{"id":19292448,"url":"https://github.com/werf/nelm","last_synced_at":"2026-03-10T19:01:30.630Z","repository":{"id":214668078,"uuid":"737065751","full_name":"werf/nelm","owner":"werf","description":"Nelm is a Helm 4 alternative. It is a Kubernetes deployment tool that manages Helm Charts and deploys them to Kubernetes. The Nelm goal is to provide a modern alternative to Helm, with long-standing issues fixed and many new major features introduced.","archived":false,"fork":false,"pushed_at":"2026-02-24T14:00:07.000Z","size":5488,"stargazers_count":1031,"open_issues_count":45,"forks_count":25,"subscribers_count":9,"default_branch":"main","last_synced_at":"2026-02-24T18:51:26.408Z","etag":null,"topics":["cd","ci-cd","cicd","continuous-delivery","continuous-deployment","delivery","deploy","deployment","devops","golang","helm","helm-chart","iac","kubernetes","nelm","werf"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/werf.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2023-12-29T17:52:53.000Z","updated_at":"2026-02-24T15:25:07.000Z","dependencies_parsed_at":"2026-02-24T16:01:38.824Z","dependency_job_id":null,"html_url":"https://github.com/werf/nelm","commit_stats":null,"previous_names":["werf/nelm"],"tags_count":48,"template":false,"template_full_name":null,"purl":"pkg:github/werf/nelm","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/werf%2Fnelm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/werf%2Fnelm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/werf%2Fnelm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/werf%2Fnelm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/werf","download_url":"https://codeload.github.com/werf/nelm/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/werf%2Fnelm/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30348853,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-10T15:55:29.454Z","status":"ssl_error","status_checked_at":"2026-03-10T15:54:58.440Z","response_time":106,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cd","ci-cd","cicd","continuous-delivery","continuous-deployment","delivery","deploy","deployment","devops","golang","helm","helm-chart","iac","kubernetes","nelm","werf"],"created_at":"2024-11-09T22:30:57.576Z","updated_at":"2026-03-10T19:01:30.614Z","avatar_url":"https://github.com/werf.png","language":"Go","readme":"\u003c!-- \u003cp align=\"center\"\u003e\n  \u003ca href=\"https://godoc.org/github.com/werf/nelm\"\u003e\u003cimg src=\"https://godoc.org/github.com/werf/nelm?status.svg\" alt=\"GoDoc\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://qlty.sh/gh/werf/projects/nelm\"\u003e\u003cimg src=\"https://qlty.sh/gh/werf/projects/nelm/coverage.svg\" alt=\"Code Coverage\" /\u003e\u003c/a\u003e\n\u003c/p\u003e --\u003e\n\n**Nelm** is a Helm 4 alternative. It is a Kubernetes deployment tool that manages Helm Charts and deploys them to Kubernetes. It is also the deployment engine of [werf](https://github.com/werf/werf). Nelm does everything that Helm does, but better, and even quite some on top of it. Nelm is based on an improved and partially rewritten Helm codebase, to introduce:\n\n* `terraform plan`-like capabilities;\n* improved CRD management;\n* out-of-the-box secrets management;\n* advanced resource ordering capabilities;\n* advanced resource lifecycle capabilities;\n* improved resource state/error tracking;\n* continuous printing of logs, events, resource statuses, and errors during deployment;\n* fixed hundreds of Helm bugs, e.g. [\"no matches for kind Deployment in version apps/v1beta1\"](https://github.com/helm/helm/issues/7219);\n* performance and stability improvements and more.\n\nThe Nelm goal is to provide a modern alternative to Helm, with long-standing issues fixed and many new major features introduced. Nelm moves fast, but our focus remains on Helm Chart and Release compatibility, to ease the migration from Helm.\n\nNelm is production-ready: as the werf deployment engine, it was battle-tested across thousands of projects for years.\n\n![install](resources/images/nelm-release-install.png)\n\n## Table of Contents\n\n\u003c!-- START doctoc generated TOC please keep comment here to allow auto update --\u003e\n\u003c!