diff --git a/values.yaml b/values.yaml
index 305fb77..f8629e0 100644
--- a/values.yaml
+++ b/values.yaml
@@ -391,6 +391,23 @@ kedaHttpAddon:
 # buffers each cold-start request until the target pod is Ready.
 # The scaler is the control loop watching HTTPScaledObject status.
 keda-add-ons-http:
+  # kube-rbac-proxy sidecar — upstream HTTP add-on 0.8.0 references
+  # gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0 which was retired from
+  # gcr.io. Override to a current image mirrored to our registry
+  # (multi-arch preserved via crane copy from quay.io/brancz upstream).
+  # Without this override the controller-manager pod ImagePullBackOffs
+  # forever and HTTPScaledObjects never reconcile.
+  images:
+    kubeRbacProxy:
+      name: registry.odoosky.cloud/odoosky/docker-mirror/kube-rbac-proxy
+      tag: v0.18.0
+  # imagePullSecrets — required so the kube-rbac-proxy sidecar
+  # (mirrored at registry.odoosky.cloud) can pull. The operator
+  # container itself pulls from ghcr.io which needs no auth, but
+  # k8s applies imagePullSecrets per-pod (covers all containers).
+  operator:
+    imagePullSecrets:
+      - name: docker-mirror-pull
   # Same pattern as keda.crds.install above — explicit true so the
   # HTTPScaledObject CRD lands on every fresh server. Without it, the
   # interceptor never gets its watch table synced (logs: "table has