
+  set -e
+  echo "--- helm lint: defaults ---"
+  helm lint deploy/helm/openshell
+  for f in deploy/helm/openshell/ci/values-*.yaml; do
+    variant=$(basename "$f" .yaml | sed 's/values-//')
+    echo "--- helm lint: $variant ---"
+    helm lint deploy/helm/openshell -f "$f"
+  done
+  echo "All variants passed."
+"""
 
 ["helm:skaffold:dev"]
 description = "Run skaffold dev for deploy/helm/openshell (iterative deploy)"
@@ -59,3 +68,24 @@ hide = true
 ["helm:gateway:apply"]
 description = "Apply the Envoy GatewayClass manifest (run after helm:skaffold:run when gateway routing is enabled)"
 run = "kubectl apply -f deploy/kube/manifests/envoy-gateway-openshell.yaml"
+
+# Helm e2e — boots a k3d cluster via the Helm path and runs the Rust + Python suites
+
+["e2e:helm"]
+description = "Bootstrap Helm k3d cluster and run Rust + Python e2e suites"
+run = "tasks/scripts/helm-e2e.sh"
+
+["e2e:helm:rust"]
+description = "Bootstrap Helm k3d cluster and run Rust e2e only"
+env = { HELM_E2E_SUITE = "rust" }
+run = "tasks/scripts/helm-e2e.sh"
+
+["e2e:helm:python"]
+description = "Bootstrap Helm k3d cluster and run Python e2e only"
+env = { HELM_E2E_SUITE = "python" }
+run = "tasks/scripts/helm-e2e.sh"
+
+["e2e:helm:cert-manager"]
+description = "Bootstrap Helm k3d cluster with cert-manager PKI and run full e2e"
+env = { HELM_E2E_PKI = "cert-manager" }
+run = "tasks/scripts/helm-e2e.sh"