diff --git a/src/pkg/builder/deployment_builder.go b/src/pkg/builder/deployment_builder.go
index 9104adf..40dc694 100644
--- a/src/pkg/builder/deployment_builder.go
+++ b/src/pkg/builder/deployment_builder.go
@@ -56,12 +56,20 @@ func (b *Builder) buildDepPodTemplate(zitadel *zitadelv1alpha1.ZitadelCluster, l
 WithAnnotations(zitadel.Spec.PodAnnotations).
 Build()
 group := int64(0)
+
+ mode := int32(0444)
 return &corev1.PodTemplateSpec{
 ObjectMeta: objMeta,
 Spec: corev1.PodSpec{
 SecurityContext: &corev1.PodSecurityContext{FSGroup: &group},
 Containers: *b.buildDepContainers(zitadel),
 Volumes: []corev1.Volume{
+ {Name: "certs", VolumeSource: corev1.VolumeSource{
+ Secret: &corev1.SecretVolumeSource{
+ SecretName: zitadel.Spec.RootTLSSecret.Name,
+ DefaultMode: &mode,
+ },
+ }},
 {Name: "zitadel-config-yaml", VolumeSource: corev1.VolumeSource{ConfigMap: &corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: configuration.ConfigurationName(zitadel)}}}},
 },
 },
@@ -100,6 +108,32 @@ func (b *Builder) buildDepContainers(zitadel *zitadelv1alpha1.ZitadelCluster) *[
 Name: "ZITADEL_MASTERKEY",
 ValueFrom: &corev1.EnvVarSource{SecretKeyRef: &corev1.SecretKeySelector{LocalObjectReference: corev1.LocalObjectReference{Name: masterkey.MasterKeyName(zitadel)}, Key: masterkey.Key}},
 },
+
+ {
+ Name: "ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_ROOTCERT",
+ Value: "/certs/ca.crt",
+ },
+ {
+ Name: "ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_CERT",
+ Value: "/certs/tls.crt",
+ },
+ {
+ Name: "ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY",
+ Value: "/certs/tls.key",
+ },
+
+ {
+ Name: "ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT",
+ Value: "/certs/ca.crt",
+ },
+ {
+ Name: "ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT",
+ Value: "/certs/tls.crt",
+ },
+ {
+ Name: "ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY",
+ Value: "/certs/tls.key",
+ },
 },
 Ports: []corev1.ContainerPort{
 {Name: deployment.ZitadelName, ContainerPort: deployment.ZitadelPort},
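Review bot: `mode := int32(0444)` leaves the mounted material, which includes the private key the second hunk points at via `/certs/tls.key`, readable by every UID inside the container. The pod template already sets `FSGroup: &group`, so `mode := int32(0440)` would keep the key readable by the fsGroup while denying other users in the container; whether `0400` is viable instead depends on the container's runAsUser, which is not in view. `zitadel.Spec.RootTLSSecret.Name` is read with no guard: if `RootTLSSecret` is a pointer in the CRD an unset field panics the reconciler here, and if it is a value type an unset field yields an empty `SecretName` and a pod that never starts, so either validate upstream or document the field as required. The literal `"certs"` recurs in the mount of the third hunk and `/certs` in the env values of the second; a shared `const certsVolumeName = "certs"` and `certsMountPath = "/certs"` would keep the three places in step. buildDepPodTemplate begins before the hunk.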
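Review bot: The `ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_*` and `ZITADEL_DATABASE_COCKROACH_USER_SSL_*` groups point at the same `/certs/tls.crt` and `/certs/tls.key`, so the admin connection and the application-user connection present one client identity. If CockroachDB ties the certificate's CN to the SQL user, one of the two roles cannot authenticate with this pair; if both do connect, the two roles share a key and the privilege separation the distinct variable names suggest is gone. A comment on the added block such as `// RootTLSSecret currently serves both the admin and the application user; it must contain ca.crt, tls.crt and tls.key` would at least make the coupling and the expected secret keys explicit, since a standard kubernetes.io/tls secret guarantees only `tls.crt` and `tls.key` and `ca.crt` depends on the issuer. buildDepContainers begins before the hunk and continues past it.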
@@ -119,6 +153,7 @@ func (b *Builder) buildDepContainers(zitadel *zitadelv1alpha1.ZitadelCluster) *[
 Resources: zitadel.Spec.Resources,
 VolumeMounts: []corev1.VolumeMount{
 {Name: "zitadel-config-yaml", MountPath: "/config"},
+ {Name: "certs", MountPath: "/certs"},
 },
 },
 }
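Review bot: The new `certs` mount does not set `ReadOnly`; kubelet mounts secret-backed volumes read-only on its own, but stating it on the mount records the intent in the generated manifest and holds if the volume source is later changed to something that is writable. `{Name: "certs", MountPath: "/certs", ReadOnly: true},`. buildDepContainers begins before the hunk.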