diff --git a/deploy/helm/quarks-secret/templates/service-account-pull-secret.yaml b/deploy/helm/quarks-secret/templates/service-account-pull-secret.yaml
new file mode 100644
index 00000000..a04e3937
--- /dev/null
+++ b/deploy/helm/quarks-secret/templates/service-account-pull-secret.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.global.image.credentials }}
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  name: {{ template "quarks-secret.serviceAccountName" . }}-pull-secret
+  namespace: {{ .Release.Namespace }}
+data:
+  .dockerconfigjson: {{ printf "{%q:{%q:{%q:%q,%q:%q,%q:%q}}}" "auths" .Values.global.image.credentials.servername "username" .Values.global.image.credentials.username "password" .Values.global.image.credentials.password "auth" (printf "%s:%s" .Values.global.image.credentials.username .Values.global.image.credentials.password | b64enc) | b64enc }}
+{{- end }}
diff --git a/deploy/helm/quarks-secret/templates/service-account.yaml b/deploy/helm/quarks-secret/templates/service-account.yaml
index c29fcd1a..067339e1 100644
--- a/deploy/helm/quarks-secret/templates/service-account.yaml
+++ b/deploy/helm/quarks-secret/templates/service-account.yaml
@@ -4,6 +4,10 @@ kind: ServiceAccount
 metadata:
   name: {{ template "quarks-secret.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+{{- if .Values.global.image.credentials }}
+imagePullSecrets:
+- name: {{ template "quarks-secret.serviceAccountName" . }}-pull-secret
+{{- end }}
 {{- end }}
 
 {{- if .Values.global.rbac.create }}
diff --git a/deploy/helm/quarks-secret/values.yaml b/deploy/helm/quarks-secret/values.yaml
index 68821757..287d36c7 100644
--- a/deploy/helm/quarks-secret/values.yaml
+++ b/deploy/helm/quarks-secret/values.yaml
@@ -50,6 +50,10 @@ global:
   image:
     # pullPolicy defines the policy used for pulling docker images.
     pullPolicy: IfNotPresent
+    credentials: ~
+      # username:
+      # password:
+      # servername:
   # monitoredID is a string that has to match the content of the 'monitored' label in each monitored namespace.
   # The monitoredID helper uses the release fullname, unless this is set.
   monitoredID: