diff --git a/deploy/keycloak/keycloak.yaml b/deploy/keycloak/keycloak.yaml
index 71cb723..806cffc 100644
--- a/deploy/keycloak/keycloak.yaml
+++ b/deploy/keycloak/keycloak.yaml
@@ -52,6 +52,9 @@ spec:
           args:
             - "start"
             - "--cache=ispn"                      # Enable distributed Infinispan cache (HA mode) [oai_citation_attribution:0‡keycloak.org](https://www.keycloak.org/server/caching#:~:text=When%20you%20start%20Keycloak%20in,in%20your%20network%20are%20discovered)
+            - "--cache-stack=kubernetes"          # Use built-in Kubernetes stack for clustering (DNS_PING)
+            - "--hostname=https://sso.panic.haus" # External URL for Keycloak (use HTTPS for TLS offload)
+            - "--http-enabled=true"               # Allow Keycloak to listen on HTTP (for edge TLS termination) [oai_citation_attribution:1‡keycloak.org](https://www.keycloak.org/server/hostname#:~:text=provides%20the%20flexibility%20for%20users,start%20the%20server%20as%20follows)
           env:
             - name: KEYCLOAK_ADMIN
               value: "admin"
@@ -82,8 +85,6 @@ spec:
             # --- Clustering and caching settings ---
             - name: KC_CACHE_STACK
               value: "kubernetes"
-            - name: jgroups.dns.query
-              value: "keycloak-headless"           # DNS name for JGroups discovery (headless service) [oai_citation_attribution:2‡keycloak.org](https://www.keycloak.org/server/caching#:~:text=DNS%20resolution%20using%20the%20JGroups,to%20the%20headless%20service%20FQDN)
             - name: CACHE_OWNERS_COUNT
               value: "2"
             - name: CACHE_OWNERS_AUTH_SESSIONS_COUNT