diff --git a/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000000..4c8cf6ab57
--- /dev/null
+++ b/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,28 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.rally_test" }}
+#!/bin/bash
+set -ex
+
+: ${RALLY_ENV_NAME:="openstack-helm"}
+rally-manage db create
+rally deployment create --fromenv --name ${RALLY_ENV_NAME}
+rally deployment use ${RALLY_ENV_NAME}
+rally deployment check
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally deployment destroy --deployment ${RALLY_ENV_NAME}
+rally task sla-check
+{{- end }}
diff --git a/keystone/templates/configmap-bin.yaml b/keystone/templates/configmap-bin.yaml
index e773dea900..ccbd9c003b 100644
--- a/keystone/templates/configmap-bin.yaml
+++ b/keystone/templates/configmap-bin.yaml
@@ -17,6 +17,8 @@ kind: ConfigMap
 metadata:
   name: keystone-bin
 data:
+  rally-test.sh: |
+{{- include "helm-toolkit.scripts.rally_test" . | indent 4 }}
   db-init.py: |
 {{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
   db-sync.sh: |
diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml
index c51751074f..ddf987c56e 100644
--- a/keystone/templates/configmap-etc.yaml
+++ b/keystone/templates/configmap-etc.yaml
@@ -31,6 +31,18 @@ kind: ConfigMap
 metadata:
   name: keystone-etc
 data:
+  rally_tests.yaml: |+
+{{ if .Values.conf.rally_tests.override -}}
+{{ .Values.conf.rally_tests.override | indent 4 }}
+{{- else -}}
+{{- if .Values.conf.rally_tests.prefix -}}
+{{ .Values.conf.rally_tests.prefix | indent 4 }}
+{{- end }}
+{{ tuple "etc/_rally_tests.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if .Values.conf.rally_tests.append -}}
+{{ .Values.conf.rally_tests.append | indent 4 }}
+{{- end }}
   keystone.conf: |+
 {{ if .Values.conf.keystone.override -}}
 {{ .Values.conf.keystone.override | indent 4 }}
diff --git a/keystone/templates/etc/_rally_tests.yaml.tpl b/keystone/templates/etc/_rally_tests.yaml.tpl
new file mode 100644
index 0000000000..26b515c95b
--- /dev/null
+++ b/keystone/templates/etc/_rally_tests.yaml.tpl
@@ -0,0 +1,201 @@
+---
+KeystoneBasic.add_and_remove_user_role:
+- context:
+    users:
+      tenants: 1
+      users_per_tenant: 1
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.authenticate_user_and_validate_token:
+- args: {}
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_add_and_list_user_roles:
+- context:
+    users:
+      tenants: 1
+      users_per_tenant: 1
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_and_delete_ec2credential:
+- context:
+    users:
+      tenants: 1
+      users_per_tenant: 1
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_and_delete_role:
+- runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_and_delete_service:
+- args:
+    description: test_description
+    service_type: Rally_test_type
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_and_get_role:
+- args: {}
+  context:
+    users:
+      tenants: 1
+      users_per_tenant: 1
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_and_list_ec2credentials:
+- context:
+    users:
+      tenants: 1
+      users_per_tenant: 1
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_and_list_services:
+- args:
+    description: test_description
+    service_type: Rally_test_type
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_and_list_tenants:
+- args: {}
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_and_list_users:
+- args: {}
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_delete_user:
+- args: {}
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_tenant:
+- args: {}
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_tenant_with_users:
+- args:
+    users_per_tenant: 1
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_update_and_delete_tenant:
+- args: {}
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_user:
+- args: {}
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_user_set_enabled_and_delete:
+- args:
+    enabled: true
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+- args:
+    enabled: false
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.create_user_update_password:
+- args: {}
+  runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
+KeystoneBasic.get_entities:
+- runner:
+    concurrency: 1
+    times: 1
+    type: constant
+  sla:
+    failure_rate:
+      max: 0
diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml
new file mode 100644
index 0000000000..01777eb862
--- /dev/null
+++ b/keystone/templates/pod-rally-test.yaml
@@ -0,0 +1,75 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- $envAll := . }}
+{{- $ksAdminSecret := .Values.keystone.admin_secret | default "keystone-env-keystone-admin" }}
+{{- $dependencies := .Values.dependencies.tests }}
+{{- $mounts_keystone_tests := .Values.mounts.keystone_tests.keystone_tests }}
+{{- $mounts_keystone_tests_init := .Values.mounts.keystone_tests.init_container }}
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{.Release.Name}}-rally-test"
+  annotations:
+    "helm.sh/hook": test-success
+    pod.beta.kubernetes.io/init-containers: '[
+{{ tuple $envAll $dependencies $mounts_keystone_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 10 }}
+    ]'
+spec:
+  restartPolicy: Never
+  containers:
+    - name: {{.Release.Name}}-token-issue-test
+      image: {{ .Values.images.test }}
+      imagePullPolicy: {{ .Values.images.pull_policy }}
+      {{- if .Values.resources.enabled }}
+      resources:
+        limits:
+          cpu: {{ .Values.resources.tests.limits.cpu | quote }}
+          memory: {{ .Values.resources.tests.limits.memory | quote }}
+        requests:
+          cpu: {{ .Values.resources.tests.requests.cpu | quote }}
+          memory: {{ .Values.resources.tests.requests.memory | quote }}
+      {{- end }}
+      env:
+{{- with $env := dict "ksUserSecret" $ksAdminSecret }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+        - name: RALLY_ENV_NAME
+          value: {{.Release.Name}}
+      command:
+        - bash
+        - /tmp/rally-test.sh
+      volumeMounts:
+        - name: keystone-etc
+          mountPath: /etc/rally/rally_tests.yaml
+          subPath: rally_tests.yaml
+          readOnly: true
+        - name: keystone-bin
+          mountPath: /tmp/rally-test.sh
+          subPath: rally-test.sh
+          readOnly: true
+        - name: rally-db
+          mountPath: /var/lib/rally
+{{ if $mounts_keystone_tests.volumeMounts }}{{ toYaml $mounts_keystone_tests.volumeMounts | indent 8 }}{{ end }}
+  volumes:
+    - name: keystone-etc
+      configMap:
+        name: keystone-etc
+    - name: keystone-bin
+      configMap:
+        name: keystone-bin
+    - name: rally-db
+      emptyDir: {}
+{{ if $mounts_keystone_tests.volumes }}{{ toYaml $mounts_keystone_tests.volumes | indent 4 }}{{ end }}
diff --git a/keystone/templates/secret-keystone-admin.env.yaml b/keystone/templates/secret-keystone-admin.env.yaml
new file mode 100644
index 0000000000..3652bb7a13
--- /dev/null
+++ b/keystone/templates/secret-keystone-admin.env.yaml
@@ -0,0 +1,34 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: keystone-env-keystone-admin
+type: Opaque
+data:
+  OS_AUTH_URL: |
+{{ tuple "identity" "admin" "admin" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
+  OS_REGION_NAME: |
+{{ .Values.keystone.admin_region_name  | b64enc | indent 4 }}
+  OS_PROJECT_DOMAIN_NAME: |
+{{ .Values.keystone.admin_project_domain  | b64enc | indent 4 }}
+  OS_PROJECT_NAME: |
+{{ .Values.keystone.admin_project_name  | b64enc | indent 4 }}
+  OS_USER_DOMAIN_NAME: |
+{{ .Values.keystone.admin_user_domain  | b64enc | indent 4 }}
+  OS_USERNAME: |
+{{ .Values.keystone.admin_user  | b64enc | indent 4 }}
+  OS_PASSWORD: |
+{{ .Values.keystone.admin_password  | b64enc | indent 4 }}
diff --git a/keystone/values.yaml b/keystone/values.yaml
index 011260b172..78c196fffb 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -24,6 +24,7 @@ labels:
   node_selector_value: enabled
 
