diff --git a/manifests/function/helm-operator/deployment.yaml b/manifests/function/helm-operator/deployment.yaml
index 21719051e..c5b3f6774 100644
--- a/manifests/function/helm-operator/deployment.yaml
+++ b/manifests/function/helm-operator/deployment.yaml
@@ -45,6 +45,13 @@ spec:
           requests:
             cpu: 50m
             memory: 64Mi
+        env:
+        - name: http_proxy
+          value: REPLACEMENT_HTTP_PROXY
+        - name: https_proxy
+          value: REPLACEMENT_HTTPS_PROXY
+        - name: no_proxy
+          value: REPLACEMENT_NO_PROXY
       serviceAccountName: helm-operator
       # See https://github.com/fluxcd/flux/pull/2116
       dnsPolicy: None
diff --git a/manifests/function/helm-operator/replacements/helm-operator-env-vars.yaml b/manifests/function/helm-operator/replacements/helm-operator-env-vars.yaml
new file mode 100644
index 000000000..f3f280bda
--- /dev/null
+++ b/manifests/function/helm-operator/replacements/helm-operator-env-vars.yaml
@@ -0,0 +1,34 @@
+# These rules inject env vars into the helm-operator function.
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: helm-operator-env-vars-replacements
+replacements:
+# Replace the proxy vars
+- source:
+    objref:
+      name: env-vars-catalogue
+    fieldref: env.HTTP_PROXY
+  target:
+    objref:
+      kind: Deployment
+      name: helm-operator
+    fieldrefs: ["spec.template.spec.containers[name=helm-operator].env[name=http_proxy].value%REPLACEMENT_HTTP_PROXY%"]
+- source:
+    objref:
+      name: env-vars-catalogue
+    fieldref: env.HTTPS_PROXY
+  target:
+    objref:
+      kind: Deployment
+      name: helm-operator
+    fieldrefs: ["spec.template.spec.containers[name=helm-operator].env[name=https_proxy].value%REPLACEMENT_HTTPS_PROXY%"]
+- source:
+    objref:
+      name: env-vars-catalogue
+    fieldref: env.NO_PROXY
+  target:
+    objref:
+      kind: Deployment
+      name: helm-operator
+    fieldrefs: ["spec.template.spec.containers[name=helm-operator].env[name=no_proxy].value%REPLACEMENT_NO_PROXY%"]
diff --git a/manifests/function/helm-operator/replacements/kustomization.yaml b/manifests/function/helm-operator/replacements/kustomization.yaml
index 1d43ee154..ddee62ce3 100644
--- a/manifests/function/helm-operator/replacements/kustomization.yaml
+++ b/manifests/function/helm-operator/replacements/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - versions.yaml
+  - helm-operator-env-vars.yaml
diff --git a/manifests/site/test-site/target/workers/kubeadmconfigtemplate.yaml b/manifests/site/test-site/target/workers/kubeadmconfigtemplate.yaml
index 4bd8d4b8d..20b070236 100644
--- a/manifests/site/test-site/target/workers/kubeadmconfigtemplate.yaml
+++ b/manifests/site/test-site/target/workers/kubeadmconfigtemplate.yaml
@@ -27,6 +27,20 @@ spec:
           net.bridge.bridge-nf-call-iptables = 1
           EOF
         - sysctl --system
+        - |
+          mkdir -p /etc/systemd/system/docker.service.d/
+          cat <<EOF | tee /etc/systemd/system/docker.service.d/http-proxy.conf
+          [Service]
+          Environment="HTTP_PROXY=REPLACEMENT_HTTP_PROXY"
+          Environment="HTTPS_PROXY=REPLACEMENT_HTTPS_PROXY"
+          Environment="NO_PROXY=REPLACEMENT_NO_PROXY"
+          EOF
+        - export HTTP_PROXY=REPLACEMENT_HTTP_PROXY
+        - export HTTPS_PROXY=REPLACEMENT_HTTPS_PROXY
+        - export http_proxy=${HTTP_PROXY}
+        - export https_proxy=${HTTPS_PROXY}
+        - export NO_PROXY=REPLACEMENT_NO_PROXY
+        - export no_proxy=${NO_PROXY}
         - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
         - curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
         - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
@@ -41,6 +55,7 @@ spec:
         - apt-mark hold kubelet kubeadm
         - systemctl mask ntp
         - systemctl enable --now systemd-timesyncd
+        - unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY no_proxy NO_PROXY
       users:
         - name: deployer
           sshAuthorizedKeys:
diff --git a/manifests/site/test-site/target/workers/kustomization.yaml b/manifests/site/test-site/target/workers/kustomization.yaml
index ece1a696c..0c94f53b2 100644
--- a/manifests/site/test-site/target/workers/kustomization.yaml
+++ b/manifests/site/test-site/target/workers/kustomization.yaml
@@ -5,3 +5,7 @@ resources:
   - kubeadmconfigtemplate.yaml
   - metal3machinetemplate.yaml
   - machinedeployment.yaml
+  - ../../../../function/airshipctl-base-catalogues
+
+transformers:
+  - replacements
diff --git a/manifests/site/test-site/target/workers/replacements/kustomization.yaml b/manifests/site/test-site/target/workers/replacements/kustomization.yaml
new file mode 100644
index 000000000..5bef2323b
--- /dev/null
+++ b/manifests/site/test-site/target/workers/replacements/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - workers-env-vars.yaml
diff --git a/manifests/site/test-site/target/workers/replacements/workers-env-vars.yaml b/manifests/site/test-site/target/workers/replacements/workers-env-vars.yaml
new file mode 100644
index 000000000..89e217f55
--- /dev/null
+++ b/manifests/site/test-site/target/workers/replacements/workers-env-vars.yaml
@@ -0,0 +1,34 @@
+# These rules inject env vars into the workers.
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: workers-env-vars-replacements
+replacements:
+# Replace the proxy vars
+- source:
+    objref:
+      name: env-vars-catalogue
+    fieldref: env.HTTP_PROXY
+  target:
+    objref:
+      kind: KubeadmConfigTemplate
+      name: worker-1
+    fieldrefs: ["spec.template.spec.preKubeadmCommands%REPLACEMENT_HTTP_PROXY%"]
+- source:
+    objref:
+      name: env-vars-catalogue
+    fieldref: env.HTTPS_PROXY
+  target:
+    objref:
+      kind: KubeadmConfigTemplate
+      name: worker-1
+    fieldrefs: ["spec.template.spec.preKubeadmCommands%REPLACEMENT_HTTPS_PROXY%"]
+- source:
+    objref:
+      name: env-vars-catalogue
+    fieldref: env.NO_PROXY
+  target:
+    objref:
+      kind: KubeadmConfigTemplate
+      name: worker-1
+    fieldrefs: ["spec.template.spec.preKubeadmCommands%REPLACEMENT_NO_PROXY%"]