diff --git a/gitops/charts/onelab/templates/statefulset-postgres.yaml b/gitops/charts/onelab/templates/statefulset-postgres.yaml
index e0f0bcf..696bc91 100644
--- a/gitops/charts/onelab/templates/statefulset-postgres.yaml
+++ b/gitops/charts/onelab/templates/statefulset-postgres.yaml
@@ -20,6 +20,12 @@ spec:
 app.kubernetes.io/component: postgres
 app.kubernetes.io/name: {{ include "onelab.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+ annotations:
+ {{- if .Values.registry.createPullSecret }}
+ checksum/docker-registry: {{ include "onelab.dockerconfigjson" . | sha256sum | quote }}
+ {{- else if not (empty .Values.imagePullSecrets) }}
+ checksum/image-pull-secrets: {{ .Values.imagePullSecrets | toJson | sha256sum | quote }}
+ {{- end }}
 spec:
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
diff --git a/gitops/charts/onelab/templates/statefulset-rabbitmq.yaml b/gitops/charts/onelab/templates/statefulset-rabbitmq.yaml
index 16f35a7..7d33ed9 100644
--- a/gitops/charts/onelab/templates/statefulset-rabbitmq.yaml
+++ b/gitops/charts/onelab/templates/statefulset-rabbitmq.yaml
@@ -20,6 +20,12 @@ spec:
 app.kubernetes.io/component: rabbitmq
 app.kubernetes.io/name: {{ include "onelab.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+ annotations:
+ {{- if .Values.registry.createPullSecret }}
+ checksum/docker-registry: {{ include "onelab.dockerconfigjson" . | sha256sum | quote }}
+ {{- else if not (empty .Values.imagePullSecrets) }}
+ checksum/image-pull-secrets: {{ .Values.imagePullSecrets | toJson | sha256sum | quote }}
+ {{- end }}
 spec:
 hostname: onelab
 {{- with .Values.imagePullSecrets }}
diff --git a/gitops/docs/BOOTSTRAP.md b/gitops/docs/BOOTSTRAP.md
index 825f91c..19746eb 100644
--- a/gitops/docs/BOOTSTRAP.md
+++ b/gitops/docs/BOOTSTRAP.md
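Review bot: The `checksum/docker-registry` annotation puts an unsalted SHA-256 of the rendered `onelab.dockerconfigjson` output (presumably the registry username and password) into pod-template metadata, here and in the identical hunk for statefulset-rabbitmq.yaml. Pod annotations are readable by anyone who can get pods in the namespace or view the rendered manifests, which is usually a wider audience than those allowed to read the Secret, so a human-chosen registry password could be confirmed by offline guessing against the digest. I would add a template comment above the `if`, such as `{{- /* digest of registry credentials lands in pod metadata: use a generated registry token, not a human-chosen password */}}`, and state the same requirement wherever `registry.createPullSecret` is documented. The `else` branch hashes only the secret names from `.Values.imagePullSecrets`, so it exposes nothing, but it also will not change when an externally created secret is rotated in place. The pod template's `metadata` block begins above the hunk.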
@@ -15,6 +15,16 @@ kubectl create secret docker-registry hub-andrewalliance -n onelab \ …and set `registry.createPullSecret: false` plus `imagePullSecrets: [{ name: hub-andrewalliance }]`. +### StatefulSet pods still get `401 Unauthorized` / `ImagePullBackOff` after enabling registry auth + +If `db-0` / `rabbitmq-0` were created **before** `imagePullSecrets` existed, their **Pod** spec can still use anonymous pulls until they are recreated: + +```bash +kubectl delete pod -n onelab db-0 rabbitmq-0 +``` + +The chart adds a pod-template checksum so a `helm upgrade` after changing registry credentials normally rolls these pods; a one-time delete is enough if you toggled pull secrets outside that path. + ## 2. Argo CD + private Git (`git.luneski.fr`) If the Application shows `authentication required: Unauthorized`, register the repo in Argo CD (CLI or UI):