diff --git a/README.md b/README.md index ceadff3..80850c9 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,8 @@ A full-stack application boilerplate with a React frontend and Node.js backend - [🆕 Recent Improvements \& Troubleshooting](#-recent-improvements--troubleshooting) - [🚀 Production Deployment Pipeline (CI/CD)](#-production-deployment-pipeline-cicd) - [CI/CD Kubernetes Deployment Setup](#cicd-kubernetes-deployment-setup) + - [Using Private Docker Registry with Kubernetes](#using-private-docker-registry-with-kubernetes) + - [Production Secrets Management (Gitea as Source of Truth)](#production-secrets-management-gitea-as-source-of-truth) --- 
@@ -559,3 +561,49 @@ To enable automated deployment to your Kubernetes cluster from CI/CD (Gitea Acti 6. **Your pipeline will now be able to deploy to your Kubernetes cluster.** --- + +## Using Private Docker Registry with Kubernetes + +If you use a private Docker registry (like registry.liquidrinu.com), you must create a Kubernetes secret and reference it in your deployments: + +1. **Create the registry secret:** + ```bash + kubectl create secret docker-registry regcred \ + --docker-server=registry.liquidrinu.com \ + --docker-username=YOUR_REGISTRY_USERNAME \ + --docker-password=YOUR_REGISTRY_PASSWORD \ + --docker-email=YOUR_EMAIL \ + -n fusero-prod + ``` + +2. **Reference the secret in your deployment YAMLs:** + In your deployment spec, add: + ```yaml + imagePullSecrets: + - name: regcred + ``` + Example: + ```yaml + spec: + template: + spec: + imagePullSecrets: + - name: regcred + containers: + - name: backend + image: ... + ``` + +This allows Kubernetes to authenticate to your private registry and pull images securely. + +--- + +## Production Secrets Management (Gitea as Source of Truth) + +- In production, all sensitive values (like `POSTGRES_PASSWORD`, `DEFAULT_ADMIN_PASSWORD`, etc.) are managed as secrets in your Gitea repository (Settings → Secrets). +- The CI/CD pipeline uses these secrets to generate `chart/secrets.prod.yaml` and other files at runtime. +- Helm uses these generated files to set environment variables for your Kubernetes resources. +- The Postgres password is set from the secret **only when the database is first initialized** (i.e., when the persistent volume is empty). Changing the secret later will not update the password for an existing database unless you reset the DB or delete the volume. +- **Summary:** Gitea secrets are the source of truth for production. Always update secrets in Gitea and redeploy to apply changes to new pods. + +---
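Review bot: The new "Production Secrets Management" section says the pipeline generates `chart/secrets.prod.yaml` "and other files at runtime" but does not say whether those generated files are git-ignored and removed after the deploy step; a reader following this README could commit a rendered `chart/secrets.prod.yaml` and leak the very values Gitea is meant to be the source of truth for. Suggest adding a line such as "`chart/secrets.prod.yaml` is generated only in CI, is listed in `.gitignore`, and must never be committed" (adjust to whatever the repo actually does). Two smaller points in the same hunk: the `kubectl create secret docker-registry regcred ...` step should say that `YOUR_REGISTRY_USERNAME` / `YOUR_REGISTRY_PASSWORD` ought to be a pull-only registry credential rather than a personal login, since the resulting Secret is only base64-encoded and readable by anyone with `get secret` rights in the `fusero-prod` namespace; and the sentence "Changing the secret later will not update the password for an existing database" would be clearer if it also noted that the application pods will still receive the *new* value from the regenerated file, so a rotation without a DB reset produces a credential mismatch rather than a silent no-op.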