diff --git a/docker/keystone/keystone-service-35357.json b/docker/keystone/keystone-service-35357.json
new file mode 100644
index 0000000000..08315bfba0
--- /dev/null
+++ b/docker/keystone/keystone-service-35357.json
@@ -0,0 +1,10 @@
+{
+ "id": "keystonemaster",
+ "kind": "Service",
+ "apiVersion": "v1beta1",
+ "port": 35357,
+ "containerPort": 35357,
+ "selector": {
+ "name": "keystone-master"
+ }
+}
diff --git a/docker/keystone/keystone-service-5000.json b/docker/keystone/keystone-service-5000.json
new file mode 100644
index 0000000000..4a95033693
--- /dev/null
+++ b/docker/keystone/keystone-service-5000.json
@@ -0,0 +1,10 @@
+{
+ "id": "keystonemaster",
+ "kind": "Service",
+ "apiVersion": "v1beta1",
+ "port": 5000,
+ "containerPort": 5000,
+ "selector": {
+ "name": "keystone-master"
+ }
+}
diff --git a/docker/keystone/keystone.json b/docker/keystone/keystone.json
new file mode 100644
index 0000000000..1eda27ca75
--- /dev/null
+++ b/docker/keystone/keystone.json
@@ -0,0 +1,24 @@
+{
+ "id": "keystone",
+ "desiredState": {
+ "manifest": {
+ "version": "v1beta1",
+ "id": "keystone-1",
+ "containers": [{
+ "name": "keystone",
+ "image": "docker.usersys.redhat.com/jlabocki/keystone",
+ "ports": [
+ {"containerPort": 5000},
+ {"containerPort": 35357},
+ ],
+ "env": [{
+ 'name': 'DB_ROOT_PASSWORD',
+ 'value': 'password'
+ }]
+ }]
+ }
+ },
+ "labels": {
+ "name": "keystone-master"
+ }
+}
diff --git a/docker/keystone/start b/docker/keystone/start
index 5b46dfedd9..2fcb91317b 100755
--- a/docker/keystone/start
+++ b/docker/keystone/start
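Review bot: keystone-service-35357.json and keystone-service-5000.json both declare `"id": "keystonemaster"`, so the two files describe the same Service object and whichever is created second will presumably be rejected or collide with the first. Each port needs its own id, for example `"id": "keystone-admin"` for 35357 and `"id": "keystone-public"` for 5000 (names constructed here; use whatever fits the project). Port 35357 is the endpoint the start script uses with the admin token, so it is worth confirming that publishing it as a service alongside port 5000 is intended, rather than keeping it reachable only from where administration happens.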
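Review bot: The `env` entry in docker/keystone/keystone.json commits a literal `DB_ROOT_PASSWORD` of `password`, so every deployment from this manifest shares a known database root credential; the value should be supplied at deploy time rather than checked in. The file is also not valid JSON as written: `{"containerPort": 35357},` leaves a trailing comma before `]`, and the `env` keys and values use single quotes where a strict parser requires `"name": "DB_ROOT_PASSWORD"`. The image reference carries no tag, so what actually runs depends on whatever the registry currently serves under that name.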
@@ -1,14 +1,23 @@ #!/bin/bash -e -env > /root/ENV +: ${KEYSTONE_DB_PASSWORD:=keystone} +: ${KEYSTONE_ADMIN_PASSWORD:=redhat} -socat UNIX-LISTEN:/var/lib/mysql/mysql.sock,fork,reuseaddr,unlink-early,user=mysql,group=mysql,mode=777 TCP:${SERVICE_HOST}:${MARIADBMASTER_SERVICE_PORT} & +if ! [ "$KEYSTONE_ADMIN_TOKEN" ]; then + KEYSTONE_ADMIN_TOKEN=$(openssl -hex 15) +fi -/usr/bin/openstack-db --service keystone --init --yes --rootpw ${DB_ROOT_PASSWORD} --password redhat +/usr/bin/openstack-db --service keystone --init --yes --rootpw ${DB_ROOT_PASSWORD} --password ${KEYSTONE_DB_PASSWORD} +crudini --set /etc/keystone/keystone.conf \ + database \ + connection \ + "mysql://keystone:${KEYSTONE_DB_PASSWORD}@${MARIADBMASTER_PORT_3306_TCP_ADDR}:MARIADBMASTER_PORT_3306_TCP_PORT/keystone" -sed -ri 's/#driver=keystone.identity.backends.sql.Identity/driver=keystone.identity.backends.sql.Identity/' /etc/keystone/keystone.conf -sed -ri 's/#idle_timeout=3600/idle_timeout=200/' /etc/keystone/keystone.conf +crudini --set /etc/keystone/keystone.conf \ + DEFAULT \ + admin_token \ + "${KEYSTONE_ADMIN_TOKEN}" /usr/bin/keystone-manage db_sync @@ -17,10 +26,10 @@ PID=$! /bin/sleep 5 -export SERVICE_TOKEN=`cat /root/ks_admin_token` +export SERVICE_TOKEN="${KEYSTONE_ADMIN_TOKEN}" export SERVICE_ENDPOINT="http://127.0.0.1:35357/v2.0" -/bin/keystone user-create --name admin --pass redhat +/bin/keystone user-create --name admin --pass ${KEYSTONE_ADMIN_PASSWORD} /bin/keystone role-create --name admin /bin/keystone tenant-create --name admin /bin/keystone user-role-add --user admin --role admin --tenant admin
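Review bot: In the first hunk of docker/keystone/start the token fallback runs `openssl -hex 15`, which names no subcommand and so fails without producing a token; `KEYSTONE_ADMIN_TOKEN=$(openssl rand -hex 15)` is presumably what was meant. The connection URL has the same kind of slip: `:MARIADBMASTER_PORT_3306_TCP_PORT/keystone` is literal text and should read `:${MARIADBMASTER_PORT_3306_TCP_PORT}/keystone`. The `:=keystone` and `:=redhat` defaults also mean a container started without those variables comes up with guessable database and admin credentials; `: ${KEYSTONE_ADMIN_PASSWORD:?KEYSTONE_ADMIN_PASSWORD must be set}` would make the script stop instead. The script continues outside this hunk.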
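Review bot: `--pass ${KEYSTONE_ADMIN_PASSWORD}` in the second hunk is expanded unquoted, so a password containing whitespace or glob characters is split or expanded before keystone sees it; write `--pass "${KEYSTONE_ADMIN_PASSWORD}"`. The same applies to `--rootpw ${DB_ROOT_PASSWORD} --password ${KEYSTONE_DB_PASSWORD}` on the openstack-db line in the first hunk. Both commands also place the secret in the process argument list, which may be readable by other processes in the container. A short comment above the `export SERVICE_TOKEN` line, such as `# bootstrap only: admin_token stays in keystone.conf after this script`, would tell operators that the token remains valid unless it is removed later; nothing in the visible lines removes it.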