diff --git a/k8s/configuration/secret.yaml b/k8s/configuration/secret.yaml
index d8802ea2..7ea83cb1 100644
--- a/k8s/configuration/secret.yaml
+++ b/k8s/configuration/secret.yaml
@@ -1,7 +1,11 @@
-# All secret data should be base64 encoded before embedding them here by
-# using `echo "secret string" | base64 -w 0 > secret.string.b64` and then
-# copy the resulting value here.
+# All secret data should be base64 encoded before embedding them here.
+# Short strings can be encoded using, e.g.
+# echo "secret string" | base64 -w 0 > secret.string.b64
+# Files (e.g. certificates) can be encoded using, e.g.
+# cat cert.pem | base64 -w 0 > cert.pem.b64
+# then copy the contents of cert.pem.b64 (for example) below.
 # Ref: https://kubernetes.io/docs/concepts/configuration/secret/
+# Unused values can be set to ""
 apiVersion: v1
 kind: Secret
@@ -10,8 +14,8 @@ metadata:
 namespace: default
 type: Opaque
 data:
- # This is the API Key obtained from MongoDB Cloud Manager
- api-key: ""
+ # Base64-encoded Agent API Key (obtained from MongoDB Cloud Manager)
+ api-key: ""
 ---
 apiVersion: v1
 kind: Secret
@@ -20,7 +24,8 @@ metadata:
 namespace: default
 type: Opaque
 data:
- private.key: ""
+ # Base64-encoded BigchainDB private key of *this* node
+ private.key: ""
 ---
 apiVersion: v1
 kind: Secret
@@ -29,9 +34,12 @@ metadata:
 namespace: default
 type: Opaque
 data:
- mdb-instance.pem: ""
- ca.pem: ""
- mdb-crl.pem: ""
+ # Base64-encoded, concatenated certificate and private key
+ mdb-instance.pem: ""
+ # Base64-encoded CA certificate (ca.crt)
+ ca.pem: ""
+ # Base64-encoded MongoDB CRL
+ mdb-crl.pem: ""
 ---
 apiVersion: v1
 kind: Secret
@@ -40,8 +48,10 @@ metadata:
 namespace: default
 type: Opaque
 data:
- mdb-mon-instance.pem: ""
- ca.pem: ""
+ # Base64-encoded, concatenated certificate and private key
+ mdb-mon-instance.pem: ""
+ # Base64-encoded CA certificate (ca.crt)
+ ca.pem: ""
 ---
 apiVersion: v1
 kind: Secret
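Review bot: The `echo "secret string" | base64 -w 0` example in the new header comment encodes a trailing newline, because `echo` appends one, so a value copied from its output carries `\n` into the Secret; whether the consuming agents strip it is not visible in this file. I would write the line as `# printf '%s' "secret string" | base64 -w 0 > secret.string.b64` instead. `-w 0` is a GNU coreutils option, so a short remark for BSD/macOS `base64` users would save a failed command. Since every later comment in this commit says only "Base64-encoded …", the header is also the place for one more line such as `# base64 is an encoding, not encryption: do not commit this file once values are filled in, and remove the *.b64 files afterwards.`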
@@ -50,8 +60,10 @@ metadata:
 namespace: default
 type: Opaque
 data:
- mdb-bak-instance.pem: ""
- ca.pem: ""
+ # Base64-encoded, concatenated certificate and private key
+ mdb-bak-instance.pem: ""
+ # Base64-encoded CA certificate (ca.crt)
+ ca.pem: ""
 ---
 apiVersion: v1
 kind: Secret
@@ -60,8 +72,10 @@ metadata:
 namespace: default
 type: Opaque
 data:
- bdb-instance.pem: ""
- ca.pem: ""
+ # Base64-encoded, concatenated certificate and private key
+ bdb-instance.pem: ""
+ # Base64-encoded CA certificate (ca.crt)
+ ca.pem: ""
 ---
 apiVersion: v1
 kind: Secret
@@ -70,7 +84,9 @@ metadata:
 namespace: default
 type: Opaque
 data:
+ # Base64-encoded HTTPS private key
 cert.key: ""
+ # Base64-encoded HTTPS Signed Certificate or Certificate Chain
 cert.pem: ""
 ---
 apiVersion: v1