diff --git a/hub/cmd/hub/main.go b/hub/cmd/hub/main.go
index c096bd8..33cd43d 100644
--- a/hub/cmd/hub/main.go
+++ b/hub/cmd/hub/main.go
@@ -71,6 +71,14 @@ func main() {
 	// Load config
 	cfg := loadConfig(*configPath, logger)
 
+	// Environment variable overrides (for k8s Secrets)
+	if v := os.Getenv("REGISTRY_USERNAME"); v != "" {
+		cfg.Registry.Username = v
+	}
+	if v := os.Getenv("REGISTRY_TOKEN"); v != "" {
+		cfg.Registry.Token = v
+	}
+
 	// Ensure data dir exists
 	os.MkdirAll(cfg.Server.DataDir, 0755)
 
diff --git a/manifests/hub.yaml b/manifests/hub.yaml
index d56ddba..d08f2c2 100644
--- a/manifests/hub.yaml
+++ b/manifests/hub.yaml
@@ -84,8 +84,8 @@ data:
       resend_api_key: "re_XZZenCJs_LyJnU12jZWfEn9rK85Gc83DK"
     registry:
       image: "gitea.dooplex.hu/admin/felhom-controller"
-      username: "admin"
-      token: "e93ef87f90cc13a476964ee965bfe2e75d945a33"
+      # username + token injected via REGISTRY_USERNAME / REGISTRY_TOKEN env vars
+      # from Secret/gitea-creds (see Deployment below)
       check_interval: "6h"
       template_interval: "1h"
     server:
@@ -124,6 +124,16 @@ spec:
           env:
             - name: TZ
               value: "Europe/Budapest"
+            - name: REGISTRY_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-creds
+                  key: username
+            - name: REGISTRY_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-creds
+                  key: password
           resources:
             requests:
               memory: "64Mi"