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --\u003e\n\n- [Install](#install)\n- [Quickstart](#quickstart)\n- [CLI overview](#cli-overview)\n- [Helm compatibility](#helm-compatibility)\n- [Key features](#key-features)\n  - [Advanced resource ordering](#advanced-resource-ordering)\n  - [Advanced resource lifecycle capabilities](#advanced-resource-lifecycle-capabilities)\n  - [Resource state tracking](#resource-state-tracking)\n  - [Printing logs and events during deploy](#printing-logs-and-events-during-deploy)\n  - [Release planning](#release-planning)\n  - [Encrypted values and encrypted files](#encrypted-values-and-encrypted-files)\n  - [Improved CRD management](#improved-crd-management)\n- [Usage](#usage)\n  - [Encrypted values files](#encrypted-values-files)\n  - [Encrypted arbitrary files](#encrypted-arbitrary-files)\n- [Reference](#reference)\n  - [`werf.io/weight` annotation](#werfioweight-annotation)\n  - [`werf.io/deploy-dependency-\u003cid\u003e` annotation](#werfiodeploy-dependency-id-annotation)\n  - [`werf.io/delete-dependency-\u003cid\u003e` annotation](#werfiodelete-dependency-id-annotation)\n  - [`\u003cid\u003e.external-dependency.werf.io/resource` annotation](#idexternal-dependencywerfioresource-annotation)\n  - [`\u003cid\u003e.external-dependency.werf.io/name` annotation](#idexternal-dependencywerfioname-annotation)\n  - [`werf.io/ownership` annotation](#werfioownership-annotation)\n  - [`werf.io/deploy-on` annotation](#werfiodeploy-on-annotation)\n  - [`werf.io/delete-policy` annotation](#werfiodelete-policy-annotation)\n  - [`werf.io/delete-propagation` annotation](#werfiodelete-propagation-annotation)\n  - [`werf.io/track-termination-mode` annotation](#werfiotrack-termination-mode-annotation)\n  - [`werf.io/fail-mode` annotation](#werfiofail-mode-annotation)\n  - [`werf.io/failures-allowed-per-replica` annotation](#werfiofailures-allowed-per-replica-annotation)\n  - [`werf.io/no-activity-timeout` annotation](#werfiono-activity-timeout-annotation)\n  - [`werf.io/sensitive` annotation](#werfiosensitive-annotation)\n  - [`werf.io/sensitive-paths` annotation](#werfiosensitive-paths-annotation)\n  - [`werf.io/log-regex` annotation](#werfiolog-regex-annotation)\n  - [`werf.io/log-regex-for-\u003ccontainer_name\u003e` annotation](#werfiolog-regex-for-container_name-annotation)\n  - [`werf.io/log-regex-skip` annotation](#werfiolog-regex-skip-annotation)\n  - [`werf.io/log-regex-skip-for-\u003ccontainer_name\u003e` annotation](#werfiolog-regex-skip-for-container_name-annotation)\n  - [`werf.io/skip-logs` annotation](#werfioskip-logs-annotation)\n  - [`werf.io/skip-logs-for-containers` annotation](#werfioskip-logs-for-containers-annotation)\n  - [`werf.io/show-logs-only-for-number-of-replicas` annotation](#werfioshow-logs-only-for-number-of-replicas-annotation)\n  - [`werf.io/show-logs-only-for-containers` annotation](#werfioshow-logs-only-for-containers-annotation)\n  - [`werf.io/show-service-messages` annotation](#werfioshow-service-messages-annotation)\n  - [`werf_secret_file` function](#werf_secret_file-function)\n  - [`dump_debug` function](#dump_debug-function)\n  - [`printf_debug` function](#printf_debug-function)\n  - [`include_debug` function](#include_debug-function)\n  - [`tpl_debug` function](#tpl_debug-function)\n- [Feature gates](#feature-gates)\n  - [`NELM_FEAT_PREVIEW_V2` environment variable](#nelm_feat_preview_v2-environment-variable)\n  - [`NELM_FEAT_REMOTE_CHARTS` environment variable](#nelm_feat_remote_charts-environment-variable)\n  - [`NELM_FEAT_NATIVE_RELEASE_LIST` environment variable](#nelm_feat_native_release_list-environment-variable)\n  - [`NELM_FEAT_NATIVE_RELEASE_UNINSTALL` environment variable](#nelm_feat_native_release_uninstall-environment-variable)\n  - [`NELM_FEAT_PERIODIC_STACK_TRACES` environment variable](#nelm_feat_periodic_stack_traces-environment-variable)\n  - [`NELM_FEAT_FIELD_SENSITIVE` environment variable](#nelm_feat_field_sensitive-environment-variable)\n  - [`NELM_FEAT_CLEAN_NULL_FIELDS` environment variable](#nelm_feat_clean_null_fields-environment-variable)\n  - [`NELM_FEAT_MORE_DETAILED_EXIT_CODE_FOR_PLAN` environment variable](#nelm_feat_more_detailed_exit_code_for_plan-environment-variable)\n- [More documentation](#more-documentation)\n- [Limitations](#limitations)\n- [Contributing](#contributing)\n- [Special thanks](#special-thanks)\n- [Future plans](#future-plans)\n\n\u003c!-- END doctoc generated TOC please keep comment here to allow auto update --\u003e\n\n## Install\n\nFollow instructions on [GitHub Releases](https://github.com/werf/nelm/releases).\n\n## Quickstart\n\n1. Create a directory for a new chart:\n    ```bash\n    mkdir mychart\n    cd mychart\n    ```\n\n1. Create `Chart.yaml` with the following content:\n    ```yaml\n    apiVersion: v2\n    name: mychart\n    version: 1.0.0\n    dependencies:\n    - name: cert-manager\n      version: 1.13.3\n      repository: https://charts.jetstack.io\n    ```\n\n1. Generate `Chart.lock`:\n    ```bash\n    nelm chart dependency download\n    ```\n\n1. Create `values.yaml` with the following content:\n    ```yaml\n    cert-manager:\n      installCRDs: true\n      startupapicheck:\n        enabled: false\n    ```\n\n1. Deploy the first release:\n    ```bash\n    nelm release install -n myproject -r myproject\n    ```\n\n1. Plan the second release with an increased number of replicas, where only a single field in a single Deployment will be updated:\n    ```bash\n    nelm release plan install -n myproject -r myproject --set cert-manager.replicaCount=2\n    ```\n\n1. Deploy the second release, where only the Deployment will be updated:\n    ```bash\n    nelm release install -n myproject -r myproject --set cert-manager.replicaCount=2\n    ```\n   \n## CLI overview\n\n```yaml\nRelease commands:\n  release install                    Deploy a chart to Kubernetes.