diff --git a/databases/postgresql/ghcr-pull-externalsecret.yaml b/databases/postgresql/ghcr-pull-externalsecret.yaml
new file mode 100644
index 0000000..c4e96cb
--- /dev/null
+++ b/databases/postgresql/ghcr-pull-externalsecret.yaml
@@ -0,0 +1,28 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: postgresql-ghcr-pull
+ namespace: database
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-platform
+ target:
+ name: postgresql-ghcr-pull
+ creationPolicy: Owner
+ template:
+ type: kubernetes.io/dockerconfigjson
+ engineVersion: v2
+ data:
+ .dockerconfigjson: |
+ {"auths":{"ghcr.io":{"username":"{{ .username }}","password":"{{ .token }}","auth":"{{ printf "%s:%s" .username .token | b64enc }}"}}}
+ data:
+ - secretKey: username
+ remoteRef:
+ key: database/ghcr-pull
+ property: username
+ - secretKey: token
+ remoteRef:
+ key: database/ghcr-pull
+ property: token
diff --git a/databases/postgresql/kustomization.yaml b/databases/postgresql/kustomization.yaml
index e1833ef..98aa075 100644
--- a/databases/postgresql/kustomization.yaml
+++ b/databases/postgresql/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
 - oci-repository.yaml
 - helmrelease.yaml
 - externalsecret.yaml
+ - ghcr-pull-externalsecret.yaml
 - stunnel-externalsecret.yaml
 - stunnel-server-configmap.yaml
 - stunnel-server-deployment.yaml
diff --git a/databases/postgresql/stunnel-client-deployment.yaml b/databases/postgresql/stunnel-client-deployment.yaml
index bb074ba..c3dd5cb 100644
--- a/databases/postgresql/stunnel-client-deployment.yaml
+++ b/databases/postgresql/stunnel-client-deployment.yaml
@@ -13,6 +13,8 @@ spec:
 labels:
 app: postgresql-stunnel-client
 spec:
+ imagePullSecrets:
+ - name: postgresql-ghcr-pull
 containers:
 - name: stunnel-client
 image: dweomer/stunnel:latest
diff --git a/databases/postgresql/stunnel-server-deployment.yaml b/databases/postgresql/stunnel-server-deployment.yaml
index 0a28f86..7d5b749 100644
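Review bot: The `.dockerconfigjson` template in the new ExternalSecret builds JSON by pasting `{{ .username }}` and `{{ .token }}` between literal quotes, so a value containing `"` or `\` renders a malformed or differently structured document and the failure only shows up later as an image-pull error. Let the template engine do the encoding instead, assuming the sprig `dict` and `toJson` helpers are available in this engine version: `{{ dict "auths" (dict "ghcr.io" (dict "username" .username "password" .token "auth" (printf "%s:%s" .username .token | b64enc))) | toJson }}`. Separately, `refreshInterval: 1m` re-reads Vault every minute for a credential that presumably rotates rarely; a longer interval would cut read volume and audit-log noise. The Vault entry `database/ghcr-pull` is not visible here, so it is worth confirming that the stored token carries only package-read scope.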
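Review bot: The added `imagePullSecrets` entry in the stunnel-client deployment carries a ghcr.io credential, but the only image visible in the hunk is `dweomer/stunnel:latest`, an unqualified name that by default resolves to Docker Hub, so the kubelet would not use this secret for that pull. If the intent is to pull stunnel from a private ghcr.io mirror, the `image:` reference needs to point at that registry path; otherwise the reference can be dropped from both stunnel deployments (the stunnel-server hunk makes the same addition). The pod spec continues beyond the hunk, so a container that does use ghcr.io may exist out of view. Pinning the image to a digest instead of `:latest` would also keep a changed upstream image from being picked up unnoticed.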
--- a/databases/postgresql/stunnel-server-deployment.yaml
+++ b/databases/postgresql/stunnel-server-deployment.yaml
@@ -13,6 +13,8 @@ spec:
 labels:
 app: postgresql-stunnel-server
 spec:
+ imagePullSecrets:
+ - name: postgresql-ghcr-pull
 containers:
 - name: stunnel-server
 image: dweomer/stunnel:latest
diff --git a/databases/postgresql/values.yaml b/databases/postgresql/values.yaml
index 76042a0..1491028 100644
--- a/databases/postgresql/values.yaml
+++ b/databases/postgresql/values.yaml
@@ -6,6 +6,9 @@ image: tag: "17.9" pullPolicy: IfNotPresent +imagePullSecrets: + - postgresql-ghcr-pull + auth: username: postgres database: postgres