Skip to main content

Install SDR orchestrator on Kubernetes

Important!

Some capabilities shown here may require additional enablement or licensing. Contact your Atlan representative for details.

This guide walks you through deploying the SDR Orchestrator on a Kubernetes cluster. You download the SDR package, fill in a single configuration file, install via Helm, and verify the connection in the Atlan UI. The SDR Orchestrator then automatically manages the full lifecycle of Atlan apps—installation, upgrades, health checks, and self-updates—without any manual intervention.

For Docker or Podman-based installations, see Install SDR Orchestrator on Docker/Podman.

System requirements

  • Kubernetes cluster: EKS, GKE, AKS, k3s, OpenShift, RKE2, or any CNCF-conformant distribution. See supported distributions.
  • Kubernetes version: 1.24+
  • CLI tools: kubectl and helm (v3+) configured with access to the target cluster
  • SDR Orchestrator resources:
    • CPU: 100m request, 500m limit
    • Memory: 256Mi request, 512Mi limit
  • Per app resources: 0.5–1 vCPU, 512 MB–1 GB memory (varies by app)

Prerequisites

Setup takes 10–15 minutes. Gather credentials from your infrastructure team beforehand.

Before you begin, verify you have:

  • kubectl and helm (v3+) configured with administrative access to the target cluster (ability to create namespaces, roles, deployments)
  • An OAuth client ID and client secret from your Atlan representative
  • A Docker Hub Personal Access Token (PAT) from your Atlan representative (required to pull private app images)
    • The PAT is regenerated periodically—contact your Atlan representative for the latest token.
  • Object storage: AWS S3, Google Cloud Storage, or Azure Blob Storage. See Dapr object store docs.
  • Secret store: AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, or HashiCorp Vault. See Dapr secret store docs.
  • Outbound network connectivity (HTTPS) from the cluster to:
    • <tenant>.atlan.com:Atlan API, auth, event ingress
    • <tenant>-temporal.atlan.com:443:Temporal workflow server
    • docker.io:pull app container images

Download SDR package

Download the SDR package from Atlan. This archive contains the Helm chart, a pre-filled values.yaml template, and a README.

curl -fSL -o sdr-orchestrator-k8s.tar.gz \
  https://atlan-public.s3.eu-west-1.amazonaws.com/sdr-orchestrator-k8s-app/sdr-orchestrator-k8s.tar.gz
tar -xzf sdr-orchestrator-k8s.tar.gz
cd sdr-orchestrator-k8s

The extracted directory contains the following files:

sdr-orchestrator-k8s/
├── chart/           # Helm chart (do not modify)
├── values.yaml      # Configuration file (edit this)
└── README.md        # Quick reference

Create namespace and registry credentials

Create the atlan namespace and a secret for pulling private app images from Docker Hub.

kubectl create namespace atlan

kubectl create secret docker-registry atlan-registry-creds \
  --namespace atlan \
  --docker-server=docker.io \
  --docker-username=YOUR_DOCKERHUB_USERNAME \
  --docker-password=YOUR_DOCKERHUB_PAT

Replace YOUR_DOCKERHUB_USERNAME and YOUR_DOCKERHUB_PAT with the credentials provided by your Atlan representative.

PAT rotation

The Docker Hub PAT is regenerated periodically. If pulls start failing, contact your Atlan representative for the latest token.

Configure values.yaml

Open values.yaml and fill in the required values. The SDR image tag is already pre-filled. Don't change it.

Atlan identity

  • deploymentName: A unique identifier for this SDR installation (for example, mycompany-eks). Lowercase letters, numbers, and hyphens only. Must start and end with a letter or number.
  • domain: Your Atlan tenant domain (for example, mycompany.atlan.com). Don't include https://.
sdr:
  enabled: true
  deploymentName: "mycompany-eks"

  credentials:
    clientId: "oauth-client-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    clientSecret: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

  config:
    domain: "mycompany.atlan.com"

Object storage

Self-Deployed Runtime needs a store for reading or writing files. Configure the object storage under sdr.config.components.

Did you know?

Dapr supports additional object stores. For more information, see Dapr object store documentation.

Add AWS S3 configuration. For more information, see AWS S3 Binding Spec.

sdr:
  config:
    components:
      objectstore:
        type: bindings.aws.s3
        version: v1
        metadata:
          - name: accessKey  # optional, leave empty for IAM / IRSA authentication
            value: ""
          - name: secretKey  # optional, leave empty for IAM / IRSA authentication
            value: ""
          - name: bucket     # required
            value: "<bucket-name>"
          - name: region     # required
            value: "<bucket-region>"
          - name: forcePathStyle
            value: "true"

Secret store

Self-Deployed Runtime fetches secrets from a secret store to connect to source systems. Configure the secret store under the same sdr.config.components section.

Did you know?

Dapr supports additional secret stores. For more information, see Dapr secret store documentation.

Add AWS Secrets Manager configuration. For more information, see AWS Secrets Manager.

sdr:
  config:
    components:
      secretstore:
        type: secretstores.aws.secretmanager
        version: v1
        metadata:
          - name: region  # required
            value: "<secret-region>"
          - name: accessKey  # optional, leave empty for IAM / IRSA
            value: ""
          - name: secretKey  # optional, leave empty for IAM / IRSA
            value: ""

Private container registry (optional)

If you mirror Atlan app images to your own registry, set containerRegistryBase in values.yaml to rewrite image URLs at deploy time. For example, atlanhq/atlan-oracle-app:1.0 becomes myregistry.io/atlan/atlan-oracle-app:1.0.

sdr:
  config:
    containerRegistryBase: "myregistry.io/atlan"

Leave this empty (or omit it) if pulling directly from Docker Hub.

