diff --git a/kubernetes/blackduck/templates/serviceaccount.yaml b/kubernetes/blackduck/templates/serviceaccount.yaml
index de7ee25..d6e46ef 100644
--- a/kubernetes/blackduck/templates/serviceaccount.yaml
+++ b/kubernetes/blackduck/templates/serviceaccount.yaml
@@ -4,5 +4,10 @@ metadata:
   labels:
     {{- include "bd.labelsWithoutVersion" . | nindent 4 }}
     component: serviceaccount
+
+  {{- if .Values.serviceaccount.annotations }}
+  annotations:
+    {{ .Values.serviceaccount.annotations | toYaml}}
+  {{- end }}
   name: {{ .Release.Name }}-blackduck-service-account
-  namespace: {{ .Release.Namespace }}
\ No newline at end of file
+  namespace: {{ .Release.Namespace }}
diff --git a/kubernetes/blackduck/templates/webserver.yaml b/kubernetes/blackduck/templates/webserver.yaml
index be378a0..825a28d 100644
--- a/kubernetes/blackduck/templates/webserver.yaml
+++ b/kubernetes/blackduck/templates/webserver.yaml
@@ -6,6 +6,10 @@ metadata:
     component: webserver
   name: {{ .Release.Name }}-blackduck-webserver
   namespace: {{ .Release.Namespace }}
+  {{- if .Values.webserver.serviceAnnotations }}
+  annotations:
+    {{ .Values.webserver.serviceAnnotations | toYaml}}
+  {{- end }}
 spec:
   ports:
   - name: port-443
@@ -27,6 +31,10 @@ metadata:
     component: route
   name: {{ .Release.Name }}-blackduck
   namespace: {{ .Release.Namespace }}
+  {{- if .Values.webserver.exposedServiceAnnotations }}
+  annotations:
+    {{ .Values.webserver.exposedServiceAnnotations | toYaml}}
+  {{- end }}
 spec:
   host: ""
   port:
@@ -51,6 +59,10 @@ metadata:
     component: webserver-exposed
   name: {{ .Release.Name }}-blackduck-webserver-exposed
   namespace: {{ .Release.Namespace }}
+  {{- if .Values.webserver.exposedServiceAnnotations }}
+  annotations:
+    {{ .Values.webserver.exposedServiceAnnotations | toYaml}}
+  {{- end }}
 spec:
   ports:
     - name: port-443
@@ -95,6 +107,9 @@ spec:
       annotations:
         checksum/blackduck-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
         checksum/postgres-config: {{ include (print $.Template.BasePath "/postgres-config.yaml") . | sha256sum }}
+        {{- if .Values.webserver.deploymentAnnotations }}
+        {{ .Values.webserver.deploymentAnnotations | toYaml }}
+        {{- end }}
       name: {{ .Release.Name }}-blackduck-webserver
     spec:
       {{- if .Values.enableInitContainer }}
@@ -176,13 +191,13 @@ spec:
         volumeMounts:
         - mountPath: /opt/blackduck/hub/webserver/security
           name: dir-webserver
-        {{- with .Values.tlsCertSecretName }}
+        {{- if .Values.tlsCertSecretName }}
         - mountPath: /tmp/secrets/WEBSERVER_CUSTOM_CERT_FILE
           name: certificate
-          subPath: WEBSERVER_CUSTOM_CERT_FILE
+          subPath: {{ .Values.tlsCertName | default "WEBSERVER_CUSTOM_CERT_FILE" | quote }}
         - mountPath: /tmp/secrets/WEBSERVER_CUSTOM_KEY_FILE
           name: certificate
-          subPath: WEBSERVER_CUSTOM_KEY_FILE
+          subPath: {{ .Values.tlsKeyName | default "WEBSERVER_CUSTOM_KEY_FILE" | quote }}
         {{- end }}
         {{- with .Values.certAuthCACertSecretName }}
         - mountPath: /tmp/secrets/AUTH_CUSTOM_CA
diff --git a/kubernetes/blackduck/values.yaml b/kubernetes/blackduck/values.yaml
index 14523db..2d3f039 100644
--- a/kubernetes/blackduck/values.yaml
+++ b/kubernetes/blackduck/values.yaml
@@ -63,6 +63,18 @@ enableIPV6: true
 # create a generic secret using the following command
 # kubectl create secret generic -n <namespace> <name>-blackduck-webserver-certificate --from-file=WEBSERVER_CUSTOM_CERT_FILE=tls.crt --from-file=WEBSERVER_CUSTOM_KEY_FILE=tls.key
 # tlsCertSecretName: <name>-blackduck-webserver-certificate
+#
+# For secrets generated by other tooling, e.g. cert-manager it might be necessary
+# to change the field names in the tls secret
+# The name of the tls field for the certificate 
+# defaults to WEBSERVER_CUSTOM_CERT_FILE
+# tlsCertName
+#
+# The name of the tls field for the key 
+# defaults to WEBSERVER_CUSTOM_KEY_FILE
+# tlsKeyName
+#
+#
 
 # Certificate Authentication Custom CA certificate for Black Duck (Not Mandatory)
 # create a generic secret using the following command
@@ -399,6 +411,9 @@ webserver:
   podSecurityContext: {}
   securityContext: {}
   resources: {}
+  serviceAnnotations: {}
+  exposedServiceAnnotations: {}
+  deploymentAnnotations: {}
 
 datadog:
   enabled: false
@@ -406,3 +421,7 @@ datadog:
   registry:
   imageTag: "1.0.1"
   imagePullPolicy: IfNotPresent
+
+
+serviceaccount:
+  annotations: {}