Settings and Integrations

Settings is a resource that configures external integrations for PaletteAI. A Settings resource can contain the following integration types, with a maximum of one per type:

Palette (required) — Connects PaletteAI to the Spectro Cloud Palette platform for cluster lifecycle management.
Hugging Face (optional) — Provides API access to Hugging Face Hub for model management.
NVIDIA NGC (optional) — Provides credentials for pulling NVIDIA NIM container images.

A Palette integration is required to deploy AI/ML applications and models. PaletteAI uses the Palette integration to authenticate with the Palette API and deploy Compute Pools that host your applications and models.

Hugging Face and NVIDIA NGC integrations enable model management features at the Project level, allowing administrators to control which models and container images are available to teams.

Scope and Inheritance

Settings are namespace-scoped resources. A Tenant or Project references a Settings resource to determine which integrations are available.

Tenant-level — A Tenant's settingsRef points to a Settings resource that serves as the default for all Projects in that Tenant.
Project-level — A Project's settingsRef points to a Settings resource that overrides the Tenant default for that specific Project.

This allows you to use shared credentials for most Projects while configuring different credentials for specific Projects that need them. Refer to the Tenants and Projects page for more information on how Tenant and Project resources, such as Settings, interact.

Palette Integration

The Palette integration connects PaletteAI to the Spectro Cloud Palette platform. PaletteAI uses this connection to deploy, manage, and delete Kubernetes clusters via the Palette API when provisioning Compute Pools.

To add a Palette integration, create a Kubernetes Secret in the same namespace as the Settings resource. The Settings resource then references the secret through spec.integrations.palette.

info

A Palette integration must be unique for each Settings resource. You cannot have two Settings resources that reference the same Palette secret or secrets with identical credentials.

To use the same Palette credentials across multiple Projects, create a single Settings resource at the Tenant level and have all Projects inherit it. Alternatively, create a separate Settings resource for each project that uses different Palette credentials.

Palette Secret Fields

The Palette secret stores its configuration under a palette key as a JSON object. The following table describes the fields within the JSON object.

Field	Description	Required
`apiKey`	API key for the Palette tenant.	✅
`defaultProjectID`	Default Palette project ID.	✅
`hostUrl`	Palette API URL.	✅
`tenant`	Palette tenant name.	✅
`skipSSLCertificateVerification`	If `true`, the server's SSL certificate is not verified. Enable this only for servers that use a self-signed SSL certificate. Defaults to `false` if omitted.	❌
`tlsSecretRef`	Name of a Kubernetes Secret in the same namespace that contains a `ca.crt` key with a PEM-encoded CA certificate. Use this to verify servers with custom CA certificates. Required if `skipSSLCertificateVerification` is set to `true`.	❌

Custom CA Certificates

There are two ways for PaletteAI to communicate with a Palette environment using a self-signed SSL certificate:

Enable the skipSSLCertificateVerification flag in the Palette secret to skip SSL certificate verification.
Provide a custom CA certificate by setting tlsSecretRef to the name of a Kubernetes Secret in the same namespace that contains a ca.crt key with the PEM-encoded CA certificate.

This can be done using manifests or through the UI when adding a Palette integration to your Settings resource, either during or after project creation.

warning

We recommend leaving the skipSSLCertificateVerification flag disabled. All API calls to Palette will skip SSL certificate verification if this flag is enabled. The flag is useful for demo environments or when experimenting with PaletteAI, but for a production environment, we recommend using a valid SSL certificate signed by a trusted CA or providing a custom CA certificate.

The following example shows a Palette secret that references a custom CA certificate through tlsSecretRef. In this case, palette-ca-cert is the name of an existing Kubernetes Secret in the same namespace that contains a ca.crt key with the PEM-encoded CA certificate.

Example Palette secret with custom CA certificate
apiVersion: v1
kind: Secret
metadata:
  name: palette-api-secret
  namespace: primary-dev
type: Opaque
stringData:
  palette: |
    {
      "apiKey": "***************************",
      "defaultProjectID": "**************************",
      "hostUrl": "https://console.spectrocloud.com",
      "tenant": "docs",
      "skipSSLCertificateVerification": false,
      "tlsSecretRef": "palette-ca-cert"
    }

Example Kubernetes Secret linked to Palette secret with tlsSecretRef
apiVersion: v1
kind: Secret
metadata:
  name: palette-ca-cert
  namespace: primary-dev
type: Opaque
data:
  ca.crt: |
-----BEGIN CERTIFICATE-----
***************************
-----END CERTIFICATE-----

Palette Settings Reference

The Settings resource references the Palette secret by name and namespace.

