diff --git a/.woodpecker.yml b/.woodpecker.yml index d9db98a..7c35259 100644 --- a/.woodpecker.yml +++ b/.woodpecker.yml @@ -435,6 +435,11 @@ steps: integration-test: image: alpine/k8s:1.30.2 + environment: + DOCKERHUB_USER: + from_secret: docker_username + DOCKERHUB_TOKEN: + from_secret: docker_password commands: - bash infra/inttest/run_pipeline.sh --image-tag ${CI_COMMIT_SHA} --results-file inttest-results.json when: diff --git a/infra/inttest/minio.yaml b/infra/inttest/minio.yaml index 9265349..d8029ee 100644 --- a/infra/inttest/minio.yaml +++ b/infra/inttest/minio.yaml @@ -25,6 +25,8 @@ spec: tier: infra spec: automountServiceAccountToken: false + imagePullSecrets: + - name: dockerhub-credentials securityContext: runAsNonRoot: true runAsUser: 1000 @@ -116,6 +118,8 @@ spec: app: minio-bucket-init tier: infra spec: + imagePullSecrets: + - name: dockerhub-credentials automountServiceAccountToken: false securityContext: runAsNonRoot: true diff --git a/infra/inttest/run_pipeline.sh b/infra/inttest/run_pipeline.sh index 78c509e..b825e3d 100755 --- a/infra/inttest/run_pipeline.sh +++ b/infra/inttest/run_pipeline.sh 
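Review bot: `DOCKERHUB_TOKEN` in the `integration-test` step is filled from `docker_password`, which by its name looks like the credential used for publishing images, while this step only needs to pull. A dedicated read-only Docker Hub access token stored as its own secret would keep a write-capable credential out of a step that runs `infra/inttest/run_pipeline.sh` from the checked-out commit, for example `from_secret: dockerhub_pull_token` (placeholder secret name). The step's `when:` block is cut off by the hunk, so confirm that neither the step nor these secrets are exposed to pull-request events from forks.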
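Review bot: Only the two pod specs in `infra/inttest/minio.yaml` reference `dockerhub-credentials`, while the stage comment in `run_pipeline.sh` names postgres and redis as well; if those manifests pull from Docker Hub they will presumably still pull anonymously and hit the same rate limit. The secret is also optional, since the script skips it when `DOCKERHUB_USER`/`DOCKERHUB_TOKEN` are unset, which deserves a comment above each reference such as `# optional: created by run_pipeline.sh when Docker Hub credentials are set`. The second hunk places `imagePullSecrets` before `automountServiceAccountToken` and the first places it after; use one order in both pod specs.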
@@ -224,6 +224,25 @@ else log "GHCR_TOKEN not set — skipping image pull secret (images must be pullable without auth)" fi +# ── Create Docker Hub pull secret (avoid rate limits) ──────────────────────── +if [ -n "${DOCKERHUB_USER:-}" ] && [ -n "${DOCKERHUB_TOKEN:-}" ]; then + log "Creating dockerhub-credentials secret ..." + kubectl create secret docker-registry dockerhub-credentials \ + --docker-server=https://index.docker.io/v1/ \ + --docker-username="$DOCKERHUB_USER" \ + --docker-password="$DOCKERHUB_TOKEN" \ + -n "$NAMESPACE" || true +else + log "DOCKERHUB_USER/TOKEN not set — skipping Docker Hub pull secret" +fi + +# ── Create proxy CA cert ConfigMap (for Squid SSL bump) ───────────────────── +CA_CERT_URL="http://192.168.42.1/home.crt" +if curl -sf "$CA_CERT_URL" -o /tmp/home.crt 2>/dev/null; then + kubectl create configmap proxy-ca-cert --from-file=ca.crt=/tmp/home.crt -n "$NAMESPACE" 2>/dev/null || true + log "proxy-ca-cert ConfigMap created" +fi + # ══════════════════════════════════════════════════════════════════════════════ # Stage: Deploy infra (postgres, redis, minio) # ══════════════════════════════════════════════════════════════════════════════
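Review bot: The proxy CA block installs whatever `http://192.168.42.1/home.crt` returns as a CA certificate, fetched over plain HTTP with no integrity check, so anything able to answer or alter that request decides which root the workloads mounting `proxy-ca-cert` will trust for TLS. Verify the download against a pinned SHA-256 supplied by CI (or commit the certificate to the repository) before creating the ConfigMap, write it to a `mktemp` path rather than the fixed `/tmp/home.crt`, and bound the fetch with `--max-time`. As written, "proxy-ca-cert ConfigMap created" is logged even when `kubectl` fails, because `2>/dev/null || true` hides the error. The `|| true` on the `dockerhub-credentials` secret likewise hides a failed or stale secret. `PROXY_CA_SHA256` in the sketch below is a placeholder variable name.

```shell
# … unchanged: Docker Hub pull secret block …

CA_CERT_URL="http://192.168.42.1/home.crt"
# PROXY_CA_SHA256 (placeholder name): expected SHA-256 of the proxy CA, set as a CI variable
ca_tmp="$(mktemp)"
if curl -sf --max-time 10 "$CA_CERT_URL" -o "$ca_tmp" 2>/dev/null; then
  ca_sum="$(sha256sum "$ca_tmp" | cut -d' ' -f1)"
  if [ -n "${PROXY_CA_SHA256:-}" ] && [ "$ca_sum" = "$PROXY_CA_SHA256" ]; then
    if kubectl create configmap proxy-ca-cert --from-file=ca.crt="$ca_tmp" -n "$NAMESPACE"; then
      log "proxy-ca-cert ConfigMap created"
    else
      log "proxy-ca-cert ConfigMap could not be created"
    fi
  else
    log "proxy CA cert did not match the pinned SHA-256 — not installing it"
  fi
fi
rm -f "$ca_tmp"
```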