diff --git a/chart/templates/keycloak/values.yaml b/chart/templates/keycloak/values.yaml
index 699581470fbfe39216cbf11c629ff2428c9ca0c0..c28db900f9e68685a542af8f036df9b094a03ae2 100644
--- a/chart/templates/keycloak/values.yaml
+++ b/chart/templates/keycloak/values.yaml
@@ -22,9 +22,6 @@ monitoring:
 serviceMonitor:
   enabled: {{ .Values.monitoring.enabled }}
 
-networkPolicies:
-  enabled: {{ .Values.networkPolicies.enabled }}
-
 {{- if .Values.addons.keycloak.database.host }}
 postgresql:
   enabled: false
@@ -33,15 +30,17 @@ postgresql:
 {{- if or .Values.addons.keycloak.database.host (and .Values.addons.keycloak.ingress.cert .Values.addons.keycloak.ingress.key) }}
 secrets:
   {{- if and .Values.addons.keycloak.ingress.cert .Values.addons.keycloak.ingress.key }}
-  certificates:
+  tlscert:
     stringData:
       tls.crt: {{ .Values.addons.keycloak.ingress.cert | quote }}
+  tlskey:
+    stringData:
       tls.key: {{ .Values.addons.keycloak.ingress.key  | quote }}
   {{- end }}
 
   {{- with .Values.addons.keycloak.database }}
   {{- if .host }}
-  db:
+  env:
     stringData:
       DB_USER: {{ .username | quote }}
       DB_PASSWORD: {{ .password | quote }}
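Review bot: Nothing visible in this commit wires the renamed `env` secret into the pod: the `extraEnvFrom` entry that referenced `keycloak-db` is removed in the next hunk of this file, so `DB_USER` and `DB_PASSWORD` reach Keycloak only if the package chart at the new tag loads `secrets.env` on its own. If that is the case, a comment above `env:` would make the contract explicit, for example `# "env" is loaded into the pod environment by the package chart; no extraEnvFrom needed`. The same coupling applies to `tlscert` and `tlskey`, whose key names presumably have to match the `secretName` suffixes used by `extraVolumesBigBang` further down. The `with`/`if` block and the `stringData` map continue past the end of this hunk.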
@@ -53,10 +52,24 @@ secrets:
   {{- end }}
 {{- end }}
 
-{{- if .Values.addons.keycloak.database.host }}
-extraEnvFrom: |
-  - secretRef:
-      name: 'keycloak-db'
-{{- end }}
+{{- if and .Values.addons.keycloak.ingress.cert .Values.addons.keycloak.ingress.key }}
+extraVolumesBigBang:
+  - name: tlscert
+    secret:
+      secretName: keycloak-tlscert
+  - name: tlskey
+    secret:
+      secretName: keycloak-tlskey
 
+extraVolumeMountsBigBang:
+  - name: tlscert
+    mountPath: /etc/x509/https/tls.crt
+    subPath: tls.crt
+    readOnly: true
+  - name: tlskey
+    mountPath: /etc/x509/https/tls.key
+    subPath: tls.key
+    readOnly: true
 {{- end }}
+
+{{- end }}
\ No newline at end of file
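Review bot: The `secretName` values `keycloak-tlscert` and `keycloak-tlskey` in `extraVolumesBigBang` are hard-coded, so the mounts resolve only while the package chart's fullname renders as `keycloak`. The Architecture.md example in this same commit builds its names with `{{ include "keycloak.fullname" . }}-certauthority` instead, so I would pin the assumption with a comment such as `# secretName must equal <package fullname>-tlscert / -tlskey, created from secrets.tlscert / secrets.tlskey above`. Both mounts use `subPath`, and Kubernetes does not refresh subPath-mounted secret files, so a rotated certificate or key takes effect only after the pod restarts; that deserves a comment next to `subPath: tls.key`. The `tlskey` volume also sets no `defaultMode`, which leaves the private key file at the secret-volume default of 0644; consider a tighter mode if the container user and fsGroup allow it. The file now ends without a trailing newline.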
diff --git a/chart/values.yaml b/chart/values.yaml
index 5b7e5d77b5eeb1dc8218f83a4d4093dda87285c8..a8c4acf64c469598568e5a7434938a9c3912d073 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -933,9 +933,10 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git
       path: "./chart"
-      tag: "11.0.0-bb.1"
+      tag: "11.0.0-bb.4"
 
     # -- Certificate/Key pair to use as the certificate for exposing Keycloak
+    # Setting the ingress cert here will automatically create the volume and volumemounts in the Keycloak Package chart
     ingress:
       key: ""
       cert: ""
diff --git a/charter/packages/keycloak/Architecture.md b/charter/packages/keycloak/Architecture.md
index 641ccaaa88d09c35c2c33ab0aeaa4c6c6e27e5b5..842723303fe94370e894c8dfe29d5e01f8ce259c 100644
--- a/charter/packages/keycloak/Architecture.md
+++ b/charter/packages/keycloak/Architecture.md
@@ -48,11 +48,75 @@ Due to the sensitivity of Keycloak, Big Bang does not support deploying KeyCloak
 
 The upstream [Keycloak Helm chart](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak) is customized for use in Platform One.  It contains the following modifications from a standard Keycloak deployment:
 
-- DoD Certificate Authorities
-- Customized Platform One registration
-- Customizable Platform One realm, with IL2, IL4, and IL5 isolation (not loaded by default, but [available in the package's git repo](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/blob/main/chart/resources/dev/baby-yoda.json))
-- Redirects for specific keycloak endpoints to work with Platform One deployments
-- A customized image, based on Iron Bank's Keycloak, that adds a plugin to support the above features
+- Customized Platform One registration plugin
+
+Additional customization can be added through values.  For example:
+
+```yaml
+addons:
+  keycloak:
+    # Setup TLS key pair
+    # An alternative to this is to create a secret namged `tlskey` and `tlscert` using Kustomize in the customer template.  Then use the volume and volumemount configuration below to mount the files.  In this case, the `ingress.key` and `ingress.cert` would be left blank.
+    ingress:
+      key: |-
+        {insert keycloak TLS key}
+      cert: |-
+        {insert keycloak TLS cert}
+    values:
+      secrets:
+        # The `env` secret is used to add environmental variables to the keycloak pod
+        env:
+          stringData:
+            # Keycloak will use the `customreg.yaml` for configuring the custom registration process.
+            CUSTOM_REGISTRATION_CONFIG: /opt/jboss/keycloak/customreg.yaml
+            # Keycloak will load a custom realm defined in `realm.json`
+            KEYCLOAK_IMPORT: /opt/jboss/keycloak/realm.json
+            # Keycloak will load a custom set of certificate authorities
+            X509_CA_BUNDLE: /etc/x509/https/cas.pem
+        # The `certauthority` secret holds the certificate authority keys.
+        # Using the customer template, kustomize could be used to create the secret instead of using the keycloak chart via values
+        certauthority:
+          stringData:
+            cas.pem: |-
+              {insert CAS.PEM content}
+        # The `customreg` secret holds the configuration for customer registration.
+        # Using the customer template, kustomize could be used to create the secret instead of using the keycloak chart via values
+        customreg:
+          stringData:
+            customreg.yaml: |-
+              {insert customreg.yaml content}
+        # The `realm` secret holds the custom realm configuration.
+        # Using the customer template, kustomize could be used to create the secret instead of using the keycloak chart via values
+        realm:
+          stringData:
+            realm.json: |-
+              {insert realm.json content}
+      # Create volumes for each secret above
+      extraVolumes: |-
+        - name: certauthority
+          secret:
+            secretName: {{ include "keycloak.fullname" . }}-certauthority
+        - name: customreg
+          secret:
+            secretName: {{ include "keycloak.fullname" . }}-customreg
+        - name: realm
+          secret:
+            secretName: {{ include "keycloak.fullname" . }}-realm
+      # Volume mount each volume in the appropriate location
+      extraVolumeMounts: |-
+        - name: certauthority
+          mountPath: /etc/x509/https/cas.pem
+          subPath: cas.pem
+          readOnly: true
+        - name: customreg
+          mountPath: /opt/jboss/keycloak/customreg.yaml
+          subPath: customreg.yaml
+          readOnly: true
+        - name: realm
+          mountPath: /opt/jboss/keycloak/realm.json
+          subPath: realm.json
+          readOnly: true
+```
 
 ### Keycloak Admin password
 
@@ -112,8 +176,8 @@ To workaround this situation, you have to isolate the applications by IP, port,
 ### GUI
 
 Keycloak has two main end point URLs:
-https://keycloak.bigbang.dev for authentication.
-https://keycloak.bigbang.dev/auth/admin for administration.
+[https://keycloak.bigbang.dev](https://keycloak.bigbang.dev) for authentication.
+[https://keycloak.bigbang.dev/auth/admin](https://keycloak.bigbang.dev/auth/admin) for administration.
 
 The `bigbang.dev` domain name can be customized by setting the `hostname` in `values.yaml`
 
@@ -190,6 +254,6 @@ addons:
 
 ## Dependent Packages
 
-- PostgreSQL for in-cluster development/test database
 - Istio for ingress
 - (Optional) Monitoring for metrics
+- PostgreSQL database (development/test only)