diff --git a/deployments/BUILD b/deployments/BUILD index fef4415f4..b4ff867d6 100644 --- a/deployments/BUILD +++ b/deployments/BUILD @@ -15,3 +15,9 @@ limitations under the License. SPDX-License-Identifier: Apache-2.0 """ + +filegroup( + name = "values", + srcs = glob(["values/**"]), + visibility = ["//visibility:public"], +) diff --git a/deployments/charts/BUILD b/deployments/charts/BUILD index ccb508b7a..09a4fd8f0 100644 --- a/deployments/charts/BUILD +++ b/deployments/charts/BUILD @@ -32,3 +32,12 @@ filegroup( srcs = glob(["quick-start/**"]), visibility = ["//visibility:public"], ) + +sh_test( + name = "service_public_registry_secret_render_test", + srcs = ["service/tests/public_registry_secret_render_test.sh"], + data = [ + ":service", + "//deployments:values", + ], +) diff --git a/deployments/charts/service/templates/_helpers.tpl b/deployments/charts/service/templates/_helpers.tpl index 0aab73267..193d353f0 100644 --- a/deployments/charts/service/templates/_helpers.tpl +++ b/deployments/charts/service/templates/_helpers.tpl 
@@ -178,17 +178,36 @@ OSMO_CONFIGMAP_NAME deliberately references services.service.serviceName {{- end }} {{- end -}} +{{/* +The minimal deploy values keep nvcr-secret as the private-registry default for +existing deployments. Public installs can omit that Secret; in that case, do +not render references that make pods wait on or configs load a missing Secret. +*/}} +{{- define "osmo.config-secret-ref-enabled" -}} +{{- $secretName := .secretName | default "" -}} +{{- $root := .root -}} +{{- $imagePullSecret := $root.Values.global.imagePullSecret | default "" -}} +{{- if and (eq $secretName "nvcr-secret") (ne $imagePullSecret $secretName) (not (lookup "v1" "Secret" $root.Release.Namespace $secretName)) -}} +false +{{- else -}} +true +{{- end -}} +{{- end -}} + {{- define "osmo.configmap-volume-mounts" -}} {{- if .Values.services.configs.enabled }} - name: configs mountPath: /etc/osmo/configs readOnly: true {{- range .Values.services.configs.secretRefs }} +{{- $secretName := .secretName | default "" }} +{{- if and $secretName (eq (include "osmo.config-secret-ref-enabled" (dict "root" $ "secretName" $secretName) | trim) "true") }} - name: secret-{{ .secretName }} mountPath: /etc/osmo/secrets/{{ .secretName }} readOnly: true {{- end }} {{- end }} +{{- end }} {{- end -}} {{- define "osmo.configmap-volumes" -}} @@ -197,10 +216,12 @@ OSMO_CONFIGMAP_NAME deliberately references services.service.serviceName configMap: name: {{ .Values.services.service.serviceName }}-configs {{- range .Values.services.configs.secretRefs }} +{{- $secretName := .secretName | default "" }} +{{- if and $secretName (eq (include "osmo.config-secret-ref-enabled" (dict "root" $ "secretName" $secretName) | trim) "true") }} - name: secret-{{ .secretName }} secret: secretName: {{ .secretName }} {{- end }} {{- end }} +{{- end }} {{- end -}} -
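Review bot: The `lookup "v1" "Secret" $root.Release.Namespace $secretName` call in `osmo.config-secret-ref-enabled` ties the rendered manifest to live cluster state, and Helm's `lookup` returns an empty result under `helm template` and client-side `--dry-run`. In those renders the `nvcr-secret` mount and volume are dropped even when the Secret exists, unless `global.imagePullSecret` is also `nvcr-secret`. The same guard wraps the `osmo.configmap-volumes` entries in the hunk at -197, so both the volume and its mount vanish without any render-time signal. A Secret created after install is likewise not picked up until the next upgrade, and the installing identity needs read access to Secrets in the release namespace. Consider driving this from an explicit value, or keeping the volume and adding `optional: true` under `secret:` so a missing Secret does not block pod start; at minimum extend the helper comment with `lookup returns nothing under helm template/--dry-run, so nvcr-secret is treated as absent there`.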