\n  release rollback                   Rollback to a previously deployed release.\n  release plan install               Plan a release install to Kubernetes.\n  release uninstall                  Uninstall a Helm Release from Kubernetes.\n  release list                       List all releases in a namespace.\n  release history                    Show release history.\n  release get                        Get information about a deployed release.\n\nChart commands:\n  chart lint                         Lint a chart.\n  chart render                       Render a chart.\n  chart download                     Download a chart from a repository.\n  chart upload                       Upload a chart to a repository.\n  chart pack                         Pack a chart into an archive to distribute via a repository.\n\nSecret commands:\n  chart secret key create            Create a new chart secret key.\n  chart secret key rotate            Reencrypt secret files with a new secret key.\n  chart secret values-file edit      Interactively edit encrypted values file.\n  chart secret values-file encrypt   Encrypt values file and print result to stdout.\n  chart secret values-file decrypt   Decrypt values file and print result to stdout.\n  chart secret file edit             Interactively edit encrypted file.\n  chart secret file encrypt          Encrypt file and print result to stdout.\n  chart secret file decrypt          Decrypt file and print result to stdout.\n\nDependency commands:\n  chart dependency download          Download chart dependencies from Chart.lock.\n  chart dependency update            Update Chart.lock and download chart dependencies.\n\nRepo commands:\n  repo add                           Set up a new chart repository.\n  repo remove                        Remove a chart repository.\n  repo update                        Update info about available charts for all chart repositories.\n  repo login                         Log in to an OCI registry with charts.\n  repo logout                        Log out from an OCI registry with charts.\n\nOther commands:\n  completion bash                    Generate the autocompletion script for bash\n  completion fish                    Generate the autocompletion script for fish\n  completion powershell              Generate the autocompletion script for powershell\n  completion zsh                     Generate the autocompletion script for zsh\n  version                            Show version.\n```\n   \n## Helm compatibility\n\nNelm is built upon the Helm codebase with some parts of Helm reimplemented. It is backward-compatible with Helm Charts and Helm Releases.\n\nHelm Charts can be deployed by Nelm with no changes. All the obscure Helm Chart features, such as `lookup` functions, are supported.\n\nTo store release information, Nelm uses Helm Releases. You can deploy the same release with Helm and Nelm interchangeably, and it will work just fine. No migration needed from/to Helm.\n\nNelm has a different CLI layout, flags and environment variables, but we largely support all the same features as Helm.\n\nHelm plugins support is not planned due to technical difficulties with the Helm plugins API. Instead, we intend to implement functionality of the most useful plugins natively, like we already did with `nelm release plan install` and `nelm chart secret`.\n\nGenerally, the migration from Helm to Nelm should be as simple as changing Helm commands to Nelm commands in your CI, for example:\n\n| Helm command | Nelm command equivalent |\n| -------- | ------- |\n| `helm upgrade --install --atomic --wait -n myns myrls ./chart` | `nelm release install --auto-rollback -n myns -r myrls ./chart` |\n| `helm uninstall -n myns myrls` | `nelm release uninstall -n myns -r myrls` |\n| `helm template ./chart` | `nelm chart render ./chart` |\n| `helm dependency build` | `nelm chart dependency download` |\n\n## Key features\n\n### Advanced resource ordering\n\nThe resource deployment subsystem of Helm is rewritten from scratch in Nelm. During the deployment, Nelm builds the Directed Acyclic Graph (DAG) of all operations we want to perform in the cluster to do the release, then the DAG is executed. The DAG allowed us to implement advanced resource ordering capabilities, such as:\n* The `werf.io/weight` annotation: similar to `helm.sh/hook-weight`, but also works for non-hook resources. Resources with the same weight deployed in parallel.