Configure Secret Storage

You can choose where you store sensitive information for the components that Atlas Kubernetes Operator manages, but Atlas Kubernetes Operator must find the Kubernetes secrets it expects. You can store secrets for Atlas Kubernetes Operator in many ways, including the following methods:

  • Put sensitive information directly into Kubernetes secrets. All tutorials in the Atlas Kubernetes Operator documentation use Kubernetes secrets by default. To use Kubernetes secrets, follow the steps in the tutorials.

  • Put sensitive information in a GitHub repository following a GitOps flow. To store sensitive data in Git securely, you can use tools such as Sealed Secrets, which encrypts secrets for the intended target cluster.

  • Put sensitive information in an external secret storage tool, such as HashiCorp Vault or a hyperscaler's native secret management solution. An intermediary secret provisioning tool fetches the sensitive information from the external secret storage tool and creates Kubernetes secrets from it. To learn more about the secret provisioning tool, see Considerations.

This tutorial sets up an external secret storage tool for use with Atlas Kubernetes Operator. It focuses on "secret-less" setups that don't require Atlas Kubernetes Operator to create and store a secret to provision secrets to the Kubernetes cluster.

This tutorial installs or configures the following tools and options:

  • A secret provisioning tool. The secret provisioning tool uses one or more authentication mechanisms to retrieve the credentials from the secret management service and create secrets that Atlas Kubernetes Operator can use. This tutorial installs one of the following open-source secret provisioning tools:

  • Authentication to access secrets. You can use different methods to authenticate the service accounts and namespaces that can access secrets in HashiCorp Vault:

    • For External Secrets Operator, this tutorial uses OIDC JWT authentication. To learn more, see JWT/OIDC authentication.

    • For Secrets Store CSI Driver, this tutorial uses Kubernetes authentication.

    Alternatively, your cloud provider's KMS can use native IAM systems to provide this authentication, which isn't covered in this tutorial. To learn how to configure your cloud provider's KMS for authentication, see the following resources in the External Secrets Operator documentation:

Before you complete this tutorial, you need the following tools and configurations:

  • Running service accounts for Kubernetes, Atlas Kubernetes Operator, and Atlas and sufficient privileges to configure them.

    You need a running Kubernetes cluster with nodes running processors with the x86-64, AMD64, or ARM64 architecture. For this tutorial, the Kubernetes cluster is listening on the default port (443).

    You can access the Atlas Kubernetes Operator project on GitHub:

    To install the Atlas Kubernetes Operator using the Atlas CLI, run the following command:

    atlas kubernetes operator install [options]

    To learn more about the command syntax and parameters, see the Atlas CLI documentation for atlas kubernetes operator install.


    See: Related Links

    To deploy the Atlas Kubernetes Operator, run the following command. Replace <version> with the latest release number.

    kubectl apply -f<version>/deploy/all-in-one.yaml

    To register for an Atlas account, see Create an Atlas Account.

  • API keys. You must create an API key and configure the API Access List.

    You need the following public API key, private API key, and the organization ID information to configure Atlas Kubernetes Operator access to Atlas.

    • If you want Atlas Kubernetes Operator to create a new Atlas project, Create an API Key in an Organization. If your organization requires an IP access list for the Atlas Administration API, you must also configure the API access list.


      You must assign the API key the Organization Project Creator organization role or higher.

    • If you want to work with an existing Atlas project, Create an API Key for a Project. If your organization requires an IP access list for the Atlas Administration API, you must also configure the API access list.


      You must assign the API key the Project Owner project role.

  • A secret storage vault. This tutorial uses HashiCorp Vault, which is a third-party service for secret storage, running at

    You can use other secret storage vaults with Atlas Kubernetes Operator as needed, including Cloud KMS from AWS, Azure, and Google.

  • Internal access only. To prevent exposing sensitive information over the public internet, the following components of the secret storage solution allow internal access only:

    • The HashiCorp Vault or KMS service.

    • The Kubernetes Cluster APIs service.

    • The internal network. This tutorial uses

    While the previous components allow internal access only, they allow access to each other and allow access to anyone within your team or organization. This is a best practice for security.

  • Public Certificate Authorities (CAs). You can use public CAs to avoid managing and distributing custom CA root certificates.

    You can automate CA cert management and renewal by using any of the following tools:

    In this tutorial:

    • All HTTPS services use internal addresses, but their HTTPS sites hold automatically renewed certificates signed by a public CA.

    • No mutual TLS (mTLS) is required for this integration because it performs only server-side HTTPS validation.

    • Clients can trust these service certificates without extra certificate provisioning.

Follow these steps to configure secret storage for Atlas Kubernetes Operator.


Select a secret provisioning tool to install it.


You can now deploy Atlas Kubernetes Operator custom resources. Atlas Kubernetes Operator authenticates with the Kubernetes secrets that reference your HashiCorp Vault. Adjust the timeout values as needed for your deployments.

kubectl apply -f ako/project.yaml
kubectl apply -f ako/deployment.yaml
kubectl apply -f ako/user.yaml
kubectl wait --for=condition=ready atlasdeployment/serverless-deployment --timeout=10m
kubectl wait --for=condition=ready atlasdatabaseuser/user --timeout=10m

To learn more about these custom resources, see Custom Resources.


To test your Atlas Kubernetes Operator deployment, run the following command:

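# Read the connection string from the database user's connection secret and decode it.
export ATLAS_DEPLOYMENT_CONN_STR=$(kubectl get secrets/test-atlas-operator-project-test-serverless-deployment-dbuser -o jsonpath='{.data.connectionStringStandardSrv}' | base64 -d)
# Connect with the decoded connection string and list the databases.
mongosh "${ATLAS_DEPLOYMENT_CONN_STR}" --apiVersion 1 --eval "show dbs"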

Atlas Kubernetes Operator returns a list of your database deployments.
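
A pre-flight check for the Kubernetes secrets that your provisioning tool creates, added here as an example (it is not code from the Atlas Kubernetes Operator project). The key names orgId, publicApiKey and privateApiKey and the label atlas.mongodb.com/type=credentials are assumed from the operator's documented credentials secret, and the secret names and values below are constructed.

```python
import base64

# Assumed from the operator's documented credentials secret; not stated on this page.
API_KEYS = ("orgId", "publicApiKey", "privateApiKey")
CRED_LABEL = ("atlas.mongodb.com/type", "credentials")


def b64(text):
    return base64.b64encode(text.encode()).decode()


def check_secret(secret, required_keys, label=None):
    """Return a list of problems. Decoded values are never put in the messages."""
    meta = secret.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    problems = []
    if label and (meta.get("labels") or {}).get(label[0]) != label[1]:
        problems.append(f"{name}: label {label[0]}={label[1]} not set")
    data = secret.get("data") or {}
    for key in required_keys:
        if key not in data:
            problems.append(f"{name}: key {key} is absent")
            continue
        try:
            value = base64.b64decode(data[key], validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            problems.append(f"{name}: key {key} is not base64-encoded UTF-8")
            continue
        if not value.strip():
            problems.append(f"{name}: key {key} is empty")
        elif value != value.strip():
            # Typical when the value was stored in the vault with a trailing newline.
            problems.append(f"{name}: key {key} has surrounding whitespace")
    return problems


# Constructed samples shaped like `kubectl get secret <name> -o json` output.
GOOD = {"metadata": {"name": "atlas-api-key", "labels": {CRED_LABEL[0]: CRED_LABEL[1]}},
        "data": {"orgId": b64("constructed-org"), "publicApiKey": b64("constructed-pub"),
                 "privateApiKey": b64("constructed-priv")}}
BAD = {"metadata": {"name": "atlas-api-key-bad"},
       "data": {"publicApiKey": b64("constructed-pub"),
                "privateApiKey": b64("constructed-priv\n")}}
CONN = {"metadata": {"name": "dbuser-conn"},
        "data": {"connectionStringStandardSrv": b64("mongodb+srv://constructed.example/")}}

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(check_secret(sample, API_KEYS, CRED_LABEL))
    print(check_secret(CONN, ("connectionStringStandardSrv",)))
```

Run it against the parsed output of `kubectl get secret <name> -o json` before you apply the custom resources. The messages name the affected keys but never echo decoded values, so the output is safe to keep in CI logs.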
