diff --git a/src/pkg/builder/job_builder.go b/src/pkg/builder/job_builder.go
index cec29c6..7c9dc5a 100644
--- a/src/pkg/builder/job_builder.go
+++ b/src/pkg/builder/job_builder.go
@@ -20,6 +20,7 @@ func (b *Builder) BuildInitJob(zitadel *zitadelv1alpha1.ZitadelCluster, key type
 runAsNonRoot := true
 enableServiceLinks := false
 user := int64(1000)
+ mode := int32(444)
 initJob := &batchv1.Job{
 ObjectMeta: metav1.ObjectMeta{
 Name: key.Name,
@@ -39,7 +40,8 @@ func (b *Builder) BuildInitJob(zitadel *zitadelv1alpha1.ZitadelCluster, key type
 Volumes: []corev1.Volume{
 {Name: "certs", VolumeSource: corev1.VolumeSource{
 Secret: &corev1.SecretVolumeSource{
- SecretName: zitadel.Spec.RootTLSSecret.Name,
+ SecretName: zitadel.Spec.RootTLSSecret.Name,
+ DefaultMode: &mode,
 },
 }},
 {Name: "zitadel-config-yaml", VolumeSource: corev1.VolumeSource{ConfigMap: &corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: configuration.ConfigurationName(zitadel)}}}},
@@ -89,6 +91,7 @@ func (b *Builder) BuildSetupJob(zitadel *zitadelv1alpha1.ZitadelCluster, key typ
 runAsNonRoot := true
 enableServiceLinks := false
 user := int64(1000)
+ mode := int32(444)
 setupJob := &batchv1.Job{
 ObjectMeta: metav1.ObjectMeta{
 Name: key.Name,
@@ -106,6 +109,12 @@ func (b *Builder) BuildSetupJob(zitadel *zitadelv1alpha1.ZitadelCluster, key typ
 },
 EnableServiceLinks: &enableServiceLinks,
 Volumes: []corev1.Volume{
+ {Name: "certs", VolumeSource: corev1.VolumeSource{
+ Secret: &corev1.SecretVolumeSource{
+ SecretName: zitadel.Spec.RootTLSSecret.Name,
+ DefaultMode: &mode,
+ },
+ }},
 {Name: "zitadel-config-yaml", VolumeSource: corev1.VolumeSource{ConfigMap: &corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: configuration.ConfigurationName(zitadel)}}}},
 },
 Containers: []corev1.Container{
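Review bot: `mode := int32(444)` in the first BuildInitJob hunk is a decimal literal, so the `DefaultMode` it feeds is 0674 (rw-rwxr--) rather than the read-only 0444 the digits suggest. Go needs an octal literal here: `mode := int32(0444)`. The identical line is added in the BuildSetupJob hunk (`@@ -89,6 +91,7 @@`) and needs the same fix, since both values end up on the `certs` Secret volume. Both function bodies start and end outside the hunks.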
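Review bot: `DefaultMode: &mode` in the BuildInitJob `Volumes` hunk (and again in the BuildSetupJob volume added at `@@ -106,6 +109,12 @@`) applies one mode to every key of `RootTLSSecret`, so even at the intended 0444 the private key is readable by any UID in the pod. That the secret holds a private key is inferred from the `/certs/tls.key` path added later in this diff. If the pod security context, which is outside these hunks, can carry an `FSGroup`, a group-scoped value such as `mode := int32(0440)` would be tighter. Kubernetes documents that fsGroup can alter the resulting bits, so the effective permissions should be checked in a running pod. I would also add a comment next to the field, e.g. `// octal; secret contains the client private key, keep as restrictive as the runtime user allows`.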
@@ -129,9 +138,22 @@ func (b *Builder) BuildSetupJob(zitadel *zitadelv1alpha1.ZitadelCluster, key typ
 Name: "ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH",
 Value: "/machinekey/sa.json",
 },
+ {
+ Name: "ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_ROOTCERT",
+ Value: "/certs/ca.crt",
+ },
+ {
+ Name: "ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_CERT",
+ Value: "/certs/tls.crt",
+ },
+ {
+ Name: "ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY",
+ Value: "/certs/tls.key",
+ },
 },
 VolumeMounts: []corev1.VolumeMount{
 {Name: "zitadel-config-yaml", MountPath: "/config"},
+ {Name: "certs", MountPath: "/certs"},
 },
 },
 },
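Review bot: The new `certs` entry under `VolumeMounts` omits `ReadOnly: true`, and the three `ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_*` values repeat the `/certs` mount path as separate string literals that must stay in sync with it. I would write the mount as `{Name: "certs", MountPath: "/certs", ReadOnly: true},` so the intent is explicit for a volume that carries key material. A comment above the env entries would also help, e.g. `// RootTLSSecret must contain ca.crt, tls.crt and tls.key; paths must match the certs mount below.` The container spec starts and ends outside this hunk.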