\n* The `werf.io/deploy-dependency-\u003cid\u003e` annotation: do not deploy the annotated resource until the dependency is present or ready. This is the most powerful and effective way to enforce deployment order in Nelm.\n* The `\u003cid\u003e.external-dependency.werf.io/resource` annotation: do not deploy the annotated resource until the dependency is ready. The dependency can be an external, non-release resource, e.g. a resource created by a third-party operator.\n* Helm Hooks and their weights are supported, too.\n\n![ordering](resources/images/graph.png)\n\n### Advanced resource lifecycle capabilities\n\nHelm doesn't offer any resource lifecycle capabilities, except `helm.sh/resource-policy: keep` and `helm.sh/hook-delete-policy` for Hooks. On top of these, Nelm offers the following:\n* The `werf.io/delete-policy` annotation. Inspired by `helm.sh/hook-delete-policy`, but works for any resource. Set `before-creation` to always recreate the resource, `before-creation-if-immutable` to only recreate if the resource is immutable, `succeeded` or `failed` to delete the resource on success or failure. \n* The `werf.io/ownership` annotation. `anyone` allows to get Hook-like behavior for regular resources: don't delete the resource if it is removed from the Chart or when the whole release is removed, and never check or apply release annotations.\n* The `werf.io/deploy-on` annotation. Inspired by `helm.sh/hook`. Render and deploy the resource only on install/upgrade/rollback/uninstall in a pre/main/post stage.\n\nThese annotations make Helm Hooks obsolete: regular resources can do all the same things now.\n\n### Resource state tracking\n\nNelm has powerful resource tracking built from the ground up, much more advanced than what Helm has:\n* Reliable detection of resources readiness, presence, absence or failures.\n* Standard Kubernetes Resources have their own smart status trackers.\n* Popular Custom Resources have hand-crafted rules to detect their statuses.\n* For unknown Custom Resources, we heuristically determine their readiness by analyzing their status fields. Works for most Custom Resources. No false positives.\n* The table with statuses, errors, and other info about currently tracked resources is printed every few seconds during the deployment.\n\n![tracking](resources/images/nelm-release-install.gif)\n\n### Printing logs and events during deploy\n\nDuring the deployment, Nelm finds Pods of deploying resources and periodically prints their container logs. With annotation `werf.io/show-service-messages: \"true\"`, resource events are also printed. Can be configured with CLI flags and annotations.\n\n### Release planning\n\n`nelm release plan install` shows exactly what's going to happen in the cluster on the next release. It shows 100% accurate diffs between current and to-be resource versions, utilizing robust dry-run Server-Side Apply instead of client-side trickery.\n\n![planning](resources/images/nelm-release-plan-install.png)\n\n### Encrypted values and encrypted files\n\n`nelm chart secret` commands manage encrypted values files such as `secret-values.yaml` or encrypted arbitrary files like `secret/mysecret.txt`. These files are decrypted in-memory during templating and can be used in templates as `.Values.my.secret.value` and `{{ werf_secret_file \"mysecret.txt\" }}`, respectively.\n\n### Improved CRD management\n\nCRDs from the `crds/` directory of the chart deployed not only on the very first release install, but also on release upgrades. Also, CRDs not only can be created, but can be updated as well.\n\n## Usage\n\nNelm-specific features are described below. For general documentation, see [Helm docs](https://helm.sh/docs/) and [werf docs](https://werf.io/docs/v2/usage/deploy/overview.html).\n\n### Encrypted values files\n\nValues files can be encrypted and stored in a Helm chart or a git repo. Such values files are decrypted in-memory during templating.\n\nCreate a secret key:\n```bash\nexport NELM_SECRET_KEY=\"$(nelm chart secret key create)\"\n```\n\nCreate a new secret-values file:\n```bash\nnelm chart secret values-file edit secret-values.yaml\n```\n... with the following content:\n```yaml\npassword: verysecurepassword123\n```\n\nReference encrypted value in Helm templates:\n```yaml\npassword: {{ .Values.password }}\n```\n\nRender the chart:\n```bash\nnelm chart render\n```\n```yaml\npassword: verysecurepassword123\n```\n\nNOTE: `$NELM_SECRET_KEY` must be set for any command that encrypts/decrypts secrets, including `nelm chart render`.\n\n### Encrypted arbitrary files\n\nArbitrary files can be encrypted and stored in the `secret/` directory of a Helm chart. Such files are decrypted in-memory during templating.