功能描述

Helm chart development agent skill and plugin for Claude Code, Codex, Gemini CLI, Cursor, OpenClaw — chart scaffolding, values design, template patterns, dep...

使用说明 (SKILL.md)

Helm Chart Builder

Name: Helm Chart Builder
Author: alirezarezvani

Production-grade Helm charts. Sensible defaults. Secure by design. No cargo-culting.

Opinionated Helm workflow that turns ad-hoc Kubernetes manifests into maintainable, testable, reusable charts. Covers chart structure, values design, template patterns, dependency management, and security hardening.

Not a Helm tutorial — a set of concrete decisions about how to build charts that operators trust and developers don't fight.

Slash Commands

Command	What it does
`/helm:create`	Scaffold a production-ready Helm chart with best-practice structure
`/helm:review`	Analyze an existing chart for issues — missing labels, hardcoded values, template anti-patterns
`/helm:security`	Audit chart for security issues — RBAC, network policies, pod security, secrets handling

When This Skill Activates

Recognize these patterns from the user:

"Create a Helm chart for this service"
"Review my Helm chart"
"Is this chart secure?"
"Design a values.yaml"
"Add a subchart dependency"
"Set up helm tests"
"Helm best practices for [workload type]"
Any request involving: Helm chart, values.yaml, Chart.yaml, templates, helpers, _helpers.tpl, subcharts, helm lint, helm test

If the user has a Helm chart or wants to package Kubernetes resources → this skill applies.

Workflow

`/helm:create` — Chart Scaffolding

Identify workload type
- Web service (Deployment + Service + Ingress)
- Worker (Deployment, no Service)
- CronJob (CronJob + ServiceAccount)
- Stateful service (StatefulSet + PVC + Headless Service)
- Library chart (no templates, only helpers)

Scaffold chart structure

mychart/
├── Chart.yaml              # Chart metadata and dependencies
├── values.yaml             # Default configuration
├── values.schema.json      # Optional: JSON Schema for values validation
├── .helmignore             # Files to exclude from packaging
├── templates/
│   ├── _helpers.tpl        # Named templates and helper functions
│   ├── deployment.yaml     # Workload resource
│   ├── service.yaml        # Service exposure
│   ├── ingress.yaml        # Ingress (if applicable)
│   ├── serviceaccount.yaml # ServiceAccount
│   ├── hpa.yaml            # HorizontalPodAutoscaler
│   ├── pdb.yaml            # PodDisruptionBudget
│   ├── networkpolicy.yaml  # NetworkPolicy
│   ├── configmap.yaml      # ConfigMap (if needed)
│   ├── secret.yaml         # Secret (if needed)
│   ├── NOTES.txt           # Post-install usage instructions
│   └── tests/
│       └── test-connection.yaml
└── charts/                 # Subcharts (dependencies)

Apply Chart.yaml best practices

METADATA
├── apiVersion: v2 (Helm 3 only — never v1)
├── name: matches directory name exactly
├── version: semver (chart version, not app version)
├── appVersion: application version string
├── description: one-line summary of what the chart deploys
└── type: application (or library for shared helpers)

DEPENDENCIES
├── Pin dependency versions with ~X.Y.Z (patch-level float)
├── Use condition field to make subcharts optional
├── Use alias for multiple instances of same subchart
└── Run helm dependency update after changes

Generate values.yaml with documentation
- Every value has an inline comment explaining purpose and type
- Sensible defaults that work for development
- Override-friendly structure (flat where possible, nested only when logical)
- No hardcoded cluster-specific values (image registry, domain, storage class)

Validate

python3 scripts/chart_analyzer.py mychart/
helm lint mychart/
helm template mychart/ --debug

