
Secrets

Use a Kubernetes Secret to store application credentials and other sensitive configuration in your RemoteGPU namespace.

Before you create a secret

Before you create a Secret:

  • Make sure kubectl works with your namespace kubeconfig.
  • Decide whether the workload needs the Secret as environment variables, files, or an image pull credential.

For kubeconfig setup, read Kubernetes overview.

Create a secret

Create an Opaque Secret for application configuration or credentials.

bash
kubectl --kubeconfig ./kubeconfig-team-ml.yaml create secret generic app-config \
  --from-literal=API_TOKEN=replace-with-token \
  --from-literal=MODEL_PROFILE=production

Use kubectl get secret to confirm that Kubernetes created the Secret:

bash
kubectl --kubeconfig ./kubeconfig-team-ml.yaml get secret app-config

The command output shows the Secret name, type, and key count. It does not show Secret values.

Use a secret as environment variables

Reference one Secret key when the container needs a single environment variable.

yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: config-demo
spec:
  # This fragment omits non-Secret Deployment fields, including
  # spec.replicas, spec.selector, spec.template.metadata, and
  # spec.template.spec.containers[].image.
  template:
    spec:
      containers:
        - name: app
          env:
            - name: API_TOKEN
              valueFrom:
                secretKeyRef:
                  name: app-config
                  key: API_TOKEN

Reference every key in a Secret when the container expects each key as an environment variable.

yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: config-demo
spec:
  # This fragment omits non-Secret Deployment fields, including
  # spec.replicas, spec.selector, spec.template.metadata, and
  # spec.template.spec.containers[].image.
  template:
    spec:
      containers:
        - name: app
          envFrom:
            - secretRef:
                name: app-config

Mount a secret as files

Mount a Secret when the application reads credentials from files.

yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: config-demo
spec:
  # This fragment omits non-Secret Deployment fields, including
  # spec.replicas, spec.selector, spec.template.metadata, and
  # spec.template.spec.containers[].image.
  template:
    spec:
      containers:
        - name: app
          volumeMounts:
            - name: app-config
              mountPath: /etc/config
              readOnly: true
      volumes:
        - name: app-config
          secret:
            secretName: app-config

Each Secret key becomes a file under the mount path. In this example, the container can read /etc/config/API_TOKEN.

Use a private image registry

Create a Docker registry Secret when a deployment pulls images from a private registry.

bash
kubectl --kubeconfig ./kubeconfig-team-ml.yaml create secret docker-registry app-registry \
  --docker-server=registry.example.com \
  --docker-username=replace-with-username \
  --docker-password=replace-with-password \
  --docker-email=replace-with-email

Reference the registry Secret from the pod template.

yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: private-image-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: private-image-demo
  template:
    metadata:
      labels:
        app: private-image-demo
        remotegpu.ai/runtime-sku: cpu-shared-8g
    spec:
      imagePullSecrets:
        - name: app-registry
      containers:
        - name: app
          image: registry.example.com/team/app:1.0.0

Supported secret profile

RemoteGPU supports standard namespace-scoped Kubernetes Secrets with these limits.

| Area | Supported value |
| --- | --- |
| Access path | kubectl |
| Namespace quota | Up to 128 Secrets per namespace |
| Secret types | Standard Kubernetes Secret types except kubernetes.io/service-account-token |
| Reserved names | Secret names and generateName prefixes must not start with rgpu- or remotegpu- |
| Finalizers | Customer-created Secrets must not set metadata.finalizers |

Creating a TLS Secret does not change RemoteGPU-managed public ingress TLS. For managed apps.remotegpu.ai hostnames, use the ingress TLS profile described in Ingresses.
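The profile limits listed above can be checked locally before a manifest is submitted. The following is an added example, not RemoteGPU's own code or its server-side enforcement: `check_secret`, the constant names, and the sample manifests are hypothetical, and the current Secret count must be supplied by the caller.

```python
import json

# Limits copied from the "Supported secret profile" table on this page.
RESERVED_PREFIXES = ("rgpu-", "remotegpu-")
BLOCKED_TYPES = {"kubernetes.io/service-account-token"}
MAX_SECRETS_PER_NAMESPACE = 128


def check_secret(manifest, existing_secret_count=0):
    """Return a list of profile violations for one Secret manifest (dict)."""
    if manifest.get("kind") != "Secret":
        return ["not a Secret manifest"]
    problems = []
    meta = manifest.get("metadata") or {}
    # Both explicit names and generateName prefixes are restricted.
    for field in ("name", "generateName"):
        value = meta.get(field) or ""
        if value.startswith(RESERVED_PREFIXES):
            problems.append(f"metadata.{field} '{value}' uses a reserved prefix")
    # Kubernetes treats a missing type as Opaque.
    secret_type = manifest.get("type") or "Opaque"
    if secret_type in BLOCKED_TYPES:
        problems.append(f"type '{secret_type}' is not supported")
    if meta.get("finalizers"):
        problems.append("metadata.finalizers must not be set")
    # One more Secret would exceed the namespace quota.
    if existing_secret_count >= MAX_SECRETS_PER_NAMESPACE:
        problems.append("namespace already holds 128 Secrets")
    return problems


# Constructed sample manifests (no real credentials).
SAMPLE_OK = json.loads("""
{"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
 "metadata": {"name": "app-config"},
 "data": {"MODEL_PROFILE": "cHJvZHVjdGlvbg=="}}
""")
SAMPLE_BAD = json.loads("""
{"apiVersion": "v1", "kind": "Secret",
 "type": "kubernetes.io/service-account-token",
 "metadata": {"generateName": "remotegpu-token-",
              "finalizers": ["example.com/hold"]}}
""")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        meta = sample["metadata"]
        print(meta.get("name") or meta.get("generateName"),
              check_secret(sample) or "ok")
```

The function accepts the JSON that `kubectl create secret ... --dry-run=client -o json` prints, so a manifest can be checked without sending it to the cluster.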

Troubleshooting

| Symptom | What to check |
| --- | --- |
| Secret creation is rejected | Check the Secret name, type, finalizers, and namespace Secret quota. |
| Pod cannot read an environment variable | Confirm the Secret name and key in secretKeyRef, then restart the pod if the application only reads environment variables at startup. |
| Secret volume is empty or missing a file | Confirm the workload references the correct secretName and Secret key. |
| Private image pull fails | Check the registry server, username, password, image name, and imagePullSecrets reference. |
| Another user in the namespace can read the Secret | Move the workload to a separate namespace when you need a separate access boundary. |

For detailed Kubernetes events, use kubectl describe pod on the affected pod.

RemoteGPU customer documentation