Hamburger Cross Icon
GitOps Guardrails - Gitops Managed

Gitops Managed

gitops.gitops-managed

Coverage check: requires every component this policy targets (optionally narrowed to a tag) to actually be deployed by an ArgoCD Application — i.e. to have resolved .cd.gitops data, whether parsed locally or pushed by the argocd-deployment-tracking collector from a separate GitOps repo. Surfaces components that should be on GitOps but haven't been migrated. Unlike the other checks, absence of GitOps data is a failure here, not a skip — that's the whole point.

argocd gitops adoption coverage migration deployment visibility

Compatible Integrations

This guardrail works with the following integrations. Click to see how to use Gitops Managed with each collector.

Enable This Guardrail

Add the parent policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml
policies:
  - uses: github://earthly/lunar-lib/policies/gitops@v1.0.5
    include: [gitops-managed]
    # with: ...

How This Guardrail Works

This guardrail is part of the GitOps Guardrails policy. It evaluates data collected by integrations and produces a pass/fail check with actionable feedback.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement of your engineering standards.

Learn How Lunar Works
1
Integrations Gather Data
Collectors extract metadata from code, CI pipelines, tool outputs, and scans
2
{ } Centralized as JSON
All data merged into each component's unified metadata document
3
This Guardrail Checks Current
Gitops Managed runs and provides pass/fail feedback

Configuration Options

These inputs can be configured in your lunar-config.yml to customize how the parent policy (and this guardrail) behaves.

Input Required Default Description
allowed_source_repos Required Comma-separated allow-list of permitted Application source repoURLs for source-repo-allowlist. Required when that check is enabled (errors if empty).
allowed_destinations Required Comma-separated allow-list of permitted destinations for destination-allowlist. Each entry is `namespace` (allowed on any cluster) or `cluster/namespace` (pinned to one cluster — the cluster segment matches the Application destination's registered name or its server URL). Required when that check is enabled (errors if empty).
expected_tag Required For gitops-managed — only enforce coverage on components whose catalog tags (.catalog.entity.tags, e.g. from a Backstage catalog-info.yaml) include this value. Empty enforces on every component the policy targets (via on:).
GitOps Guardrails

GitOps Guardrails

This guardrail is part of the GitOps Guardrails policy, which includes 4 guardrails for deployment and infrastructure.

View Policy

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 200+ built-in guardrails.

Works with any process
check AI agent rules & prompt files
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Paste your AGENTS.md or manual process doc and get guardrails in minutes
Book a Demo