diff --git a/puppet/services/docker.yaml b/puppet/services/docker.yaml
index e54ce599d8..b1ff095a40 100644
--- a/puppet/services/docker.yaml
+++ b/puppet/services/docker.yaml
@@ -74,6 +74,23 @@ parameters:
     description: Flag to disable docker reconfiguration during stack update.
     tags:
       - role_specific
+  ContainerImageRegistryLogin:
+    type: boolean
+    default: false
+    description: Flag to enable container registry login actions during the deployment.
+                 Setting this to true will cause login calls to be performed during the
+                 deployment.
+  ContainerImageRegistryCredentials:
+    type: json
+    hidden: true
+    default: {}
+    description: |
+      Mapping of image registry hosts to login credentials. Must be in the following example format
+
+        docker.io:
+          username: pa55word
+        '192.0.2.1:8787':
+          registry_username: password
 
 resources:
   # Merging role-specific parameters (RoleParameters) with the default parameters.
@@ -122,9 +139,23 @@ outputs:
               container_registry_mirror: {get_param: DockerRegistryMirror}
               container_registry_network_options: {get_param: DockerNetworkOptions}
               container_registry_skip_reconfiguration: {get_attr: [RoleParametersValue, value, DockerSkipUpdateReconfiguration]}
+              container_registry_login: {get_param: ContainerImageRegistryLogin}
+              # default that is overwritten by the heat -> dict conversion
+              container_registry_logins: {}
+              container_registry_logins_json: {get_param: ContainerImageRegistryCredentials}
+          - name: Convert logins json to dict
+            set_fact:
+              container_registry_logins: "{{ container_registry_logins_json | from_json }}"
+            when:
+              - container_registry_login | bool
+              - (container_registry_logins_json | length) > 0
           - include_role:
               name: container-registry
               tasks_from: docker
+          - include_role:
+              name: container-registry
+              tasks_from: docker-login
+            when: container_registry_login|bool
       service_config_settings:
         neutron_l3:
           docker_additional_sockets: {get_param: DockerAdditionalSockets}
diff --git a/releasenotes/notes/add-container-registry-login-08d6a87586c84a99.yaml b/releasenotes/notes/add-container-registry-login-08d6a87586c84a99.yaml
new file mode 100644
index 0000000000..f1e3dd7257
--- /dev/null
+++ b/releasenotes/notes/add-container-registry-login-08d6a87586c84a99.yaml
@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    `ContainerImageRegistryLogin` has been added to indicate if login calls
+    should be issued by the container engine on deployment. The default is
+    set to `false`.
+  - |
+    Values specified in `ContainerImageRegistryCredentials` will now be used to
+    issue a login call when deploying the container engine on the hosts if
+    `ContainerImageRegistryLogin` is set to `true`