\n\nCreate a secret key:\n```bash\nexport NELM_SECRET_KEY=\"$(nelm chart secret key create)\"\n```\n\nCreate a new secret file:\n```bash\nnelm chart secret file edit secret/config.yaml\n```\n... with the following content:\n```yaml\nuser: john-doe\npassword: verysecurepassword123\n```\n\nReference encrypted secret in Helm templates:\n```yaml\nconfig: {{ werf_secret_file \"config.yaml\" | nindent 4 }}\n```\n\nRender the chart:\n```bash\nnelm chart render\n```\n```yaml\nconfig:\n  user: john-doe\n  password: verysecurepassword123\n```\n\n## Reference\n\nNelm-specific features are described below. For general documentation, see [Helm docs](https://helm.sh/docs/) and [werf docs](https://werf.io/docs/v2/usage/deploy/overview.html).\n\n### `werf.io/weight` annotation \n\nThis annotation works the same as `helm.sh/hook-weight`, but can be used for both hooks and non-hook resources. Resources with the same weight are grouped together, then the groups deployed one after the other, from low to high weight. Resources in the same group are deployed in parallel. This annotation has higher priority than `helm.sh/hook-weight`, but lower than `werf.io/deploy-dependency-\u003cid\u003e`.\n\nExample:\n```yaml\nwerf.io/weight: \"10\"\nwerf.io/weight: \"-10\"\n```\nFormat:\n```\nwerf.io/weight: \"\u003cany number\u003e\"\n```\nDefault:\n```\n0\n```\n\n### `werf.io/deploy-dependency-\u003cid\u003e` annotation \n\nThe resource will deploy only after all of its dependencies are satisfied. It waits until the specified resource is just `present` or is also `ready`. It serves as a more powerful alternative to hooks and `werf.io/weight`. You can only point to resources in the release. This annotation has higher priority than `werf.io/weight` and `helm.sh/hook-weight`. This annotation has no effect if the resource on which we depend upon is outside the stage (pre, main, post, ...) of the resource with the annotation.\n\nExample:\n```yaml\nwerf.io/deploy-dependency-db: state=ready,kind=StatefulSet,name=postgres\nwerf.io/deploy-dependency-app: state=present,kind=Deployment,group=apps,version=v1,name=app,namespace=app\n```\nFormat:\n```\nwerf.io/deploy-dependency-\u003canything\u003e: state=ready|present[,name=\u003cname\u003e][,namespace=\u003cnamespace\u003e][,kind=\u003ckind\u003e][,group=\u003cgroup\u003e][,version=\u003cversion\u003e]\n```\n\n### `werf.io/delete-dependency-\u003cid\u003e` annotation\n\nThe resource will be deleted only after all of its dependencies are satisfied. It waits until the specified resource is `absent`. You can only point to resources in the release. This annotation has no effect if the resource on which we depend upon is outside the stage (pre, main, post, ...) of the resource with the annotation.\n\nExample:\n```yaml\nwerf.io/delete-dependency-db: state=absent,kind=StatefulSet,name=postgres\nwerf.io/delete-dependency-app: state=absent,kind=Deployment,group=apps,version=v1,name=app,namespace=app\n```\nFormat:\n```\nwerf.io/delete-dependency-\u003canything\u003e: state=absent[,name=\u003cname\u003e][,namespace=\u003cnamespace\u003e][,kind=\u003ckind\u003e][,group=\u003cgroup\u003e][,version=\u003cversion\u003e]\n```\n\n### `\u003cid\u003e.external-dependency.werf.io/resource` annotation \n\nThe resource will deploy only after all of its external dependencies are satisfied. It waits until the specified resource is `present` and `ready`. You can only point to resources outside the release.\n\nExample:\n```yaml\nsecret.external-dependency.werf.io/resource: secret/config\nsomeapp.external-dependency.werf.io/resource: deployments.v1.apps/app\n```\nFormat:\n```\n\u003canything\u003e.external-dependency.werf.io/resource: \u003ckind\u003e[.\u003cversion\u003e.\u003cgroup\u003e]/\u003cname\u003e\n```\n\n### `\u003cid\u003e.external-dependency.werf.io/name` annotation \n\nSet the namespace of the external dependency defined by `\u003cid\u003e.external-dependency.werf.io/resource`. `\u003cid\u003e` must match on both annotations. If not specified, the release namespace is used.\n\nExample:\n```yaml\nsomeapp.external-dependency.werf.io/name: someapp-production\n```\nFormat:\n```\n\u003canything\u003e.external-dependency.werf.io/name: \u003cname\u003e\n```\n\n### `werf.io/ownership` annotation \n\nInspired by Helm hooks. Sets the ownership of the resource. `release` means that the resource is deleted if removed from the chart or when the release is uninstalled, and release annotations of the resource are applied/validated during deploy. `anyone` means the opposite: resource is never deleted on uninstall or when removed from the chart, and release annotations are not applied/validated during deploy.\n\nExample:\n```yaml\nwerf.io/ownership: anyone\n```\nFormat:\n```\nwerf.io/ownership: anyone|release\n```\nDefault:\n```\n\"release\" for general resources, \"anyone\" for hooks and CRDs from \"crds/\" directory\n```\n\n### `werf.io/deploy-on` annotation \n\nInspired by `helm.sh/hook`. Render the resource for deployment only on the specified deploy types and stages. Has precedence over `helm.sh/hook`.