The username/networks/ip
under spec.configuration.users was the key to getting things to work.
It seems that "10.0.0.0/16" isn't enough.
Allowing all networks solved the problem.
Secrets can be mounted to environment variables under the extraEnvs
key.
The environment variable can then be referenced in the config with the syntax ${env:VARIABLE_NAME}
.