Secrets for Accessing NGC Catalog

Set up two basic secrets for accessing resources from the NGC catalog: a generic secret and an image pull secret. A generic secret is for accessing models from endpoints on the NGC catalog, and an image pull secret is for pulling container images from the NGC catalog.

Important

By default, Kubernetes secrets are not encrypted. To secure your secrets, refer to Kubernetes secret best practices in the Kubernetes documentation.

The secret values aren’t visible through the pod specs. Use secrets management solutions such as Vault along with external secrets to securely inject these secrets into the namespace.

Create a Generic Secret

Create a generic secret named ngc-api using the following command.

kubectl create secret generic ngc-api \
   --from-literal=NGC_API_KEY=$NGC_API_KEY

Use this secret to set the existingSecret value in the values.yaml file.

Create an Image Pull Secret

Create an image pull secret named nvcrimagepullsecret using the following command. Update the docker-server, docker-username, and docker-password values according to your environment if you are using private registry to store images.

kubectl --namespace <NAMESPACE> \
  create secret docker-registry nvcrimagepullsecret \
  --docker-server=nvcr.io \
  --docker-username='$oauthtoken' \
  --docker-password=$NGC_API_KEY

Use this secret to set the existingImagePullSecret value in the values.yaml file.

Create a Secret with NGC API Key in the Values File

This is an alternative option for local development environment and not recommended for production or shared environments. You can create secrets by providing your NGC API key in the ngcAPIKey and imagePullSecret fields and by leaving the existingSecret and existingImagePullSecret fields empty. This generates new secrets with your NGC API key during the installation process.

Important

This option exposes your NGC API key in the values.yaml file or when you run helm get values <release>.