diff --git a/cmd/identify_imagebuild_test.go b/cmd/identify_imagebuild_test.go
index 4c713f5e..38c18976 100644
--- a/cmd/identify_imagebuild_test.go
+++ b/cmd/identify_imagebuild_test.go
@@ -218,6 +218,104 @@ func TestImageBuildConfigurationIdentification(t *testing.T) {
 },
 },
 },
+ {
+ name: "test2c nginx-php deployment - rootless - unauthenticated",
+ args: testdata.GetSeedData(
+ testdata.TestData{
+ ProjectName: "example-project",
+ EnvironmentName: "main",
+ Branch: "main",
+ LagoonYAML: "internal/testdata/complex/lagoon.varnish.yml",
+ ImageReferences: map[string]string{
+ "nginx": "unauthenticated.registry/example-project/main-nginx@sha256:b2001babafaa8128fe89aa8fd11832cade59931d14c3de5b3ca32e2a010fbaa8",
+ "php": "unauthenticated.registry/example-project/main-php@sha256:b2001babafaa8128fe89aa8fd11832cade59931d14c3de5b3ca32e2a010fbaa8",
+ "cli": "unauthenticated.registry/example-project/main-cli@sha256:b2001babafaa8128fe89aa8fd11832cade59931d14c3de5b3ca32e2a010fbaa8",
+ "redis": "unauthenticated.registry/example-project/main-redis@sha256:b2001babafaa8128fe89aa8fd11832cade59931d14c3de5b3ca32e2a010fbaa8",
+ "varnish": "unauthenticated.registry/example-project/main-varnish@sha256:b2001babafaa8128fe89aa8fd11832cade59931d14c3de5b3ca32e2a010fbaa8",
+ },
+ BuildPodVariables: []helpers.EnvironmentVariable{
+ {
+ Name: "UNAUTHENTICATED_REGISTRY",
+ Value: "true",
+ },
+ {
+ Name: "REGISTRY",
+ Value: "unauthenticated.registry",
+ },
+ },
+ ProjectVariables: []lagoon.EnvironmentVariable{
+ {
+ Name: "LAGOON_FEATURE_FLAG_ROOTLESS_WORKLOAD",
+ Value: "enabled",
+ Scope: "build",
+ },
+ {
+ Name: "LAGOON_FEATURE_FLAG_IMAGECACHE_REGISTRY",
+ Value: "imagecache.example.com",
+ Scope: "build",
+ },
+ },
+ }, true),
+ want: imageBuild{
+ BuildKit: helpers.BoolPtr(true),
+ BuildArguments: map[string]string{
+ "LAGOON_FEATURE_FLAG_ROOTLESS_WORKLOAD": "enabled",
+ "LAGOON_BUILD_NAME": "lagoon-build-abcdefg",
+ "LAGOON_PROJECT": "example-project",
+ "LAGOON_ENVIRONMENT": "main",
+ "LAGOON_ENVIRONMENT_TYPE": "production",
+ "LAGOON_BUILD_TYPE": "branch",
+ "LAGOON_GIT_SOURCE_REPOSITORY": "ssh://git@example.com/lagoon-demo.git",
+ "LAGOON_KUBERNETES": "remote-cluster1",
+ "LAGOON_GIT_SHA": "0000000000000000000000000000000000000000",
+ "LAGOON_GIT_BRANCH": "main",
+ "CLI_IMAGE": "example-project-main-cli",
+ "NGINX_IMAGE": "example-project-main-nginx",
+ "PHP_IMAGE": "example-project-main-php",
+ "LAGOON_FEATURE_FLAG_IMAGECACHE_REGISTRY": "imagecache.example.com",
+ "LAGOON_SSH_PRIVATE_KEY": "-----BEGIN OPENSSH PRIVATE KEY-----\nthisisafakekey\n-----END OPENSSH PRIVATE KEY-----",
+ },
+ Images: []imageBuilds{
+ {
+ Name: "cli",
+ ImageBuild: generator.ImageBuild{
+ BuildImage: "unauthenticated.registry/example-project/main-cli:latest",
+ Context: "internal/testdata/complex/docker",
+ DockerFile: ".docker/Dockerfile.cli",
+ TemporaryImage: "example-project-main-cli",
+ },
+ }, {
+ Name: "nginx",
+ ImageBuild: generator.ImageBuild{
+ BuildImage: "unauthenticated.registry/example-project/main-nginx:latest",
+ Context: "internal/testdata/complex/docker",
+ DockerFile: ".docker/Dockerfile.nginx-drupal",
+ TemporaryImage: "example-project-main-nginx",
+ },
+ }, {
+ Name: "php",
+ ImageBuild: generator.ImageBuild{
+ BuildImage: "unauthenticated.registry/example-project/main-php:latest",
+ Context: "internal/testdata/complex/docker",
+ DockerFile: ".docker/Dockerfile.php",
+ TemporaryImage: "example-project-main-php",
+ },
+ }, {
+ Name: "redis",
+ ImageBuild: generator.ImageBuild{
+ BuildImage: "unauthenticated.registry/example-project/main-redis:latest",
+ PullImage: "quay.io/notlagoon/redis",
+ },
+ }, {
+ Name: "varnish",
+ ImageBuild: generator.ImageBuild{
+ BuildImage: "unauthenticated.registry/example-project/main-varnish:latest",
+ PullImage: "imagecache.example.com/uselagoon/varnish-5-drupal:latest",
+ },
+ },
+ },
+ },
+ },
 {
 name: "test3 - funky pvcs",
 description: "only create pvcs of the requested persistent-name in the docker-compose file",
diff --git a/internal/generator/buildvalues.go b/internal/generator/buildvalues.go
index d0a641ac..3ee78c3a 100644
--- a/internal/generator/buildvalues.go
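Review bot: The new `test2c` case in `cmd/identify_imagebuild_test.go` only drives a branch build (`"LAGOON_BUILD_TYPE": "branch"`), so nothing in this hunk pins the `PromoteImage` value that the same commit adds for unauthenticated registries in `generateImageBuild`. A sibling case that reaches `buildValues.BuildType == "promote"` and asserts the resulting `PromoteImage` would cover the second new format string. A one-line comment above the case, such as `// unauthenticated registries are addressed as <registry>/<project>/<environment>-<service>`, would also explain why the expected `BuildImage` values differ from the neighbouring cases.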
+++ b/internal/generator/buildvalues.go
@@ -64,6 +64,7 @@ type BuildValues struct {
 CronjobsDisabled bool `json:"cronjobsDisabled" description:"this controls whether cronjobs are enabled for this environment or not"`
 FeatureFlags map[string]bool `json:"-" description:"these are used by templating systems to turn on or off certain functionality based on if feature flags are defined"`
 ImageRegistry string `json:"imageRegistry" description:"the image registry in use for this environment, usually harbor"`
+ UnauthenticatedImageRegistry bool `json:"unauthenticatedImageRegistry" description:"if this is an unauthenticated registry"`
 DockerBuildKit *bool `json:"dockerBuildKit" description:"the flag to determine if docker buildkit is used"`
 ImageBuildArguments map[string]string `json:"imageBuildArguments" description:"where the calculated image build arguments are stored"`
 EnvironmentVariables []lagoon.EnvironmentVariable `json:"environmentVariables" description:"the merged project and environment variables for this environment"`
diff --git a/internal/generator/generator.go b/internal/generator/generator.go
index df8ed8b0..70964597 100644
--- a/internal/generator/generator.go
+++ b/internal/generator/generator.go
@@ -110,6 +110,7 @@ func NewGenerator(
 dynamicDBaaSSecrets := helpers.GetEnv("DYNAMIC_DBAAS_SECRETS", strings.Join(generator.DynamicDBaaSSecrets, ","), generator.Debug)
 imageCacheBuildArgsJSON := helpers.GetEnv("LAGOON_CACHE_BUILD_ARGS", generator.ImageCacheBuildArgsJSON, generator.Debug)
 buildValues.SSHPrivateKey = helpers.GetEnv("SSH_PRIVATE_KEY", generator.SSHPrivateKey, generator.Debug)
+ buildValues.UnauthenticatedImageRegistry = helpers.GetEnvBool("UNAUTHENTICATED_REGISTRY", generator.CI, generator.Debug)
 // this is used by CI systems to influence builds, it is rarely used and should probably be abandoned
 buildValues.IsCI = helpers.GetEnvBool("CI", generator.CI, generator.Debug)
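Review bot: In the `internal/generator/generator.go` hunk, the fallback passed to `helpers.GetEnvBool("UNAUTHENTICATED_REGISTRY", generator.CI, generator.Debug)` is `generator.CI`, the same value the `CI` lookup two lines below uses, which looks like a copy-paste. If the second argument is the value used when the variable is unset (it appears so, by analogy with the `GetEnv` calls above it), any run with `generator.CI` true would switch to the unauthenticated image naming without `UNAUTHENTICATED_REGISTRY` being set. Unless that coupling is intended, make the default explicit: `helpers.GetEnvBool("UNAUTHENTICATED_REGISTRY", false, generator.Debug)`, or add a dedicated field to the generator input. The body of `NewGenerator` continues outside the hunk.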
diff --git a/internal/generator/images.go b/internal/generator/images.go
index 6224038a..35820aff 100644
--- a/internal/generator/images.go
+++ b/internal/generator/images.go
@@ -103,9 +103,16 @@ func generateImageBuild(buildValues BuildValues, composeServiceValues composetyp
 }
 // since we know what the final build image will be, we can set it here, this is what all images will be built as during the build
 // for `pullimages` they will get retagged as this imagename and pushed to the registry
- imageBuild.BuildImage = fmt.Sprintf("%s/%s/%s/%s:%s", buildValues.ImageRegistry, buildValues.Project, buildValues.Environment, composeService, "latest")
- if buildValues.BuildType == "promote" {
- imageBuild.PromoteImage = fmt.Sprintf("%s/%s/%s/%s:%s", buildValues.ImageRegistry, buildValues.Project, buildValues.PromotionSourceEnvironment, composeService, "latest")
+ if buildValues.UnauthenticatedImageRegistry {
+ imageBuild.BuildImage = fmt.Sprintf("%s/%s/%s-%s:%s", buildValues.ImageRegistry, buildValues.Project, buildValues.Environment, composeService, "latest")
+ if buildValues.BuildType == "promote" {
+ imageBuild.PromoteImage = fmt.Sprintf("%s/%s/%s-%s:%s", buildValues.ImageRegistry, buildValues.Project, buildValues.PromotionSourceEnvironment, composeService, "latest")
+ }
+ } else {
+ imageBuild.BuildImage = fmt.Sprintf("%s/%s/%s/%s:%s", buildValues.ImageRegistry, buildValues.Project, buildValues.Environment, composeService, "latest")
+ if buildValues.BuildType == "promote" {
+ imageBuild.PromoteImage = fmt.Sprintf("%s/%s/%s/%s:%s", buildValues.ImageRegistry, buildValues.Project, buildValues.PromotionSourceEnvironment, composeService, "latest")
+ }
 }
 // populate the docker derived information here, this information will be used by the build and pushing scripts
 return imageBuild, nil
diff --git a/legacy/build-deploy-docker-compose.sh b/legacy/build-deploy-docker-compose.sh
index 9a3f510b..74eafb69 100755
--- a/legacy/build-deploy-docker-compose.sh
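Review bot: The unauthenticated branch of `generateImageBuild` joins environment and service with `-` (`"%s/%s/%s-%s:%s"`), so two different pairs can resolve to the same repository: environment `a-b` with service `c` and environment `a` with service `b-c` both become `<registry>/<project>/a-b-c:latest`. If either name may contain a hyphen, one environment's push could replace the image another environment pulls, on a registry that takes no credentials; the `/`-separated form kept in the `else` branch has no such ambiguity. Consider a separator that cannot occur in either name, or at least record the constraint next to the format string, e.g. `// "<env>-<service>" must stay unique per project; names containing "-" can collide`. The two branches differ only in that separator, so selecting it once before the `Sprintf` calls would also remove the duplicated `promote` block. The function begins outside the hunk.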
+++ b/legacy/build-deploy-docker-compose.sh
@@ -591,6 +591,8 @@ if [ ! -z ${INTERNAL_REGISTRY_URL} ] ; then
 # fi
 echo "Set internal registry secrets for token ${INTERNAL_REGISTRY_USERNAME} in ${REGISTRY}"
 fi
+else
+ export UNAUTHENTICATED_REGISTRY=true
 fi
 # log in to any container registries before building or pulling images
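Review bot: The added `else` branch exports `UNAUTHENTICATED_REGISTRY=true` whenever the enclosing condition is false and logs nothing, so a build pod that is merely missing its registry settings silently changes image naming instead of stopping. The enclosing `if` opens above the hunk; the hunk header suggests it is the `INTERNAL_REGISTRY_URL` test, but that line is not part of the visible change. I would log the decision before the export, e.g. `echo "No internal registry credentials provided, treating ${REGISTRY} as an unauthenticated registry"`, so the downgrade is visible in build logs. It is also worth confirming that an empty value here is always deliberate rather than a misconfiguration that should fail the build.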