feat: prepare helm chart for kubernetes deployment options

.github/actions/changes/action.yaml

@@ -28,6 +28,9 @@ outputs:
   docker:
     description: "'true' if any Docker build files changed"
     value: ${{ steps.filter.outputs.docker }}
+  helm:
+    description: "'true' if any Helm chart files changed"
+    value: ${{ steps.filter.outputs.helm }}
 
 runs:
   using: "composite"
@@ -63,3 +66,9 @@ runs:
             - 'docker-bake.hcl'
             - 'docker/**'
             - 'Makefile'
+          helm:
+            - 'k8s/**'
+            - 'tools/lint/lint-helm.sh'
+            - '.github/workflows/ci.yaml'
+            - '.github/actions/changes/action.yaml'
+            - '.pre-commit-config.yaml'

.github/workflows/ci.yaml

@@ -31,6 +31,7 @@ jobs:
       web-studio: ${{ steps.changes.outputs.web-studio }}
       tools: ${{ steps.changes.outputs.tools }}
       docker: ${{ steps.changes.outputs.docker }}
+      helm: ${{ steps.changes.outputs.helm }}
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - uses: ./.github/actions/changes
@@ -82,6 +83,120 @@ jobs:
           make docker-print TARGET=nmp-automodel
           make docker-print TARGET=nmp-unsloth
 
+  helm-lint:
+    name: Helm lint
+    needs: [changes]
+    if: >
+      !cancelled() && (
+        github.event_name == 'workflow_dispatch' ||
+        needs.changes.outputs.helm == 'true'
+      )
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    env:
+      HELM_FOLDER: k8s/helm
+      HELM_RELEASE_NAME: nemo-platform
+      KUBECONFORM_VERSION: v0.6.7
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - name: Install Helm
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+      - name: Install kubeconform
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          mkdir -p "${RUNNER_TEMP}/kubeconform"
+          curl -fsSL \
+            -o "${RUNNER_TEMP}/kubeconform.tar.gz" \
+            "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz"
+          tar -xzf "${RUNNER_TEMP}/kubeconform.tar.gz" -C "${RUNNER_TEMP}/kubeconform" kubeconform
+          chmod +x "${RUNNER_TEMP}/kubeconform/kubeconform"
+          echo "${RUNNER_TEMP}/kubeconform" >> "${GITHUB_PATH}"
+      - name: Add NVIDIA Helm repo
+        shell: bash
+        run: |
+          helm repo add nvidia https://helm.ngc.nvidia.com/nvidia
+          helm repo update
+      - name: Lint and validate Helm chart
+        shell: bash
+        run: tools/lint/lint-helm.sh
+      - name: Upload Helm lint artifacts
+        if: failure()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: helm-lint-artifacts
+          retention-days: 7
+          if-no-files-found: ignore
+          path: |
+            k8s/helm/ci/*.output
+            k8s/helm/ci/*.kubeconform.json
+
+  helm-chart-verifier:
+    name: Helm chart verifier
+    needs: [changes]
+    if: >
+      !cancelled() && (
+        github.event_name == 'workflow_dispatch' ||
+        needs.changes.outputs.helm == 'true'
+      )
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    env:
+      CHART_VERIFIER_VERSION: "1.14.0"
+      HELM_FOLDER: k8s/helm
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - name: Install Helm
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+      - name: Install chart-verifier
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          mkdir -p "${RUNNER_TEMP}/chart-verifier"
+          curl -fsSL \
+            -o "${RUNNER_TEMP}/chart-verifier.tar.gz" \
+            "https://github.com/redhat-certification/chart-verifier/releases/download/${CHART_VERIFIER_VERSION}/chart-verifier-${CHART_VERIFIER_VERSION}.tgz"
+          tar -xzf "${RUNNER_TEMP}/chart-verifier.tar.gz" -C "${RUNNER_TEMP}/chart-verifier" chart-verifier
+          chmod +x "${RUNNER_TEMP}/chart-verifier/chart-verifier"
+          echo "${RUNNER_TEMP}/chart-verifier" >> "${GITHUB_PATH}"
+      - name: Prepare Helm dependencies
+        shell: bash
+        run: |
+          helm repo add nvidia https://helm.ngc.nvidia.com/nvidia
+          helm repo update
+          helm dep update "${HELM_FOLDER}"
+      - name: Run chart verifier
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          report_json="${RUNNER_TEMP}/chart-verifier-report.json"
+          chart-verifier verify --enable helm-lint,is-helm-v3,contains-values,has-readme \
+            -o json "${HELM_FOLDER}" | tee "${report_json}"
+
+          python3 - "${report_json}" <<'PY'
+          import json
+          import sys
+
+          with open(sys.argv[1], encoding="utf-8") as report_file:
+              data = json.load(report_file)
+
+          failed = [
+              result.get("check", "?")
+              for result in data.get("results", [])
+              if result.get("outcome") == "FAIL"
+          ]
+          if failed:
+              print("chart-verifier failed checks: " + ", ".join(failed), file=sys.stderr)
+              sys.exit(1)
+          PY
+
   lint:
     name: Lint all
     runs-on: ubuntu-latest
@@ -782,6 +897,8 @@ jobs:
       - changes
       - actionlint
       - docker-bake-graph
+      - helm-lint
+      - helm-chart-verifier
       - lint
       - policy-wasm
       - python-unit-test-tools

