diff --git a/ceph/templates/configmap-etc.yaml b/ceph/templates/configmap-etc.yaml
index b6223f0c78..dc325292c2 100644
--- a/ceph/templates/configmap-etc.yaml
+++ b/ceph/templates/configmap-etc.yaml
@@ -19,7 +19,7 @@ limitations under the License.
 {{- if or (.Values.deployment.ceph) (.Values.deployment.client_secrets) }}
 
 {{- if empty .Values.conf.ceph.config.global.mon_host -}}
-{{- $monHost := tuple "ceph_mon" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $monHost := tuple "ceph_mon" "discovery" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
 {{- $monHost | set .Values.conf.ceph.config.global "mon_host" | quote | trunc 0 -}}
 {{- end -}}
 
diff --git a/ceph/templates/service-mon-discovery.yaml b/ceph/templates/service-mon-discovery.yaml
new file mode 100644
index 0000000000..a9e96c393c
--- /dev/null
+++ b/ceph/templates/service-mon-discovery.yaml
@@ -0,0 +1,42 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_mon_discovery }}
+{{- $envAll := . }}
+{{- if .Values.deployment.ceph }}
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: {{ tuple "ceph_mon" "discovery" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+  annotations:
+    # In kubernetes 1.6 and beyond, it seems there was a change in behavior
+    # requiring us to tolerate unready endpoints to form a quorum.  I can only
+    # guess at some small timing change causing statefulset+2 to not see the
+    # now ready statefulset+1, and because we do not tolerate unready endpoints
+    # a newly provisioned ceph-mon will most certainly never see itself in the
+    # peer list.  This change allows us to form a quorum reliably everytime
+    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+spec:
+  ports:
+  - port: {{ .Values.network.port.mon }}
+    protocol: TCP
+    targetPort: {{ .Values.network.port.mon }}
+  selector:
+{{ tuple $envAll "ceph" "mon" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  clusterIP: None
+{{- end }}
+{{- end }}
diff --git a/ceph/templates/service-mon.yaml b/ceph/templates/service-mon.yaml
index acb8375c9f..37e7ad18b7 100644
--- a/ceph/templates/service-mon.yaml
+++ b/ceph/templates/service-mon.yaml
@@ -21,15 +21,7 @@ limitations under the License.
 kind: Service
 apiVersion: v1
 metadata:
-  name: {{ .Values.endpoints.ceph_mon.hosts.default }}
-  annotations:
-    # In kubernetes 1.6 and beyond, it seems there was a change in behavior
-    # requiring us to tolerate unready endpoints to form a quorum.  I can only
-    # guess at some small timing change causing statefulset+2 to not see the
-    # now ready statefulset+1, and because we do not tolerate unready endpoints
-    # a newly provisioned ceph-mon will most certainly never see itself in the
-    # peer list.  This change allows us to form a quorum reliably everytime
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  name: {{ tuple "ceph_mon" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 spec:
   ports:
   - port: {{ .Values.network.port.mon }}
diff --git a/ceph/values.yaml b/ceph/values.yaml
index 63c0c00124..a0017cbd3b 100644
--- a/ceph/values.yaml
+++ b/ceph/values.yaml
@@ -212,23 +212,33 @@ dependencies:
     jobs:
   mon:
     jobs:
+      - ceph-storage-keys-generator
+      - ceph-mon-keyring-generator
   osd:
     jobs:
+      - ceph-storage-keys-generator
+      - ceph-osd-keyring-generator
     services:
     - service: ceph_mon
       endpoint: internal
   moncheck:
     jobs:
+      - ceph-storage-keys-generator
+      - ceph-mon-keyring-generator
     services:
     - service: ceph_mon
-      endpoint: internal
+      endpoint: discovery
   rgw:
     jobs:
+      - ceph-storage-keys-generator
+      - ceph-rgw-keyring-generator
     services:
     - service: ceph_mon
       endpoint: internal
   mds:
     jobs:
+      - ceph-storage-keys-generator
+      - ceph-mds-keyring-generator
     services:
     - service: ceph_mon
       endpoint: internal
@@ -258,6 +268,8 @@ dependencies:
       endpoint: internal
   mgr:
     jobs:
+      - ceph-storage-keys-generator
+      - ceph-mgr-keyring-generator
     services:
     - service: ceph_mon
       endpoint: internal
@@ -356,6 +368,7 @@ endpoints:
     namespace: null
     hosts:
       default: ceph-mon
+      discovery: ceph-mon-discovery
     host_fqdn_override:
       default: null
     port:
@@ -388,5 +401,6 @@ manifests:
   secret_keystone: true
   service_mgr: true
   service_mon: true
+  service_mon_discovery: true
   service_rgw: true
   storageclass: true