`/helm:review` — Chart Analysis

Check chart structure

Check	Severity	Fix
Missing _helpers.tpl	High	Create helpers for common labels and selectors
No NOTES.txt	Medium	Add post-install instructions
No .helmignore	Low	Create one to exclude .git, CI files, tests
Missing Chart.yaml fields	Medium	Add description, appVersion, maintainers
Hardcoded values in templates	High	Extract to values.yaml with defaults

Check template quality

Check	Severity	Fix
Missing standard labels	High	Use `app.kubernetes.io/*` labels via _helpers.tpl
No resource requests/limits	Critical	Add resources section with defaults in values.yaml
Hardcoded image tag	High	Use `{{ .Values.image.repository }}:{{ .Values.image.tag }}`
No imagePullPolicy	Medium	Default to `IfNotPresent`, overridable
Missing liveness/readiness probes	High	Add probes with configurable paths and ports
No pod anti-affinity	Medium	Add preferred anti-affinity for HA
Duplicate template code	Medium	Extract into named templates in _helpers.tpl

Check values.yaml quality

python3 scripts/values_validator.py mychart/values.yaml

Generate review report

HELM CHART REVIEW — [chart name]
Date: [timestamp]

CRITICAL: [count]
HIGH:     [count]
MEDIUM:   [count]
LOW:      [count]

[Detailed findings with fix recommendations]

`/helm:security` — Security Audit

Pod security audit

Check	Severity	Fix
No securityContext	Critical	Add runAsNonRoot, readOnlyRootFilesystem
Running as root	Critical	Set `runAsNonRoot: true`, `runAsUser: 1000`
Writable root filesystem	High	Set `readOnlyRootFilesystem: true` + emptyDir for tmp
All capabilities retained	High	Drop ALL, add only specific needed caps
Privileged container	Critical	Set `privileged: false`, use specific capabilities
No seccomp profile	Medium	Set `seccompProfile.type: RuntimeDefault`
allowPrivilegeEscalation true	High	Set `allowPrivilegeEscalation: false`

RBAC audit

Check	Severity	Fix
No ServiceAccount	Medium	Create dedicated SA, don't use default
automountServiceAccountToken true	Medium	Set to false unless pod needs K8s API access
ClusterRole instead of Role	Medium	Use namespace-scoped Role unless cluster-wide needed
Wildcard permissions	Critical	Use specific resource names and verbs
No RBAC at all	Low	Acceptable if pod doesn't need K8s API access

Network and secrets audit

Check	Severity	Fix
No NetworkPolicy	Medium	Add default-deny ingress + explicit allow rules
Secrets in values.yaml	Critical	Use external secrets operator or sealed-secrets
No PodDisruptionBudget	Medium	Add PDB with minAvailable for HA workloads
hostNetwork: true	High	Remove unless absolutely required (e.g., CNI plugin)
hostPID or hostIPC	Critical	Never use in application charts

Generate security report

SECURITY AUDIT — [chart name]
Date: [timestamp]

CRITICAL: [count]
HIGH:     [count]
MEDIUM:   [count]
LOW:      [count]

[Detailed findings with remediation steps]

Tooling

`scripts/chart_analyzer.py`

CLI utility for static analysis of Helm chart directories.

Features:

Chart structure validation (required files, directory layout)
Template anti-pattern detection (hardcoded values, missing labels, no resource limits)
Chart.yaml metadata checks
Standard labels verification (app.kubernetes.io/*)
Security baseline checks
JSON and text output

Usage:

# Analyze a chart directory
python3 scripts/chart_analyzer.py mychart/

# JSON output
python3 scripts/chart_analyzer.py mychart/ --output json

# Security-focused analysis
python3 scripts/chart_analyzer.py mychart/ --security

`scripts/values_validator.py`

CLI utility for validating values.yaml against best practices.

