Secure Agent vs self-deployed runtime
This page provides a detailed comparison between Secure Agent and Self-Deployed Runtime (SDR) to help you understand what changes—and what stays the same—when you migrate.
Architecture comparison
| Aspect | Secure Agent | SDR Single App | SDR Orchestrator (recommended) |
|---|---|---|---|
| Core components | K3s + Argo Workflows + Agent Orchestrator + Health Monitor | App container + Dapr sidecar + Temporal Worker | SDR Orchestrator container + per-app containers + Dapr + Temporal Worker |
| Orchestration engine | Argo Workflows | Atlan-managed Temporal | |
| Job pickup | Polling every 5 minutes | Persistent gRPC (near-instant) | |
| Communication model | Outbound only (HTTPS) | Outbound only (HTTPS + gRPC) | |
| Atlan endpoints | <tenant>.atlan.com:443 | <tenant>.atlan.com:443 + <tenant>-temporal.atlan.com:443 | |
| App support per deployment | Yes (single deployment for multiple apps) | One app per source type | Yes (single deployment for multiple apps) |
Security comparison
| Aspect | Secure Agent | Self-Deployed Runtime |
|---|---|---|
| Authentication | API key (shared across all workflows) | Per-app OAuth 2.0 client credentials |
| Token lifecycle | 90–180 day API key (manual rotation) | 15-minute JWT (auto refresh) |
| Image security | Public Docker Hub repository, no image signing | Private Docker Hub repository, Cosign-signed, Sigstore transparency log |
| Container hardening | Standard K3s defaults | Non-root, read-only filesystem, no shell, distroless base |
| Credential isolation | Shared API key for all connectors | Unique OAuth credentials per app |
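The container-hardening row above lists properties you can verify on a running deployment rather than take on trust. The following audit script is an added example, not Atlan's own tooling: it reads the JSON that `docker inspect` prints (the `Config.User`, `HostConfig.ReadonlyRootfs`, `HostConfig.Privileged` and `HostConfig.CapAdd` fields are standard Docker output) and flags containers that run as root, with a writable root filesystem, privileged, or with extra capabilities. The container names and images in the samples are constructed; "no shell" and "distroless base" are image-content properties that `docker inspect` cannot show, so they are not checked here.

```python
"""Audit containers against the SDR hardening baseline (non-root, read-only rootfs)."""
import json
import subprocess

# Constructed sample of `docker inspect` output for a hardened SDR container.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/sdr-orchestrator",
    "Config": {"User": "65532:65532", "Image": "example/sdr-orchestrator:1.0"},
    "HostConfig": {"ReadonlyRootfs": True, "Privileged": False, "CapAdd": None},
}])

# Constructed sample resembling unhardened defaults: root user, writable rootfs.
BAD_SAMPLE = json.dumps([{
    "Name": "/legacy-agent",
    "Config": {"User": "", "Image": "example/legacy-agent:1.0"},
    "HostConfig": {"ReadonlyRootfs": False, "Privileged": False, "CapAdd": None},
}])


def audit(inspect_json: str) -> dict:
    """Return {container_name: [findings]}; an empty list means the baseline is met."""
    findings = {}
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")  # docker prefixes names with "/"
        issues = []
        # Config.User is "" when the image runs as root by default.
        uid = (c["Config"].get("User") or "").split(":")[0]
        if uid in ("", "0", "root"):
            issues.append("runs as root (Config.User unset or 0)")
        hc = c["HostConfig"]
        if not hc.get("ReadonlyRootfs"):
            issues.append("writable root filesystem (HostConfig.ReadonlyRootfs false)")
        if hc.get("Privileged"):
            issues.append("privileged container")
        if hc.get("CapAdd"):
            issues.append("added capabilities: " + ", ".join(hc["CapAdd"]))
        findings[name] = issues
    return findings


def audit_live(container: str) -> dict:
    """Inspect a real container on this host and audit its settings."""
    out = subprocess.run(["docker", "inspect", container], check=True,
                         capture_output=True, text=True).stdout
    return audit(out)


if __name__ == "__main__":
    for sample in (SAMPLE_INSPECT, BAD_SAMPLE):
        for name, issues in audit(sample).items():
            print(name, "OK" if not issues else "; ".join(issues))
```

Run `audit_live("<container-name>")` against your own SDR containers; any non-empty finding list is a deviation from the hardening baseline in the table.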
Deployment comparison
| Aspect | Secure Agent | SDR Single App | SDR Orchestrator (recommended) |
|---|---|---|---|
| Supported platforms | K3s on VM, AWS EKS | Docker, Podman, or Kubernetes | |
| Installation method | K3s bootstrap + Helm chart | Docker Compose or Helm | Download package, configure, docker compose up |
| Kubernetes required | Yes | Optional | |
| Scaling model | Argo parallelism settings | Deploy additional app containers | Deploy additional app instances from Atlan UI |
| App lifecycle management | Manual base image updates | Manual (docker/kubectl commands) | Automated from Atlan UI (install, update, remove) |
| Container runtime | K3s (embedded containerd) | Docker Engine 20.10+ or Podman 4.0+ or K8s 1.24+ | |
What's new in SDR
These capabilities are available in SDR but have no Secure Agent equivalent:
| Capability | Description |
|---|---|
| HashiCorp Vault support | Use HashiCorp Vault as your secret store via Dapr integration |
| Podman support | Deploy on Podman 4.0+ (rootless) as an alternative to Docker |
| Automated app lifecycle | SDR Orchestrator manages install, update, and removal of apps from the Atlan UI |
| Per-app OAuth credentials | Each app gets unique OAuth 2.0 credentials, limiting blast radius if compromised |
| Environment variable secrets | Use local environment variables as a lightweight secret store option |
| Distroless containers | Minimal container images with no shell access, reducing attack surface |
See also
- Configuration mapping: Translate your existing Secure Agent settings to SDR equivalents
- SDR Architecture: Deep dive into SDR components and data flow
- SDR Orchestrator Architecture: How the Orchestrator manages app containers
- SDR Security: Security model, container hardening, and compliance
- Secure Agent Deployment Architecture: Current Secure Agent architecture for reference
- Migration guide: Ready to migrate? Follow the end-to-end guide