 images:
+  test: docker.io/kolla/ubuntu-binary-rally:4.0.0
   db_init: docker.io/kolla/ubuntu-source-keystone:3.0.3
   db_sync: docker.io/kolla/ubuntu-source-keystone:3.0.3
   api: docker.io/kolla/ubuntu-source-keystone:3.0.3
@@ -52,6 +53,8 @@ keystone:
   admin_user: admin
   admin_password: password
   admin_project_name: admin
+  admin_user_domain: default
+  admin_project_domain: default
 
 network:
   api:
@@ -81,6 +84,9 @@ dependencies:
   init:
     service:
     - mariadb
+  tests:
+    service:
+    - keystone-api
 
 resources:
   enabled: false
@@ -106,6 +112,13 @@ resources:
       requests:
         memory: "128Mi"
         cpu: "500m"
+  tests:
+    limits:
+      memory: "128Mi"
+      cpu: "500m"
+    requests:
+      memory: "128Mi"
+      cpu: "500m"
 
 mounts:
   keystone_db_init:
@@ -117,8 +130,14 @@ mounts:
   keystone_api:
     init_container: null
     keystone_api:
+  keystone_tests:
+    init_container: null
+    keystone_tests:
 
 conf:
+  rally_tests:
+    override:
+    append:
   paste:
     override:
     append:
diff --git a/tools/gate/basic_launch.sh b/tools/gate/basic_launch.sh
index 40188a59cc..f1eb9e09ea 100755
--- a/tools/gate/basic_launch.sh
+++ b/tools/gate/basic_launch.sh
@@ -28,6 +28,7 @@ kube_wait_for_pods openstack 600
 
 helm install local/keystone --name=keystone --namespace=openstack
 kube_wait_for_pods openstack 240
+helm_test_deployment keystone
 
 # NOTE(portdirect): Temp workaround until module loading is supported by
 # OpenStack-Helm in Fedora
diff --git a/tools/gate/funcs/helm.sh b/tools/gate/funcs/helm.sh
index d672210a18..0aa308af11 100755
--- a/tools/gate/funcs/helm.sh
+++ b/tools/gate/funcs/helm.sh
@@ -73,3 +73,11 @@ function helm_lint {
 function helm_build {
   make TASK=build -C ${WORK_DIR}
 }
+
+function helm_test_deployment {
+  DEPLOYMENT=$1
+  helm test ${DEPLOYMENT}
+  mkdir -p ${LOGS_DIR}/rally
+  kubectl logs -n openstack ${DEPLOYMENT}-rally-test > ${LOGS_DIR}/rally/${DEPLOYMENT}
+  kubectl delete -n openstack pod ${DEPLOYMENT}-rally-test
+}