Settings with Palette Integration
apiVersion: spectrocloud.com/v1alpha1
kind: Settings
metadata:
  name: dev-settings
  namespace: primary-dev
spec:
  integrations:
    palette:
      name: palette-api-secret
      namespace: primary-dev

Hugging Face Integration

The Hugging Face integration stores an API key for accessing the Hugging Face Hub. This integration enables model management features at the Project level, allowing administrators to control which Hugging Face model repositories are available to teams.

The Hugging Face secret is an Opaque secret with a token key containing the Hugging Face API token. The token must have at least read access.

Example Hugging Face secret
apiVersion: v1
kind: Secret
metadata:
  name: hf-secret
  namespace: primary-dev
  labels:
    palette.ai/integration-type: huggingface
type: Opaque
stringData:
  token: 'hf_xxxxxxxxxxxxxxxxxxxx'

The Settings resource references the secret through spec.integrations.huggingFace.apiKey.

Settings with Hugging Face integration
apiVersion: spectrocloud.com/v1alpha1
kind: Settings
metadata:
  name: dev-settings
  namespace: primary-dev
spec:
  integrations:
    palette:
      name: palette-api-secret
      namespace: primary-dev
    huggingFace:
      apiKey:
        name: hf-secret
        key: token

NVIDIA NGC Integration

The NVIDIA NGC integration stores credentials for authenticating with the NVIDIA NGC container registry (nvcr.io) to pull NIM (NVIDIA Inference Microservice) container images. Like Hugging Face, this integration enables model management features at the Project level.

The NVIDIA secret is a kubernetes.io/dockerconfigjson secret containing Docker registry credentials for nvcr.io. The same secret is used for both API authentication and as an image pull secret.

Example NVIDIA NGC secret
apiVersion: v1
kind: Secret
metadata:
  name: nvidia-secret
  namespace: primary-dev
  labels:
    palette.ai/integration-type: nvidia
type: kubernetes.io/dockerconfigjson
stringData:
  .dockerconfigjson: |
    {
      "auths": {
        "nvcr.io": {
          "username": "$oauthtoken",
          "password": "<your-ngc-api-key>"
        }
      }
    }

The Settings resource references the secret through both spec.integrations.nvidia.ngc.apiKey (for API authentication) and spec.integrations.nvidia.ngc.imagePullSecret (for pulling container images).

Settings with NVIDIA NGC integration
apiVersion: spectrocloud.com/v1alpha1
kind: Settings
metadata:
  name: dev-settings
  namespace: primary-dev
spec:
  integrations:
    palette:
      name: palette-api-secret
      namespace: primary-dev
    nvidia:
      ngc:
        apiKey:
          name: nvidia-secret
          key: .dockerconfigjson
        imagePullSecret:
          name: nvidia-secret

Project Model Settings

Hugging Face and NVIDIA NGC integrations at the Settings level unlock per-Project model governance through the Project resource's spec.modelSettings field. Model settings allow Project administrators to control which models and container images are available within their Project.

For each integration, you can configure whether the integration is active for the Project as well as an allow/disallow list that controls which models or container images can be used.

For example, a Project can allow all Hugging Face models except specific ones, or restrict NVIDIA NIM images to an approved set.

Example Project with model settings
apiVersion: spectrocloud.com/v1alpha1
kind: Project
metadata:
  name: project-a
  namespace: project-a
spec:
  displayName: 'Project A'
  tenantRef:
    name: primary-dev
  settingsRef:
    name: dev-settings
  computeConfigRef:
    name: edge-compute-config
    namespace: project-a
  roleMapping:
    viewer: [auditors]
    editor: [ml-engineers]
    admin: [admin]
  modelSettings:
    huggingFace:
      enabled: true
      modelRepositoryACL:
        allow:
          - '*'
        disallow:
          - 'restricted-org/private-model'
    nvidia:
      ngc:
        enabled: true
        nimsACL:
          allow:
            - 'nvcr.io/nvidia/pytorch:24.01-py3'

Model settings also support profile bundle mappings, which automatically select a Profile Bundle based on model source attributes. For example, you can map all Hugging Face models with app: vllm to a specific profile bundle optimized for vLLM workloads.

Example profile bundle mapping
modelSettings:
  profileBundleMappings:
    - source: HuggingFace
      sourceFilters:
        app: vllm
      profileBundleSelector:
        app: vllm

Scope and Inheritance​

Palette Integration​

Palette Secret Fields​

Custom CA Certificates​

Palette Settings Reference​

Hugging Face Integration​

NVIDIA NGC Integration​

Project Model Settings​