\n\nBeware that with `werf.io/ownership: release` if the resource is rendered for install, but, for example, not for upgrade, then it is going to be deployed on install, but then deleted on upgrade, so you might want to consider `werf.io/ownership: anyone`.\n\nExample:\n```yaml\nwerf.io/deploy-on: pre-install,upgrade\n```\nFormat:\n```\nwerf.io/deploy-on: [pre-install][,install][,post-install][,pre-upgrade][,upgrade][,post-upgrade][,pre-rollback][,rollback][,post-rollback][,pre-uninstall][,uninstall][,post-uninstall]\n```\nDefault:\n```\n\"install,upgrade,rollback\" for general resources, populated from \"helm.sh/hook\" for hooks\n```\n\n### `werf.io/delete-policy` annotation \n\nInspired by `helm.sh/hook-delete-policy`. Controls resource deletions during resource deployment. `before-creation` means always recreate the resource, `before-creation-if-immutable` means recreate the resource only when we got \"field is immutable\" error during its update, `succeeded` means delete the resource at the end of the current deployment stage if the resource was successfully deployed, `failed` means delete the resource if it's readiness check failed. Has precedence over `helm.sh/hook-delete-policy`.\n\nExample:\n```yaml\nwerf.io/delete-policy: before-creation,succeeded\n```\nFormat:\n```\nwerf.io/delete-policy: [before-creation][,before-creation-if-immutable][,succeeded][,failed]\n```\nDefault:\n```\nnothing for general resources (unless Job, then \"before-creation-if-immutable\"), mapped from \"helm.sh/hook-delete-policy\" for hooks\n```\n\n### `werf.io/delete-propagation` annotation\n\nSet the deletion propagation policy for the resource. `Foreground` means delete the resource after deleting all of its dependents, `Background` means delete the resource immediately, and delete all of its dependents in the background, and `Orphan` means delete the resource, but leave all of its dependents untouched.\n\nExample:\n```yaml\nwerf.io/delete-propagation: Background\n```\nFormat:\n```\nwerf.io/delete-propagation: Foreground|Background|Orphan\n```\nDefault:\n```\nForeground\n```\n\n### `werf.io/track-termination-mode` annotation \n\nConfigure when to stop resource readiness tracking:\n* `WaitUntilResourceReady`: wait until the resource is `ready`.\n* `NonBlocking`: don't wait until the resource is `ready`.\n\nExample:\n```yaml\nwerf.io/track-termination-mode: NonBlocking\n```\nFormat:\n```\nwerf.io/track-termination-mode: WaitUntilResourceReady|NonBlocking\n```\nDefault:\n```\nWaitUntilResourceReady\n```\n\n### `werf.io/fail-mode` annotation \n\nConfigure what should happen when errors during tracking for the resource exceeded `werf.io/failures-allowed-per-replica`:\n* `FailWholeDeployProcessImmediately`: fail the release.\n* `IgnoreAndContinueDeployProcess`: do nothing.\n\nExample:\n```yaml\nwerf.io/fail-mode: IgnoreAndContinueDeployProcess\n```\nFormat:\n```\nwerf.io/fail-mode: FailWholeDeployProcessImmediately|IgnoreAndContinueDeployProcess\n```\nDefault:\n```\nFailWholeDeployProcessImmediately\n```\n\n### `werf.io/failures-allowed-per-replica` annotation \n\nSet the number of allowed errors during resource tracking. When exceeded, act according to `werf.io/fail-mode`.\n\nExample:\n```yaml\nwerf.io/failures-allowed-per-replica: \"0\"\n```\nFormat:\n```\nwerf.io/failures-allowed-per-replica: \"\u003cany positive number or zero\u003e\"\n```\nDefault:\n```\n1\n```\n\n### `werf.io/no-activity-timeout` annotation \n\nTake it as a resource tracking error if no new events or resource updates are received during resource tracking for the specified time.\n\nExample:\n```yaml\nwerf.io/no-activity-timeout: 8m30s\n```\nFormat ([more info](https://pkg.go.dev/time#ParseDuration)):\n```\nwerf.io/no-activity-timeout: \u003cgolang duration\u003e\n```\nDefault:\n```\n4m\n```\n\n### `werf.io/sensitive` annotation \n\nDEPRECATED. Use `werf.io/sensitive-paths` instead.\n\nDon't show diffs for the resource.\n\n`NELM_FEAT_FIELD_SENSITIVE` feature gate alters behavior of this annotation.\n\nExample:\n```yaml\nwerf.io/sensitive: \"true\"\n```\nFormat:\n```\nwerf.io/sensitive: \"true|false\"\n```\nDefault:\n```\n\"false\", but for \"v1/Secret\" — \"true\"\n```\n\n### `werf.io/sensitive-paths` annotation \n\nDon't show diffs for resource fields that match specified JSONPath expressions. Overrides the behavior of `werf.io/sensitive`.\n\nExample:\n```yaml\nwerf.io/sensitive-paths: \"$.spec.template.spec.containers[*].env[*].value,$.data.*\"\n```\nFormat:\n```\nwerf.io/sensitive-paths: \u003cJSONPath\u003e,\u003cJSONPath\u003e,...\n```\n\n### `werf.io/log-regex` annotation \n\nOnly show log lines that match the specified regex.\n\nExample:\n```yaml\nwerf.io/log-regex: \".*ERR|err|WARN|warn.*\"\n```\nFormat ([more info](https://github.com/google/re2/wiki/Syntax)):\n```\nwerf.io/log-regex: \u003cre2 regex\u003e\n```\n\n### `werf.io/log-regex-for-\u003ccontainer_name\u003e` annotation \n\nFor the specified container, only show log lines that match the specified regex.