diff --git a/charts/crossplane-late/templates/opentofu/provider-config.yaml b/charts/crossplane-late/templates/opentofu/provider-config.yaml
new file mode 100644
index 00000000..282714d8
--- /dev/null
+++ b/charts/crossplane-late/templates/opentofu/provider-config.yaml
@@ -0,0 +1,33 @@
+apiVersion: opentofu.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: opentofu
+spec:
+  # Note that unlike most provider configs this one supports an array of
+  # credentials. This is because each tofu workspace uses a single
+  # Crossplane provider config, but could use multiple Terraform providers each
+  # with their own credentials.
+  credentials: []
+  # - filename: gcp-credentials.json
+  #   source: Secret
+  #   secretRef:
+  #     namespace: upbound-system
+  #     name: opentofu-gcp-creds
+  #     key: credentials
+  # This optional configuration block can be used to inject HCL into any
+  # workspace that uses this provider config, for example to setup Terraform
+  # providers.
+  configuration: |
+    // provider "google" {
+    //   credentials = "gcp-credentials.json"
+    //   project     = "YOUR-GCP-PROJECT-ID"
+    // }
+
+    // Modules _must_ use remote state. The provider does not persist state.
+    terraform {
+      backend "kubernetes" {
+        secret_suffix     = "providerconfig-opentofu"
+        namespace         = "crossplane"
+        in_cluster_config = true
+      }
+    }