diff --git a/README.md b/README.md
index 73ecbead..4705e165 100644
--- a/README.md
+++ b/README.md
@@ -566,9 +566,9 @@ There are many components to consider when enabling TLS for a Pulsar Cluster. To
 endpoints, set `enableTls: true` in the values file and configure certificates. This setting will enable TLS endpoints
 for the Broker pods, Function Worker pods, and Proxy pods. However, this setting will not configure the proxy or the
 function worker to use TLS for connections with the broker. You can enable those by configuring
-`tls.proxy.enabled: true` and `tls.function.enabled: true`, respectively. Because the function worker only connects to
-the broker over TLS when authentication is configured, make sure to enable authentication if you'd like the function
-worker to connect to the broker over TLS.
+`tls.proxy.enableTlsWithBroker: true` and `tls.function.enableTlsWithBroker: true`, respectively. Because the function
+worker only connects to the broker over TLS when authentication is configured, make sure to enable authentication if
+you'd like the function worker to connect to the broker over TLS.
 
 #### Hostname Verification
 
diff --git a/helm-chart-sources/pulsar/templates/function/function-configmap.yaml b/helm-chart-sources/pulsar/templates/function/function-configmap.yaml
index d66ce3d7..a1491576 100644
--- a/helm-chart-sources/pulsar/templates/function/function-configmap.yaml
+++ b/helm-chart-sources/pulsar/templates/function/function-configmap.yaml
@@ -74,7 +74,7 @@ data:
     {{- end }}
     tlsKeyFilePath: "/pulsar/tls-pk8.key"
     {{- end }}
-    {{- if and .Values.enableTls .Values.tls.function.enabled }}
+    {{- if or (and .Values.enableTls .Values.tls.function.enabled) (and .Values.enableTls .Values.tls.function.enableTlsWithBroker) }}
     useTls: "true"
     tlsEnableHostnameVerification: "{{ .Values.tls.proxy.enableHostnameVerification }}"
     pulsarServiceUrl: "pulsar+ssl://{{ template "pulsar.fullname" . }}-{{ .Values.brokerSts.component }}:6651"
diff --git a/helm-chart-sources/pulsar/templates/proxy/proxy-configmap.yaml b/helm-chart-sources/pulsar/templates/proxy/proxy-configmap.yaml
index 2020f3a2..03af6c88 100644
--- a/helm-chart-sources/pulsar/templates/proxy/proxy-configmap.yaml
+++ b/helm-chart-sources/pulsar/templates/proxy/proxy-configmap.yaml
@@ -92,14 +92,14 @@ data:
   webServicePortTls: "8443"
   servicePortTls: "6651"
   # Used to enable via .Values.tls.function.enabled, but that is deprecated now.
-  {{- if or .Values.tls.function.enabled .Values.tls.proxy.enabled }}
+  {{- if or .Values.tls.function.enabled .Values.tls.proxy.enableTlsWithBroker }}
   tlsEnabledWithBroker: "true"
   tlsHostnameVerificationEnabled: "{{ .Values.tls.proxy.enableHostnameVerification }}"
   {{- else }}
   tlsEnabledWithBroker: "false"
   {{- end }}
   {{- if .Values.extra.function }}
-  {{- if or .Values.tls.function.enabled .Values.tls.proxy.enabled }}
+  {{- if or .Values.tls.function.enabled .Values.tls.proxy.enableTlsWithBroker }}
   functionWorkerWebServiceURLTLS: "https://{{ template "pulsar.fullname" . }}-{{ .Values.function.component }}-ca:6751"
   {{- else }}
   functionWorkerWebServiceURL: "http://{{ template "pulsar.fullname" . }}-{{ .Values.function.component }}-ca:6750"
diff --git a/helm-chart-sources/pulsar/templates/proxy/proxy-ws-configmap.yaml b/helm-chart-sources/pulsar/templates/proxy/proxy-ws-configmap.yaml
index 536af762..c8baf81b 100644
--- a/helm-chart-sources/pulsar/templates/proxy/proxy-ws-configmap.yaml
+++ b/helm-chart-sources/pulsar/templates/proxy/proxy-ws-configmap.yaml
@@ -66,7 +66,8 @@ data:
   tlsEnabled: "true"
   tlsCertificateFilePath: /pulsar/certs/tls.crt
   tlsKeyFilePath: /pulsar/tls-pk8.key
-  {{- if or .Values.tls.websocket.enabled .Values.enableTls }}
+  # .Values.tls.websocket.enabled is deprecated
+  {{- if or (or .Values.tls.websocket.enabled .Values.enableTls) (and .Values.enableTls .Values.tls.websocket.enableTlsWithBroker) }}
   brokerClientTlsEnabled: "true"
   {{- if or .Values.secrets .Values.createCertificates.selfSigned.enabled}}
   tlsTrustCertsFilePath: /pulsar/certs/ca.crt
diff --git a/helm-chart-sources/pulsar/values.yaml b/helm-chart-sources/pulsar/values.yaml
index 97b2753f..5303aed9 100644
--- a/helm-chart-sources/pulsar/values.yaml
+++ b/helm-chart-sources/pulsar/values.yaml
@@ -116,8 +116,9 @@ default_storage:
 # TLS-enabled ports on the service. To allow TLS connections only, remove the plain-text ports.
 # See the proxy and broker sections for details.
 # This flag enables TLS for all client and admin facing components: broker, proxy, websocket proxy, standalone function
-# worker. You must deploy the broker as a StatefulSet for hostname verification to work. The function worker and the
-# proxy will network with the brokers over TLS when this flag is set to true.
+# worker. You must deploy the broker as a StatefulSet for hostname verification to work. In order to enable Pulsar
+# components to network using TLS, see the tls.<component> section below; by default, intra cluster networking is
+# plaintext.
 enableTls: false
 tlsSecretName: pulsar-tls
 
@@ -150,15 +151,14 @@ tls:
   # NOTE: the function worker's connection to the broker is only over TLS if brokerClientAuthenticationEnabled is true
   # or if authenticationEnabled is true in the function's configuration.
   function:
-    enabled: false
+    enableTlsWithBroker: false
     # NOTE: temporarily false to allow for easy transition. In next major version bump, this will default to true.
     enableHostnameVerification: false
-  # Enable TLS between WebSocket proxy and broker
   websocket:
-    enabled: false
-  # Enable TLS between proxy and broker and between proxy and function worker
+    enableTlsWithBroker: false
   proxy:
-    enabled: false
+    # Applies to connections to standalone function worker, too.
+    enableTlsWithBroker: false
     # Applies to upstream broker and function worker TLS connections.
     # NOTE: temporarily false to allow for easy transition. In next major version bump, this will default to true.
     enableHostnameVerification: false