diff --git a/keystone/templates/secret-credential-keys.yaml b/keystone/templates/secret-credential-keys.yaml
index 8a2c5eb5b3..302f31dad3 100644
--- a/keystone/templates/secret-credential-keys.yaml
+++ b/keystone/templates/secret-credential-keys.yaml
@@ -22,6 +22,7 @@ metadata:
 {{- if .Values.helm3_hook }}
 annotations:
 "helm.sh/hook": pre-install
+ "helm.sh/resource-policy": keep
 {{- end }}
 type: Opaque
 data:
diff --git a/keystone/templates/secret-fernet-keys.yaml b/keystone/templates/secret-fernet-keys.yaml
index 8af0973098..603964ae1b 100644
--- a/keystone/templates/secret-fernet-keys.yaml
+++ b/keystone/templates/secret-fernet-keys.yaml
@@ -23,6 +23,7 @@ metadata:
 {{- if .Values.helm3_hook }}
 annotations:
 "helm.sh/hook": pre-install
+ "helm.sh/resource-policy": keep
 {{- end }}
 type: Opaque
 data:
diff --git a/releasenotes/notes/keystone-56908951efdcc19e.yaml b/releasenotes/notes/keystone-56908951efdcc19e.yaml
new file mode 100644
index 0000000000..a20b77fa71
--- /dev/null
+++ b/releasenotes/notes/keystone-56908951efdcc19e.yaml
@@ -0,0 +1,9 @@
+---
+keystone:
+ - |
+ Annotate credential and fernet keys secrets with the Helm keep policy.
+ While helm does not clean up hook resources today, their documentation
+ says that it is coming and users should annotate resources they do not
+ expect to be deleted appropriately. Some GitOps tools like ArgoCD
+ implement the cleanup today as part of their Helm support.
+...
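Review bot: The added `"helm.sh/resource-policy": keep` line in secret-credential-keys.yaml, and the identical line in secret-fernet-keys.yaml, means the Secret holding Keystone key material stays in the namespace after the release is removed, and neither template says so. A short comment above the annotation would make that explicit for operators, e.g. `# kept on uninstall: holds key material, delete manually when decommissioning`. The annotation is also rendered only inside the `helm3_hook` conditional, so installs with that value unset get no keep policy; if that is intended, the release note should say so. The `metadata:` block begins above both hunks, so any annotations set outside the conditional are not visible here.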