diff --git a/backend/controller/artefacts/oci_registry.go b/backend/controller/artefacts/oci_registry.go
index 2ab98fa4a9..0748e16af0 100644
--- a/backend/controller/artefacts/oci_registry.go
+++ b/backend/controller/artefacts/oci_registry.go
@@ -28,16 +28,17 @@ import (
 var _ Service = &OCIArtifactService{}
 type RegistryConfig struct {
- Registry string `help:"OCI container registry, in the form host[:port]/repository" env:"FTL_ARTEFACTS_REGISTRY"`
- Username string `help:"OCI container registry username" env:"FTL_ARTEFACTS_USER"`
- Password string `help:"OCI container registry password" env:"FTL_ARTEFACTS_PWD"`
- AllowInsecure bool `help:"Allows the use of insecure HTTP based registries." env:"FTL_ARTEFACTS_ALLOW_INSECURE"`
+ Registry string `help:"OCI container registry, in the form host[:port]/repository" env:"FTL_ARTEFACT_REGISTRY"`
+ Username string `help:"OCI container registry username" env:"FTL_ARTEFACT_REGISTRY_USERNAME"`
+ Password string `help:"OCI container registry password" env:"FTL_ARTEFACT_REGISTRY_PASSWORD"`
+ AllowInsecure bool `help:"Allows the use of insecure HTTP based registries." env:"FTL_ARTEFACT_REGISTRY_ALLOW_INSECURE"`
 }
 type OCIArtifactService struct {
- repository string
- repoFactory func() (*remote.Repository, error)
- auth authn.AuthConfig
+ repository string
+ repoFactory func() (*remote.Repository, error)
+ auth authn.AuthConfig
+ allowInsecure bool
 }
 type ArtefactRepository struct {
@@ -80,9 +81,10 @@ func NewOCIRegistryStorage(c RegistryConfig) *OCIArtifactService {
 }
 return &OCIArtifactService{
- repository: c.Registry,
- repoFactory: repoFactory,
- auth: authn.AuthConfig{Username: c.Username, Password: c.Password},
+ repository: c.Registry,
+ repoFactory: repoFactory,
+ auth: authn.AuthConfig{Username: c.Username, Password: c.Password},
+ allowInsecure: c.AllowInsecure,
 }
 }
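Review bot: Deployments that still export the old variable names (FTL_ARTEFACTS_REGISTRY, FTL_ARTEFACTS_USER, FTL_ARTEFACTS_PWD, FTL_ARTEFACTS_ALLOW_INSECURE) will silently end up with an empty Registry and no credentials, because the RegistryConfig tags drop the old names with no fallback and nothing in the diff documents the rename. If these tags are parsed by kong, the old name can be kept as a secondary source, e.g. `env:"FTL_ARTEFACT_REGISTRY,FTL_ARTEFACTS_REGISTRY"`; otherwise the rename should at least be called out in the release notes. The new `allowInsecure` field on OCIArtifactService has no comment; suggest `// allowInsecure permits plain-HTTP (non-TLS) registries; mirrors RegistryConfig.AllowInsecure.`. NewOCIRegistryStorage in the second hunk stores the flag, but the repoFactory it closes over is built above the hunk, so whether the ORAS repository path also honours the flag cannot be seen here.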
@@ -170,7 +172,11 @@ func (s *OCIArtifactService) Download(ctx context.Context, dg sha256.SHA256) (io
 // ORAS is really annoying, and needs you to know the size of the blob you're downloading
 // So we are using google's go-containerregistry to do the actual download
 // This is not great, we should remove oras at some point
- newDigest, err := name.NewDigest(fmt.Sprintf("%s@sha256:%s", s.repository, dg.String()))
+ opts := []name.Option{}
+ if s.allowInsecure {
+ opts = append(opts, name.Insecure)
+ }
+ newDigest, err := name.NewDigest(fmt.Sprintf("%s@sha256:%s", s.repository, dg.String()), opts...)
 if err != nil {
 return nil, fmt.Errorf("unable to create digest '%s': %w", dg, err)
 }
diff --git a/charts/ftl/Chart.lock b/charts/ftl/Chart.lock
index f4782a2fed..ed97e6bde9 100644
--- a/charts/ftl/Chart.lock
+++ b/charts/ftl/Chart.lock
@@ -2,8 +2,5 @@ dependencies:
 - name: postgresql
 repository: oci://registry-1.docker.io/bitnamicharts
 version: 15.5.38
-- name: harbor
- repository: https://helm.goharbor.io
- version: 1.15.1
-digest: sha256:5a14d0cc902b2697bdf1f726abbe44a58c75a9d54b4c5f8780d44136003153a5
-generated: "2024-10-14T00:01:15.60650687Z"
+digest: sha256:67269c8ba9048da425bdc3e6f8e28bff54bdb98e1c53a8dc0feb0b77363b48a9
+generated: "2024-11-06T10:54:22.116589+11:00"
diff --git a/charts/ftl/Chart.yaml b/charts/ftl/Chart.yaml
index 0862a09853..7d6332889e 100644
--- a/charts/ftl/Chart.yaml
+++ b/charts/ftl/Chart.yaml
@@ -9,8 +9,4 @@ dependencies:
 - name: postgresql
 version: 15.5.38
 repository: oci://registry-1.docker.io/bitnamicharts
- condition: postgresql.enabled
- - name: harbor
- version: v1.15.1
- repository: https://helm.goharbor.io
- condition: harbor.enabled
+ condition: postgresql.enabled
\ No newline at end of file
diff --git a/charts/ftl/templates/controller.yaml b/charts/ftl/templates/controller.yaml
index 4be8b4dfe8..132e09ee30 100644
--- a/charts/ftl/templates/controller.yaml
+++ b/charts/ftl/templates/controller.yaml
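Review bot: `opts := []name.Option{}` allocates an empty slice where the idiomatic form is `var opts []name.Option`; a nil slice appends and spreads as `opts...` identically. The `if s.allowInsecure` branch also deserves a why-comment, because name.Insecure changes the transport security of the artefact fetch rather than just parsing: `// allowInsecure lets go-containerregistry use plain HTTP for this fetch; the blob is still requested by digest, but the request itself (and any credentials attached to it) is unencrypted.` Whether credentials are attached to this fetch is decided further down in Download, outside the hunk, so adjust the wording to match.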
@@ -57,6 +57,22 @@ spec:
 - name: FTL_KMS_URI
 value: "{{ .Values.controller.kmsUri }}"
 {{- end }}
+ - name: FTL_ARTEFACT_REGISTRY
+ value: "{{ .Values.registry.repository }}"
+ - name: FTL_ARTEFACT_REGISTRY_ALLOW_INSECURE
+ value: "{{ .Values.registry.allowInsecure }}"
+ - name: FTL_ARTEFACT_REGISTRY_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "ftl.fullname" . }}-secrets
+ key: FTL_CONTROLLER_REGISTRY_USERNAME
+ optional: true
+ - name: FTL_ARTEFACT_REGISTRY_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "ftl.fullname" . }}-secrets
+ key: FTL_CONTROLLER_REGISTRY_PASSWORD
+ optional: true
 ports:
 {{- range .Values.controller.ports }}
 - name: {{ .name }}
diff --git a/charts/ftl/templates/registry.yaml b/charts/ftl/templates/registry.yaml
new file mode 100644
index 0000000000..10220329eb
--- /dev/null
+++ b/charts/ftl/templates/registry.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.registry.create }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: registry
+ name: registry
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: registry
+ template:
+ metadata:
+ labels:
+ app: registry
+ spec:
+ containers:
+ - name: registry
+ image: registry:2
+ ports:
+ - containerPort: 5000
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "ftl.fullname" . }}-registry
+spec:
+ ports:
+ - name: http
+ port: 5000
+ protocol: TCP
+ targetPort: 5000
+ selector:
+ app: registry
+ type: "ClusterIP"
+{{- end }}
\ No newline at end of file
diff --git a/charts/ftl/templates/runner.yaml b/charts/ftl/templates/runner.yaml
index 79701be75e..d7fdcfde51 100644
--- a/charts/ftl/templates/runner.yaml
+++ b/charts/ftl/templates/runner.yaml
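Review bot: The sixteen env lines added to the controller container are repeated verbatim in the runner.yaml hunk below, differing only in the secret keys (FTL_CONTROLLER_REGISTRY_* vs FTL_RUNNER_REGISTRY_*); a named template taking the key prefix, in the style of the existing `ftl.fullname` helper, would keep the two copies from drifting the next time the registry settings change. Note also that `value: "{{ .Values.registry.allowInsecure }}"` is emitted unconditionally, so the chart default is the only thing keeping a production install from fetching artefacts over plain HTTP; a comment on that value in values.yaml saying it exists for the in-cluster dev registry would make the intent visible.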
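Review bot: The registry this template deploys runs `registry:2` with no authentication, no TLS and no volume, and is reachable cluster-wide through the ClusterIP Service, so any workload with in-cluster network access can push or overwrite artefacts and a pod restart discards everything stored. That may be fine for a local or CI cluster, but nothing in the file says so; suggest a header comment `# Dev/CI only: unauthenticated, non-persistent artefact registry behind registry.create; not for shared or production clusters.` and pinning the image to a specific tag or digest rather than the floating `registry:2`. The Deployment name is the fixed `registry` while the Service is `{{ include "ftl.fullname" . }}-registry`, and deployment/values.yaml points at `ftl-registry:5000`, which appears to resolve only when the release fullname is `ftl`; deriving the repository value from the same helper, or a comment stating the coupling, would avoid a silent mismatch.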
@@ -59,6 +59,22 @@ data:
 {{- if .Values.runner.env }}
 {{- toYaml .Values.runner.env | nindent 16 }}
 {{- end }}
+ - name: FTL_ARTEFACT_REGISTRY
+ value: "{{ .Values.registry.repository }}"
+ - name: FTL_ARTEFACT_REGISTRY_ALLOW_INSECURE
+ value: "{{ .Values.registry.allowInsecure }}"
+ - name: FTL_ARTEFACT_REGISTRY_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "ftl.fullname" . }}-secrets
+ key: FTL_RUNNER_REGISTRY_USERNAME
+ optional: true
+ - name: FTL_ARTEFACT_REGISTRY_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "ftl.fullname" . }}-secrets
+ key: FTL_RUNNER_REGISTRY_PASSWORD
+ optional: true
 ports:
 {{- range .Values.runner.ports }}
 - name: {{ .name }}
diff --git a/charts/ftl/templates/secrets.yaml b/charts/ftl/templates/secrets.yaml
index 09de4fcf5e..12479b6cbf 100644
--- a/charts/ftl/templates/secrets.yaml
+++ b/charts/ftl/templates/secrets.yaml
@@ -8,3 +8,7 @@ type: Opaque
 stringData:
 FTL_LOG_ENCRYPTION_KEY: {{ .Values.secrets.logEncryptionKey }}
 FTL_ASYNC_ENCRYPTION_KEY: {{ .Values.secrets.asyncEncryptionKey }}
+ FTL_CONTROLLER_REGISTRY_USERNAME: {{ .Values.secrets.controllerRegistryUsername }}
+ FTL_CONTROLLER_REGISTRY_PASSWORD: {{ .Values.secrets.controllerRegistryPassword }}
+ FTL_RUNNER_REGISTRY_USERNAME: {{ .Values.secrets.runnerRegistryUsername }}
+ FTL_RUNNER_REGISTRY_PASSWORD: {{ .Values.secrets.runnerRegistryPassword }}
\ No newline at end of file
diff --git a/charts/ftl/values.yaml b/charts/ftl/values.yaml
index 4c15842d68..982177667f 100644
--- a/charts/ftl/values.yaml
+++ b/charts/ftl/values.yaml
@@ -9,6 +9,10 @@ ingress:
 secrets:
 logEncryptionKey: null
 asyncEncryptionKey: null
+ controllerRegistryUsername: null
+ controllerRegistryPassword: null
+ runnerRegistryUsername: null
+ runnerRegistryPassword: null
 dbMigration:
 enabled: true
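Review bot: The four stringData values added to secrets.yaml are interpolated unquoted, so a registry password containing YAML-significant characters (`:`, `#`, a leading `*` or `{`) either breaks the rendered Secret or silently changes its value; use `FTL_CONTROLLER_REGISTRY_PASSWORD: {{ .Values.secrets.controllerRegistryPassword | quote }}` and the same for the other three keys. The two pre-existing encryption-key lines follow the same unquoted pattern, so this hunk extends a latent problem rather than introducing it, but passwords are far more likely than generated keys to contain such characters.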
@@ -211,16 +215,6 @@ runner:
 topologySpreadConstraints: null
 tolerations: null
-harbor:
- enabled: false
- expose:
- tls:
- enabled: false
- type: nodePort
- persistence:
- enabled: true
- resourcePolicy: ""
-
 postgresql:
 enabled: true
 architecture: standalone
@@ -238,4 +232,9 @@ postgresql:
 database: ftl
 istio:
- enabled: false # set to true to have this chart install the grpc config to enable trailers
\ No newline at end of file
+ enabled: false # set to true to have this chart install the grpc config to enable trailers
+
+registry:
+ repository: ""
+ allowInsecure: false
+ create: false
\ No newline at end of file
diff --git a/deployment/values.yaml b/deployment/values.yaml
index 1b7e5dabdc..84f38bb23a 100644
--- a/deployment/values.yaml
+++ b/deployment/values.yaml
@@ -32,3 +32,7 @@ provisioner:
 istio:
 enabled: true
+registry:
+ repository: "ftl-registry:5000/ftl-artefacts"
+ allowInsecure: "true"
+ create: true
\ No newline at end of file
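Review bot: The new `registry:` block in charts/ftl/values.yaml carries no comments, unlike the `istio.enabled` line directly above it, so neither the format of `repository` nor the risk of `allowInsecure` and `create` is discoverable from the values file. Suggest `repository: "" # host[:port]/repository of the OCI registry holding module artefacts`, `allowInsecure: false # permit plain-HTTP (non-TLS) registries; intended for local/CI clusters only`, and `create: false # deploy the unauthenticated, non-persistent in-cluster registry from templates/registry.yaml`.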
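Review bot: `allowInsecure: "true"` in deployment/values.yaml is a quoted string while the chart default (`allowInsecure: false`) is a boolean. Both render the same today because the templates wrap the value in quotes themselves, but the mismatch will bite any future template that tests `.Values.registry.allowInsecure` with `if`, where the non-empty string "false" would also be truthy. Use the bare `allowInsecure: true` so the value's type matches the chart default.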