diff --git a/install/kots/manifests/gitpod-installer-job.yaml b/install/kots/manifests/gitpod-installer-job.yaml
index 43219a6d7678db..6d92a12b58869d 100644
--- a/install/kots/manifests/gitpod-installer-job.yaml
+++ b/install/kots/manifests/gitpod-installer-job.yaml
@@ -28,7 +28,7 @@ spec:
 containers:
 - name: installer
 # This will normally be the release tag
- image: "eu.gcr.io/gitpod-core-dev/build/installer:sje-registry-s3-fork.3"
+ image: eu.gcr.io/gitpod-core-dev/build/installer:clu-multiple-pull-secrets.5
 volumeMounts:
 - mountPath: /config-patch
 name: config-patch
@@ -140,21 +140,19 @@ spec:
 yq e -i ".database.inCluster = false" "${CONFIG_FILE}"
 yq e -i ".database.external.certificate.kind = \"secret\"" "${CONFIG_FILE}"
 yq e -i ".database.external.certificate.name = \"database\"" "${CONFIG_FILE}"
+ fi
 if [ '{{repl HasLocalRegistry }}' = "true" ]; then
 echo "Gitpod: configuring mirrored container registry"
-
- yq e -i ".containerRegistry.inCluster = false" "${CONFIG_FILE}"
- yq e -i ".containerRegistry.external.url = \"{{repl LocalRegistryAddress }}\"" "${CONFIG_FILE}"
- yq e -i ".containerRegistry.external.certificate.kind = \"secret\"" "${CONFIG_FILE}"
- yq e -i ".containerRegistry.external.certificate.name = \"{{repl ImagePullSecretName }}\"" "${CONFIG_FILE}"
 yq e -i ".repository = \"{{repl LocalRegistryAddress }}\"" "${CONFIG_FILE}"
 yq e -i ".imagePullSecrets[0].kind = \"secret\"" "${CONFIG_FILE}"
 yq e -i ".imagePullSecrets[0].name = \"{{repl ImagePullSecretName }}\"" "${CONFIG_FILE}"
 yq e -i '.dropImageRepo = true' "${CONFIG_FILE}"
- elif [ '{{repl ConfigOptionEquals "reg_incluster" "0" }}' = "true" ];
+ fi
+
+ if [ '{{repl ConfigOptionEquals "reg_incluster" "0" }}' = "true" ];
 then
 echo "Gitpod: configuring external container registry"
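Review bot: The `+ fi` at the top of this hunk closes an `if` that begins before line 140, so whether the three `yq ... database ...` lines still sit inside the intended conditional cannot be checked from here; the block the former `elif` belonged to also ends outside the hunk. Turning the `elif` into a second, independent `if` means the mirrored-registry and external-registry blocks now both run when `HasLocalRegistry` is true and `reg_incluster` is `0`, leaving `.repository`/`.imagePullSecrets` pointing at the mirror while `.containerRegistry.external.*` points at the external registry. If that composition is intended, say so above the new `if`, e.g. `# Deliberately not an elif: an airgap mirror (above) and an external registry can both be configured`.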
@@ -162,6 +160,7 @@ spec:
 yq e -i ".containerRegistry.external.url = \"{{repl ConfigOption "reg_url" }}\"" "${CONFIG_FILE}"
 yq e -i ".containerRegistry.external.certificate.kind = \"secret\"" "${CONFIG_FILE}"
 yq e -i ".containerRegistry.external.certificate.name = \"container-registry\"" "${CONFIG_FILE}"
+ else
 if [ '{{repl ConfigOptionEquals "reg_incluster_storage" "s3" }}' = "true" ]; then
@@ -175,6 +174,7 @@ spec:
 fi
 fi
+
 if [ '{{repl ConfigOptionNotEquals "store_provider" "incluster" }}' = "true" ]; then
 echo "Gitpod: configuring the storage"
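Review bot: The added `else` is immediately followed by `if [ '{{repl ConfigOptionEquals "reg_incluster_storage" "s3" }}' = "true" ]; then`, i.e. an `elif` spelled as two nesting levels, which is why the following hunk ends up with `fi fi`; `elif [ '{{repl ConfigOptionEquals "reg_incluster_storage" "s3" }}' = "true" ]; then` with a single closing `fi` expresses the same branch, and an inner `else`, if the s3 block has one, attaches identically. The s3 block itself and the enclosing `reg_incluster` `if` both lie outside this hunk.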
@@ -273,6 +273,36 @@ spec:
 'del(select(.kind == "StatefulSet" and .metadata.name == "openvsx-proxy").status)' \
 "${GITPOD_OBJECTS}/templates/gitpod.yaml"
+ # If we have a airgap registry, cache it's credentials to be merged into whichever secret we use
+ # to access a registry for registry-facade
+ if [ '{{repl HasLocalRegistry }}' = "true" ]; then
+ echo "Gitpod: Found airgap registry information"
+ kubectl get secret "{{repl ImagePullSecretName }}" -o=jsonpath="{.data['\.dockerconfigjson']}" | base64 -d | yq -P - > registry-auth-airgap.yaml
+ fi
+
+ # if we successfully cached the airgap registry key, append it to the credentials we use for built in or external registry
+ if [ -f ./registry-auth-airgap.yaml ] && [ '{{repl ConfigOptionEquals "reg_incluster" "0" }}' = "true" ]; then
+ echo "Gitpod: Appending airgap registry to external registry list"
+ kubectl get secret "container-registry" -o=jsonpath="{.data['\.dockerconfigjson']}" | base64 -d | yq -P - > registry-auth-external.yaml
+ yq -o=json eval-all 'select(fi == 0) * select(filename == "registry-auth-airgap.yaml")' registry-auth-external.yaml registry-auth-airgap.yaml > merged-registry-auths.json
+
+ kubectl create secret generic container-registry \
+ --save-config --dry-run=client \
+ --from-file=.dockerconfigjson=./merged-registry-auths.json \
+ -o yaml | kubectl apply -f -
+
+ elif [ -f ./registry-auth-airgap.yaml ]; then
+ echo "Gitpod: Appending airgap registry to internal registry list"
+ yq eval 'select(.kind == "Secret" and .metadata.name == "builtin-registry-auth").data.".dockerconfigjson"' \
+ "${GITPOD_OBJECTS}/templates/gitpod.yaml" | base64 -d | yq -P - > registry-auth-builtin.yaml
+
+ yq -o=json eval-all 'select(fi == 0) * select(filename == "registry-auth-airgap.yaml")' registry-auth-builtin.yaml registry-auth-airgap.yaml > merged-registry-auths.json
+
+ export NEW_SECRETS=$(base64 -w 0 merged-registry-auths.json)
+ yq e -i "select(.kind == \"Secret\" and .metadata.name == \"builtin-registry-auth\").data.\".dockerconfigjson\" = \"${NEW_SECRETS}\"" \
+ "${GITPOD_OBJECTS}/templates/gitpod.yaml"
+ fi
+
 echo "Gitpod: Escape any Golang template values"
 sed -i -r 's/(.*\{\{.*)/{{`\1`}}/' "${GITPOD_OBJECTS}/templates/gitpod.yaml"
diff --git a/install/kots/manifests/kots-config.yaml b/install/kots/manifests/kots-config.yaml
index 9e0116115af863..e801dea01728a2 100644
--- a/install/kots/manifests/kots-config.yaml
+++ b/install/kots/manifests/kots-config.yaml
@@ -28,7 +28,6 @@ spec:
 - name: reg_incluster
 title: Use in-cluster container registry
 type: bool
- when: '{{repl eq HasLocalRegistry false }}'
 default: "1"
 help_text: You may either use an in-cluster container registry or configure your own external container registry for better performance. This container registry must be accessible from your Kubernetes cluster.
 recommended: false
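Review bot: The `[ -f ./registry-auth-airgap.yaml ]` guards only test that the file exists, but the `> registry-auth-airgap.yaml` redirect creates it even when `kubectl get secret` or `base64 -d` fails earlier in the pipeline, so a failed fetch still enters a merge branch and `builtin-registry-auth` (or the `container-registry` secret) can be rewritten from empty input; `-s` is the minimum, and unless the script header outside this hunk sets `set -o pipefail` the fetch failure is otherwise silent. The decoded registry credentials are also left as plaintext files in the job's working directory and kept in an exported `NEW_SECRETS` for the rest of the run; writing them under a `mktemp -d` that a `trap ... EXIT` removes, and using a plain assignment, limits their lifetime to this block. `kubectl create secret generic` additionally yields type `Opaque`; if the existing `container-registry` secret is typed `kubernetes.io/dockerconfigjson` the `kubectl apply` is rejected because a Secret's `type` is immutable, so pass `--type=kubernetes.io/dockerconfigjson` explicitly. The rewritten lines are below; the yq merge commands are unchanged apart from their paths.
```shell
# … unchanged: openvsx-proxy status deletion …
REGISTRY_AUTH_DIR="$(mktemp -d)"
trap 'rm -rf "${REGISTRY_AUTH_DIR}"' EXIT
if [ '{{repl HasLocalRegistry }}' = "true" ]; then
    echo "Gitpod: Found airgap registry information"
    kubectl get secret "{{repl ImagePullSecretName }}" -o=jsonpath="{.data['\.dockerconfigjson']}" | base64 -d | yq -P - > "${REGISTRY_AUTH_DIR}/registry-auth-airgap.yaml"
fi

if [ -s "${REGISTRY_AUTH_DIR}/registry-auth-airgap.yaml" ] && [ '{{repl ConfigOptionEquals "reg_incluster" "0" }}' = "true" ]; then
    # … unchanged: fetch container-registry secret and yq merge, writing into "${REGISTRY_AUTH_DIR}" …
    kubectl create secret generic container-registry \
        --type=kubernetes.io/dockerconfigjson \
        --save-config --dry-run=client \
        --from-file=.dockerconfigjson="${REGISTRY_AUTH_DIR}/merged-registry-auths.json" \
        -o yaml | kubectl apply -f -
elif [ -s "${REGISTRY_AUTH_DIR}/registry-auth-airgap.yaml" ]; then
    # … unchanged: extract builtin-registry-auth and yq merge, writing into "${REGISTRY_AUTH_DIR}" …
    NEW_SECRETS="$(base64 -w 0 "${REGISTRY_AUTH_DIR}/merged-registry-auths.json")"
    # … unchanged: yq rewrite of builtin-registry-auth in gitpod.yaml …
fi
```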
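Review bot: With the `when` removed, `reg_incluster` is now offered in installs that have an airgap registry, but its `help_text` still describes only the in-cluster versus external choice, so an operator cannot tell how it relates to the mirror that KOTS already configured. A sentence stating that an airgap registry mirror, when present, is applied independently of this option would resolve that; the exact wording depends on the installer-job branches in gitpod-installer-job.yaml rather than on this file.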
@@ -85,27 +84,27 @@ spec:
 - name: reg_url
 title: Container registry URL
 type: text
- when: '{{repl and (eq HasLocalRegistry false) (ConfigOptionEquals "reg_incluster" "0") }}'
+ when: '{{repl (ConfigOptionEquals "reg_incluster" "0") }}'
 required: true
 help_text: The container registry URL. This will usually be the fully qualified domain of your registry.
 - name: reg_server
 title: Container registry server
 type: text
- when: '{{repl and (eq HasLocalRegistry false) (ConfigOptionEquals "reg_incluster" "0") }}'
+ when: '{{repl (ConfigOptionEquals "reg_incluster" "0") }}'
 help_text: The container registry server. This is used when [generating your credentials](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line). Depending upon your provider, this may or may not be the same as the registry URL. If not specified, the URL will be used.
 - name: reg_username
 title: Container registry username
 type: text
- when: '{{repl and (eq HasLocalRegistry false) (ConfigOptionEquals "reg_incluster" "0") }}'
+ when: '{{repl (ConfigOptionEquals "reg_incluster" "0") }}'
 required: true
 help_text: The username for your container registry.
 - name: reg_password
 title: Container registry password
 type: password
- when: '{{repl and (eq HasLocalRegistry false) (ConfigOptionEquals "reg_incluster" "0") }}'
+ when: '{{repl (ConfigOptionEquals "reg_incluster" "0") }}'
 required: true
 help_text: The password for your container registry.
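Review bot: Each replacement `when` wraps a single call in parentheses, `{{repl (ConfigOptionEquals "reg_incluster" "0") }}`; the parentheses were only needed as arguments of the former `and` and are now noise, and `when: '{{repl ConfigOptionEquals "reg_incluster" "0" }}'` is the plainer form. This applies to all four changed lines in the hunk (reg_url, reg_server, reg_username, reg_password); the `reg_incluster` option they depend on is defined earlier in the file.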