diff --git a/tripleo_ansible/roles/tripleo_podman/defaults/main.yml b/tripleo_ansible/roles/tripleo_podman/defaults/main.yml
index e32738633..096984f3b 100644
--- a/tripleo_ansible/roles/tripleo_podman/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_podman/defaults/main.yml
@@ -24,3 +24,28 @@ tripleo_podman_packages: "{{ _tripleo_podman_packages | default([]) }}"
 tripleo_podman_purge_packages: "{{ _tripleo_podman_purge_packages | default([]) }}"
 tripleo_podman_tls_verify: true
 tripleo_podman_debug: false
+tripleo_podman_unqualified_search_registries:
+  - registry.redhat.io
+  - registry.access.redhat.com
+  - registry.fedoraproject.org
+  - registry.centos.org
+  - docker.io
+tripleo_podman_insecure_registries: "{{ tripleo_container_registry_insecure_registries }}"
+# tripleo_podman_registries requires a list of dictionaries
+# Example:
+# tripleo_podman_registries:
+#   - prefix: docker.io
+#     insecure: false
+#     location: docker.io
+#     mirrors:
+#       - location: 192.168.0.1:8787
+#         insecure: true
+#   - prefix: registry.redhat.io
+#     insecure: false
+#     location: registry.redhat.io
+#     mirrors:
+#       - location: 192.168.0.2:8787
+#         insecure: false
+#   - prefix: registry.fedoraproject.org
+#     blocked: true
+tripleo_podman_registries: []
diff --git a/tripleo_ansible/roles/tripleo_podman/tasks/tripleo_podman_install.yml b/tripleo_ansible/roles/tripleo_podman/tasks/tripleo_podman_install.yml
index ac59245fc..240be8f1e 100644
--- a/tripleo_ansible/roles/tripleo_podman/tasks/tripleo_podman_install.yml
+++ b/tripleo_ansible/roles/tripleo_podman/tasks/tripleo_podman_install.yml
@@ -48,11 +48,11 @@
       when:
         - podman_bridge_config.stat.exists | bool
 
-    - name: configure insecure registries /etc/containers/registries.conf
-      ini_file:
-        path: /etc/containers/registries.conf
-        section: 'registries.insecure'
-        option: registries
-        value: "{{ tripleo_container_registry_insecure_registries }}"
-      when:
-        - (tripleo_container_registry_insecure_registries | length) > 0
+    - name: Write containers registries.conf
+      template:
+        src: registries.conf.j2
+        dest: /etc/containers/registries.conf
+        owner: root
+        group: root
+        setype: etc_t
+        mode: '0644'
diff --git a/tripleo_ansible/roles/tripleo_podman/templates/registries.conf.j2 b/tripleo_ansible/roles/tripleo_podman/templates/registries.conf.j2
new file mode 100644
index 000000000..4e97d8885
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_podman/templates/registries.conf.j2
@@ -0,0 +1,27 @@
+# This file is managed via tripleo-ansible
+
+unqualified-search-registries = {{ tripleo_podman_unqualified_search_registries | list }}
+
+# registries configuration
+{% for reg in tripleo_podman_registries %}
+[[registry]]
+prefix = "{{ reg.prefix }}"
+location = "{{ reg.location | default(reg.prefix) }}"
+insecure = {{ reg.insecure | default(False) | bool | ternary('true', 'false') }}
+blocked = {{ reg.blocked | default(False) | bool | ternary('true', 'false') }}
+{% if 'mirrors' in reg %}
+{% for mirror in reg.mirrors %}
+[[registry.mirror]]
+location = "{{ mirror.location }}"
+insecure = {{ mirror.insecure | default(False) | bool | ternary('true', 'false') }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+
+# insecure registry list
+{% for reg in tripleo_podman_insecure_registries %}
+[[registry]]
+prefix = "{{ reg }}"
+insecure = true
+location = "{{ reg }}"
+{% endfor %}