diff --git a/keystone/templates/bin/_db-sync.sh.tpl b/keystone/templates/bin/_db-sync.sh.tpl
index 473d773e72..d9fdae2618 100644
--- a/keystone/templates/bin/_db-sync.sh.tpl
+++ b/keystone/templates/bin/_db-sync.sh.tpl
@@ -27,3 +27,5 @@ keystone-manage --config-file=/etc/keystone/keystone.conf bootstrap \
     --bootstrap-public-url ${OS_BOOTSTRAP_PUBLIC_URL} \
     --bootstrap-internal-url ${OS_BOOTSTRAP_INTERNAL_URL} \
     --bootstrap-region-id ${OS_REGION_NAME}
+
+exec python /tmp/endpoint-update.py
diff --git a/keystone/templates/bin/_endpoint-update.py.tpl b/keystone/templates/bin/_endpoint-update.py.tpl
new file mode 100644
index 0000000000..88930f5626
--- /dev/null
+++ b/keystone/templates/bin/_endpoint-update.py.tpl
@@ -0,0 +1,114 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+#!/usr/bin/env python
+import os
+import sys
+import ConfigParser
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm Keystone Endpoint management')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+    if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+        os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+        sys.exit(1)
+    if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+        os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+    else:
+        logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+        sys.exit(1)
+    try:
+        config = ConfigParser.RawConfigParser()
+        logger.info("Using {0} as db config source".format(os_conf))
+        config.read(os_conf)
+        logger.info("Trying to load db config from {0}:{1}".format(
+            os_conf_section, os_conf_key))
+        user_db_conn = config.get(os_conf_section, os_conf_key)
+        logger.info("Got config from {0}".format(os_conf))
+    except:
+        logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+        raise
+elif "DB_CONNECTION" in os.environ:
+    user_db_conn = os.environ['DB_CONNECTION']
+    logger.info('Got config from DB_CONNECTION env var')
+else:
+    logger.critical('Could not get db config, either from config file or env var')
+    sys.exit(1)
+
+# User DB engine
+try:
+    user_engine = create_engine(user_db_conn)
+except:
+    logger.critical('Could not get user database config')
+    raise
+
+# Set Internal Endpoint
+try:
+    endpoint_url = os.environ['OS_BOOTSTRAP_INTERNAL_URL']
+    user_engine.execute(
+        "update endpoint set url = '{0}' where interface ='internal' and service_id = (select id from service where service.type = 'identity')".
+        format(endpoint_url))
+except:
+    logger.critical("Could not update internal endpoint")
+    raise
+
+# Set Admin Endpoint
+try:
+    endpoint_url = os.environ['OS_BOOTSTRAP_ADMIN_URL']
+    user_engine.execute(
+        "update endpoint set url = '{0}' where interface ='admin' and service_id = (select id from service where service.type = 'identity')".
+        format(endpoint_url))
+except:
+    logger.critical("Could not update admin endpoint")
+    raise
+
+# Set Public Endpoint
+try:
+    endpoint_url = os.environ['OS_BOOTSTRAP_PUBLIC_URL']
+    user_engine.execute(
+        "update endpoint set url = '{0}' where interface ='public' and service_id = (select id from service where service.type = 'identity')".
+        format(endpoint_url))
+except:
+    logger.critical("Could not update public endpoint")
+    raise
+
+# Print endpoints
+try:
+    endpoints = user_engine.execute(
+        "select interface, url from endpoint where service_id = (select id from service where service.type = 'identity')"
+    ).fetchall()
+    for row in endpoints:
+        logger.info("endpoint ({0}): {1}".format(row[0], row[1]))
+except:
+    logger.critical("Could not update endpoint")
+    raise
+
+logger.info('Finished Endpoint Management')
diff --git a/keystone/templates/configmap-bin.yaml b/keystone/templates/configmap-bin.yaml
index 1b5892b68f..b06aa84630 100644
--- a/keystone/templates/configmap-bin.yaml
+++ b/keystone/templates/configmap-bin.yaml
@@ -43,6 +43,8 @@ data:
 {{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
   keystone-api.sh: |
 {{ tuple "bin/_keystone-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  endpoint-update.py: |
+{{ tuple "bin/_endpoint-update.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   fernet-manage.py: |
 {{ tuple "bin/_fernet-manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   domain-manage-init.sh: |
diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml
index be84f64134..56a39b8937 100644
--- a/keystone/templates/job-db-sync.yaml
+++ b/keystone/templates/job-db-sync.yaml
@@ -23,16 +23,42 @@ env:
     value: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
   - name: OS_BOOTSTRAP_PUBLIC_URL
     value: {{ tuple "identity" "public" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+  - name: OPENSTACK_CONFIG_FILE
+    value: "/etc/keystone/keystone.conf"
+  - name: OPENSTACK_CONFIG_DB_SECTION
+    value: "database"
+  - name: OPENSTACK_CONFIG_DB_KEY
+    value: "connection"
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 2}}
 {{- end }}
 {{- end }}
 
+{{- define "keystone.templates._job_db_sync.pod_vol_mounts" -}}
+{{- $envAll := index . 0 -}}
+volumeMounts:
+  - name: db-sync-sh
+    mountPath: /tmp/endpoint-update.py
+    subPath: endpoint-update.py
+    readOnly: true
+  - name: keystone-fernet-keys
+    mountPath: {{ $envAll.Values.conf.keystone.fernet_tokens.key_repository }}
+    readOnly: true
+{{- end }}
+
+{{- define "keystone.templates._job_db_sync.pod_vols" -}}
+{{- $envAll := index . 0 -}}
+volumes:
+  - name: keystone-fernet-keys
+    secret:
+      secretName: keystone-fernet-keys
+{{- end }}
+
 {{- if .Values.manifests.job_db_sync }}
 {{- $local := dict "podVolMounts" false "podVols" false -}}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
-{{- $_ := set $local "podVolMounts" (list (dict "name" "keystone-fernet-keys" "mountPath" .Values.conf.keystone.fernet_tokens.key_repository "readOnly" true )) }}
-{{- $_ := set $local "podVols" (list (dict "name" "keystone-fernet-keys" "secret" (dict "secretName" "keystone-fernet-keys"))) }}
+{{- $_ := set $local "podVolMounts" ( index ( tuple . | include "keystone.templates._job_db_sync.pod_vol_mounts" | toString | fromYaml ) "volumeMounts" ) }}
+{{- $_ := set $local "podVols" ( index ( tuple . | include "keystone.templates._job_db_sync.pod_vols" | toString | fromYaml ) "volumes" ) }}
 {{- end }}
 {{- $podEnvVars := tuple . | include "keystone.templates._job_db_sync.env_vars" | toString | fromYaml }}
 {{- $dbSyncJob := dict "envAll" . "serviceName" "keystone" "podVolMounts" $local.podVolMounts "podVols" $local.podVols "podEnvVars" $podEnvVars.env -}}