diff --git a/apis/core/v1beta1/openstackcontrolplane_types.go b/apis/core/v1beta1/openstackcontrolplane_types.go
index 7d5244e11..5eb9533f0 100644
--- a/apis/core/v1beta1/openstackcontrolplane_types.go
+++ b/apis/core/v1beta1/openstackcontrolplane_types.go
@@ -30,7 +30,6 @@ import (
 keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
 condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 "github.com/openstack-k8s-operators/lib-common/modules/common/route"
- "github.com/openstack-k8s-operators/lib-common/modules/common/service"
 "github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 "github.com/openstack-k8s-operators/lib-common/modules/common/util"
 "github.com/openstack-k8s-operators/lib-common/modules/storage"
@@ -822,17 +821,3 @@ func SetupDefaults() {
 SetupOpenStackControlPlaneDefaults(openstackControlPlaneDefaults)
 }
-
-// Enabled - returns status of tls configuration for the passed in endpoint type
-func (t *TLSSection) Enabled(endpt service.Endpoint) bool {
- if t != nil {
- switch endpt {
- case service.EndpointPublic:
- return t.Ingress.Enabled
-
- case service.EndpointInternal:
- return t.PodLevel.Enabled
- }
- }
- return false
-}
diff --git a/apis/go.mod b/apis/go.mod
index f43174670..0f64626c5 100644
--- a/apis/go.mod
+++ b/apis/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/openstack-k8s-operators/horizon-operator/api v0.3.1-0.20240304130922-946bc7dd0996
 github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240308113717-eaf5876d69c3
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91
- github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240307113114-033a606862c3
+ github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240310093110-b4b2614f40ba
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240306153230-dc65ab49ebc0
 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb
@@ -54,7 +54,7 @@ require (
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 // indirect
 github.com/google/uuid v1.6.0 // indirect
- github.com/gophercloud/gophercloud v1.10.0 // indirect
+ github.com/gophercloud/gophercloud v1.11.0 // indirect
 github.com/imdario/mergo v0.3.16 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
diff --git a/apis/go.sum b/apis/go.sum
index 0fbc9fd37..28af2c1a3 100644
--- a/apis/go.sum
+++ b/apis/go.sum
@@ -46,8 +46,8 @@ github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 h1:pUa4ghanp6q4IJHwE9
 github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gophercloud/gophercloud v1.10.0 h1:watRMsaMDlSLuLkpLeLSQ87yvcuwIajNg6A5uLcjoIU=
-github.com/gophercloud/gophercloud v1.10.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM=
+github.com/gophercloud/gophercloud v1.11.0 h1:ls0O747DIq1D8SUHc7r2vI8BFbMLeLFuENaAIfEx7OM=
+github.com/gophercloud/gophercloud v1.11.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -89,8 +89,8 @@ github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240308113717-e
 github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240308113717-eaf5876d69c3/go.mod h1:yPqJ+WU8jApuDXNUjpTxMafihuZpX3Yik9ZXqGaxYBQ=
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91 h1:3yvrS33IOQibrXJJlVs/fDxLi5RCZlN5oDrR2c8aShk=
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91/go.mod h1:Yac7wRClzl1/a7uBso4w8wq6Rjm+JLIouEsLre7VSDE=
-github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240307113114-033a606862c3 h1:jMxdglPqLMuIM+s1aC1tYXz/NihB/BaMyutReg2fXpg=
-github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240307113114-033a606862c3/go.mod h1:UruMUJ8wX1fQPcY3olYneAx04Z1alk2Phq33prkoLZw=
+github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240310093110-b4b2614f40ba h1:0wfKrQMGwjh/kKTH/UpZGKk91HrnReYieHFG73OC+Vg=
+github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240310093110-b4b2614f40ba/go.mod h1:gB/IeXuvocAv0yNSf79U1lBHhbx6fdWUB501xFJ0l+A=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0 h1:1Q/9F3SAKvLN9vX+YxwaEB0WvBekj9eakQPoQbI1K6w=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0/go.mod h1:R2plZL2JdwDMJwv9+pkPmCB1Mww81J75G0MxRzi2Kug=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240306153230-dc65ab49ebc0 h1:HRoVOnK5nOSvYKU3Y2N8Ed2SikuRQYSRESeo/ILv0vM=
diff --git a/go.mod b/go.mod
index 262e5897e..108939e51 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,7 @@ require (
 github.com/openstack-k8s-operators/horizon-operator/api v0.3.1-0.20240304130922-946bc7dd0996
 github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240308113717-eaf5876d69c3
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91
- github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240307113114-033a606862c3
+ github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240310093110-b4b2614f40ba
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240306153230-dc65ab49ebc0
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0
 github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240306153230-dc65ab49ebc0
@@ -67,7 +67,7 @@ require (
 github.com/google/go-cmp v0.6.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 // indirect
- github.com/gophercloud/gophercloud v1.10.0 // indirect
+ github.com/gophercloud/gophercloud v1.11.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0 // indirect
diff --git a/go.sum b/go.sum
index 92d29da9c..21119329f 100644
--- a/go.sum
+++ b/go.sum
@@ -52,8 +52,8 @@ github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 h1:pUa4ghanp6q4IJHwE9
 github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gophercloud/gophercloud v1.10.0 h1:watRMsaMDlSLuLkpLeLSQ87yvcuwIajNg6A5uLcjoIU=
-github.com/gophercloud/gophercloud v1.10.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM=
+github.com/gophercloud/gophercloud v1.11.0 h1:ls0O747DIq1D8SUHc7r2vI8BFbMLeLFuENaAIfEx7OM=
+github.com/gophercloud/gophercloud v1.11.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -103,8 +103,8 @@ github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240308113717-e
 github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240308113717-eaf5876d69c3/go.mod h1:yPqJ+WU8jApuDXNUjpTxMafihuZpX3Yik9ZXqGaxYBQ=
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91 h1:3yvrS33IOQibrXJJlVs/fDxLi5RCZlN5oDrR2c8aShk=
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91/go.mod h1:Yac7wRClzl1/a7uBso4w8wq6Rjm+JLIouEsLre7VSDE=
-github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240307113114-033a606862c3 h1:jMxdglPqLMuIM+s1aC1tYXz/NihB/BaMyutReg2fXpg=
-github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240307113114-033a606862c3/go.mod h1:UruMUJ8wX1fQPcY3olYneAx04Z1alk2Phq33prkoLZw=
+github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240310093110-b4b2614f40ba h1:0wfKrQMGwjh/kKTH/UpZGKk91HrnReYieHFG73OC+Vg=
+github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240310093110-b4b2614f40ba/go.mod h1:gB/IeXuvocAv0yNSf79U1lBHhbx6fdWUB501xFJ0l+A=
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240306153230-dc65ab49ebc0 h1:5uv4LtcThS4hcfuecTJj+rXifbsPGcKRiyTvFXyDgNU=
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240306153230-dc65ab49ebc0/go.mod h1:GGbtUK5VQ/BHIT3n0ia31bzNJaQIAANhzT/nC6pygbQ=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0 h1:1Q/9F3SAKvLN9vX+YxwaEB0WvBekj9eakQPoQbI1K6w=
diff --git a/pkg/openstack/barbican.go b/pkg/openstack/barbican.go
index f22b67b5b..9af4b3e0e 100644
--- a/pkg/openstack/barbican.go
+++ b/pkg/openstack/barbican.go
@@ -54,7 +54,7 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr
 }
 // preserve any previously set TLS certs, set CA cert
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 instance.Spec.Barbican.Template.BarbicanAPI.TLS = barbican.Spec.BarbicanAPI.TLS
 }
 instance.Spec.Barbican.Template.BarbicanAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
diff --git a/pkg/openstack/cinder.go b/pkg/openstack/cinder.go
index 037d816bf..15f79ee60 100644
--- a/pkg/openstack/cinder.go
+++ b/pkg/openstack/cinder.go
@@ -56,7 +56,7 @@ func ReconcileCinder(ctx context.Context, instance *corev1beta1.OpenStackControl
 }
 // preserve any previously set TLS certs,set CA cert
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 instance.Spec.Cinder.Template.CinderAPI.TLS = cinder.Spec.CinderAPI.TLS
 }
 instance.Spec.Cinder.Template.CinderAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
diff --git a/pkg/openstack/glance.go b/pkg/openstack/glance.go
index d61fc2cc5..d044c4e3c 100644
--- a/pkg/openstack/glance.go
+++ b/pkg/openstack/glance.go
@@ -68,7 +68,7 @@ func ReconcileGlance(ctx context.Context, instance *corev1beta1.OpenStackControl
 }
 // preserve any previously set TLS certs,set CA cert
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 glanceAPI.TLS.API = glance.Spec.GlanceAPIs[name].TLS.API
 }
 glanceAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
diff --git a/pkg/openstack/heat.go b/pkg/openstack/heat.go
index 833999363..e615a9cb4 100644
--- a/pkg/openstack/heat.go
+++ b/pkg/openstack/heat.go
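Review bot: The removed `TLSSection.Enabled` helper guarded against a nil receiver (`if t != nil`), while the replacement `instance.Spec.TLS.PodLevel.Enabled` dereferences the field unconditionally; if `Spec.TLS` is a value-typed `TLSSection` nothing changes, but if it is a pointer the nil case now panics where it used to return false, and the type definition that decides this is outside the hunk. The same substitution is made in cinder, glance, heat, horizon, ironic, keystone, manila, neutron, nova, ovn, placement, rabbitmq and swift, so confirming the field type once covers all of them; should it turn out to be a pointer, the guard would be `if instance.Spec.TLS != nil && instance.Spec.TLS.PodLevel.Enabled {`. ReconcileBarbican starts and ends outside the hunk.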
@@ -67,7 +67,7 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 }
 // preserve any previously set TLS certs,set CA cert
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 instance.Spec.Heat.Template.HeatAPI.TLS = heat.Spec.HeatAPI.TLS
 instance.Spec.Heat.Template.HeatCfnAPI.TLS = heat.Spec.HeatCfnAPI.TLS
 }
diff --git a/pkg/openstack/horizon.go b/pkg/openstack/horizon.go
index 0e1e94e64..6327dede5 100644
--- a/pkg/openstack/horizon.go
+++ b/pkg/openstack/horizon.go
@@ -58,7 +58,7 @@ func ReconcileHorizon(ctx context.Context, instance *corev1beta1.OpenStackContro
 }
 // preserve any previously set TLS certs, set CA cert
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 instance.Spec.Horizon.Template.TLS = horizon.Spec.TLS
 }
 instance.Spec.Horizon.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
diff --git a/pkg/openstack/ironic.go b/pkg/openstack/ironic.go
index 5c110e7cd..308b3e92f 100644
--- a/pkg/openstack/ironic.go
+++ b/pkg/openstack/ironic.go
@@ -64,7 +64,7 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl
 }
 // preserve any previously set TLS certs,set CA cert
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 instance.Spec.Ironic.Template.IronicAPI.TLS = ironic.Spec.IronicAPI.TLS
 instance.Spec.Ironic.Template.IronicInspector.TLS = ironic.Spec.IronicInspector.TLS
 }
diff --git a/pkg/openstack/keystone.go b/pkg/openstack/keystone.go
index bab5c1613..4a47f04cc 100644
--- a/pkg/openstack/keystone.go
+++ b/pkg/openstack/keystone.go
@@ -57,7 +57,7 @@ func ReconcileKeystoneAPI(ctx context.Context, instance *corev1beta1.OpenStackCo
 }
 // preserve any previously set TLS certs,set CA cert
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 instance.Spec.Keystone.Template.TLS = keystoneAPI.Spec.TLS
 }
 instance.Spec.Keystone.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
diff --git a/pkg/openstack/manila.go b/pkg/openstack/manila.go
index b0ed614d1..1626cf070 100644
--- a/pkg/openstack/manila.go
+++ b/pkg/openstack/manila.go
@@ -56,7 +56,7 @@ func ReconcileManila(ctx context.Context, instance *corev1beta1.OpenStackControl
 }
 // preserve any previously set TLS certs, set CA cert
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 instance.Spec.Manila.Template.ManilaAPI.TLS = manila.Spec.ManilaAPI.TLS
 }
 instance.Spec.Manila.Template.ManilaAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
diff --git a/pkg/openstack/memcached.go b/pkg/openstack/memcached.go
index 5877478a1..3c1d839c2 100644
--- a/pkg/openstack/memcached.go
+++ b/pkg/openstack/memcached.go
@@ -6,13 +6,17 @@ import (
 "strings"
 memcachedv1 "github.com/openstack-k8s-operators/infra-operator/apis/memcached/v1beta1"
+ "github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 "github.com/openstack-k8s-operators/lib-common/modules/common/helper"
+ "github.com/openstack-k8s-operators/lib-common/modules/common/service"
+ "github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -81,8 +85,11 @@ func ReconcileMemcacheds(
 }
 // then reconcile ones listed in spec
+ var ctrlResult ctrl.Result
+ var err error
+ var status memcachedStatus
 for name, spec := range instance.Spec.Memcached.Templates {
- status, err := reconcileMemcached(ctx, instance, helper, name, &spec)
+ status, ctrlResult, err = reconcileMemcached(ctx, instance, helper, name, &spec)
 switch status {
 case memcachedFailed:
@@ -105,7 +112,7 @@ func ReconcileMemcacheds(
 corev1beta1.OpenStackControlPlaneMemcachedReadyErrorMessage,
 errors))
- return ctrl.Result{}, fmt.Errorf(errors)
+ return ctrlResult, fmt.Errorf(errors)
 } else if len(inprogress) > 0 {
 instance.Status.Conditions.Set(condition.FalseCondition(
@@ -120,7 +127,7 @@ func ReconcileMemcacheds(
 )
 }
- return ctrl.Result{}, nil
+ return ctrlResult, nil
 }
 // reconcileMemcached -
@@ -130,7 +137,7 @@ func reconcileMemcached(
 helper *helper.Helper,
 name string,
 spec *memcachedv1.MemcachedSpec,
-) (memcachedStatus, error) {
+) (memcachedStatus, ctrl.Result, error) {
 memcached := &memcachedv1.Memcached{
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
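Review bot: `ctrlResult` is overwritten on every iteration of `for name, spec := range instance.Spec.Memcached.Templates`, so a requeue requested by one template (reconcileMemcached returns a non-zero Result while its certificate is pending) is discarded whenever a later template returns `ctrl.Result{}`, and map iteration order makes which one survives nondeterministic. The -105 hunk additionally returns `ctrlResult` next to a non-nil error; controller-runtime ignores the Result when the error is non-nil (and warns when it is non-zero), so that path should keep returning `ctrl.Result{}`. Keeping the requeue only when a template actually asks for one fixes both; ReconcileMemcacheds starts before the first hunk and its -81, -105 and -120 hunks are all affected. The widened `(memcachedStatus, ctrl.Result, error)` signature in the -130 hunk also leaves the `// reconcileMemcached -` comment empty; it should say that a non-zero Result means the serving certificate is not issued yet and the caller must requeue.
```go
	// then reconcile ones listed in spec
	var ctrlResult ctrl.Result
	for name, spec := range instance.Spec.Memcached.Templates {
		status, res, err := reconcileMemcached(ctx, instance, helper, name, &spec)
		// keep any requeue request; a later template returning an empty Result must not clear it
		if res != (ctrl.Result{}) {
			ctrlResult = res
		}
		// … unchanged: status switch and failed/inprogress bookkeeping …
	}
	// … unchanged: error condition …
		return ctrl.Result{}, fmt.Errorf(errors)
	// … unchanged: inprogress condition …
	return ctrlResult, nil
```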
@@ -142,15 +149,51 @@ func reconcileMemcached(
 if !instance.Spec.Memcached.Enabled {
 if _, err := EnsureDeleted(ctx, helper, memcached); err != nil {
- return memcachedFailed, err
+ return memcachedFailed, ctrl.Result{}, err
 }
 instance.Status.Conditions.Remove(corev1beta1.OpenStackControlPlaneMemcachedReadyCondition)
- return memcachedReady, nil
+ return memcachedReady, ctrl.Result{}, nil
 }
 Log.Info("Reconciling Memcached", "Memcached.Namespace", instance.Namespace, "Memcached.Name", name)
+
+ tlsCert := ""
+ if instance.Spec.TLS.PodLevel.Enabled {
+ certRequest := certmanager.CertificateRequest{
+ IssuerName: tls.DefaultCAPrefix + string(service.EndpointInternal),
+ CertName: fmt.Sprintf("%s-svc", memcached.Name),
+ Hostnames: []string{
+ fmt.Sprintf("%s.%s.svc", name, instance.Namespace),
+ fmt.Sprintf("*.%s.%s.svc", name, instance.Namespace),
+ },
+ }
+ if instance.Spec.TLS.PodLevel.Internal.Cert.Duration != nil {
+ certRequest.Duration = &instance.Spec.TLS.PodLevel.Internal.Cert.Duration.Duration
+ }
+ if instance.Spec.TLS.PodLevel.Internal.Cert.RenewBefore != nil {
+ certRequest.RenewBefore = &instance.Spec.TLS.PodLevel.Internal.Cert.RenewBefore.Duration
+ }
+ certSecret, ctrlResult, err := certmanager.EnsureCert(
+ ctx,
+ helper,
+ certRequest)
+ if err != nil {
+ return memcachedFailed, ctrlResult, err
+ } else if (ctrlResult != ctrl.Result{}) {
+ return memcachedCreating, ctrlResult, nil
+ }
+
+ tlsCert = certSecret.Name
+ }
+
 op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), memcached, func() error {
 spec.DeepCopyInto(&memcached.Spec)
+
+ if tlsCert != "" {
+ memcached.Spec.TLS.SecretName = ptr.To(tlsCert)
+ }
+ memcached.Spec.TLS.CaBundleSecretName = tls.CABundleSecret
+ + err := controllerutil.SetControllerReference(helper.GetBeforeObject(), memcached, helper.GetScheme())
 if err != nil {
 return err
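Review bot: Inside the CreateOrPatch mutate function the CA bundle is taken from the lib-common constant `tls.CABundleSecret`, whereas every other service template touched by this change (barbican through swift, and the OVN specs) copies `instance.Status.TLS.CaBundleSecretName`; unless the two are guaranteed to be the same secret, memcached will silently diverge from the rest if the status value ever changes, so `memcached.Spec.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName` would keep it consistent. The certificate request mirrors the one built in reconcileRabbitMQ (same issuer, `%s-svc` name, `name.ns.svc` plus wildcard hostnames, Duration/RenewBefore overrides); a shared helper would stop the two SAN sets from drifting, though that can be a follow-up. Because the request runs before the CR is created, a non-zero Result from `EnsureCert` means the Memcached CR is neither created nor patched on that pass, which deserves a one-line comment such as `// the serving cert must be issued before the CR is created; requeue until cert-manager has it`. reconcileMemcached continues past the end of the hunk.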
@@ -160,15 +203,15 @@ func reconcileMemcached(
 })
 if err != nil {
- return memcachedFailed, err
+ return memcachedFailed, ctrl.Result{}, err
 }
 if op != controllerutil.OperationResultNone {
 Log.Info(fmt.Sprintf("Memcached %s - %s", memcached.Name, op))
 }
 if memcached.IsReady() {
- return memcachedReady, nil
+ return memcachedReady, ctrl.Result{}, nil
 }
- return memcachedCreating, nil
+ return memcachedCreating, ctrl.Result{}, nil
 }
diff --git a/pkg/openstack/neutron.go b/pkg/openstack/neutron.go
index 5a2b16c2a..41cae2bb9 100644
--- a/pkg/openstack/neutron.go
+++ b/pkg/openstack/neutron.go
@@ -59,7 +59,7 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro
 }
 // preserve any previously set TLS certs,set CA cert
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 instance.Spec.Neutron.Template.TLS = neutronAPI.Spec.TLS
 serviceName := "neutron"
diff --git a/pkg/openstack/nova.go b/pkg/openstack/nova.go
index 3ad37a08f..dc971d5ff 100644
--- a/pkg/openstack/nova.go
+++ b/pkg/openstack/nova.go
@@ -76,7 +76,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 nova.Name+"-api")
 }
 // preserve any previously set TLS certs,set CA cert
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 instance.Spec.Nova.Template.APIServiceTemplate.TLS = nova.Spec.APIServiceTemplate.TLS
 }
 instance.Spec.Nova.Template.APIServiceTemplate.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
@@ -89,7 +89,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 instance.Spec.Nova.Template.MetadataServiceTemplate.Override.Service.AddLabel(centralMetadataLabelMap(nova.Name))
 // preserve any previously set TLS certs,set CA cert
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 instance.Spec.Nova.Template.MetadataServiceTemplate.TLS = nova.Spec.MetadataServiceTemplate.TLS
 }
 instance.Spec.Nova.Template.MetadataServiceTemplate.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
@@ -104,7 +104,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 cellTemplate.NoVNCProxyServiceTemplate.Override.Service.AddLabel(getNoVNCProxyLabelMap(nova.Name, cellName))
 // preserve any previously set TLS certs,set CA cert
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 cellTemplate.NoVNCProxyServiceTemplate.TLS = nova.Spec.CellTemplates[cellName].NoVNCProxyServiceTemplate.TLS
 }
 cellTemplate.NoVNCProxyServiceTemplate.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
@@ -118,7 +118,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 cellTemplate.MetadataServiceTemplate.Override.Service.AddLabel(cellMetadataLabelMap(nova.Name, cellName))
 // preserve any previously set TLS certs,set CA cert
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 cellTemplate.MetadataServiceTemplate.TLS = nova.Spec.CellTemplates[cellName].MetadataServiceTemplate.TLS
 }
 cellTemplate.MetadataServiceTemplate.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
@@ -166,7 +166,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 }
 // create certificate for central Metadata agent if internal TLS and Metadata are enabled
- if instance.Spec.TLS.Enabled(service.EndpointInternal) &&
+ if instance.Spec.TLS.PodLevel.Enabled &&
 metadataEnabled(instance.Spec.Nova.Template.MetadataServiceTemplate) {
 certScrt, ctrlResult, err := certmanager.EnsureCertForServiceWithSelector(
 ctx,
@@ -187,7 +187,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 // cell Metadata and NoVNCProxy
 for cellName, cellTemplate := range instance.Spec.Nova.Template.CellTemplates {
 // create certificate for Metadata agend if internal TLS and Metadata per cell is enabled
- if instance.Spec.TLS.Enabled(service.EndpointInternal) &&
+ if instance.Spec.TLS.PodLevel.Enabled &&
 metadataEnabled(cellTemplate.MetadataServiceTemplate) {
 certScrt, ctrlResult, err := certmanager.EnsureCertForServiceWithSelector(
diff --git a/pkg/openstack/ovn.go b/pkg/openstack/ovn.go
index 9d87a9d30..20e8a9d74 100644
--- a/pkg/openstack/ovn.go
+++ b/pkg/openstack/ovn.go
@@ -7,7 +7,6 @@ import (
 "github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 "github.com/openstack-k8s-operators/lib-common/modules/common/helper"
- "github.com/openstack-k8s-operators/lib-common/modules/common/service"
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -87,7 +86,7 @@ func ReconcileOVNDbClusters(ctx context.Context, instance *corev1beta1.OpenStack
 return false, err
 }
 }
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 dbcluster.TLS = OVNDBCluster.Spec.TLS
 }
 dbcluster.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
@@ -121,7 +120,7 @@ func ReconcileOVNDbClusters(ctx context.Context, instance *corev1beta1.OpenStack
 return false, nil
 }
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 dbcluster.TLS.SecretName = &certSecret.Name
 }
 }
@@ -181,7 +180,7 @@ func ReconcileOVNNorthd(ctx context.Context, instance *corev1beta1.OpenStackCont
 return false, err
 }
 }
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 ovnNorthdSpec.TLS = OVNNorthd.Spec.TLS
 serviceName := ovnv1.ServiceNameOvnNorthd
@@ -272,7 +271,7 @@ func ReconcileOVNController(ctx context.Context, instance *corev1beta1.OpenStack
 return false, err
 }
 }
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 ovnControllerSpec.TLS = OVNController.Spec.TLS
 serviceName := ovnv1.ServiceNameOvnController
diff --git a/pkg/openstack/placement.go b/pkg/openstack/placement.go
index 03d9c420b..f295f9bc1 100644
--- a/pkg/openstack/placement.go
+++ b/pkg/openstack/placement.go
@@ -55,7 +55,7 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 }
 // set CA cert and preserve any previously set TLS certs
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 instance.Spec.Placement.Template.TLS = placementAPI.Spec.TLS
 }
 instance.Spec.Placement.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
diff --git a/pkg/openstack/rabbitmq.go b/pkg/openstack/rabbitmq.go
index 697d00e94..e0bfd5453 100644
--- a/pkg/openstack/rabbitmq.go
+++ b/pkg/openstack/rabbitmq.go
@@ -175,7 +175,7 @@ func reconcileRabbitMQ(
 hostname := fmt.Sprintf("%s.%s.svc", name, instance.Namespace)
 tlsCert := ""
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 certRequest := certmanager.CertificateRequest{
 IssuerName: tls.DefaultCAPrefix + string(service.EndpointInternal),
 CertName: fmt.Sprintf("%s-svc", rabbitmq.Name),
diff --git a/pkg/openstack/swift.go b/pkg/openstack/swift.go
index de2596ec4..a522d0871 100644
--- a/pkg/openstack/swift.go
+++ b/pkg/openstack/swift.go
@@ -57,7 +57,7 @@ func ReconcileSwift(ctx context.Context, instance *corev1beta1.OpenStackControlP
 }
 // preserve any previously set TLS certs,set CA cert
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if instance.Spec.TLS.PodLevel.Enabled {
 instance.Spec.Swift.Template.SwiftProxy.TLS = swift.Spec.SwiftProxy.TLS
 }
 instance.Spec.Swift.Template.SwiftProxy.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName