diff --git a/keystone/templates/bin/_domain-manage.py.tpl b/keystone/templates/bin/_domain-manage.py.tpl
new file mode 100644
index 00000000..262c86b5
--- /dev/null
+++ b/keystone/templates/bin/_domain-manage.py.tpl
@@ -0,0 +1,42 @@
+import requests
+import json
+import yaml
+import sys
+
+
+def main(args):
+ base_url, token, domainId, domainName, filename = args[1], args[2], args[3], args[4], args[5]
+ url = "%s/domains/%s/config" % (base_url, domainId)
+ print("Connecting to url: %r" % url)
+
+ headers = {
+ 'Content-Type': "application/json",
+ 'X-Auth-Token': token,
+ 'Cache-Control': "no-cache"
+ }
+
+ response = requests.request("GET", url, headers=headers)
+
+ if response.status_code == 404:
+ print("domain config not found - put")
+ action = "PUT"
+ else:
+ print("domain config found - patch")
+ action = "PATCH"
+
+ with open(filename, "rb") as f:
+ data = {"config": json.load(f)}
+
+ response = requests.request(action, url,
+ data=json.dumps(data),
+ headers=headers)
+
+
+ print("Response code on action [%s]: %s" % (action, response.status_code))
+ if (int(response.status_code) / 100) != 2:
+ sys.exit(1)
+
+if __name__ == "__main__":
+ if len(sys.argv) != 6:
+ sys.exit(1)
+ main(sys.argv)
diff --git a/keystone/templates/bin/_domain-manage.sh.tpl b/keystone/templates/bin/_domain-manage.sh.tpl
index 01a23ff7..9df3d842 100644
--- a/keystone/templates/bin/_domain-manage.sh.tpl
+++ b/keystone/templates/bin/_domain-manage.sh.tpl
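Review bot: The GET branch in `main` (`_domain-manage.py.tpl`) treats every status other than 404 as "config found", so a 401, 403 or 5xx on the lookup falls through to a PATCH instead of stopping; only 200 should select PATCH, and anything else should print the code and exit non-zero. The final check `(int(response.status_code) / 100) != 2` depends on integer division: under Python 3 `/` is true division, so any 2xx other than 200 (a 201 on create, for example) compares unequal and the job fails after a successful write, whereas `//` behaves the same on both interpreters. Neither `requests.request` call passes `timeout`, so an unresponsive endpoint blocks the job indefinitely, and `import yaml` and `domainName` are unused.

```python
    response = requests.request("GET", url, headers=headers)
    # … unchanged: 404 branch selecting PUT …
    elif response.status_code == 200:
        # … unchanged: "found" message and action = "PATCH" …
    else:
        # 401/403/5xx say nothing about whether a config exists
        print("Unexpected response code on lookup: %s" % response.status_code)
        sys.exit(1)
    # … unchanged: load the JSON file and send the request …
    if response.status_code // 100 != 2:
        sys.exit(1)
```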
@@ -16,7 +16,17 @@ See the License for the specific language governing permissions and limitations under the License. */}} -set -ex +set -e +endpt={{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} +path={{ .Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }} + {{- range $k, $v := .Values.conf.ks_domains }} -keystone-manage domain_config_upload --domain-name {{ $k }} || true + +filename=${path}/keystone.{{ $k }}.json +python /tmp/domain-manage.py \ + $endpt \ + $(openstack token issue -f value -c id) \ + $(openstack domain show {{ $k }} -f value -c id) \ + {{ $k }} $filename + {{- end }} diff --git a/keystone/templates/configmap-bin.yaml b/keystone/templates/configmap-bin.yaml index 99d3a665..206c832e 100644 --- a/keystone/templates/configmap-bin.yaml +++ b/keystone/templates/configmap-bin.yaml @@ -45,6 +45,8 @@ data: {{ tuple "bin/_domain-manage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} domain-manage.sh: | {{ tuple "bin/_domain-manage.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + domain-manage.py: | +{{ tuple "bin/_domain-manage.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} rabbit-init.sh: | {{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- end }} diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml index bb52de8c..a6116d07 100644 --- a/keystone/templates/configmap-etc.yaml +++ b/keystone/templates/configmap-etc.yaml @@ -50,7 +50,7 @@ data: sso_callback_template.html: | {{- tuple .Values.conf.sso_callback_template "etc/_sso_callback_template.html.tpl" . | include "helm-toolkit.utils.configmap_templater" }} {{- range $k, $v := .Values.conf.ks_domains }} - keystone.{{ $k }}.conf: | -{{ include "helm-toolkit.utils.to_oslo_conf" $v | indent 4 }} + keystone.{{ $k }}.json: | +{{ toJson $v | indent 4 }} {{- end }} {{- end }} 
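Review bot: In the `_domain-manage.sh.tpl` hunk the token from `openstack token issue` is handed to domain-manage.py as a positional argument, so it sits in the process's argument list for as long as the script runs; passing it through an environment variable or stdin keeps it out of process listings, and needs a matching change where the script reads `args[2]`. The two command substitutions are expanded inline and unquoted, so `set -e` does not stop on a failed `openstack domain show {{ $k }}`: the empty result drops an argument, and the only guard is the script's `len(sys.argv) != 6` check, which exits without a message. Assigning each first, `token=$(openstack token issue -f value -c id)` and `domain_id=$(openstack domain show {{ $k }} -f value -c id)`, makes `set -e` abort at the failing command, and the variables can then be passed quoted along with `"$endpt"` and `"$filename"`.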
diff --git a/keystone/templates/job-domain-manage.yaml b/keystone/templates/job-domain-manage.yaml index d6f51f34..d374c92d 100644 --- a/keystone/templates/job-domain-manage.yaml +++ b/keystone/templates/job-domain-manage.yaml @@ -75,14 +75,18 @@ spec: mountPath: /tmp/domain-manage.sh subPath: domain-manage.sh readOnly: true + - name: keystone-bin + mountPath: /tmp/domain-manage.py + subPath: domain-manage.py + readOnly: true - name: keystone-etc mountPath: /etc/keystone/keystone.conf subPath: keystone.conf readOnly: true {{- range $k, $v := .Values.conf.ks_domains }} - name: keystone-etc - mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}/keystone.{{ $k }}.conf - subPath: keystone.{{ $k }}.conf + mountPath: {{ $envAll.Values.conf.keystone.identity.domain_config_dir | default "/etc/keystonedomains" }}/keystone.{{ $k }}.json + subPath: keystone.{{ $k }}.json readOnly: true {{- end }} {{- if eq .Values.conf.keystone.token.provider "fernet" }} diff --git a/keystone/values.yaml b/keystone/values.yaml index 0a6e39d7..a8b0f7b2 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml @@ -49,6 +49,7 @@ bootstrap: enabled: true ks_user: admin script: | + openstack role create --or-show _member_ openstack role add \ --user="${OS_USERNAME}" \ --user-domain="${OS_USER_DOMAIN_NAME}" \