Features:

Documentation coverage (inline comments)
Type consistency checks
Hardcoded secrets detection
Default value quality analysis
Structure depth analysis
Naming convention validation
JSON and text output

Usage:

# Validate values.yaml
python3 scripts/values_validator.py values.yaml

# JSON output
python3 scripts/values_validator.py values.yaml --output json

# Strict mode (fail on warnings)
python3 scripts/values_validator.py values.yaml --strict

Template Patterns

Pattern 1: Standard Labels (_helpers.tpl)

{{/*
Common labels for all resources.
*/}}
{{- define "mychart.labels" -}}
helm.sh/chart: {{ include "mychart.chart" . }}
app.kubernetes.io/name: {{ include "mychart.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Selector labels (subset of common labels — must be immutable).
*/}}
{{- define "mychart.selectorLabels" -}}
app.kubernetes.io/name: {{ include "mychart.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

Pattern 2: Conditional Resources

{{- if .Values.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{ include "mychart.fullname" . }}
  labels:
    {{- include "mychart.labels" . | nindent 4 }}
  {{- with .Values.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  {{- if .Values.ingress.tls }}
  tls:
    {{- range .Values.ingress.tls }}
    - hosts:
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      secretName: {{ .secretName }}
    {{- end }}
  {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
    - host: {{ .host | quote }}
      http:
        paths:
          {{- range .paths }}
          - path: {{ .path }}
            pathType: {{ .pathType }}
            backend:
              service:
                name: {{ include "mychart.fullname" $ }}
                port:
                  number: {{ $.Values.service.port }}
          {{- end }}
    {{- end }}
{{- end }}

Pattern 3: Security-Hardened Pod Spec

spec:
  serviceAccountName: {{ include "mychart.serviceAccountName" . }}
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: {{ .Chart.Name }}
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
      image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
      imagePullPolicy: {{ .Values.image.pullPolicy }}
      resources:
        {{- toYaml .Values.resources | nindent 8 }}
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}

Values Design Principles

STRUCTURE
├── Flat over nested (image.tag > container.spec.image.tag)
├── Group by resource (service.*, ingress.*, resources.*)
├── Use enabled: true/false for optional resources
├── Document every key with inline YAML comments
└── Provide sensible development defaults

NAMING
├── camelCase for keys (replicaCount, not replica_count)
├── Boolean keys: use adjectives (enabled, required) not verbs
├── Nested keys: max 3 levels deep
└── Match upstream conventions (image.repository, image.tag, image.pullPolicy)

ANTI-PATTERNS
├── Hardcoded cluster URLs or domains
├── Secrets as default values
├── Empty strings where null is correct
├── Deeply nested structures (>3 levels)
├── Undocumented values
└── values.yaml that doesn't work without overrides

Dependency Management

SUBCHARTS
├── Use Chart.yaml dependencies (not requirements.yaml — Helm 3)
├── Pin versions: version: ~15.x.x (patch float)
├── Use condition: to make optional: condition: postgresql.enabled
├── Use alias: for multiple instances of same chart
├── Override subchart values under subchart name key in values.yaml
└── Run helm dependency update before packaging

LIBRARY CHARTS
├── type: library in Chart.yaml — no templates directory
├── Export named templates only — no rendered resources
├── Use for shared labels, annotations, security contexts
└── Version independently from application charts

Proactive Triggers

Flag these without being asked:

No _helpers.tpl → Create one. Every chart needs standard labels and fullname helpers.
Hardcoded image tag in template → Extract to values.yaml. Tags must be overridable.
No resource requests/limits → Add them. Pods without limits can starve the node.
Running as root → Add securityContext. No exceptions for production charts.
No NOTES.txt → Create one. Users need post-install instructions.
Secrets in values.yaml defaults → Remove them. Use placeholders with comments explaining how to provide secrets.
No liveness/readiness probes → Add them. Kubernetes needs to know if the pod is healthy.
Missing app.kubernetes.io labels → Add via _helpers.tpl. Required for proper resource tracking.

