diff --git a/qhub/deploy.py b/qhub/deploy.py index 852cfee75..0e892d1a5 100644 --- a/qhub/deploy.py +++ b/qhub/deploy.py @@ -123,8 +123,8 @@ def guided_install( f'"{config["domain"]}" [Press Enter when Complete]' ) - # Now Keycloak Helm chart - targets = ["module.kubernetes-keycloak-helm"] + # Now Keycloak Helm chart (External Docker Registry before that if we need one) + targets = ["module.external-container-reg", "module.kubernetes-keycloak-helm"] logger.info(f"Running Terraform Stage: {targets}") terraform.apply( directory="infrastructure", diff --git a/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/kubernetes.tf b/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/kubernetes.tf index 63f552c10..89f2491f7 100644 --- a/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/kubernetes.tf +++ b/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/kubernetes.tf @@ -177,6 +177,20 @@ module "kubernetes-ingress" { ### Keycloak + +module "external-container-reg" { + source = "./modules/extcr" + + count = {{ cookiecutter.external_container_reg.enabled | default(false,true) | jsonify }} ? 1 : 0 + + namespace = var.environment + access_key_id = "{{ cookiecutter.external_container_reg.access_key_id | default("",true) }}" + secret_access_key = "{{ cookiecutter.external_container_reg.secret_access_key | default("",true) }}" + extcr_account = "{{ cookiecutter.external_container_reg.extcr_account | default("",true) }}" + extcr_region = "{{ cookiecutter.external_container_reg.extcr_region | default("",true) }}" +} + + resource "random_password" "keycloak-qhub-bot-password" { length = 32 special = false @@ -204,7 +218,8 @@ module "kubernetes-keycloak-helm" { depends_on = [ - module.kubernetes-ingress + module.kubernetes-ingress, + module.external-container-reg ] } 
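Review bot: The new comment in guided_install says the registry module runs "if we need one", but `targets` lists `module.external-container-reg` unconditionally. The same ordering is also expressed by the `depends_on` added to `module.kubernetes-keycloak-helm` in kubernetes.tf, and Terraform targeting already pulls in a target's dependencies, so the extra entry looks redundant. If it is kept for readability, the comment should say why the order matters, e.g. `# registry pull secret must exist before Keycloak pods start; creates nothing when external_container_reg is disabled`. guided_install starts and ends outside this hunk.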
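Review bot: The new `module "external-container-reg"` block in kubernetes.tf still renders `access_key_id` and `secret_access_key` from the cookiecutter context as string literals, so the registry credential sits in plaintext in the generated Terraform file and in any repository that file is committed to. The commit only relocates this pattern from the removed `extcr_config` map, but the move is a good moment to declare root variables marked `sensitive = true` and supply them from the environment at deploy time, e.g. `secret_access_key = var.extcr_secret_access_key` (variable name constructed here). If the literals stay, note that they are placed between quotes without escaping, unlike `enabled`, which goes through `jsonify`. A value containing `"` or `${` would break or alter the rendered HCL.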
@@ -294,14 +309,6 @@ module "qhub" { dask_gateway_extra_config = file("dask_gateway_config.py.j2") - extcr_config = { - enabled : {{ cookiecutter.external_container_reg.enabled | default(false,true) | jsonify }} - access_key_id : "{{ cookiecutter.external_container_reg.access_key_id | default("",true) }}" - secret_access_key : "{{ cookiecutter.external_container_reg.secret_access_key | default("",true) }}" - extcr_account : "{{ cookiecutter.external_container_reg.extcr_account | default("",true) }}" - extcr_region : "{{ cookiecutter.external_container_reg.extcr_region | default("",true) }}" - } - forwardauth-callback-url-path = local.forwardauth-callback-url-path OAUTH_CLIENT_ID = local.jupyterhub-keycloak-client-id diff --git a/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/extcr/main.tf b/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/extcr/main.tf similarity index 100% rename from qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/extcr/main.tf rename to qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/extcr/main.tf diff --git a/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/extcr/variables.tf b/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/extcr/variables.tf similarity index 100% rename from qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/extcr/variables.tf rename to qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/extcr/variables.tf diff --git a/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/keycloak-helm/values.yaml b/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/keycloak-helm/values.yaml index 16bb4e3c6..d6519edf5 100644 
--- a/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/keycloak-helm/values.yaml +++ b/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/keycloak-helm/values.yaml @@ -3,6 +3,9 @@ ingress: # we will need to define our own IngressRoute elsewhere. enabled: false +imagePullSecrets: + - name: "extcrcreds" + extraEnv: | - name: PROXY_ADDRESS_FORWARDING value: "true" diff --git a/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/jupyterhub/values.yaml b/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/jupyterhub/values.yaml index caa57cd75..b97d51b7c 100644 --- a/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/jupyterhub/values.yaml +++ b/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/jupyterhub/values.yaml @@ -21,6 +21,8 @@ scheduling: enabled: false replicas: 1 +imagePullSecrets: + - extcrcreds singleuser: defaultUrl: "/lab" diff --git a/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/meta/qhub/main.tf b/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/meta/qhub/main.tf index 1b4b248dc..71bdd5474 100644 --- a/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/meta/qhub/main.tf +++ b/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/meta/qhub/main.tf @@ -394,15 +394,3 @@ resource "kubernetes_manifest" "forwardauth" { } } } - -module "external-container-reg" { - source = "../../extcr" - - count = var.extcr_config.enabled ? 1 : 0 - - namespace = var.namespace - access_key_id = var.extcr_config.access_key_id - secret_access_key = var.extcr_config.secret_access_key - extcr_account = var.extcr_config.extcr_account - extcr_region = var.extcr_config.extcr_region -} 
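Review bot: `imagePullSecrets` names `extcrcreds` unconditionally in the keycloak-helm values.yaml and again in the jupyterhub values.yaml hunk that follows, while the module that presumably creates that secret is instantiated with `count = ... ? 1 : 0` in kubernetes.tf. Deployments without an external registry therefore get pods that reference a pull secret that does not exist. Kubernetes usually tolerates this with a warning, but setting the value from Terraform only when the registry is enabled would be cleaner. The name is also hard-coded in two charts and has to match what modules/extcr/main.tf creates (not shown in this diff), in the namespace the Keycloak and JupyterHub pods run in, so a comment such as `# must match the secret created by modules/extcr` would help. The two files use different list shapes (`- name: "extcrcreds"` and `- extcrcreds`), so confirm each chart's schema accepts the form used.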
diff --git a/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/meta/qhub/variables.tf b/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/meta/qhub/variables.tf index 1a12a4f43..882b0f673 100644 --- a/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/meta/qhub/variables.tf +++ b/qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/services/meta/qhub/variables.tf @@ -100,11 +100,6 @@ variable "certificate-secret-name" { default = "" } -variable "extcr_config" { - description = "Customer's access details for external container reg" - type = map(any) -} - variable "forwardauth-callback-url-path" { description = "Callback URL Path for ForwardAuth" type = string