diff --git a/services/atlasbot/kustomization.yaml b/services/atlasbot/kustomization.yaml
index 387f428..4fe2c88 100644
--- a/services/atlasbot/kustomization.yaml
+++ b/services/atlasbot/kustomization.yaml
@@ -6,6 +6,8 @@ resources:
 - atlasbot-deployment.yaml
 - atlasbot-service.yaml
 - atlasbot-rbac.yaml
+ - secretproviderclass.yaml
+ - vault-sync-deployment.yaml
 - image.yaml
 images:
 - name: registry.bstein.dev/bstein/atlasbot
diff --git a/services/atlasbot/secretproviderclass.yaml b/services/atlasbot/secretproviderclass.yaml
new file mode 100644
index 0000000..f286b2f
--- /dev/null
+++ b/services/atlasbot/secretproviderclass.yaml
@@ -0,0 +1,21 @@
+# services/atlasbot/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: atlasbot-vault
+ namespace: ai
+spec:
+ provider: vault
+ parameters:
+ vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+ roleName: "ai"
+ objects: |
+ - objectName: "harbor-pull__dockerconfigjson"
+ secretPath: "kv/data/atlas/shared/harbor-pull"
+ secretKey: "dockerconfigjson"
+ secretObjects:
+ - secretName: harbor-regcred
+ type: kubernetes.io/dockerconfigjson
+ data:
+ - objectName: harbor-pull__dockerconfigjson
+ key: .dockerconfigjson
diff --git a/services/atlasbot/vault-sync-deployment.yaml b/services/atlasbot/vault-sync-deployment.yaml
new file mode 100644
index 0000000..5efaf3a
--- /dev/null
+++ b/services/atlasbot/vault-sync-deployment.yaml
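Review bot: `vaultAddress` points at Vault over plain `http://`, so the role login and the fetched `harbor-pull` credential cross the cluster network unencrypted; use `https://` and pass the cluster CA through `vaultCACertPath` so the provider verifies the Vault endpoint, e.g. `vaultAddress: "https://vault.vault.svc.cluster.local:8200"` plus `vaultCACertPath: "<PATH-TO-CA-BUNDLE>"`. The `secretObjects` stanza additionally materialises the pull credential as an ordinary Kubernetes Secret `harbor-regcred` in namespace `ai`, which widens its readership from pods that mount the CSI volume to any principal with `get`/`list` on secrets in that namespace; worth checking against the rules in `atlasbot-rbac.yaml`, which is outside this diff. The `objects:` value is a block string the YAML parser does not validate, so a short comment above it noting that `secretPath` looks like a KV v2 path (the `/data/` segment) and that the provider parses the string itself would spare the next reader a detour to the provider docs.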
@@ -0,0 +1,34 @@
+# services/atlasbot/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: atlasbot-vault-sync
+ namespace: ai
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: atlasbot-vault-sync
+ template:
+ metadata:
+ labels:
+ app: atlasbot-vault-sync
+ spec:
+ serviceAccountName: atlasbot
+ containers:
+ - name: sync
+ image: alpine:3.20
+ command: ["/bin/sh", "-c"]
+ args:
+ - "sleep infinity"
+ volumeMounts:
+ - name: vault-secrets
+ mountPath: /vault/secrets
+ readOnly: true
+ volumes:
+ - name: vault-secrets
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: atlasbot-vault
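Review bot: The `sync` container is a full shell image with no `securityContext` and no resource requests or limits, and it has the registry credential mounted at `/vault/secrets`; alpine's default user is root, so the pod runs privileged-by-default in namespace `ai` while holding a secret it never uses. If the Deployment exists only to keep the CSI volume attached so that the `harbor-regcred` Secret stays synced (which is what `sleep infinity` suggests), a restricted securityContext and small resource limits cost nothing and shrink the blast radius of a compromised or exec'd pod; suggested container stanza below. A one-line comment above `metadata:` stating that purpose, e.g. `# Keeps the atlasbot-vault CSI volume mounted so the synced harbor-regcred Secret exists`, would also help, since nothing in the file says why a sleeping pod is wanted. Whether the pod itself needs a projected service-account token depends on how the CSI driver obtains Vault tokens in this cluster; if it does not, `automountServiceAccountToken: false` on the pod spec is worth considering.

```yaml
      containers:
        - name: sync
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - "sleep infinity"
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 10m
              memory: 16Mi
            limits:
              cpu: 50m
              memory: 32Mi
          # … unchanged: volumeMounts …
```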