From b79f65cd30324ea9adf1156d8bbaf2dc67ca7838 Mon Sep 17 00:00:00 2001 From: Taylor Mutch Date: Wed, 6 May 2026 16:46:02 -0700 Subject: [PATCH 1/2] test(helm): Reorganize values under /ci, update mise helm:lint task loop WIP --- .agents/skills/helm-dev-environment/SKILL.md | 13 +++++++------ deploy/helm/openshell/.helmignore | 6 +----- .../openshell/{ => ci}/values-cert-manager.yaml | 2 +- .../helm/openshell/{ => ci}/values-gateway.yaml | 2 +- .../openshell/{ => ci}/values-keycloak.yaml | 2 +- .../openshell/{ => ci}/values-skaffold.yaml | 0 .../helm/openshell/ci/values-tls-disabled.yaml | 10 ++++++++++ deploy/helm/openshell/skaffold.yaml | 10 +++++----- tasks/helm.toml | 17 ++++++++++++++--- 9 files changed, 40 insertions(+), 22 deletions(-) rename deploy/helm/openshell/{ => ci}/values-cert-manager.yaml (84%) rename deploy/helm/openshell/{ => ci}/values-gateway.yaml (92%) rename deploy/helm/openshell/{ => ci}/values-keycloak.yaml (95%) rename deploy/helm/openshell/{ => ci}/values-skaffold.yaml (100%) create mode 100644 deploy/helm/openshell/ci/values-tls-disabled.yaml diff --git a/.agents/skills/helm-dev-environment/SKILL.md b/.agents/skills/helm-dev-environment/SKILL.md index 986ce1490..18d8c241e 100644 --- a/.agents/skills/helm-dev-environment/SKILL.md +++ b/.agents/skills/helm-dev-environment/SKILL.md @@ -63,7 +63,7 @@ The gateway Service uses ClusterIP. Access is via Envoy Gateway (port `8080`) or ### TLS behaviour -`values-skaffold.yaml` sets `server.disableTls: true`, so Skaffold-based deploys run +`ci/values-skaffold.yaml` sets `server.disableTls: true`, so Skaffold-based deploys run plaintext by default. To test with TLS enabled, comment out that line and redeploy. | Mode | `server.disableTls` | Gateway scheme | 
@@ -160,7 +160,7 @@ imports the openshell realm from `scripts/keycloak-realm.json`, and prints a por command for acquiring tokens from the CLI. Then activate OIDC in the OpenShell Helm chart: -1. Uncomment `#- values-keycloak.yaml` in `skaffold.yaml` +1. Uncomment `#- ci/values-keycloak.yaml` in `skaffold.yaml` 2. Redeploy: `mise run helm:skaffold:run` To remove Keycloak: @@ -191,10 +191,11 @@ mise run helm:k3s:status |------|---------| | `deploy/helm/openshell/skaffold.yaml` | Skaffold config — images, Helm releases, values overlays | | `deploy/helm/openshell/values.yaml` | Default Helm values | -| `deploy/helm/openshell/values-skaffold.yaml` | Dev overrides (image pull policy, local image names) | -| `deploy/helm/openshell/values-cert-manager.yaml` | cert-manager TLS overlay (opt-in; disables pkiInitJob) | -| `deploy/helm/openshell/values-gateway.yaml` | Envoy Gateway GRPCRoute + Gateway overlay | -| `deploy/helm/openshell/values-keycloak.yaml` | Keycloak OIDC overlay | +| `deploy/helm/openshell/ci/values-skaffold.yaml` | Dev overrides (image pull policy, TLS disabled for local Skaffold) | +| `deploy/helm/openshell/ci/values-cert-manager.yaml` | cert-manager PKI overlay (opt-in; disables pkiInitJob) | +| `deploy/helm/openshell/ci/values-gateway.yaml` | Envoy Gateway GRPCRoute + Gateway overlay | +| `deploy/helm/openshell/ci/values-keycloak.yaml` | Keycloak OIDC overlay | +| `deploy/helm/openshell/ci/values-tls-disabled.yaml` | Lint-only: TLS + auth disabled (reverse-proxy edge termination) | | `deploy/kube/manifests/envoy-gateway-openshell.yaml` | GatewayClass for Envoy Gateway (`mise run helm:gateway:apply`) | | `tasks/scripts/helm-k3s-local.sh` | k3d cluster create/delete/start/stop/status | | `tasks/scripts/keycloak-k8s-setup.sh` | Keycloak deploy + realm import | diff --git a/deploy/helm/openshell/.helmignore b/deploy/helm/openshell/.helmignore index 798d0e7c8..a12325802 100644 --- a/deploy/helm/openshell/.helmignore +++ b/deploy/helm/openshell/.helmignore 
@@ -19,8 +19,4 @@ # Ignore development files skaffold.yaml -values-keycloak.yaml -values-ingress.yaml -values-gateway.yaml -values-cert-manager.yaml -values-skaffold.yaml +ci/ diff --git a/deploy/helm/openshell/values-cert-manager.yaml b/deploy/helm/openshell/ci/values-cert-manager.yaml similarity index 84% rename from deploy/helm/openshell/values-cert-manager.yaml rename to deploy/helm/openshell/ci/values-cert-manager.yaml index bb024d716..ed99c8b46 100644 --- a/deploy/helm/openshell/values-cert-manager.yaml +++ b/deploy/helm/openshell/ci/values-cert-manager.yaml @@ -2,7 +2,7 @@ # SPDX-License-Identifier: Apache-2.0 # Merge after values.yaml when cert-manager CRDs are installed, e.g.: -# helm install ... -f values.yaml -f values-cert-manager.yaml +# helm install ... -f values.yaml -f ci/values-cert-manager.yaml # Or add this file to skaffold manifests.helm.releases[].valuesFiles. server: disableTls: false diff --git a/deploy/helm/openshell/values-gateway.yaml b/deploy/helm/openshell/ci/values-gateway.yaml similarity index 92% rename from deploy/helm/openshell/values-gateway.yaml rename to deploy/helm/openshell/ci/values-gateway.yaml index c43a4cd45..196192213 100644 --- a/deploy/helm/openshell/values-gateway.yaml +++ b/deploy/helm/openshell/ci/values-gateway.yaml @@ -5,7 +5,7 @@ # # Requires Envoy Gateway in the cluster (installed via skaffold.yaml). # Add this file to the openshell release valuesFiles to activate: -# uncomment values-gateway.yaml in deploy/helm/openshell/skaffold.yaml +# uncomment ci/values-gateway.yaml in deploy/helm/openshell/skaffold.yaml # # Envoy Gateway will create an Envoy proxy Deployment and a LoadBalancer # Service (named envoy---*) in the openshell namespace. diff --git a/deploy/helm/openshell/values-keycloak.yaml b/deploy/helm/openshell/ci/values-keycloak.yaml similarity index 95% rename from deploy/helm/openshell/values-keycloak.yaml rename to deploy/helm/openshell/ci/values-keycloak.yaml index 42bb2ad4e..cc6ca658b 100644 
--- a/deploy/helm/openshell/values-keycloak.yaml +++ b/deploy/helm/openshell/ci/values-keycloak.yaml @@ -8,7 +8,7 @@ # # Then layer this file on top of values.yaml when deploying: # helm upgrade --install openshell . \ -# -f values.yaml -f values-skaffold.yaml -f values-keycloak.yaml +# -f values.yaml -f ci/values-skaffold.yaml -f ci/values-keycloak.yaml # # Or add this file to skaffold.yaml valuesFiles for iterative dev. # diff --git a/deploy/helm/openshell/values-skaffold.yaml b/deploy/helm/openshell/ci/values-skaffold.yaml similarity index 100% rename from deploy/helm/openshell/values-skaffold.yaml rename to deploy/helm/openshell/ci/values-skaffold.yaml diff --git a/deploy/helm/openshell/ci/values-tls-disabled.yaml b/deploy/helm/openshell/ci/values-tls-disabled.yaml new file mode 100644 index 000000000..ea7c7900c --- /dev/null +++ b/deploy/helm/openshell/ci/values-tls-disabled.yaml @@ -0,0 +1,10 @@ +# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-License-Identifier: Apache-2.0 + +# CI lint target: TLS disabled (plaintext HTTP, no client cert requirement). +# Typical when a reverse proxy or tunnel terminates TLS at the edge. +server: + disableTls: true + disableGatewayAuth: true +pkiInitJob: + enabled: false diff --git a/deploy/helm/openshell/skaffold.yaml b/deploy/helm/openshell/skaffold.yaml index fe7b96cf2..2de9ee4e6 100644 --- a/deploy/helm/openshell/skaffold.yaml +++ b/deploy/helm/openshell/skaffold.yaml 
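Review bot: The header comment of the new ci/values-tls-disabled.yaml under-describes what the overlay switches off: it mentions plaintext HTTP and no client cert, but the file also sets `disableGatewayAuth: true`, and the "reverse proxy or tunnel terminates TLS at the edge" framing reads like a deployment profile, whereas the SKILL.md table in the same patch labels this file "Lint-only". I would reword the two comment lines to `# CI lint-only target: TLS and gateway auth are both disabled (plaintext HTTP, no client cert, no gateway auth).` and `# Not a deployment profile: terminating TLS at an edge proxy does not by itself make disableGatewayAuth safe.`. What disableGatewayAuth gates is not visible in this patch, so the exact wording should be checked against the chart's values.yaml documentation. The `.helmignore` change to `ci/` does keep this overlay out of the packaged chart, which is worth stating in the comment as well.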
@@ -87,16 +87,16 @@ deploy: createNamespace: true valuesFiles: - values.yaml - - values-skaffold.yaml - # Add values-cert-manager.yaml here (and uncomment the cert-manager + - ci/values-skaffold.yaml + # Add ci/values-cert-manager.yaml here (and uncomment the cert-manager # release above) to switch from pkiInitJob to cert-manager for PKI. - #- values-cert-manager.yaml + #- ci/values-cert-manager.yaml # To enable OIDC with a local Keycloak instance, run the one-time # setup task first, then uncomment the line below: # mise run keycloak:k8s:setup - #- values-keycloak.yaml + #- ci/values-keycloak.yaml # To enable the Gateway API HTTPRoute (requires Envoy Gateway above): - #- values-gateway.yaml + #- ci/values-gateway.yaml setValueTemplates: image.repository: '{{.IMAGE_REPO_openshell_gateway}}' image.tag: '{{.IMAGE_TAG_openshell_gateway}}' diff --git a/tasks/helm.toml b/tasks/helm.toml index c7949865b..2c878e7d4 100644 --- a/tasks/helm.toml +++ b/tasks/helm.toml @@ -4,9 +4,20 @@ # Helm chart tasks ["helm:lint"] -description = "Lint the openshell helm chart" -run = "helm lint deploy/helm/openshell" -hide = true +description = "Lint the openshell Helm chart (defaults + all CI configuration variants)" +run = """ + set -e + echo "--- helm lint: defaults ---" + echo "values files: deploy/helm/openshell/values.yaml" + helm lint deploy/helm/openshell + for f in deploy/helm/openshell/ci/values-*.yaml; do + variant=$(basename "$f" .yaml | sed 's/values-//') + echo "--- helm lint: $variant ---" + echo "values files: deploy/helm/openshell/values.yaml, $f" + helm lint deploy/helm/openshell -f "$f" + done + echo "All variants passed." +""" ["helm:skaffold:dev"] description = "Run skaffold dev for deploy/helm/openshell (iterative deploy)" From ddca7ab4c13fcb0f5deaf1b11a0b20a7785d5cc5 Mon Sep 17 00:00:00 2001 
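Review bot: In the new helm:lint loop each `ci/values-*.yaml` overlay is linted only in isolation on top of the chart defaults (`helm lint deploy/helm/openshell -f "$f"`), while values-keycloak.yaml's own header in this patch says it is layered after ci/values-skaffold.yaml when deploying; if that overlay relies on keys set by values-skaffold.yaml, the combination actually deployed is never linted and a standalone lint may not reflect it. Consider adding one extra lint invocation for the documented stack, e.g. `helm lint deploy/helm/openshell -f deploy/helm/openshell/ci/values-skaffold.yaml -f deploy/helm/openshell/ci/values-keycloak.yaml`. As a point of style, the variant name can be derived with shell parameter expansion instead of a basename/sed pipeline: `variant=${f##*/values-}` followed by `variant=${variant%.yaml}`, which also removes the only pipeline in a `set -e` script. Removing `hide = true` makes the task visible in `mise tasks`, which looks intentional now that CI calls it; a one-line comment saying so would help.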
From: Taylor Mutch Date: Wed, 6 May 2026 16:49:36 -0700 Subject: [PATCH 2/2] ci: Add a helm lint job to validate helm linting passes on changes --- .github/workflows/helm-lint.yml | 57 +++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 .github/workflows/helm-lint.yml diff --git a/.github/workflows/helm-lint.yml b/.github/workflows/helm-lint.yml new file mode 100644 index 000000000..8b7184133 --- /dev/null +++ b/.github/workflows/helm-lint.yml @@ -0,0 +1,57 @@ +# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-License-Identifier: Apache-2.0 + +name: Helm Lint + +on: + push: + branches: + - "pull-request/[0-9]+" + paths: + - "deploy/helm/**" + workflow_dispatch: + +env: + MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + +permissions: + contents: read + packages: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + pr_metadata: + name: Resolve PR metadata + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + outputs: + should_run: ${{ steps.gate.outputs.should_run }} + steps: + - uses: actions/checkout@v6 + + - id: gate + uses: ./.github/actions/pr-gate + + helm-lint: + name: Helm Lint + needs: pr_metadata + if: needs.pr_metadata.outputs.should_run == 'true' + runs-on: linux-amd64-cpu8 + container: + image: ghcr.io/nvidia/openshell/ci:latest + credentials: + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + steps: + - uses: actions/checkout@v6 + + - name: Install tools + run: mise install --locked + + - name: Lint Helm chart + run: mise run helm:lint
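Review bot: The `paths` filter on the push trigger only lists `deploy/helm/**`, but the job's actual logic lives in `tasks/helm.toml` (the helm:lint loop changed in the first patch of this series) and in this workflow file, so a change to either would not trigger the lint; add `- "tasks/helm.toml"` and `- ".github/workflows/helm-lint.yml"` under `paths:`. The lint job runs in `ghcr.io/nvidia/openshell/ci:latest`, a mutable tag, so the toolchain that validates the chart can change underneath the workflow without a commit; pinning the image by digest (or a release tag) makes the check reproducible and narrows the supply-chain surface, though the repo may already accept floating CI images elsewhere. The same applies to `actions/checkout@v6`, which is a mutable tag; if the repository pins actions by commit SHA in its other workflows, this one should match. The workflow-level `permissions` of `contents: read` and `packages: read` are appropriately minimal and the job-level `pull-requests: read` is scoped only to the gate job, which is the right shape.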