diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
index fd854563a06..16206517d17 100644
--- a/openapi/generated_openapi/zz_generated.openapi.go
+++ b/openapi/generated_openapi/zz_generated.openapi.go
@@ -50215,6 +50215,13 @@ func schema_openshift_api_operator_v1_OpenShiftControllerManagerSpec(ref common.
 							Ref:         ref("k8s.io/apimachinery/pkg/runtime.RawExtension"),
 						},
 					},
+					"imageRegistryAuthTokenType": {
+						SchemaProps: spec.SchemaProps{
+							Description: "imageRegistryAuthTokenType directs the openshift-controller-manager to use either a legacy,(unbound, long-lived) service acccount tokens or a bound service account token when generating image pull secrets for the integrated image registry.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
 				},
 				Required: []string{"managementState"},
 			},
diff --git a/openapi/openapi.json b/openapi/openapi.json
index 3e29fa5f4ec..482ee950b33 100644
--- a/openapi/openapi.json
+++ b/openapi/openapi.json
@@ -29375,6 +29375,10 @@
         "managementState"
       ],
       "properties": {
+        "imageRegistryAuthTokenType": {
+          "description": "imageRegistryAuthTokenType directs the openshift-controller-manager to use either a legacy,(unbound, long-lived) service acccount tokens or a bound service account token when generating image pull secrets for the integrated image registry.",
+          "type": "string"
+        },
         "logLevel": {
           "description": "logLevel is an intent based logging for an overall component.  It does not give fine grained control, but it is a simple way to manage coarse grained logging choices that operators have to interpret for their operands.\n\nValid values are: \"Normal\", \"Debug\", \"Trace\", \"TraceAll\". Defaults to \"Normal\".",
           "type": "string"
diff --git a/operator/v1/0000_50_cluster-openshift-controller-manager-operator_02_config.crd.yaml b/operator/v1/0000_50_cluster-openshift-controller-manager-operator_02_config.crd.yaml
index 08c53a233da..84cfc9c24ca 100644
--- a/operator/v1/0000_50_cluster-openshift-controller-manager-operator_02_config.crd.yaml
+++ b/operator/v1/0000_50_cluster-openshift-controller-manager-operator_02_config.crd.yaml
@@ -39,6 +39,16 @@ spec:
             type: object
           spec:
             properties:
+              imageRegistryAuthTokenType:
+                default: Bound
+                description: imageRegistryAuthTokenType directs the openshift-controller-manager
+                  to use either a legacy,(unbound, long-lived) service acccount tokens
+                  or a bound service account token when generating image pull secrets
+                  for the integrated image registry.
+                enum:
+                - Legacy
+                - Bound
+                type: string
               logLevel:
                 default: Normal
                 description: "logLevel is an intent based logging for an overall component.
diff --git a/operator/v1/stable.openshiftcontrollermanager.testsuite.yaml b/operator/v1/stable.openshiftcontrollermanager.testsuite.yaml
index 05c1cf66fd4..dd9ae1b488a 100644
--- a/operator/v1/stable.openshiftcontrollermanager.testsuite.yaml
+++ b/operator/v1/stable.openshiftcontrollermanager.testsuite.yaml
@@ -12,5 +12,6 @@ tests:
       apiVersion: operator.openshift.io/v1
       kind: OpenShiftControllerManager
       spec:
+        imageRegistryAuthTokenType: Bound
         logLevel: Normal
         operatorLogLevel: Normal
diff --git a/operator/v1/types_openshiftcontrollermanager.go b/operator/v1/types_openshiftcontrollermanager.go
index fc7cc1086be..9199643c99f 100644
--- a/operator/v1/types_openshiftcontrollermanager.go
+++ b/operator/v1/types_openshiftcontrollermanager.go
@@ -28,8 +28,23 @@ type OpenShiftControllerManager struct {
 
 type OpenShiftControllerManagerSpec struct {
 	OperatorSpec `json:",inline"`
+
+	// imageRegistryAuthTokenType directs the openshift-controller-manager to use either a
+	// legacy,(unbound, long-lived) service acccount tokens or a bound service account
+	// token when generating image pull secrets for the integrated image registry.
+	// +kubebuilder:default=Bound
+	// +kubebuilder:validation:Enum=Legacy;Bound
+	// +optional
+	ImageRegistryAuthTokenType ServiceAccountTokenType `json:"imageRegistryAuthTokenType,omitempty"`
 }
 
+type ServiceAccountTokenType string
+
+const (
+	ServiceAccountLegacyTokenType ServiceAccountTokenType = "Legacy"
+	ServiceAccountBoundTokenType  ServiceAccountTokenType = "Bound"
+)
+
 type OpenShiftControllerManagerStatus struct {
 	OperatorStatus `json:",inline"`
 }
diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go
index 48133af8df4..ef91df8de1b 100644
--- a/operator/v1/zz_generated.swagger_doc_generated.go
+++ b/operator/v1/zz_generated.swagger_doc_generated.go
@@ -1648,6 +1648,14 @@ func (OpenShiftControllerManagerList) SwaggerDoc() map[string]string {
 	return map_OpenShiftControllerManagerList
 }
 
+var map_OpenShiftControllerManagerSpec = map[string]string{
+	"imageRegistryAuthTokenType": "imageRegistryAuthTokenType directs the openshift-controller-manager to use either a legacy,(unbound, long-lived) service acccount tokens or a bound service account token when generating image pull secrets for the integrated image registry.",
+}
+
+func (OpenShiftControllerManagerSpec) SwaggerDoc() map[string]string {
+	return map_OpenShiftControllerManagerSpec
+}
+
 var map_KubeScheduler = map[string]string{
 	"":         "KubeScheduler provides information to configure an operator to manage scheduler.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
 	"metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",