diff --git a/dev/functions b/dev/functions
index c81659018..bc23a902e 100644
--- a/dev/functions
+++ b/dev/functions
@@ -40,6 +40,10 @@ function config_defaults {
 # Whether to deploy seed services.
 export KAYOBE_SEED_SERVICE_DEPLOY=${KAYOBE_SEED_SERVICE_DEPLOY:-1}
+ # Whether to use the 'kolla-ansible certificates' command to generate X.509
+ # certificates.
+ export KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES=${KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES:-0}
+
 # Whether to build container images for the overcloud services. If 0, they
 # will be pulled if $KAYOBE_OVERCLOUD_CONTAINER_IMAGE_PULL is 1.
 export KAYOBE_OVERCLOUD_CONTAINER_IMAGE_BUILD=${KAYOBE_OVERCLOUD_CONTAINER_IMAGE_BUILD:-0}
@@ -346,6 +350,11 @@ function overcloud_deploy {
 echo "Workaround: upgrading the controller host"
 run_kayobe overcloud host upgrade
+ if [[ ${KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES} = 1 ]]; then
+ echo "Generate TLS certificates"
+ run_kayobe kolla ansible run certificates --kolla-extra kolla_certificates_dir=${KAYOBE_CONFIG_PATH}/kolla/certificates
+ fi
+
 # Note: This must currently be before host configure, because host
 # configure runs kolla-ansible.yml, which validates the presence of the
 # built deploy images.
diff --git a/playbooks/kayobe-overcloud-base/globals.yml.j2 b/playbooks/kayobe-overcloud-base/globals.yml.j2
new file mode 100644
index 000000000..e0903653d
--- /dev/null
+++ b/playbooks/kayobe-overcloud-base/globals.yml.j2
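Review bot: `${KAYOBE_CONFIG_PATH}` is expanded unquoted inside the `--kolla-extra` argument of the new `run_kayobe kolla ansible run certificates` line, so a config path containing whitespace or glob characters would be split into extra arguments; quote the whole key=value, `run_kayobe kolla ansible run certificates --kolla-extra "kolla_certificates_dir=${KAYOBE_CONFIG_PATH}/kolla/certificates"`. The `[[ ... = 1 ]]` guard is fine as written, since `[[` does not word-split. The comment in the first hunk says what the variable enables but nothing says where the generated material ends up; if the command also writes the CA private key beneath that directory, a one-line comment above the `if` noting that the directory holds development-only key material and must not be committed would help. overcloud_deploy continues outside the hunk.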
@@ -0,0 +1,17 @@
+---
+# Most development environments will use nested virtualisation, and we can't
+# guarantee that nested KVM support is available. Use QEMU as a lowest common
+# denominator.
+nova_compute_virt_type: qemu
+
+# Reduce the control plane's memory footprint by limiting the number of worker
+# processes to one per-service.
+openstack_service_workers: "1"
+
+{% if tls_enabled %}
+# TLS
+kolla_copy_ca_into_containers: "yes"
+kolla_enable_tls_backend: "yes"
+openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
+kolla_admin_openrc_cacert: "{% raw %}{{ '{{' }} kolla_certificates_dir }}{% endraw %}/ca/root.crt"
+{% endif %}
diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2
index c6d9ca056..bea6e2e98 100644
--- a/playbooks/kayobe-overcloud-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-base/overrides.yml.j2
@@ -24,3 +24,14 @@ pip_index_url: "http://{{ zuul_site_mirror_fqdn }}/pypi/simple"
 # are using for SSH to be removed. Use a dummy interface.
 aio_bridge_ports:
 - dummy1
+
+{% if tls_enabled %}
+kolla_enable_tls_external: "yes"
+kolla_enable_tls_internal: "yes"
+
+# FIXME: ipa-images fails to access OS_CACERT from /home/zuul.
+kayobe_ansible_user: zuul
+
+kolla_ironic_pxe_append_params_extra:
+ - ipa-insecure=1
+{% endif %}
diff --git a/playbooks/kayobe-overcloud-base/pre.yml b/playbooks/kayobe-overcloud-base/pre.yml
index 99e3d5f25..38ca53d2a 100644
--- a/playbooks/kayobe-overcloud-base/pre.yml
+++ b/playbooks/kayobe-overcloud-base/pre.yml
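Review bot: The `kolla_admin_openrc_cacert` value is hard to read because it is escaped for what looks like three templating passes — Zuul's `{% raw %}` block, then the `{{ '{{' }}` presumably meant to survive kayobe's own rendering of globals.yml, leaving kolla_certificates_dir joined with `/ca/root.crt` for kolla-ansible — and nothing in the file says so. A comment above the line such as `# Escaped for three template passes (Zuul raw block, kayobe, kolla-ansible); kolla-ansible ends up with kolla_certificates_dir + /ca/root.crt.` would save the next reader from re-deriving it (keep braces out of the comment, since it sits inside the Zuul-rendered `{% if %}` block). The TLS settings are also split between this file (`kolla_enable_tls_backend`, `openstack_cacert`) and overrides.yml.j2 (`kolla_enable_tls_external`/`internal`); a short comment pointing at the other file would keep the two halves discoverable.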
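Review bot: `ipa-insecure=1` under `kolla_ironic_pxe_append_params_extra` disables certificate verification in the ironic-python-agent, as the name suggests, so the new TLS job does not actually validate the trust chain on the bare-metal provisioning path, and the FIXME above only explains the `kayobe_ansible_user` change. State that next to the setting, e.g. `# FIXME: IPA cannot reach the CA bundle yet, so agent-side TLS verification is off in CI only; remove once the cacert is readable.`, so the gap is visible when someone reads this job as a TLS pass. Whether this block is consumed outside CI depends on how overrides.yml is used, which is not visible here.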
@@ -10,6 +10,12 @@
 src: overrides.yml.j2
 dest: "{{ kayobe_config_src_dir }}/etc/kayobe/zz-overrides.yml"
+ - name: Ensure kolla-ansible globals.yml override config file exists
+ template:
+ src: globals.yml.j2
+ dest: "{{ kayobe_config_src_dir }}/etc/kayobe/kolla/globals.yml"
+ when: tls_enabled
+
 # NOTE(mgoddard): The kayobe dev config by default expects a bridge -
 # breth1 - to exist with an IP address of 192.168.33.3.
 - name: Ensure all-in-one network bridge interface exists
diff --git a/playbooks/kayobe-overcloud-base/run.yml b/playbooks/kayobe-overcloud-base/run.yml
index 8e3e18db5..8c60006da 100644
--- a/playbooks/kayobe-overcloud-base/run.yml
+++ b/playbooks/kayobe-overcloud-base/run.yml
@@ -2,6 +2,7 @@
 - hosts: primary
 environment:
 KAYOBE_CONFIG_SOURCE_PATH: "{{ kayobe_config_src_dir }}"
+ KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES: "{{ tls_enabled | ternary(1, 0) }}"
 tasks:
 - name: Ensure overcloud is deployed
 shell:
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index cc2903777..194ec9d3e 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -77,6 +77,7 @@
 requirements_src_dir: "{{ ansible_env.PWD ~ '/' ~ zuul.projects['opendev.org/openstack/requirements'].src_dir }}"
 tenks_src_dir: "{{ ansible_env.PWD ~ '/' ~ zuul.projects['opendev.org/openstack/tenks'].src_dir }}"
 is_upgrade: "{{ 'upgrade' in zuul.job }}"
+ tls_enabled: false
 - job:
 name: kayobe-overcloud-base
@@ -94,6 +95,17 @@
 parent: kayobe-overcloud-base
 nodeset: kayobe-centos8
+- job:
+ name: kayobe-overcloud-tls-base
+ parent: kayobe-overcloud-base
+ vars:
+ tls_enabled: true
+
+- job:
+ name: kayobe-overcloud-tls-centos8
+ parent: kayobe-overcloud-tls-base
+ nodeset: kayobe-centos8
+
 - job:
 name: kayobe-overcloud-upgrade-base
 parent: kayobe-base
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 80375c810..d15df0727 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
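Review bot: The new template task is guarded with `when: tls_enabled`, yet globals.yml.j2 already wraps its TLS keys in `{% if tls_enabled %}` and also carries non-TLS settings (`nova_compute_virt_type: qemu`, `openstack_service_workers: "1"`); as written those two only take effect in the TLS job, so the TLS and non-TLS jobs differ by more than TLS — unless the base dev config already sets them, which is not visible here. Either drop the `when:` so the file is always rendered and the Jinja guard alone decides, or move the non-TLS keys out of the template. It is also worth confirming that `etc/kayobe/kolla/globals.yml` does not already exist in the config checkout, since the template task would silently replace it.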
@@ -11,6 +11,7 @@
 - kayobe-tox-ansible
 - kayobe-tox-molecule
 - kayobe-overcloud-centos8
+ - kayobe-overcloud-tls-centos8
 - kayobe-overcloud-host-configure-centos8
 - kayobe-overcloud-upgrade-centos8
 - kayobe-seed-centos8
@@ -24,6 +25,7 @@
 - kayobe-tox-ansible
 - kayobe-tox-molecule
 - kayobe-overcloud-centos8
+ - kayobe-overcloud-tls-centos8
 - kayobe-overcloud-host-configure-centos8
 - kayobe-overcloud-upgrade-centos8
 - kayobe-seed-centos8