robusta-dev · Avi-Robusta · Jun 18, 2026 · Jun 18, 2026 · Jun 18, 2026
diff --git a/docs/setup-robusta/proxies.rst b/docs/setup-robusta/proxies.rst
@@ -113,6 +113,26 @@ When deploying Robusta in a tightly restricted environment, the runner needs out
 
 If you mirror images to a private registry, override ``image.registry`` (and the per-component ``image:`` fields) in your Helm values and you can drop the public registries from the allowlist.
 
+If your private registry requires authentication, set ``global.imagePullSecrets``. This applies the
+pull secret to the runner, kubewatch, and the pods the runner launches at runtime (e.g. KRR, Popeye,
+via the runner ServiceAccount). To also cover HolmesGPT, set ``holmes.imagePullSecrets`` — HolmesGPT
+is a subchart, so set it explicitly alongside the global value:
+
+.. code-block:: yaml
+
+    global:
+      imagePullSecrets:
+        - name: my-registry-secret
+
+    # HolmesGPT is a subchart — set its pull secret as well
+    holmes:
+      imagePullSecrets:
+        - name: my-registry-secret
+
+A per-component value (e.g. ``runner.imagePullSecrets``, ``kubewatch.imagePullSecrets``,
+``holmes.imagePullSecrets``) overrides the global one for that component. Leaving
+``global.imagePullSecrets`` empty keeps the previous behavior.
+
 Verifying the Allowlist
 ----------------------------------------
 

diff --git a/helm/robusta/templates/forwarder.yaml b/helm/robusta/templates/forwarder.yaml
@@ -31,9 +31,10 @@ spec:
       serviceAccountName: {{ include "robusta.fullname" . }}-forwarder-service-account
       {{- end }}
       automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
-      {{- if .Values.kubewatch.imagePullSecrets }}
+      {{- $pullSecrets := .Values.kubewatch.imagePullSecrets | default .Values.global.imagePullSecrets }}
+      {{- if $pullSecrets }}
       imagePullSecrets:
-      {{- toYaml .Values.kubewatch.imagePullSecrets | nindent 6 }}
+      {{- toYaml $pullSecrets | nindent 6 }}
       {{- end }}
       {{- with .Values.kubewatch.securityContext.pod }}
       securityContext:

diff --git a/helm/robusta/templates/runner-service-account.yaml b/helm/robusta/templates/runner-service-account.yaml
@@ -556,9 +556,10 @@ metadata:
     {{- toYaml . | nindent 4}}
   {{- end }}
   {{- end }}
-{{- if .Values.runnerServiceAccount.imagePullSecrets }}
+{{- $pullSecrets := .Values.runnerServiceAccount.imagePullSecrets | default .Values.global.imagePullSecrets }}
+{{- if $pullSecrets }}
 imagePullSecrets:
-{{- toYaml .Values.runnerServiceAccount.imagePullSecrets | nindent 2}}
+{{- toYaml $pullSecrets | nindent 2}}
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/helm/robusta/templates/runner.yaml b/helm/robusta/templates/runner.yaml
@@ -34,9 +34,10 @@ spec:
       serviceAccountName: {{ include "robusta.fullname" . }}-runner-service-account
       {{- end }}
       automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
-      {{- if .Values.runner.imagePullSecrets }}
+      {{- $pullSecrets := .Values.runner.imagePullSecrets | default .Values.global.imagePullSecrets }}
+      {{- if $pullSecrets }}
       imagePullSecrets:
-      {{- toYaml .Values.runner.imagePullSecrets | nindent 6 }}
+      {{- toYaml $pullSecrets | nindent 6 }}
       {{- end }}
       {{- with .Values.runner.securityContext.pod }}
       securityContext:

diff --git a/helm/robusta/values.yaml b/helm/robusta/values.yaml
@@ -33,6 +33,12 @@ clusterZone: ""
 
 global:
   clusterDomain: "cluster.local"
+  # Optional image pull secrets applied to the runner, kubewatch, and the runtime pods
+  # created by the runner (e.g. KRR, Popeye, via the runner ServiceAccount).
+  # A component's own imagePullSecrets (e.g. runner.imagePullSecrets), when set, is used
+  # instead of this global; otherwise the component inherits this global. Leave empty to
+  # keep existing behavior. HolmesGPT is a separate subchart - set holmes.imagePullSecrets.
+  imagePullSecrets: []
 
 automountServiceAccountToken: true
 
@@ -648,6 +654,7 @@ kubewatch:
   tolerations: []
   annotations: {}
   nodeSelector: ~
+  # set to override global.imagePullSecrets for kubewatch; leave empty to inherit the global
   imagePullSecrets: []
   config:
     namespace: ""
@@ -707,6 +714,7 @@ grafanaRenderer:
 # parameters for the robusta runner service account
 runnerServiceAccount:
   # image pull secrets added to the runner service account. Any pod using the service account will get those
+  # set to override global.imagePullSecrets; leave empty to inherit the global
   imagePullSecrets: []
   # Additional annotations for the ServiceAccount.
   annotations: {}
@@ -737,6 +745,7 @@ runner:
   annotations: {}
   nodeSelector: ~
   customClusterRoleRules: []
+  # set to override global.imagePullSecrets for the runner; leave empty to inherit the global
   imagePullSecrets: []
   extraVolumes: []
   extraVolumeMounts: []