diff --git a/keystone/Chart.yaml b/keystone/Chart.yaml
index 8a247fbe61..e3a9ce64ad 100644
--- a/keystone/Chart.yaml
+++ b/keystone/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Keystone
 name: keystone
-version: 0.2.28
+version: 0.2.29
 home: https://docs.openstack.org/keystone/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
 sources:
diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml
index 048332794f..b1336b1c0d 100644
--- a/keystone/templates/job-bootstrap.yaml
+++ b/keystone/templates/job-bootstrap.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "5"
 
 {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
 {{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}}
+{{- if and ( or .Values.manifests.certificates .Values.tls.identity) .Values.secrets.tls.identity.api.internal -}}
 {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
 {{- end -}}
 {{- if .Values.pod.tolerations.keystone.enabled -}}
diff --git a/keystone/values.yaml b/keystone/values.yaml
index d6ad7b9d51..d5c5bc7631 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -1087,6 +1087,11 @@ endpoints:
       ingress:
         default: 80
 
+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
   certificates: false
   configmap_bin: true
diff --git a/keystone/values_overrides/tls-custom.yaml b/keystone/values_overrides/tls-custom.yaml
new file mode 100644
index 0000000000..a9dbaa3ff8
--- /dev/null
+++ b/keystone/values_overrides/tls-custom.yaml
@@ -0,0 +1,19 @@
+---
+endpoints:
+  identity:
+    auth:
+      admin:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+      test:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+
+secrets:
+  tls:
+    identity:
+      api:
+        # manually created
+        internal: keystone-tls-api
+
+tls:
+  identity: true
+...
diff --git a/releasenotes/notes/keystone.yaml b/releasenotes/notes/keystone.yaml
index d74a67bebe..d5699f3160 100644
--- a/releasenotes/notes/keystone.yaml
+++ b/releasenotes/notes/keystone.yaml
@@ -44,4 +44,5 @@ keystone:
   - 0.2.26 Add Xena and Yoga values overrides
   - 0.2.27 Use LOG.warning instead of deprecated LOG.warn
   - 0.2.28 Added OCI registry authentication
+  - 0.2.29 Support TLS endpoints
 ...