diff --git a/deploy/templates/deployment.yaml b/deploy/templates/deployment.yaml
index 8f9a1b5..1b1ac42 100644
--- a/deploy/templates/deployment.yaml
+++ b/deploy/templates/deployment.yaml
@@ -16,6 +16,10 @@ spec:
         {{- include "tutortool.selectorLabels" . | nindent 8 }}
     spec:
       serviceAccountName: {{ include "tutortool.serviceAccountName" . }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       securityContext:
         fsGroup: 1000
       containers:
diff --git a/deploy/templates/httproute.yaml b/deploy/templates/httproute.yaml
index a2c0e53..8c17c99 100644
--- a/deploy/templates/httproute.yaml
+++ b/deploy/templates/httproute.yaml
@@ -5,10 +5,17 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "tutortool.labels" . | nindent 4 }}
+  {{- with .Values.httpRoute.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   parentRefs:
-    - name: itsh-gateway
-      sectionName: {{ .Values.httpRoute.sectionName }}
+    {{- range .Values.httpRoute.parentRefs }}
+    - name: {{ .name }}
+      namespace: {{ .namespace }}
+      sectionName: {{ $.Values.httpRoute.sectionName }}
+    {{- end }}
   hostnames:
     {{- range .Values.httpRoute.hostnames }}
     - {{ . | quote }}
@@ -31,8 +38,11 @@ metadata:
     {{- include "tutortool.labels" . | nindent 4 }}
 spec:
   parentRefs:
-    - name: itsh-gateway
-      sectionName: http-tutor-puchstein-dev
+    {{- range .Values.httpRoute.parentRefs }}
+    - name: {{ .name }}
+      namespace: {{ .namespace }}
+      sectionName: {{ $.Values.httpRoute.httpRedirectSectionName }}
+    {{- end }}
   hostnames:
     {{- range .Values.httpRoute.hostnames }}
     - {{ . | quote }}
diff --git a/deploy/values.yaml b/deploy/values.yaml
index 1f20a10..2a46a84 100644
--- a/deploy/values.yaml
+++ b/deploy/values.yaml
@@ -27,10 +27,19 @@ pvc:
   storageClassName: hcloud-volumes
   storage: 1Gi
 
+imagePullSecrets:
+  - name: itsh-registry
+
 httpRoute:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  parentRefs:
+    - name: default
+      namespace: nginx-gateway
   hostnames:
     - tutor.puchstein.dev
   sectionName: https-tutor-puchstein-dev
+  httpRedirectSectionName: http-tutor-puchstein-dev
 
 # JWT_SECRET provisioned as a pre-existing K8s Secret named here.
 # Do not set jwtSecretValue in committed values — provision via kubectl manually.