\n\nExample:\n```yaml\nwerf.io/log-regex-for-backend: \".*ERR|err|WARN|warn.*\"\n```\nFormat ([more info](https://github.com/google/re2/wiki/Syntax)):\n```\nwerf.io/log-regex-for-backend: \u003cre2 regex\u003e\n```\n\n### `werf.io/log-regex-skip` annotation \n\nDon't show log lines that match the specified regex.\n\nExample:\n```yaml\nwerf.io/log-regex-skip: \".*TRACE|trace|DEBUG|debug.*\"\n```\nFormat ([more info](https://github.com/google/re2/wiki/Syntax)):\n```\nwerf.io/log-regex-skip: \u003cre2 regex\u003e\n```\n\n### `werf.io/log-regex-skip-for-\u003ccontainer_name\u003e` annotation \n\nFor the specified container, exclude log lines that match the specified regex.\n\nExample:\n```yaml\nwerf.io/log-regex-skip-for-backend: \".*ERR|err|WARN|warn.*\"\n```\nFormat ([more info](https://github.com/google/re2/wiki/Syntax)):\n```\nwerf.io/log-regex-skip-for-backend: \u003cre2 regex\u003e\n```\n\n### `werf.io/skip-logs` annotation \n\nDon't print container logs during resource tracking.\n\nExample:\n```yaml\nwerf.io/skip-logs: \"true\"\n```\nFormat:\n```\nwerf.io/skip-logs: \"true|false\"\n```\nDefault:\n```\nfalse\n```\n\n### `werf.io/skip-logs-for-containers` annotation \n\nDon't print logs for specified containers during resource tracking.\n\nExample:\n```yaml\nwerf.io/skip-logs-for-containers: \"backend,frontend\"\n```\nFormat:\n```\nwerf.io/skip-logs-for-containers: \u003ccontainer_name\u003e[,\u003ccontainer_name\u003e...]\n```\n\n### `werf.io/show-logs-only-for-number-of-replicas` annotation \n\nPrint logs only for the specified number of replicas during resource tracking. We print logs only for a single replica by default to avoid excessive log output and to optimize resource usage.\n\nExample:\n```yaml\nwerf.io/show-logs-only-for-number-of-replicas: \"999\"\n```\nFormat:\n```\nwerf.io/show-logs-only-for-number-of-replicas: \"\u003cany positive number or zero\u003e\"\n```\nDefault:\n```\n1\n```\n\n### `werf.io/show-logs-only-for-containers` annotation \n\nPrint logs only for specified containers during resource tracking.\n\nExample:\n```yaml\nwerf.io/show-logs-only-for-containers: \"backend,frontend\"\n```\nFormat:\n```\nwerf.io/show-logs-only-for-containers: \u003ccontainer_name\u003e[,\u003ccontainer_name\u003e...]\n```\n\n### `werf.io/show-service-messages` annotation \n\nShow resource events during resource tracking.\n\nExample:\n```yaml\nwerf.io/show-service-messages: \"true\"\n```\nFormat:\n```\nwerf.io/show-service-messages: \"true|false\"\n```\nDefault:\n```\nfalse\n```\n\n### `werf_secret_file` function \n\nRead the specified secret file from the `secret/` directory of the Helm chart.\n\nExample:\n```\nconfig: {{ werf_secret_file \"config.yaml\" | nindent 4 }}\n```\nFormat:\n```\n{{ werf_secret_file \"\u003cfilename, relative to secret/ dir\u003e\" }}\n```\n\n### `dump_debug` function \n\nIf the log level is `debug`, then pretty-dumps the passed value to the logs. Handles just fine any kind of complex types, including .Values, or event root context. Never prints to the templating output.\n\nExample:\n```\n{{ dump_debug $ }}\n```\nFormat:\n```\n{{ dump_debug \"\u003cvalue of any type\u003e\" }}\n```\n\n### `printf_debug` function \n\nIf the log level is `debug`, then prints the result to the logs. Never prints to the templating output.\n\nExample:\n```\n{{ printf_debug \"myval: %s\" .Values.myval }}\n```\nFormat:\n```\n{{ printf_debug \"\u003cformat string\u003e\" \u003cargs...\u003e }}\n```\n\n### `include_debug` function \n\nWorks exactly like the `include` function, but if the log level is `debug`, then also prints various include-related debug information to the logs. Useful for debugging complex includes/defines.\n\nExample:\n```\n{{ include_debug \"mytemplate\" . }}\n```\nFormat:\n```\n{{ include_debug \"\u003ctemplate name\u003e\" \u003ccontext\u003e }}\n```\n\n### `tpl_debug` function \n\nWorks exactly like the `tpl` function, but if the log level is `debug`, then also prints various tpl-related debug information to the logs. Useful for debugging complex tpl templates.\n\nExample:\n```\n{{ tpl_debug \"{{ .Values.myval }}\" . }}\n```\nFormat:\n```\n{{ tpl_debug \"\u003ctemplate string\u003e\" \u003ccontext\u003e }}\n```\n\n## Feature gates\n\n### `NELM_FEAT_PREVIEW_V2` environment variable\n\nActivates all feature gates that will be enabled by default in v2.\n\nExample:\n```shell\nexport NELM_FEAT_PREVIEW_V2=true\nnelm release list\n```\n\n### `NELM_FEAT_REMOTE_CHARTS` environment variable\n\nAllows specifying not only local, but also remote charts as a command-line argument to commands such as `nelm release install`. Adds the `--chart-version` option as well.\n\nWill be the default in the next major release.