Image Pull Secrets

NVIDIA NIM and NVIDIA NeMo microservice images are hosted on NVIDIA NGC. The NVIDIA NIM Operator uses your API key as an image pull secret to download container images and models from NVIDIA NGC.

Refer to Generating Your NGC API Key in the NVIDIA NGC User Guide for more information.

Create NGC API Key Image Pull Secrets

The following is a list of default namespaces used in sample manifests throughout the documentation. Your cluster may use different namespaces.

• nim-service: The namespace where NIM microservices are deployed.

• nemo: The namespace where NeMo microservices are deployed.

Create the following secrets in all namespaces where you have the NIM Operator or NIM Operator managed services deployed. Update the namespace in the script below to apply to the different namespaces on your cluster.

1. Add a Docker registry secret for downloading container images from NVIDIA NGC:

   $ kubectl create secret -n nim-service docker-registry ngc-secret \
       --docker-server=nvcr.io \
       --docker-username='$oauthtoken' \
       --docker-password=<ngc-api-key>
   

2. Add a generic secret that the model puller containers uses to download the model from NVIDIA NGC:

   $ kubectl create secret -n nim-service generic ngc-api-secret \
       --from-literal=NGC_API_KEY=<ngc-api-key>
   

Note

By default, Kubernetes secrets are not encrypted. To secure your secrets, see Kubernetes secret best practices in the Kubernetes documentation.