diff --git a/keystone/Chart.yaml b/keystone/Chart.yaml
index 64c600a0cc..37c73f8e73 100644
--- a/keystone/Chart.yaml
+++ b/keystone/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Keystone
 name: keystone
-version: 0.2.14
+version: 0.2.15
 home: https://docs.openstack.org/keystone/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
 sources:
diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
index f4154932e2..b9f5701f7b 100644
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@@ -61,6 +61,23 @@ spec:
 terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
 initContainers:
 {{ tuple $envAll "api" $mounts_keystone_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: link-keys
+ image: {{ .Values.images.tags.keystone_api }}
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -c
+ args:
+ - set -xe;
+ find /etc/keystone/mounted-keys -type l -exec ln -sfn {} {{ .Values.conf.keystone.fernet_tokens.key_repository }} \; ;
+ chmod o-wrx {{ .Values.conf.keystone.fernet_tokens.key_repository }} ;
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: keystone-fernet-keys
+ mountPath: /etc/keystone/mounted-keys
+ - name: post-keystone-fernet-keys
+ mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
 containers:
 - name: keystone-api
 {{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -143,6 +160,8 @@ spec:
 {{- end }}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
 - name: keystone-fernet-keys
+ mountPath: /etc/keystone/mounted-keys
+ - name: post-keystone-fernet-keys
 mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
 {{- end }}
 - name: keystone-credential-keys
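Review bot: The `link-keys` init container is added without a template guard, while the two volumes it mounts, `keystone-fernet-keys` and `post-keystone-fernet-keys`, are declared only inside `{{- if eq .Values.conf.keystone.token.provider "fernet" }}` in the volumes hunk at `@@ -182,9 +201,12 @@`, so rendering with any other token provider yields a pod spec whose init container references undeclared volumes and is rejected at admission. Wrap the whole init container in the same guard, `{{- if eq .Values.conf.keystone.token.provider "fernet" }}` before `- name: link-keys` and `{{- end }}` after its last `mountPath:` line. The container also runs as `runAsUser: 0` although it only creates symlinks inside an emptyDir and runs `chmod o-wrx` on it; if the pod-level `fsGroup: 42424` added in values.yaml is rendered by the helm-toolkit security-context snippet (not visible here), the emptyDir is group-writable and this step can run as 42424 with `allowPrivilegeEscalation: false`, matching the keystone-api container. It further pins `image: {{ .Values.images.tags.keystone_api }}` with a hard-coded `imagePullPolicy: IfNotPresent` instead of the `helm-toolkit.snippets.image` snippet used for keystone-api two lines below, so pull-policy overrides in values will not apply to it.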
@@ -171,7 +190,7 @@ spec:
 - name: keystone-etc
 secret:
 secretName: keystone-etc
- defaultMode: 0444
+ defaultMode: 0440
 - name: keystone-bin
 configMap:
 name: keystone-bin
@@ -182,9 +201,12 @@ spec:
 secretName: keystone-ldap-tls
 {{- end }}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
+ - name: post-keystone-fernet-keys
+ emptyDir: {}
 - name: keystone-fernet-keys
 secret:
 secretName: keystone-fernet-keys
+ defaultMode: 0440
 {{- end }}
 - name: keystone-credential-keys
 secret:
diff --git a/keystone/values.yaml b/keystone/values.yaml
index 5f0e7aa1f8..4b04dcdf8d 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -163,10 +163,13 @@ pod:
 keystone:
 pod:
 runAsUser: 42424
+ fsGroup: 42424
 container:
 keystone_api:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
+ runAsGroup: 42424
+ fsGroup: 42424
 credential_setup:
 pod:
 runAsUser: 42424
diff --git a/releasenotes/notes/keystone.yaml b/releasenotes/notes/keystone.yaml
index 4221d9f6a3..4f0212c9f4 100644
--- a/releasenotes/notes/keystone.yaml
+++ b/releasenotes/notes/keystone.yaml
@@ -30,4 +30,5 @@ keystone:
 - 0.2.12 Helm 3 - Fix Job Labels
 - 0.2.13 Helm 3 - Fix more Job Labels
 - 0.2.14 Update htk requirements repo
+ - 0.2.15 Reduce log chattiness
 ...
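Review bot: `defaultMode: 0440` on `keystone-etc` (and the same value added to `keystone-fernet-keys` in the next hunk) is a plain YAML scalar that Helm's YAML 1.1 loader reads as octal 288, but a YAML 1.2 loader or a JSON round-trip reads it as decimal 440, which is mode 0670 and silently loosens the file to group-writable and world-readable; the Kubernetes documentation recommends the decimal form for this reason, `defaultMode: 288  # 0440`. Tightening to group-only read also means the keystone-api process can read these files only through the `fsGroup: 42424` added to values.yaml in a later hunk, which depends on the helm-toolkit pod security-context snippet actually rendering `fsGroup` — worth confirming in the rendered manifest. The `post-keystone-fernet-keys` emptyDir only ever receives the symlinks created by the `link-keys` init container, so a comment such as `# holds symlinks into keystone-fernet-keys only; no key material is copied here` would make the permission model clear to the next reader.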
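Review bot: `fsGroup: 42424` is added under `container.keystone_api`, but `fsGroup` exists only in the pod-level securityContext and has no container-level counterpart, so if the helm-toolkit container security-context snippet copies these keys verbatim the rendered container spec carries an unknown field that the API server drops or rejects depending on field validation; remove that line and keep the pod-level `fsGroup: 42424` added above it. `runAsGroup: 42424` at container level is valid and is what actually gives the process group access to the 0440 files. Separately, the release note added in the last hunk, `0.2.15 Reduce log chattiness`, does not describe this change; wording such as `0.2.15 Tighten fernet key and config file permissions` would match the diff.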