[ISSUE] Ensure non-leaf YAML objects only contain known parameters

[leiicamundi]

Describe the issue:

Currently, the Helm chart’s JSON Schema validation allows unknown keys within intermediate (non-leaf) YAML objects when additionalProperties is not explicitly set to false.
As a result, typos or invalid nested keys are silently ignored instead of failing fast during validation.

Example:

global:
  identity:
    keycloak:
      urll: https://example.com  # typo (should be "url")

This configuration passes schema validation and renders successfully, but the incorrect property is ignored at runtime.

---

Actual behavior:

Running:

helm template camunda-platform \
  camunda/camunda-platform \
  --version 13.0.0 \
  --set global.identity.keycloak.urll=https://example.com

succeeds without any error, even though urll is not a valid property of global.identity.keycloak.

Helm produces manifests as if the property were absent, leading to silent misconfigurations.

---

Expected behavior:

Helm should fail schema validation when encountering unknown parameters inside defined object structures.

Example expected output:

Error: values don't meet the schema:
  global.identity.keycloak.urll: additional property urll is not allowed

Only explicitly defined properties (like url) should be accepted.

Top-level user-defined structures (e.g. YAML anchors) can remain flexible using patternProperties.

---

How to reproduce:

1. Run the following command:

   helm template camunda-platform \
     camunda/camunda-platform \
     --version 13.0.0 \
     --set global.identity.keycloak.urll=https://example.com

2. Observe that the command succeeds.

3. Check the rendered manifests — the urll property is ignored.

---

Logs:

No validation error or warning is shown.
Helm renders successfully, but the misconfigured value is dropped.

---

Environment:

• Platform:
• Helm CLI version:
• Chart version: 13.0.0
• Values file:

---

Proposed solution:

• Ensure that non-leaf YAML objects in the schema explicitly set "additionalProperties": false.
• Maintain flexibility at the root level to allow user-defined structures or YAML anchors using patternProperties.
• This could be automated in the schema generation script (make-schema-strict.sh or equivalent) to enforce the rule consistently.

---

Rationale / Benefits:

✅ Prevents silent configuration errors due to typos or invalid keys.
✅ Improves developer experience by providing immediate feedback.
✅ Reduces debugging time and increases confidence in chart configuration.
✅ Aligns with the strict schema validation initiative from PR [#4397](#4397).

[hisImminence]

Moving to backlog based on the internal discussion.

[leiicamundi]

@hisImminence for transparency, what is the expected status of this issue?

It will save a lot of time to everyone doing mistakes.
Also, considering that major charts all use it (https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.schema.json)

Quoting argoproj/argo-helm#2157 (comment)

During kubecon 2024 it was also highlighted multiple times, that one of the issues with developer UX in k8s, is a lack of YAML validation tooling, and often you only realise that something was intended wrongly (but still resulted in valid YAML), when you deploy it.