diff --git a/doc/source/index.rst b/doc/source/index.rst
index 2693117..89dadb3 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -232,6 +232,13 @@ verbatim):
    apiVersion: zuul-ci.org/v1alpha2
    kind: Zuul
    spec:
+     imagePrefix: docker.io/zuul
+     imagePullSecrets:
+       - name: my-docker-secret
+     zuulImageVersion: latest
+     zuulPreviewImageVersion: latest
+     zuulRegistryImageVersion: latest
+     nodepoolImageVersion: latest
      database:
        secretName: mariadbSecret
      zookeeper:
@@ -288,6 +295,17 @@ verbatim):
          (``zuul-executor``, etc).  However, changing the prefix will
          allow you to use custom images or private registries.
 
+      .. attr:: imagePullSecrets
+         :type: list
+         :default: []
+
+         If supplied, this value is passed through to Kubernetes.  It
+         should be a list of secrets.
+
+         .. attr:: name
+
+            The name of the image pull secret.
+
       .. attr:: zuulImageVersion
          :default: latest
 
@@ -298,6 +316,11 @@ verbatim):
 
          The image tag to append to the Zuul Preview images.
 
+      .. attr:: zuulRegistryImageVersion
+         :default: latest
+
+         The image tag to append to the Zuul Registry images.
+
       .. attr:: nodepoolImageVersion
          :default: latest
 
diff --git a/zuul_operator/operator.py b/zuul_operator/operator.py
index de9c547..f65d9eb 100644
--- a/zuul_operator/operator.py
+++ b/zuul_operator/operator.py
@@ -146,11 +146,11 @@ def update_fn(name, namespace, logger, old, new, memo, **kwargs):
     if new.get('connections') != old.get('connections'):
         logger.info("Connections changed")
         conf_changed = True
-    if new.get('imagePrefix') != old.get('imagePrefix'):
-        logger.info("Image prefix changed")
-        spec_changed = True
     for key in ['executor', 'merger', 'scheduler', 'registry',
-                'launcher', 'connections', 'externalConfig']:
+                'launcher', 'connections', 'externalConfig',
+                'imagePrefix', 'imagePullSecrets', 'zuulImageVersion',
+                'zuulPreviewImageVersion', 'zuulRegistryImageVersion',
+                'nodepoolImageVersion']:
         if new.get(key) != old.get(key):
             logger.info(f"{key} changed")
             spec_changed = True
diff --git a/zuul_operator/templates/nodepool-launcher.yaml b/zuul_operator/templates/nodepool-launcher.yaml
index f281196..226523d 100644
--- a/zuul_operator/templates/nodepool-launcher.yaml
+++ b/zuul_operator/templates/nodepool-launcher.yaml
@@ -27,6 +27,7 @@ spec:
         app.kubernetes.io/component: nodepool-launcher
         operator.zuul-ci.org/nodepool-provider: {{ provider_name }}
     spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
       containers:
       - name: launcher
         image: {{ spec.imagePrefix }}/nodepool-launcher:{{ spec.nodepoolImageVersion }}
diff --git a/zuul_operator/templates/zuul-registry.yaml b/zuul_operator/templates/zuul-registry.yaml
index 7ff9be7..e286b62 100644
--- a/zuul_operator/templates/zuul-registry.yaml
+++ b/zuul_operator/templates/zuul-registry.yaml
@@ -71,6 +71,7 @@ spec:
         app.kubernetes.io/part-of: zuul
         app.kubernetes.io/component: zuul-registry
     spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
       containers:
       - name: registry
         image: {{ spec.imagePrefix }}/zuul-registry:{{ spec.zuulImageVersion }}
diff --git a/zuul_operator/templates/zuul.yaml b/zuul_operator/templates/zuul.yaml
index e073be0..b93c0a2 100644
--- a/zuul_operator/templates/zuul.yaml
+++ b/zuul_operator/templates/zuul.yaml
@@ -140,6 +140,7 @@ spec:
       annotations:
         zuulConfSha: "{{ zuul_conf_sha }}"
     spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
       containers:
       - name: scheduler
         image: {{ spec.imagePrefix }}/zuul-scheduler:{{ spec.zuulImageVersion }}
@@ -221,6 +222,7 @@ spec:
       annotations:
         zuulConfSha: "{{ zuul_conf_sha }}"
     spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
       containers:
       - name: web
         image: {{ spec.imagePrefix }}/zuul-web:{{ spec.zuulImageVersion }}
@@ -269,6 +271,7 @@ spec:
       annotations:
         zuulConfSha: "{{ zuul_conf_sha }}"
     spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
       containers:
       - name: fingergw
         image: {{ spec.imagePrefix }}/zuul-fingergw:{{ spec.zuulImageVersion }}
@@ -318,6 +321,7 @@ spec:
       annotations:
         zuulConfSha: "{{ zuul_conf_sha }}"
     spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
       securityContext:
         runAsUser: 10001
         runAsGroup: 10001
@@ -415,6 +419,7 @@ spec:
       annotations:
         zuulConfSha: "{{ zuul_conf_sha }}"
     spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
       securityContext:
         runAsUser: 10001
         runAsGroup: 10001
@@ -502,6 +507,7 @@ spec:
         app.kubernetes.io/part-of: zuul
         app.kubernetes.io/component: zuul-preview
     spec:
+      imagePullSecrets: {{ spec.imagePullSecrets }}
       containers:
       - name: preview
         image: {{ spec.imagePrefix }}/zuul-preview:{{ spec.zuulPreviewImageVersion }}
diff --git a/zuul_operator/zuul.py b/zuul_operator/zuul.py
index 6d6935d..9fc712c 100644
--- a/zuul_operator/zuul.py
+++ b/zuul_operator/zuul.py
@@ -83,6 +83,7 @@ class Zuul:
         registry_tls.setdefault('secretName', 'zuul-registry-tls')
 
         self.spec.setdefault('imagePrefix', 'docker.io/zuul')
+        self.spec.setdefault('imagePullSecrets', [])
         self.spec.setdefault('zuulImageVersion', 'latest')
         self.spec.setdefault('zuulPreviewImageVersion', 'latest')
         self.spec.setdefault('zuulRegistryImageVersion', 'latest')