diff --git a/metadata.yaml b/metadata.yaml index 3e208424..0fdd2c37 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -46,6 +46,8 @@ requires: interface: gcp-integration azure: interface: azure-integration + keystone-credentials: + interface: keystone-credentials certificates: interface: tls-certificates dns-provider: diff --git a/src/auth_webhook.py b/src/auth_webhook.py index 69a171ce..8808fd0d 100644 --- a/src/auth_webhook.py +++ b/src/auth_webhook.py @@ -36,11 +36,38 @@ class Secret: password: str -def configure( - charm_dir, aws_iam_endpoint=None, custom_authn_endpoint=None, keystone_endpoint=None -): +def _uplift_keystone_endpoint() -> str: + """Uplift the keystone auth service from a cdk-addons installation.""" + try: + keystone_auth_service = kubectl_get( + "service", "-n", "kube-system", "k8s-keystone-auth-service" + ) + except CalledProcessError: + log.info("No k8s-keystone-auth-service to uplift") + return None + labels = keystone_auth_service.get("metadata", {}).get("labels", {}) + if labels.get("cdk-addons") != "true": + log.info("No cdk-addons based k8s-keystone-auth-service to uplift") + return None + if not (spec := keystone_auth_service.get("spec")): + log.error("No spec found for k8s-keystone-auth-service") + return None + cluster_ip, port = spec.get("clusterIP"), spec.get("ports")[0].get("port") + if not cluster_ip or not port: + log.error("No clusterIP or port found for k8s-keystone-auth-service") + return None + return f"https://{cluster_ip}:{port}/webhook" + + +def _uplift_aws_iam_endpoint() -> str: + return None + + +def configure(charm_dir, custom_authn_endpoint=None): """Render auth webhook templates and start the related service.""" status.add(MaintenanceStatus("Configuring auth webhook")) + keystone_endpoint = _uplift_keystone_endpoint() + aws_iam_endpoint = _uplift_aws_iam_endpoint() # Set the number of gunicorn workers based on our core count. (2*cores)+1 is # recommended: https://docs.gunicorn.org/en/stable/design.html#how-many-workers 
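Review bot: The new `keystone-credentials` entry under `requires` gives no hint that it is declared only so the charm can detect a leftover relation rather than as a supported integration, which is what the accompanying charm change appears to intend. A comment above the key would stop the next maintainer from wiring credential handling back through it: `# Deprecated: declared only so the charm can detect and block on a stale keystone relation; keystone credentials are no longer consumed here.` If the interface is still consumed somewhere outside this diff, the comment should say that instead.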
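Review bot: In `_uplift_keystone_endpoint`, `spec.get("ports")[0].get("port")` raises TypeError when the service has no `ports` key and IndexError when the list is empty, which would abort `configure` (whose body continues past the hunk) instead of reaching the guard on the next line. Read it defensively: `ports = spec.get("ports") or []`, `port = ports[0].get("port") if ports else None`, `cluster_ip = spec.get("clusterIP")`. The `-> str` annotation on both new helpers is also wrong since every early exit returns None; `-> Optional[str]` (or `str | None` if the file already relies on 3.10 syntax) reflects what callers actually receive. Worth noting too that the bare `except CalledProcessError` treats any kubectl failure (API server unreachable, RBAC denial) the same as "service not found" and logs it at info level, so a transient outage silently drops the keystone endpoint from the rendered webhook config; if `kubectl_get` exposes the error output, distinguish a not-found response and log other failures at warning. Since the `cdk-addons: true` label is the only gate deciding which in-cluster service becomes the authentication webhook, a one-line comment stating that trust assumption (and that anyone who can edit services in kube-system can steer it) would help future reviewers.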
diff --git a/src/charm.py b/src/charm.py index 2b515d4f..e7a4a83e 100755 --- a/src/charm.py +++ b/src/charm.py @@ -161,11 +161,19 @@ def configure_auth_webhook(self): auth_webhook.configure( charm_dir=self.charm_dir, custom_authn_endpoint=self.model.config["authn-webhook-endpoint"], - # TODO: aws iam, keystone - # aws_iam_endpoint=???, - # keystone_endpoint=??? ) + def warn_keystone_management(self): + relation = self.model.relations.get("keystone-credentials") + if relation and any(r.units for r in relation): + log.warning( + "------------------------------------------------------------\n" + "Keystone credential relation is no longer managed\n" + "Please remove the relation and manage keystone manually\n" + "Run `juju remove-relation kubernetes-control-plane:keystone-credentials keystone`" + ) + status.add(ops.BlockedStatus("Keystone credential relation is no longer managed")) + @status.on_error(ops.WaitingStatus("Waiting for container runtime")) def configure_container_runtime(self): assert self.container_runtime.relations, "Missing container-runtime integration" @@ -510,6 +518,7 @@ def reconcile(self, event): self.write_etcd_client_credentials() self.write_service_account_key() self.configure_auth_webhook() + self.warn_keystone_management() self.configure_loadbalancers() if self.api_dependencies_ready(): self.encryption_at_rest.prepare()
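Review bot: `warn_keystone_management` hardcodes both application names in the remediation command it logs (`kubernetes-control-plane:keystone-credentials keystone`), but either side may be deployed under a different name, so an operator could be told to run a command that fails. Build it from the relation instead, e.g. `"Run juju remove-relation " f"{self.app.name}:keystone-credentials {rel.app.name}"` for each related app, or at least replace the remote name with a `<keystone-app>` placeholder. The `any(r.units for r in relation)` condition also means a relation whose remote side currently has no units (not yet joined, or scaled to zero) does not set BlockedStatus even though the relation still exists; if the intent is "any relation present", `if relation:` is simpler and stricter — hedged, since it depends on how `model.relations` populates units. A short docstring would help as well: `"""Block if a stale keystone-credentials relation exists; the charm no longer consumes it."""`.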