Installation

One-liner (any tool)

git clone https://github.com/alirezarezvani/claude-skills.git
cp -r claude-skills/engineering/helm-chart-builder ~/.claude/skills/

Multi-tool install

./scripts/convert.sh --skill helm-chart-builder --tool codex|gemini|cursor|windsurf|openclaw

OpenClaw

clawhub install cs-helm-chart-builder

Related Skills

senior-devops — Broader DevOps scope (CI/CD, IaC, monitoring). Complementary — use helm-chart-builder for chart-specific work, senior-devops for pipeline and infrastructure.
docker-development — Container building. Complementary — docker-development builds the images, helm-chart-builder deploys them to Kubernetes.
ci-cd-pipeline-builder — Pipeline construction. Complementary — helm-chart-builder defines the deployment artifact, ci-cd-pipeline-builder automates its delivery.
senior-security — Application security. Complementary — helm-chart-builder covers Kubernetes-level security (RBAC, pod security), senior-security covers application-level threats.

安全使用建议

This package looks like a legitimate Helm chart scaffolding and analysis tool. Before installing or running it: 1) Ensure you have the expected binaries (helm and a Python 3 interpreter) available — the skill's metadata did not declare them but SKILL.md expects them. 2) Inspect the bundled scripts (already included) yourself; they perform local static analysis only and do not contact external services. 3) Note the demo values include example secret-like strings — do not copy those into production charts. 4) Run the tool in a sandbox or on non-sensitive sample charts first to confirm behavior. If you want stronger guarantees, ask the skill author to add required-binaries metadata and to remove demo secrets from example data.

功能分析

Type: OpenClaw Skill Name: helm-chart-builder Version: 2.1.1 The 'helm-chart-builder' skill is a legitimate tool for scaffolding and auditing Kubernetes Helm charts. It includes two Python utilities, scripts/chart_analyzer.py and scripts/values_validator.py, which perform local static analysis to detect anti-patterns and security risks (e.g., hardcoded secrets, root containers). The analysis shows no evidence of data exfiltration, unauthorized network calls, or malicious prompt injection; the scripts use standard libraries for file parsing and regex matching without executing external commands or accessing sensitive system files.

能力评估

ℹ Purpose & Capability

Name/description, SKILL.md, reference docs, and the two analysis scripts all align with a Helm chart scaffolding/review/security-audit skill. One inconsistency: the instructions and examples assume the presence of the helm binary and python3 (e.g., 'helm lint', 'helm template', 'python3 scripts/chart_analyzer.py'), but the registry metadata lists no required binaries. The skill should declare at least 'helm' and 'python3' (or equivalent) as required.

✓ Instruction Scope

SKILL.md instructs the agent to read and analyze Helm chart directories, run local linters/templates, and produce reports — all within the expected scope. The instructions do not ask the agent to read unrelated system files, environment variables, or send data to external endpoints. They do instruct running local helm commands and the included Python scripts against user-provided chart directories, which is appropriate for the stated purpose.

✓ Install Mechanism

No install spec is provided (instruction-only). The two Python scripts are bundled with the skill; nothing is downloaded from an external URL or installed automatically. This is a low-risk install footprint.

ℹ Credentials

The skill declares no environment variables or credentials, which matches its local static-analysis purpose. A minor caution: the bundled demo values in values_validator.py include example secrets (e.g., PASSWORD: supersecret123, api-key: sk-12345). Those are demo/test artifacts inside the skill, not requests for user secrets, but they could be noisy or confusing and should not be copied into real charts. No env vars are requested or accessed by the scripts in the visible code.

✓ Persistence & Privilege

The skill does not request persistent/always-on privileges (always:false) and does not modify other skills or global agent config in the provided materials. It runs analyses on supplied chart directories only, which is appropriate.

版本历史

v2.1.1

v2.1.1: optimization, reference splits

元数据

Slug helm-chart-builder

版本 2.1.1

许可证 MIT-0

累计安装 3

当前安装数 3

历史版本数 1

常见问题