diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 1ced485..ea8a4b0 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -10,7 +10,7 @@ on: - ".github/workflows/docker-image.yml" env: - REGISTRY: ghcr.io + REGISTRY: digizuite.azurecr.io IMAGE_NAME: ${{ github.repository }} jobs: @@ -32,8 +32,8 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + username: ${{ secrets.DIGIZUITE_DEV_ACR_USERNAME }} + password: ${{ secrets.DIGIZUITE_DEV_ACR_PASSWORD }} - name: Docker meta id: meta diff --git a/charts/tailscale-outbound-proxy/Chart.yaml b/charts/tailscale-outbound-proxy/Chart.yaml index 4596787..306bd90 100644 --- a/charts/tailscale-outbound-proxy/Chart.yaml +++ b/charts/tailscale-outbound-proxy/Chart.yaml @@ -5,9 +5,9 @@ home: https://github.com/digizuite/tailscale-outbound-proxy keywords: - operator - tailscale -kubeVersion: ">= 1.25.0-0" +kubeVersion: ">= 1.30.0-0" name: tailscale-outbound-proxy-operator sources: - https://github.com/digizuite/tailscale-outbound-proxy -version: 0.0.7 +version: 0.0.8 icon: https://github.com/digizuite/tailscale-outbound-proxy/raw/master/tailscale-logo-black.png \ No newline at end of file diff --git a/charts/tailscale-outbound-proxy/templates/crds.yaml b/charts/tailscale-outbound-proxy/templates/crds.yaml index bea269d..5b84759 100644 --- a/charts/tailscale-outbound-proxy/templates/crds.yaml +++ b/charts/tailscale-outbound-proxy/templates/crds.yaml 
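Review bot: In `.github/workflows/docker-image.yml`, the login step of the second hunk swaps the per-run, repository-scoped `GITHUB_TOKEN` for a stored registry credential (`secrets.DIGIZUITE_DEV_ACR_USERNAME` / `secrets.DIGIZUITE_DEV_ACR_PASSWORD`), and nothing in the hunk says how narrowly that credential is scoped. If it is a registry-wide or admin account, any workflow run that can read the secret can push to every repository in `digizuite.azurecr.io`; a token limited to push on this one repository would bound that. The triggers and the job's `permissions` block sit outside the hunk, so it cannot be seen here whether the job only runs for trusted branches. I would record the expectation next to the step, for example `# ACR credential: push-only, scoped to this repository, rotated regularly`.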
@@ -74,6 +74,14 @@ spec: proxyStateSecretName: description: The secret to use for storing tailscales state. You do not have to create this secret yourself. type: string + replacedServiceTailscaleImage: + description: A custom image to use for the tailscale proxy + nullable: true + type: string + replacedServiceTailscaleImagePullSecret: + description: A pull secret to use for the custom image. Do note proxies are started in the same namespace as this CRD instance, meaning the pull secret should be in the same namespace as this CRD instance. + nullable: true + type: string serviceAccount: description: The service account the proxy pod should use. type: string diff --git a/charts/tailscale-outbound-proxy/templates/operator.yaml b/charts/tailscale-outbound-proxy/templates/operator.yaml index d52fc25..ea1115e 100644 --- a/charts/tailscale-outbound-proxy/templates/operator.yaml +++ b/charts/tailscale-outbound-proxy/templates/operator.yaml @@ -175,10 +175,12 @@ spec: app.kubernetes.io/part-of: tailscale-outbound-proxy spec: serviceAccountName: tailscale-outbound-proxy + imagePullSecrets: + - name: {{ .Values.operator.imagePullSecret }} containers: - name: operator - image: ghcr.io/digizuite/tailscale-outbound-proxy:master - imagePullPolicy: Always + image: {{ .Values.operator.image }} + imagePullPolicy: {{ .Values.operator.imagePullPolicy }} env: - name: RUST_LOG value: "info" diff --git a/charts/tailscale-outbound-proxy/values.yaml b/charts/tailscale-outbound-proxy/values.yaml index 7c8b333..53ed4c1 100644 --- a/charts/tailscale-outbound-proxy/values.yaml +++ b/charts/tailscale-outbound-proxy/values.yaml @@ -1,5 +1,8 @@ operator: enable: true + imagePullPolicy: Always + image: digizuite.azurecr.io/digizuite/tailscale-outbound-proxy:master + imagePullSecret: "" resources: limits: cpu: 100m diff --git a/src/replace_service_reconciler.rs b/src/replace_service_reconciler.rs index 6172e5d..747c57f 100644 --- a/src/replace_service_reconciler.rs 
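Review bot: In `charts/tailscale-outbound-proxy/templates/operator.yaml`, `imagePullSecrets` is rendered unconditionally, while `values.yaml` defaults `operator.imagePullSecret` to `""`, so a default install produces a pull-secret entry with an empty name. Wrap the two added lines in `{{- if .Values.operator.imagePullSecret }}` … `{{- end }}` so the list is omitted when no secret is configured. `image` and `imagePullPolicy` are interpolated unquoted; `image: {{ .Values.operator.image | quote }}` keeps an unusual value from changing the YAML structure. The default in `values.yaml` still points at the mutable `master` tag, so a comment there recommending a pinned digest for production installs would be worth adding.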
+++ b/src/replace_service_reconciler.rs @@ -4,8 +4,8 @@ use crate::{ContextData, Error}; use anyhow::{anyhow, Result}; use k8s_openapi::api::apps::v1::{Deployment, DeploymentSpec, DeploymentStrategy, ReplicaSet}; use k8s_openapi::api::core::v1::{ - Capabilities, Container, Endpoints, EnvVar, EnvVarSource, Pod, PodSpec, PodTemplateSpec, - Secret, SecretKeySelector, SecurityContext, Service, ServicePort, ServiceSpec, + Capabilities, Container, Endpoints, EnvVar, EnvVarSource, LocalObjectReference, Pod, PodSpec, + PodTemplateSpec, Secret, SecretKeySelector, SecurityContext, Service, ServicePort, ServiceSpec, }; use k8s_openapi::apimachinery::pkg::apis::meta::v1::{LabelSelector, ObjectMeta, OwnerReference}; use k8s_openapi::apimachinery::pkg::util::intstr::IntOrString; @@ -404,9 +404,20 @@ async fn ensure_tailscale_proxy( ]), ..Default::default() }]), + image_pull_secrets: resource + .spec + .replaced_service_tailscale_image_pull_secret + .clone() + .map(|s| vec![LocalObjectReference { name: s }]), containers: vec![Container { name: "tailscale".to_string(), - image: Some("ghcr.io/digizuite/tailscale-fix:master".to_string()), + image: resource + .spec + .replaced_service_tailscale_image + .clone() + .or_else(|| { + Some("ghcr.io/digizuite/tailscale-fix:master".to_string()) + }), image_pull_policy: Some("Always".to_string()), security_context: Some(SecurityContext { capabilities: Some(Capabilities { @@ -447,7 +458,8 @@ async fn ensure_tailscale_proxy( name: "TS_AUTHKEY".to_string(), value_from: Some(EnvVarSource { secret_key_ref: Some(SecretKeySelector { - name: tailscale_proxy_secret_state_secret_name.to_string(), + name: tailscale_proxy_secret_state_secret_name + .to_string(), optional: Some(false), key: "TS_AUTHKEY".to_string(), }), @@ -929,6 +941,6 @@ async fn change_keda_replicas( Err(api_error.into()) } } - Err(e) => Err(e.into()) + Err(e) => Err(e.into()), } } diff --git a/src/replaced_service.rs b/src/replaced_service.rs index c6e69a2..b5d4d87 100644 
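Review bot: In `ensure_tailscale_proxy` (second hunk of `src/replace_service_reconciler.rs`), `replaced_service_tailscale_image` is taken from the custom resource and used as the container image with no check, yet the same container is given `TS_AUTHKEY` from the state secret and a security context that sets capabilities (their contents are outside the hunk). Whoever may create or edit a ReplacedService therefore chooses the code that receives the auth key, so the operator should either enforce an allowed registry prefix or the field documentation should state that write access to the resource is equivalent to access to the key. Separately, an empty string arrives as `Some("")` and suppresses the default; adding `.filter(|s| !s.trim().is_empty())` before `.or_else(...)`, and likewise before `.map(...)` on the pull secret, makes the fallback apply instead of creating a pod with an empty image or secret name. The function body starts and ends outside the hunk.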
--- a/src/replaced_service.rs +++ b/src/replaced_service.rs @@ -51,6 +51,14 @@ pub struct ReplacedServiceSpec { /// The name of a keda scaled object that might prevent downscaling of a deployment pub keda_scale_object_name: Option, + + /// A custom image to use for the tailscale proxy + pub replaced_service_tailscale_image: Option, + + /// A pull secret to use for the custom image. Do note proxies are started in the same + /// namespace as this CRD instance, meaning the pull secret should be in the same + /// namespace as this CRD instance. + pub replaced_service_tailscale_image_pull_secret: Option } #[derive(Serialize, Deserialize, Debug, PartialEq, Clone, JsonSchema, Default)]
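Review bot: The doc comment on `replaced_service_tailscale_image` does not say what happens when the field is unset or what the image is trusted with, and this text also becomes the CRD field description. Suggested wording: `/// A custom image to use for the tailscale proxy. Falls back to the built-in image when unset. The image receives the Tailscale auth key, so only reference registries you trust.` On naming, the `replaced_service_` prefix repeats the struct name `ReplacedServiceSpec` and surfaces in the API as `replacedServiceTailscaleImage`; `tailscale_image` and `tailscale_image_pull_secret` would read better if the field can still be renamed before release. The last added field has no trailing comma, which rustfmt would add. The struct definition begins outside the hunk.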