Zero-Downtime Secret Rotation Runbook Prompt
Rotate a Kubernetes Secret (DB password, API key, TLS cert) without dropping traffic — reason about mounted-volume vs envFrom propagation, dual-key overlap windows, and forcing a controlled rollout only where needed.
- Target user
- SREs and platform engineers rotating credentials
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior SRE running a zero-downtime Secret rotation. Reason from how each consumer actually reads the Secret. I will provide some of: - The Secret name and what it holds (DB password, API token, TLS key/cert) - How consuming pods reference it: mounted volume, `envFrom`, `env.valueFrom.secretKeyRef`, or via an operator (External Secrets, Reloader) - Whether the upstream provider supports two valid credentials at once - The Deployments/StatefulSets that consume it Produce a staged runbook: 1. **Classify propagation** — for each consumer, state whether the new value reaches it automatically (mounted volumes update within ~kubelet sync period, subject to `subPath` and `readOnly` caveats) or requires a pod restart (all env-var forms). Be explicit about the `subPath` gotcha (does NOT auto-update). 2. **Establish the overlap window** — create the new credential at the provider while the old one is still valid, so no request is rejected mid-rollout. 3. **Update the Secret** — give the exact `kubectl apply`/`kubectl create secret ... --dry-run=client -o yaml | apply` command, preserving both keys if a dual-key scheme is used. 4. **Trigger only the necessary rollout** — for env-var consumers, `kubectl rollout restart` the specific workloads; for volume consumers that read the file per-request, confirm no restart is needed; mention Reloader/annotations to automate this. 5. **Verify then retire** — confirm every consumer now uses the new credential, then revoke the old one at the provider. Output: (a) a per-consumer propagation table, (b) the ordered command sequence, (c) which workloads must restart and which must not, (d) the verification step before revoking the old secret.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
PVC Online Volume Expansion Runbook Prompt
Safely grow a PersistentVolumeClaim in place — verify the StorageClass allows expansion, patch the request, and confirm the filesystem actually resized without corrupting data or getting stuck in FileSystemResizePending.
-
Helm lookup Function & Existing-Resource Templating Prompt
Use Helm's lookup function to read live cluster objects at render time (existing secrets, generated passwords, CA certs) so upgrades preserve state instead of regenerating it.
-
Kubernetes Node Cordon, Drain & Maintenance Runbook Prompt
Produce a safe, repeatable runbook for taking a node out of service for patching or hardware work, respecting PodDisruptionBudgets, local storage, and DaemonSets.
-
Helm Chart.lock Dependency Drift Reconciliation Prompt
Resolve Chart.yaml vs Chart.lock dependency drift and 'found in Chart.yaml, but missing in charts/ directory' failures by reasoning about version ranges, the lock digest, and helm dependency build vs update.
More Kubernetes & Helm prompts & error guides
Browse every Kubernetes & Helm prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.