diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 28c2c50..8be4a6f 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -296,3 +296,12 @@ Inject extra environment populated by secrets, if populated
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/* Scheme for health check and local endpoint */}}
+{{- define "vault.scheme" -}}
+{{- if .Values.global.tlsDisable -}}
+{{ "http" }}
+{{- else -}}
+{{ "https" }}
+{{- end -}}
+{{- end -}}
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 5658565..19f3177 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -59,7 +59,7 @@ spec:
 fieldRef:
 fieldPath: status.podIP
 - name: VAULT_ADDR
- value: "http://localhost:8200"
+ value: "{{ include "vault.scheme" . }}://127.0.0.1:8200"
 - name: SKIP_CHOWN
 value: "true"
 {{ template "vault.envs" . }}
@@ -85,7 +85,7 @@ spec:
 # 1 - error
 # 2 - sealed
 exec:
- command: ["/bin/sh", "-ec", "vault status"]
+ command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
 failureThreshold: 2
 initialDelaySeconds: 5
 periodSeconds: 3
diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml
index 168a1df..e1735d5 100644
--- a/templates/ui-service.yaml
+++ b/templates/ui-service.yaml
@@ -26,6 +26,9 @@ spec:
 - name: http
 port: 8200
 targetPort: 8200
+ {{- if .Values.ui.serviceNodePort }}
+ nodePort: {{ .Values.ui.serviceNodePort }}
+ {{- end }}
 type: {{ .Values.ui.serviceType | default "ClusterIP" }}
 {{- end -}}
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats
index fb46c11..0235ba1 100755
--- a/test/unit/server-ha-statefulset.bats
+++ b/test/unit/server-ha-statefulset.bats
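Review bot: `vault.scheme` branches on Go-template truthiness of `.Values.global.tlsDisable`, so a string value such as `"false"` (from `--set-string` or a quoted override) is non-empty, counts as true and silently selects `http`. That is worth recording in the helper comment, e.g. `{{/* Scheme for health check and local endpoint. global.tlsDisable must be a real boolean: a quoted "false" is truthy and still yields http. */}}`, or enforcing with a `kindIs "bool"` check if the chart prefers to fail loudly. As a style point, the `{{ "http" }}` / `{{ "https" }}` action blocks emit literal text that could simply be written as plain text between the trimmed `if`/`else`/`end` actions.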
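Review bot: Switching VAULT_ADDR to `https://127.0.0.1:8200` means every `vault` CLI invocation inside the pod (init, unseal, anything run through `kubectl exec`) now validates the server certificate's SANs against the IP 127.0.0.1 and its chain against the container's trust store; unless the certificate carries that IP SAN and `VAULT_CACERT` points at the issuing CA, those commands fail with a TLS error. The second hunk in this file only addresses the readiness probe. Consider either adding the CA path to the env block next to VAULT_ADDR or documenting the SAN/CA requirement in values.yaml beside `tlsDisable`. The env block continues outside the hunk.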
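Review bot: `-tls-skip-verify` is now applied unconditionally, so the readiness probe never checks the server certificate even when TLS is enabled; for a loopback probe the exposure is small, but the reason is not recorded anywhere. Add a line to the comment block above `exec:`, e.g. `# -tls-skip-verify: the probe targets 127.0.0.1, which the server certificate typically lacks as a SAN`, and consider rendering the flag only when `global.tlsDisable` is false so the plain-HTTP probe stays `vault status` (the flag is a no-op over http, so leaving it is harmless but misleading). The probe definition starts before this hunk.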
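Review bot: `nodePort` is rendered whenever `ui.serviceNodePort` is set, independent of `ui.serviceType`; the API server rejects a port entry carrying `nodePort` on a `ClusterIP` service, so a user who sets the port but keeps the default type gets an install-time API error instead of a chart-level message. The minimal fix is a comment on the new key in the values.yaml hunk (which adds `serviceNodePort: null` with no explanation), e.g. `# serviceNodePort: static nodePort for the UI service; only valid when serviceType is NodePort or LoadBalancer`; a template `fail` call when the combination is invalid would surface it earlier than the API server does. The guard itself should stay truthy-based, since `null` and `0` both mean "unset" here.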
@@ -41,6 +41,42 @@ load _helpers
 [ "${actual}" = "foo" ]
 }
+#--------------------------------------------------------------------
+# TLS
+
+@test "server/ha-StatefulSet: tls disabled" {
+ cd `chart_dir`
+ local object=$(helm template \
+ -x templates/server-statefulset.yaml \
+ --set 'global.tlsDisable=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.[2].name' | tee /dev/stderr)
+ [ "${actual}" = "VAULT_ADDR" ]
+
+ local actual=$(echo $object |
+ yq -r '.[2].value' | tee /dev/stderr)
+ [ "${actual}" = "http://127.0.0.1:8200" ]
+}
+@test "server/ha-StatefulSet: tls enabled" {
+ cd `chart_dir`
+ local object=$(helm template \
+ -x templates/server-statefulset.yaml \
+ --set 'global.tlsDisable=false' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.[2].name' | tee /dev/stderr)
+ [ "${actual}" = "VAULT_ADDR" ]
+
+ local actual=$(echo $object |
+ yq -r '.[2].value' | tee /dev/stderr)
+ [ "${actual}" = "https://127.0.0.1:8200" ]
+}
+
 #--------------------------------------------------------------------
 # updateStrategy
diff --git a/values.yaml b/values.yaml
index d744fe1..e428c58 100644
--- a/values.yaml
+++ b/values.yaml
@@ -7,6 +7,8 @@ global:
 # Image is the name (and tag) of the Vault Docker image.
 image: "vault:1.2.1"
+ # TLS for end-to-end encrypted transport
+ tlsDisable: true
 server:
 # Resource requests, limits, etc. for the server cluster placement. This
@@ -212,6 +214,7 @@ ui:
 # balancer (for supported K8S installations) to access the UI.
 enabled: false
 serviceType: "ClusterIP"
+ serviceNodePort: null
 # Extra annotations to attach to the ui service
 # This should be a multi-line string mapping directly to the a map of
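Review bot: Both new tests locate VAULT_ADDR by position (`yq -r '.[2].name'` then `.[2].value`), so any reordering of the env list breaks them for reasons unrelated to TLS; selecting by name, `yq -r '.[] | select(.name == "VAULT_ADDR") | .value'`, removes the index dependency and makes the separate `.name` assertion unnecessary. Nothing in this hunk exercises the readiness-probe change (`vault status -tls-skip-verify`) made by the same commit, so a regression there would go unnoticed. Minor style: the first test's closing `}` runs straight into the second `@test` with no blank line between them.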
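Review bot: The comment `# TLS for end-to-end encrypted transport` describes the opposite of what the key does: `tlsDisable: true` turns TLS off, and it is the shipped default, so a fresh install runs plain HTTP unless the operator notices the negated name. As far as this diff shows, the flag only drives the scheme in VAULT_ADDR via `vault.scheme`; it does not itself configure the Vault listener, so the comment should say so, e.g. `# tlsDisable: when true, VAULT_ADDR uses http and the listener is assumed to be plain HTTP; set to false once the server listener is configured with a TLS certificate`. Shipping `true` as the default deserves one sentence explaining why the unencrypted setting is chosen and what the operator must provide to turn it off.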