DevOps AI ToolKit
AI for Infrastructure as Code · By James Joyner IV · 11 min read

Using AI to Generate and Review Helm Charts

Helm templating is fiddly and easy to get subtly wrong. Here's how I use AI to scaffold charts and review values, with helm template and lint as the safety net.

  • #iac
  • #ansible
  • #ai
  • #helm
  • #kubernetes

Helm is the worst of both worlds for getting things right: it’s YAML (whitespace-sensitive, easy to break) wrapped in Go templates (a templating language with its own gotchas) producing Kubernetes manifests (where a typo in resources can crash a node). A Helm chart that renders is not a Helm chart that’s correct. This combination — tedious, error-prone, pattern-heavy — is exactly where AI helps most and where AI’s overconfidence hurts most.

I run AI as a fast junior engineer for chart work. It scaffolds templates and drafts values.yaml quickly, but I always render the chart and read the actual Kubernetes manifests it produces, and I lint everything before it goes near a cluster.

Why Helm templating bites

Go templates plus YAML is a uniquely sharp combination. Indentation matters, and the nindent/indent functions that keep it correct are easy to misuse. A template that produces valid-looking text can produce invalid YAML, and a chart that produces valid YAML can still produce a wrong Kubernetes spec. None of that fails at template time — it fails at helm install time, or worse, at runtime.

Scaffold with AI, but give it the values shape

AI writes decent Helm templates when it knows the values.yaml it’s templating over. So I lead with the values structure:

“Generate a Helm deployment template for a chart with these values: image.repository, image.tag, replicaCount, resources.limits, and an optional env list of name/value pairs. Use nindent correctly for YAML indentation, and quote string values.”

A reasonable result:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "app.fullname" . }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "app.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "app.selectorLabels" . | nindent 8 }}
    spec:
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          {{- with .Values.env }}
          env:
            {{- toYaml . | nindent 12 }}
          {{- end }}

The nindent numbers, the toYaml for nested structures, the with guard for the optional env block — these are the spots where charts break, and they’re the spots I review hardest.

The indentation numbers are the bug magnet

The single most common Helm bug AI produces is a wrong nindent value. Off by two and the YAML structure collapses or the keys land at the wrong nesting level. You can’t catch this by reading the template — the number looks arbitrary either way. You catch it by rendering:

helm template ./mychart --values values-test.yaml

That prints the fully-rendered manifests. I read them as Kubernetes specs, not as templated text, because that’s what the cluster sees. If resources ended up indented under the wrong key, the rendered output makes it obvious in a way the template never does.

Pro Tip: After AI generates any template using nindent or toYaml, render the chart and pipe it through kubeval or kubectl apply --dry-run=client -f -. The template “looking right” tells you nothing; the rendered manifest passing schema validation tells you everything.
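An added example, not code from the original article: it shows why the rendered manifest has to be checked as a Kubernetes spec. The two manifests are constructed to mirror what the container block renders to with `nindent 12` and with an off-by-two `nindent 10`; both parse as valid YAML, but only one has `limits` under `resources`. The `CONTAINER_KEYS` allow-list and the `nesting_problems` helper are assumptions of this sketch, and Ruby is used only because its standard library includes a YAML parser.

```ruby
require 'yaml'

# Subset of Kubernetes container fields used here (assumption for this example).
CONTAINER_KEYS = %w[name image resources env envFrom ports].freeze

# Constructed render of the container block with the correct `nindent 12`.
GOOD_RENDER = <<~MANIFEST
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: demo
  spec:
    template:
      spec:
        containers:
          - name: demo
            image: "registry.example/demo:1.4.2"
            resources:
              limits:
                cpu: 500m
                memory: 256Mi
MANIFEST

# Same output as `nindent 10` would produce: the limits block shifts left by two.
BAD_RENDER = GOOD_RENDER.gsub(/^  ( +(?:limits|cpu|memory):)/, '\1')

# Returns a list of nesting problems found in rendered Deployment manifests.
def nesting_problems(rendered)
  problems = []
  rendered.split(/^---\s*$/).each do |doc|
    obj = YAML.safe_load(doc)
    next unless obj.is_a?(Hash) && obj['kind'] == 'Deployment'
    (obj.dig('spec', 'template', 'spec', 'containers') || []).each do |c|
      stray = c.keys - CONTAINER_KEYS
      problems << "#{c['name']}: unexpected container keys #{stray.join(', ')}" unless stray.empty?
      limits = c.dig('resources', 'limits')
      problems << "#{c['name']}: resources.limits missing" unless limits.is_a?(Hash) && !limits.empty?
    end
  end
  problems
end

puts nesting_problems(BAD_RENDER) if __FILE__ == $PROGRAM_NAME
```

In a pipeline the input would be the output of `helm template` rather than the embedded strings.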

Lint and dry-run as a gate

No chart reaches a cluster without passing two checks. First helm lint for chart-structure problems:

helm lint ./mychart

Then a server-side dry run that validates against the actual cluster’s API, catching things helm lint can’t — like a resources block the cluster’s LimitRange would reject:

helm install myapp ./mychart --dry-run --debug --values values-prod.yaml

--dry-run renders and validates without creating anything. --debug shows me the computed manifests. This is the Helm equivalent of Ansible’s check-mode, and I treat it with the same non-negotiable discipline: AI-generated charts go through it every time, no exceptions.

Review the values, not just the templates

Half of Helm’s real-world risk lives in values.yaml, not the templates. AI is good at drafting sensible defaults, but defaults are where prod incidents hide. I ask it specifically:

“Review this values.yaml for production-unsafe defaults: missing resource limits, latest image tags, replica counts of 1, disabled health checks, or overly-broad RBAC.”

A values.yaml with tag: latest and no resource limits will install fine and then cause a 3am page when the image changes underneath you or a pod eats a node. AI flags these reliably when asked, but I make the call on what’s actually safe for my environment — it doesn’t know our cluster’s capacity or our SLOs.

Keep secrets out of values and out of the prompt

Helm charts reference secrets constantly — registry credentials, database passwords, API tokens. None of those belong in values.yaml in plaintext, and none belong in an AI prompt. When I have AI draft a template that mounts a secret, it works with the secret’s name and shape, never its value:

        - name: {{ .Chart.Name }}
          envFrom:
            - secretRef:
                name: {{ .Values.existingSecret }}   # secret created out-of-band

The actual secret is created separately (sealed-secrets, an external secrets operator, or a manually-applied Secret), and AI never sees its contents. I never paste a real Secret manifest or a registry password into a prompt.
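An added example, not code from the original article: a deterministic pre-check for the two sections above, flagging some of the unsafe defaults named in the review prompt and any secret-looking key that holds a literal value instead of a reference such as `existingSecret`. The sample values, the key patterns and the `livenessProbe.enabled` shape are assumptions of this sketch; RBAC scope is not covered.

```ruby
require 'yaml'

SECRET_KEY = /password|passwd|secret|token|api[_-]?key|credential/i
# Keys that only name a secret object; names are safe to keep in values.yaml.
REFERENCE_KEY = /(existingSecret|secretName|secretRef)\z/i

# Constructed values.yaml showing the defaults the review prompt asks about.
SAMPLE_VALUES = <<~VALUES
  replicaCount: 1
  image:
    repository: registry.example/demo
    tag: latest
  resources: {}
  livenessProbe:
    enabled: false
  existingSecret: demo-db-credentials
  database:
    password: "constructed-not-a-real-password"
VALUES

# Yields [path, value] for every scalar leaf in the parsed values tree.
def each_leaf(node, path = [], &blk)
  case node
  when Hash  then node.each { |k, v| each_leaf(v, path + [k.to_s], &blk) }
  when Array then node.each_with_index { |v, i| each_leaf(v, path + [i.to_s], &blk) }
  else blk.call(path, node)
  end
end

# Returns human-readable findings; an empty list means nothing was flagged.
def review_values(text)
  values = YAML.safe_load(text)
  values = {} unless values.is_a?(Hash)
  findings = []
  findings << 'replicaCount is 1' if values['replicaCount'] == 1
  tag = values.dig('image', 'tag').to_s
  findings << 'image.tag is empty or latest' if tag.empty? || tag == 'latest'
  limits = values.dig('resources', 'limits')
  findings << 'resources.limits is not set' unless limits.is_a?(Hash) && !limits.empty?
  each_leaf(values) do |path, leaf|
    dotted = path.join('.')
    findings << "#{dotted} is disabled" if dotted =~ /probe\.enabled\z/i && leaf == false
    next unless path.last =~ SECRET_KEY && path.last !~ REFERENCE_KEY
    findings << "#{dotted} holds a plaintext value" if leaf.is_a?(String) && !leaf.empty?
  end
  findings
end

puts review_values(SAMPLE_VALUES) if __FILE__ == $PROGRAM_NAME
```

Running the same check before a values file is pasted into a prompt catches literal credentials without relying on the model to notice them.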

The same discipline scales to other IaC

This render-then-validate loop isn’t Helm-specific — it’s the same instinct as Ansible’s check-mode and CloudFormation’s change-sets. Whatever the tool, the rule is identical: AI drafts fast, you validate the output (not the source) against the real system, and a human reviews before anything ships. The guide on testing Helm charts before they reach production goes deeper on the CI side, and the code review dashboard helps surface the risky bits of a chart diff.

Helm punishes overconfidence, and AI is nothing if not confident. Its charts render and look right and pass a casual read — which is exactly why you can’t stop at a casual read. Render the manifests, validate them against the cluster’s schema, lint the chart, review the values, and keep secrets out of the loop entirely. Do that and AI genuinely speeds up chart work; skip it and AI just helps you ship broken YAML faster. The rest of this series is in the IaC category, and Claude handles Go-template-plus-YAML generation about as well as anything I’ve used.

Scaffold fast, render everything, validate against the cluster, and never trust a template you haven’t seen rendered.
