Helm Guardrails
Enforce Helm chart best practices including lint validation, semantic versioning, values schema presence, and dependency version pinning. Helps ensure charts are production-ready and maintainable.
Add helm to your lunar-config.yml:
uses: github://earthly/lunar-lib/policies/helm@v1.0.5
Included Guardrails
This policy includes 4 guardrails that enforce standards for your deployment and infrastructure.
lint-passed
Validates that all Helm charts pass helm lint. Charts that fail linting may have template errors, missing required values, or invalid YAML that will cause deployment failures.
version-semver
Ensures Helm chart versions follow semantic versioning (semver). Consistent versioning enables reliable dependency resolution and rollback strategies.
values-schema
Requires Helm charts to include a values.schema.json file. A values schema validates user-provided values at install time, preventing misconfiguration.
dependencies-pinned
Ensures all Helm chart dependencies specify version constraints. Unpinned dependencies (using * or empty version) can pull breaking changes unexpectedly.
How Guardrails Fit into Lunar
Lunar guardrails define your engineering standards as code. They evaluate data collected by integrations and produce pass/fail checks with actionable feedback.
Policies support gradual enforcement—from silent scoring to blocking PRs or deployments—letting you roll out standards at your own pace without disrupting existing workflows.
Required Integrations
This policy evaluates data gathered by one or more of the following integration(s).
Make sure to enable them in your lunar-config.yml.
Documentation
Helm Guardrails
Enforces Helm chart best practices for production-ready charts.
Overview
This policy validates Helm charts against best practices including lint validation, semantic versioning, values schema presence, and dependency version pinning. It helps ensure your Helm charts are well-structured, properly versioned, and safe to deploy.
Policies
This policy provides the following guardrails (use include to select a subset):
| Policy | Description | Failure Meaning |
|---|---|---|
| lint-passed | Validates charts pass helm lint | Chart has template or YAML errors |
| version-semver | Checks chart versions follow semver | Chart version is not valid semver |
| values-schema | Requires values.schema.json | Chart missing values input validation |
| dependencies-pinned | Checks dependency version constraints | Dependency using * or empty version |
Required Data
This policy reads from the following Component JSON paths:
| Path | Type | Provided By |
|---|---|---|
| .k8s.helm.charts[] | array | helm collector |
| .k8s.helm.charts[].lint_passed | boolean | helm collector |
| .k8s.helm.charts[].lint_errors | array | helm collector |
| .k8s.helm.charts[].version | string | helm collector |
| .k8s.helm.charts[].version_is_semver | boolean | helm collector |
| .k8s.helm.charts[].has_values_schema | boolean | helm collector |
| .k8s.helm.charts[].dependencies[] | array | helm collector |
| .k8s.helm.charts[].dependencies[].name | string | helm collector |
| .k8s.helm.charts[].dependencies[].version | string | helm collector |
| .k8s.helm.charts[].dependencies[].is_pinned | boolean | helm collector |
Note: Ensure the helm collector is configured before enabling this policy.
Installation
Add to your lunar-config.yml:
```yaml
collectors:
  - uses: github://earthly/lunar-lib/collectors/helm@v1.0.0
    on: [kubernetes, helm]

policies:
  - uses: github://earthly/lunar-lib/policies/helm@v1.0.0
    on: [kubernetes, helm]
    enforcement: report-pr
    # include: [lint-passed, version-semver]  # Only run specific checks
```
Examples
Passing Example
A compliant chart with proper versioning, lint results, schema, and pinned dependencies:
```json
{
  "k8s": {
    "helm": {
      "charts": [
        {
          "path": "charts/api",
          "name": "api",
          "version": "1.2.3",
          "version_is_semver": true,
          "lint_passed": true,
          "lint_errors": [],
          "has_values_schema": true,
          "schema_path": "charts/api/values.schema.json",
          "dependencies": [
            {
              "name": "postgresql",
              "version": "~11.9.0",
              "is_pinned": true
            }
          ]
        }
      ]
    }
  }
}
```
Failing Example
A chart with lint errors, non-semver version, no schema, and unpinned dependencies:
```json
{
  "k8s": {
    "helm": {
      "charts": [
        {
          "path": "charts/app",
          "name": "app",
          "version": "latest",
          "version_is_semver": false,
          "lint_passed": false,
          "lint_errors": ["templates/deployment.yaml: error converting YAML to JSON"],
          "has_values_schema": false,
          "dependencies": [
            {
              "name": "redis",
              "version": "*",
              "is_pinned": false
            }
          ]
        }
      ]
    }
  }
}
```
Failure messages:
```
charts/app: Chart 'app' failed helm lint: templates/deployment.yaml: error converting YAML to JSON
charts/app: Chart 'app' version 'latest' is not valid semver
charts/app: Chart 'app' missing values.schema.json
charts/app: Dependency 'redis' version '*' is not pinned
```
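The four checks applied to the Component JSON shape shown above, as an added example that is not Lunar's own policy code. It reproduces the failure messages listed for the failing chart; `evaluate`, `SAMPLE`, the `charts/web` entry, and the choice to fail closed on missing fields and on flags that disagree with the raw version strings are assumptions of this example.

```python
import re

# Semantic Versioning 2.0.0 pattern, as published on semver.org.
SEMVER = re.compile(
    r"(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?"
)

def evaluate(component):
    """Return failure messages for every chart under .k8s.helm.charts[]."""
    charts = component.get("k8s", {}).get("helm", {}).get("charts")
    if not charts:
        # Assumption: absent collector data is reported, not silently passed.
        return ["no Helm chart data found: is the helm collector enabled?"]
    out = []
    for c in charts:
        where, name = c.get("path", "?"), c.get("name", "?")
        version = str(c.get("version", ""))
        if c.get("lint_passed") is not True:
            errs = "; ".join(c.get("lint_errors") or ["no lint result"])
            out.append(f"{where}: Chart '{name}' failed helm lint: {errs}")
        # Accept the collector's flag only when the raw string agrees with it.
        if c.get("version_is_semver") is not True or not SEMVER.fullmatch(version):
            out.append(f"{where}: Chart '{name}' version '{version}' is not valid semver")
        if c.get("has_values_schema") is not True:
            out.append(f"{where}: Chart '{name}' missing values.schema.json")
        for d in c.get("dependencies") or []:
            dv = str(d.get("version") or "").strip()
            if d.get("is_pinned") is not True or dv in ("", "*"):
                out.append(f"{where}: Dependency '{d.get('name', '?')}' version '{dv}' is not pinned")
    return out

# Constructed sample: the page's failing chart, plus a chart whose flags claim
# compliance while the raw strings do not (stale or incorrect collector data).
SAMPLE = {"k8s": {"helm": {"charts": [
    {"path": "charts/app", "name": "app", "version": "latest",
     "version_is_semver": False, "lint_passed": False,
     "lint_errors": ["templates/deployment.yaml: error converting YAML to JSON"],
     "has_values_schema": False,
     "dependencies": [{"name": "redis", "version": "*", "is_pinned": False}]},
    {"path": "charts/web", "name": "web", "version": "v2", "version_is_semver": True,
     "lint_passed": True, "lint_errors": [], "has_values_schema": True,
     "dependencies": [{"name": "postgresql", "version": "", "is_pinned": True}]},
]}}}

if __name__ == "__main__":
    print("\n".join(evaluate(SAMPLE)))
```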
Remediation
When this policy fails, resolve it by:
- For lint-passed failures: Run helm lint <chart-dir> locally and fix reported errors
- For version-semver failures: Update the version field in Chart.yaml to follow semver (e.g., 1.0.0)
- For values-schema failures: Add a values.schema.json file to validate chart values at install time
- For dependencies-pinned failures: Replace * or empty versions in Chart.yaml dependencies with version constraints (e.g., ~1.2.0, ^2.0.0, >=1.0.0 <2.0.0)
Open Source
This policy is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.