diff --git a/prometheus-openstack-exporter/templates/deployment.yaml b/prometheus-openstack-exporter/templates/deployment.yaml
index 05e5db9d9..ac5db3699 100644
--- a/prometheus-openstack-exporter/templates/deployment.yaml
+++ b/prometheus-openstack-exporter/templates/deployment.yaml
@@ -83,7 +83,7 @@ spec:
             - name: LISTEN_PORT
               value: {{ tuple "prometheus_openstack_exporter" "internal" "exporter" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
 {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.prometheus_openstack_exporter | indent 12 }}
-{{- with $env := dict "ksUserSecret" $ksUserSecret }}
+{{- with $env := dict "ksUserSecret" $ksUserSecret "useCA" .Values.manifests.certificates }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
           volumeMounts:
@@ -93,6 +93,7 @@ spec:
               mountPath: /tmp/prometheus-openstack-exporter.sh
               subPath: prometheus-openstack-exporter.sh
               readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
       volumes:
         - name: pod-tmp
           emptyDir: {}
@@ -100,4 +101,5 @@ spec:
           configMap:
             name: prometheus-openstack-exporter-bin
             defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
diff --git a/prometheus-openstack-exporter/templates/job-ks-user.yaml b/prometheus-openstack-exporter/templates/job-ks-user.yaml
index 7059cbcde..294cd35aa 100644
--- a/prometheus-openstack-exporter/templates/job-ks-user.yaml
+++ b/prometheus-openstack-exporter/templates/job-ks-user.yaml
@@ -51,8 +51,9 @@ spec:
               mountPath: /tmp/ks-user.sh
               subPath: ks-user.sh
               readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
           env:
-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
@@ -69,4 +70,5 @@ spec:
           configMap:
             name: prometheus-openstack-exporter-bin
             defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
diff --git a/prometheus-openstack-exporter/values.yaml b/prometheus-openstack-exporter/values.yaml
index 55a01bd25..611fc7b4e 100644
--- a/prometheus-openstack-exporter/values.yaml
+++ b/prometheus-openstack-exporter/values.yaml
@@ -134,6 +134,14 @@ secrets:
   identity:
     admin: prometheus-openstack-exporter-keystone-admin
     user: prometheus-openstack-exporter-keystone-user
+  tls:
+    identity:
+      api:
+        # This name should be same as in keystone. Keystone
+        # secret will be used in these charts
+        #
+        internal: keystone-tls-api
+
 
 endpoints:
   cluster_domain_suffix: cluster.local
@@ -212,6 +220,7 @@ network_policy:
       - {}
 
 manifests:
+  certificates: false
   configmap_bin: true
   deployment: true
   job_image_repo_sync: true
diff --git a/prometheus-openstack-exporter/values_overrides/tls.yaml b/prometheus-openstack-exporter/values_overrides/tls.yaml
new file mode 100644
index 000000000..99667ca85
--- /dev/null
+++ b/prometheus-openstack-exporter/values_overrides/tls.yaml
@@ -0,0 +1,4 @@
+---
+manifests:
+  certificates: true
+...