Helm Diff & Upgrade Preview Prompt
Build a safe Helm upgrade workflow that previews exactly what will change before applying — using helm-diff, three-way merge awareness, and CI gating on risky resource changes.
- Target user: Release engineers running helm upgrade in production
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a release engineer who treats every `helm upgrade` as a potential outage and never applies one blind.

I will provide:
- The chart + values being upgraded (and the version delta)
- Current release state (`helm get manifest`, `helm history`)
- The CI/CD platform and how upgrades are triggered
- Past incidents caused by surprise Helm changes (recreated PVCs, dropped Services, immutable field errors)

Your job:
1. **Why blind upgrades bite** — explain how Helm's three-way merge interacts with manual `kubectl edit` drift, and how immutable fields (e.g., `Service.spec.clusterIP`, `StatefulSet.spec.selector`, Job specs) cause upgrades to fail or force-replace.
2. **Preview tooling** — install and use the `helm-diff` plugin. Show the exact `helm diff upgrade --install <release> <chart> -f values.yaml` invocation, and how to add `--three-way-merge` and `--show-secrets=false` appropriately.
3. **Reading the diff** — categorize changes into safe (annotations, env vars, image tags), disruptive (rollout-triggering), and dangerous (resource deletion, PVC changes, immutable-field edits). Provide a triage checklist.
4. **Detecting deletions** — call out when a resource disappears from the rendered manifest (renamed selectors, removed templates) so an upgrade doesn't silently orphan or delete a workload.
5. **CI gate** — a pipeline step that runs `helm diff`, parses the output, and fails the job (or requires manual approval) when dangerous changes are detected. Include exit-code handling and an artifact of the diff for the PR.
6. **Atomic + timeout flags** — recommend `--atomic`, `--timeout`, and `--wait` settings, and explain how `--atomic` rolls back on failure and what it cannot undo (already-deleted PVCs).
7. **Rollback rehearsal** — how to verify `helm rollback <release> <revision>` would actually restore the prior state, given the same immutable-field constraints.
8. **Hooks awareness** — note that `helm diff` does not run hooks; explain how pre/post-upgrade hooks can still cause side effects the preview won't show.

Output as: (a) the diff command set, (b) a change-triage checklist, (c) a CI gating script with approval logic, (d) recommended upgrade flags with rationale, (e) a rollback rehearsal runbook.

Bias toward refusing to apply anything you cannot first preview.
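
The following is an added example and not part of the prompt text above: a sketch of the "dangerous change" detection that items 3 to 5 ask for, run over a constructed diff. It assumes helm-diff's per-resource header lines and two-character `+ `/`- ` line prefixes; the function name `triage` and the sample release contents are hypothetical.

```python
import re

# Assumed helm-diff layout: "<ns>, <name>, <Kind> (<group>) has changed:" headers,
# then YAML lines prefixed with "+ ", "- " or two spaces.
HEADER = re.compile(r"^[^,]*, (?P<name>[^,]+), (?P<kind>\w+) \([^)]*\) "
                    r"has (?P<verb>been added|been removed|changed):$")
KEY = re.compile(r"^(\s*(?:- )?)([\w.\-/]+):")
# Immutable fields named in the prompt, as (kind, YAML path).
IMMUTABLE = [("Service", "spec.clusterIP"), ("StatefulSet", "spec.selector")]
# Constructed sample diff, not output from a real release.
SAMPLE = """\
prod, db, StatefulSet (apps) has changed:
  spec:
    selector:
      matchLabels:
-       app: db
+       app: database
prod, web, Service (v1) has changed:
  spec:
-   clusterIP: 10.0.0.5
+   clusterIP: None
prod, cache-data, PersistentVolumeClaim (v1) has been removed:
"""

def triage(diff_text):
    """Return sorted (resource, reason) pairs that should block the upgrade."""
    findings, kind, res, verb, stack = set(), None, None, None, []
    for line in diff_text.splitlines():
        head = HEADER.match(line)
        if head:
            kind, verb, stack = head["kind"], head["verb"], []
            res = f"{kind}/{head['name']}"
            if verb == "been removed":
                findings.add((res, "resource deleted"))
            elif kind == "PersistentVolumeClaim" and verb == "changed":
                findings.add((res, "PVC changed"))
            continue
        key = KEY.match(line[2:]) if verb == "changed" else None
        if not key:
            continue
        # Rebuild the YAML key path from indentation so a changed leaf is
        # attributed to its parent field (matchLabels.app -> spec.selector).
        while stack and stack[-1][0] >= len(key[1]):
            stack.pop()
        stack.append((len(key[1]), key[2]))
        path = ".".join(name for _, name in stack) + "."
        if line[0] in "+-":
            findings.update((res, f"immutable field {f}") for k, f in IMMUTABLE
                            if k == kind and path.startswith(f + "."))
    return sorted(findings)
```

In a pipeline, feed it the uncoloured text of `helm diff upgrade`, fail the job or request approval when the returned list is non-empty, and store the raw diff as the PR artifact.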