\n\nExample:\n```shell\nexport NELM_FEAT_REMOTE_CHARTS=true\nnelm release install -n myproject -r myproject --chart-version 19.1.1 bitnami/nginx\n```\n\n### `NELM_FEAT_NATIVE_RELEASE_LIST` environment variable\n\nUse native Nelm implementation of the `release list` command instead of `helm list` exposed as `release list`. Implementations differ a bit, but serve the same purpose.\n\nWill be the default in the next major release.\n\nExample:\n```shell\nexport NELM_FEAT_NATIVE_RELEASE_LIST=true\nnelm release list\n```\n\n### `NELM_FEAT_NATIVE_RELEASE_UNINSTALL` environment variable\n\nUse a new native Nelm implementation of the `release uninstall` command. Not fully backwards compatible with previous implementation.\n\nWill be the default in the next major release.\n\nExample:\n```shell\nexport NELM_FEAT_NATIVE_RELEASE_UNINSTALL=true\nnelm release uninstall -n myproject -r myproject\n```\n\n### `NELM_FEAT_PERIODIC_STACK_TRACES` environment variable\n\nEvery few seconds print stack traces of all goroutines. Useful for debugging purposes.\n\nExample:\n```shell\nexport NELM_FEAT_PERIODIC_STACK_TRACES=true\nnelm release install -n myproject -r myproject\n```\n\n### `NELM_FEAT_FIELD_SENSITIVE` environment variable\n\nWhen showing diffs for Secrets or `werf.io/sensitive: \"true\"` annotated resources, instead of hiding the entire resource diff hide only the actual secret fields: `$.data`, `$.stringData`.\n\nWill be the default in the next major release.\n\nExample:\n```shell\nexport NELM_FEAT_FIELD_SENSITIVE=true\nnelm release plan install -n myproject -r myproject\n```\n\n### `NELM_FEAT_CLEAN_NULL_FIELDS` environment variable\n\nImprove Helm chart compatibility. When rendering charts, remove keys with `null` values from the rendered resource manifests, before applying them. Otherwise, SSA often fail on `null` values, which didn't happen with 3WM.\n\nWill be the default in the next major release.\n\nExample:\n```shell\nexport NELM_FEAT_CLEAN_NULL_FIELDS=true\nnelm release install -n myproject -r myproject\n```\n\n### `NELM_FEAT_MORE_DETAILED_EXIT_CODE_FOR_PLAN` environment variable\n\nWhen the `--exit-code` flag is specified for `nelm release plan install`, return exit code 3, if no resource changes planned, but release still must be installed. Previously, exit code 2 was returned in this case.\n\nWill be the default in the next major release.\n\nExample:\n```shell\nexport NELM_FEAT_MORE_DETAILED_EXIT_CODE_FOR_PLAN=true\nnelm release plan install -n myproject -r myproject --exit-code\n```\n\n## More documentation\n\nFor documentation on regular Helm features, see [Helm docs](https://helm.sh/docs/). A lot of useful documentation can be found in [werf docs](https://werf.io/docs/v2/usage/deploy/overview.html).\n\n## Limitations\n\n* Nelm requires Server-Side Apply enabled in Kubernetes. It is enabled by default since Kubernetes 1.16. In Kubernetes 1.14-1.15 it can be enabled, but disabled by default. Kubernetes 1.13 and older doesn't have Server-Side Apply, thus Nelm won't work with it.\n* *Helm sometimes uses Values from the previous Helm release to deploy a new release*. This is to make Helm easier to use without a proper CI/CD process. This is dangerous, goes against IaC and this is not what users expect. Nelm will never do this: what you explicitly pass via `--values` and `--set` options will be merged with chart values files, then applied to the cluster, as expected.\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md).\n\n## Special thanks\n\n- Helm developers for the Helm codebase that Nelm is built upon.\n- [@DmitryBochkarev](https://github.com/DmitryBochkarev) for the [TypeScript support](https://github.com/werf/nelm/pull/502) in charts.\n- [@kuzaxak](https://github.com/kuzaxak) for the [werf.io/sensitive-paths](https://github.com/werf/nelm/pull/364) annotation.\n\n## Future plans\n\n- [x] Nelm CLI.\n- [x] Nelm v1.\n- [x] Refactor, stabilize.\n- [x] Advanced resource lifecycle management.\n- [x] Advanced Kubeconform-based local validation.\n- [ ] Nelm v2.\n- [ ] Migration to Helm v4.\n- [ ] The Nelm operator, which can integrate with ArgoCD/Flux ([#494](https://github.com/werf/nelm/issues/494)).\n- [ ] An alternative to Helm templating ([#54](https://github.com/werf/nelm/issues/54)).\n- [ ] Resource patching support ([#115](https://github.com/werf/nelm/issues/115)).\n- [ ] DRY values.yaml files ([#495](https://github.com/werf/nelm/issues/495)).\n- [ ] Downloading charts directly from Git.\n- [ ] Migrate the built-in secrets management to Mozilla SOPS ([#62](https://github.com/werf/nelm/issues/62)).\n- [ ] Nelmfile.\n","funding_links":[],"categories":["Go","Configuration Management","\u003ca name=\"Go\"\u003e\u003c/a\u003eGo"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwerf%2Fnelm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwerf%2Fnelm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwerf%2Fnelm/lists"}