.gitignore

@@ -61,20 +61,10 @@ services/core/auth/src/nmp/core/auth/assets/policy.wasm
 logs/*
 *.log
 *.log.jsonl
-helm/platform/charts/
-helm/platform/Chart.lock
-helm/platform/components/*/Chart.lock
-helm/platform/components/*/charts/*.tgz
-helm/platform-ea/components/*/charts/*.tgz
-helm/platform-ea/charts/
-helm/platform-ea/Chart.lock
-helm/platform-ea/components/*/Chart.lock
-deploy/helm/platform/charts/
-deploy/helm/platform/Chart.lock
-deploy/helm/platform/components/*/Chart.lock
-deploy/helm/platform/components/*/charts/*.tgz
+k8s/helm/Chart.lock
+k8s/helm/charts/
 chart-tmp
-nemo-microservices-helm-chart-*.tgz
+nemo-platform-*.tgz
 # Visual Studio Code config
 .vscode/
 # PyCharm config

.pre-commit-config.yaml

@@ -70,10 +70,10 @@ repos:
     rev: "v1.14.2"
     hooks:
       - id: helm-docs-container
-        files: '^deploy\/helm\/platform\/values.yaml$'
+        files: '^k8s\/helm\/values.yaml$'
         args:
-          - --chart-search-root=deploy/helm/platform/
-          - --template-files=deploy/helm/platform/helm-docs-template/nemo-helm-readme.md.gotmpl
+          - --chart-search-root=k8s/helm/
+          - --template-files=k8s/helm/helm-docs-template/nemo-helm-readme.md.gotmpl
 
   - repo: local
     hooks:

AGENTS.md

@@ -204,7 +204,7 @@ Pre-commit hooks run automatically before commits and pushes to ensure code qual
 - **Type checking (ty)** - Runs type checks on Python code (may need manual fixes)
 - **uv lock** - Automatically updates `uv.lock` when `pyproject.toml` changes
 - **uv lock check** - Verifies `uv.lock` is in sync with `pyproject.toml`
-- **Helm Docs Container** - Runs `helm-docs` container to regenerate Helm documentation in `deploy/helm/platform/README.md`
+- **Helm Docs Container** - Runs `helm-docs` container to regenerate Helm documentation in `k8s/helm/README.md`
 - **Check merge conflicts** - Detects merge conflict markers
 - **OpenAPI generator** (manual stage) - Regenerates OpenAPI spec when API files change
 - **Check policy WASM** (pre-push only) - Verifies OPA policy WASM is up-to-date

k8s/helm/.helmignore

@@ -0,0 +1,28 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# Ignore CI sources
+ci/
+
+# helm docs template
+helm-docs-template/

k8s/helm/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: nemo-platform
+maintainers:
+  - name: NVIDIA, Inc.
+    url: https://www.nvidia.com
+description: NeMo Platform Helm Chart
+type: application
+# version is the version of the Helm chart, and can be different from the appVersion.
+version: 0.1.0
+# appVersion is the version of the application deployed in the chart.
+appVersion: "0.2.0"
+home: https://nvidia.com
+dependencies:
+  ## NMP dependencies
+  - name: k8s-nim-operator
+    condition: k8s-nim-operator.enabled
+    repository: https://helm.ngc.nvidia.com/nvidia/
+    version: "~3.1.0"