Sample values.yaml files

Below are complete, copy-paste-ready values.yaml snippets for common infrastructure combinations. Replace placeholder values with your actual credentials.

image:
  repository: atlanhq/atlan-sdr-orchestrator-k8s
  tag: "latest"   # pre-filled by Atlan—don't change
  pullPolicy: Always

sdr:
  enabled: true
  deploymentName: "mycompany-eks"

  credentials:
    clientId: "oauth-client-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    clientSecret: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

  imagePullSecrets:
    - name: atlan-registry-creds

  config:
    domain: "mycompany.atlan.com"
    components:
      objectstore:
        type: bindings.aws.s3
        version: v1
        metadata:
          - name: bucket
            value: "<your-bucket-name>"
          - name: region
            value: "us-east-1"
          - name: forcePathStyle
            value: "true"

      secretstore:
        type: secretstores.aws.secretmanager
        version: v1
        metadata:
          - name: region
            value: "us-east-1"

Install SDR Orchestrator

Run helm install with the release name atlan-sdr-<deployment_name>. The release name must follow this pattern—it's required for the automatic self-update mechanism.

helm install atlan-sdr-<DEPLOYMENT_NAME> ./chart \
  --namespace atlan \
  -f values.yaml

Replace <DEPLOYMENT_NAME> with the value you set in sdr.deploymentName. For example:

helm install atlan-sdr-mycompany-eks ./chart \
  --namespace atlan \
  -f values.yaml

Helm creates all required resources in one command:

ResourceNamePurpose
Deploymentatlan-sdr-<name>SDR orchestrator pod
Secretatlan-sdr-<name>-credentialsOAuth + deployment credentials
ConfigMapatlan-sdr-<name>-configDomain, Dapr component specs
ServiceAccountatlan-sdr-<name>-serviceaccountK8s API identity
Roleatlan-sdr-<name>-roleNamespace-scoped permissions
RoleBindingatlan-sdr-<name>-rolebindingBinds role to service account

For full details on what each resource does, see SDR Orchestrator on Kubernetes.

Verify installation

  1. Check the SDR pod is running:

    kubectl get pods -n atlan -l app=atlan-sdr

    Expected output:

    NAME                                        READY   STATUS    RESTARTS   AGE
    atlan-sdr-mycompany-eks-xxxxx-xxxxx         1/1     Running   0          2m

  2. Check logs for "K8s SDR worker listening on task_queue" which confirms Temporal connectivity:

    kubectl logs -n atlan -l app=atlan-sdr --tail=50

    You can see:

    [entrypoint] Starting K8s SDR agent...
    [entrypoint] deployment_name=mycompany-eks
    [entrypoint] Generating SDR Dapr components from config.yaml...
    ...
    K8s SDR worker listening on task_queue=atlan-sdr-mycompany-eks

  3. Verify in Atlan UI: Go to Settings > Self-Deployed Runtimes. Your deployment appears as "Connected."

  4. Install apps: From the Atlan UI, navigate to the Marketplace, select an app, and choose your SDR as the deployment target. The SDR automatically creates the app Deployment with all necessary configurations.

Automatic updates

The SDR Orchestrator manages two types of automatic updates:

  • App updates: When a new app version is published to the marketplace, the reconciler detects the version mismatch and triggers an update via the SDR (checked every 60 minutes). The SDR runs helm upgrade --install with the new image tag, and K8s performs a rolling update.

  • SDR self-updates: The SDR Orchestrator itself is also a marketplace app. When a new SDR version is published, the same reconciler triggers a self-update. The SDR runs helm upgrade --reuse-values with the new image tag, and K8s rolls the SDR pod to the new version.

No manual intervention is required for either type of update.

Uninstall

To remove the SDR orchestrator and all managed apps:

# List all Helm releases in the atlan namespace
helm list -n atlan

# Uninstall each app first
helm uninstall oracle -n atlan
helm uninstall redshift -n atlan
# ... uninstall other apps

# Uninstall the SDR
helm uninstall atlan-sdr-<DEPLOYMENT_NAME> -n atlan

# Clean up remaining resources
kubectl delete secret atlan-registry-creds -n atlan
kubectl delete namespace atlan
warning

Deleting the namespace removes all resources in it, including any app Deployments managed by the SDR.

Need help

If the SDR pod isn't starting or apps aren't deploying, check the logs:

kubectl logs -n atlan -l app=atlan-sdr --tail=100

Common issues:

  • "IP address not allowed": Your cluster's egress IP needs to be allowlisted on the Atlan tenant. Contact your Atlan representative.
  • "Authentication token refresh failed": Check OAuth credentials in values.yaml (sdr.credentials.clientId and sdr.credentials.clientSecret).
  • "ImagePullBackOff": Check registry credentials (atlan-registry-creds Secret). The Docker Hub PAT may need rotation.
  • Pod stuck in Pending: Check cluster resource availability with kubectl describe pod -n atlan.
  • App pod CrashLoopBackOff: Check the app pod logs. Common causes: misconfigured object storage or secret store in values.yaml.

For additional troubleshooting, see the SDR Orchestrator FAQ.

Next steps

Once the SDR shows as Connected in Atlan UI:

  1. Navigate to the Marketplace and pick an app (for example, Oracle connector).
  2. Click Install and select your SDR as the deployment target.
  3. The SDR handles everything—creating the Deployment, configuring Dapr components, health checking, and reporting success back to Atlan. No terminal commands are needed.

See also