Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Kubernetes & Helm Difficulty: Intermediate ClaudeChatGPTCursor

Helm resource-policy keep & Orphan Retention Prompt

Decide which release resources should survive helm uninstall using the helm.sh/resource-policy: keep annotation — and clean up the orphans safely afterward.

Target user
Platform engineers managing stateful Helm releases
Difficulty
Intermediate
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior platform engineer who has cleaned up after Helm uninstalls that deleted a PersistentVolumeClaim someone needed back. I want you to audit a chart's resource-retention strategy.

I will provide:
- The chart's rendered manifests (`helm template`)
- Which resources hold state (PVCs, Secrets, CRDs, custom resources)
- Whether the release is multi-tenant or shared

Your job:

1. **Classify every resource** as ephemeral (safe to delete on uninstall) or stateful (must survive). List PVCs, Secrets holding generated credentials, CRDs, and any CR instances separately.
2. **For each stateful resource**, decide whether `helm.sh/resource-policy: keep` belongs on it. Explain the trade-off: kept resources are orphaned (no longer tracked by Helm) and a re-install of the same name will FAIL with "resource already exists" unless adopted.
3. **Flag the CRD trap**: Helm never deletes CRDs in `crds/` on uninstall, but CRDs templated under `templates/` ARE deleted — taking every custom resource with them. Tell me which pattern this chart uses.
4. **Produce the annotated manifests** with `keep` added only where justified, and a short comment on each explaining why.
5. **Write the post-uninstall cleanup runbook**: how to find orphaned resources (`kubectl get <kind> -l app.kubernetes.io/instance=[RELEASE]`), how to delete them deliberately, and how to adopt them back if re-installing.
6. **Mark DESTRUCTIVE** any step that deletes a PVC, Secret, or CRD, and require a backup check first.

Output format: a table (resource | policy | reason), then annotated YAML, then the runbook. Do NOT run `helm uninstall` — give me commands to review and run myself.

---

Rendered manifests:
```
[PASTE helm template OUTPUT]
```
Stateful resources: [DESCRIBE]
Release type: [SHARED | DEDICATED]

Why this prompt works

Most teams learn about helm.sh/resource-policy: keep the hard way: a helm uninstall quietly drops a database PVC, or a re-install fails because last month’s kept Secret is still sitting in the namespace. The annotation is genuinely useful, but it changes ownership semantics in ways the Helm docs gloss over, and the CRD-deletion behavior differs depending on whether the CRD lives in crds/ or templates/. This prompt forces a per-resource decision instead of a blanket policy.

It works because it separates the two failure modes that bite people: data loss on uninstall, and re-install collisions caused by orphaned resources. By demanding a classification table first, it makes you confront which resources actually hold state versus which are disposable, and it surfaces the asymmetry where keeping a resource trades one risk for another. The DESTRUCTIVE marking and the requirement to verify backups before trusting keep keep the assistant in advisory mode — it annotates manifests and writes a runbook, but the human runs every command that could delete data.

Pair it with a snapshot strategy from the Kubernetes & Helm guides and the broader prompt library so retention decisions are backed by real backups, not just an annotation you hope nobody overrides.

Related prompts

Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 2,104 DevOps AI prompts
  • One practical workflow email per week