diff --git a/.github/workflows/yamllint.yaml b/.github/workflows/yamllint.yaml
index 61b95865..897b7528 100644
--- a/.github/workflows/yamllint.yaml
+++ b/.github/workflows/yamllint.yaml
@@ -18,23 +18,19 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: azure/setup-kubectl@v3
-      - name: kustomize build operators
+      - uses: azure/setup-helm@v4.0.0
+      - uses: bmuschko/setup-kubeconform@v1
+      - name: validate kustomize with kubeconform
         run: |
-          for operator in $(find operators -maxdepth 1 -mindepth 1 -type d); do
-            echo "${operator}"
-            kubectl kustomize --enable-helm "${operator}" > /dev/null
-          done
-          echo "apps/operators"
-          kubectl kustomize apps/operators > /dev/null
-      - name: kustomize build components
-        run: |
-          for component in $(find components -maxdepth 1 -mindepth 1 -type d); do
-            if [[ "${component}" =~ "secrets" ]]; then
-              echo "Skipping secrets"
-            else
-              echo "${component}"
-              kubectl kustomize --enable-helm "${component}" > /dev/null
-            fi
+          set -o errexit
+          set -o pipefail
+          items=$(find bootstrap -maxdepth 2 -name kustomization.yaml -exec dirname {} \;)
+          items+=($(find operators -maxdepth 2 -name kustomization.yaml -exec dirname {} \;))
+          items+=($(find components -maxdepth 2 -name kustomization.yaml -exec dirname {} \;))
+          items+=($(find apps -maxdepth 2 -name kustomization.yaml -exec dirname {} \;))
+
+          for item in ${items}; do
+            echo "${item}"
+            kubectl kustomize --enable-helm "${item}" | \
+              kubeconform -skip=Secret -strict -ignore-missing-schemas
           done
-          echo "apps/components"
-          kubectl kustomize apps/components > /dev/null
diff --git a/components/10-keystone/README.md b/components/10-keystone/README.md
index 20c113fc..521991e2 100644
--- a/components/10-keystone/README.md
+++ b/components/10-keystone/README.md
@@ -21,7 +21,6 @@ git clone https://github.com/openstack/openstack-helm
 git clone https://github.com/openstack/openstack-helm-infra
 # update the dependencies cause we can't use real helm references
 ./scripts/openstack-helm-depend-sync.sh keystone
-cd components/10-keystone
 ```
 
 ## Deploy Keystone
@@ -41,7 +40,7 @@ Secrets Reference:
 helm --namespace openstack template \
     keystone \
     ./openstack-helm/keystone/ \
-    -f aio-values.yaml \
+    -f components/10-keystone/aio-values.yaml \
     --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
     --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
     --set endpoints.oslo_db.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)" \
diff --git a/scripts/openstack-helm-sealed-secrets.sh b/scripts/openstack-helm-sealed-secrets.sh
index e0574255..f85bdbdc 100755
--- a/scripts/openstack-helm-sealed-secrets.sh
+++ b/scripts/openstack-helm-sealed-secrets.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -x
 
 # function to process each YAML file
 process_yaml() {
@@ -37,3 +37,4 @@ done
 
 # process the last one
 [[ -n $yaml_acc ]] && process_yaml "$yaml_acc"
+exit 0