diff --git a/postgresql/certificate.yaml b/postgresql/certificate.yaml
new file mode 100644
index 0000000..e553eac
--- /dev/null
+++ b/postgresql/certificate.yaml
@@ -0,0 +1,53 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: postgresql-ca-issuer
+spec:
+ selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: postgresql-ca
+spec:
+ isCA: true
+ commonName: PostgreSQL CA
+ secretName: postgresql-ca
+ duration: 96360h
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: postgresql-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: postgresql-issuer
+spec:
+ ca:
+ secretName: postgresql-ca
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: default
+spec:
+ secretName: default-cert
+ dnsNames:
+ - default.postgresql.svc.cluster.local
+ - default.postgresql.svc
+ - default.postgresql
+ - default
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: postgresql-issuer
+ privateKey:
+ algorithm: ECDSA
+ rotationPolicy: Always
diff --git a/postgresql/default-cluster.yaml b/postgresql/default-cluster.yaml
index 1c84727..3483b82 100644
--- a/postgresql/default-cluster.yaml
+++ b/postgresql/default-cluster.yaml
@@ -10,6 +10,8 @@ spec:
 numberOfInstances: 1
 postgresql:
 version: '15'
+ tls:
+ secretName: default-cert
 users:
 dustin:
 - superuser
diff --git a/postgresql/postgresql-operator-configuration.yaml b/postgresql/postgresql-operator-configuration.yaml
index 92d3809..05c3907 100644
--- a/postgresql/postgresql-operator-configuration.yaml
+++ b/postgresql/postgresql-operator-configuration.yaml
@@ -100,7 +100,7 @@ configuration:
 spilo_allow_privilege_escalation: true
 # spilo_runasuser: 101
 # spilo_runasgroup: 103
- # spilo_fsgroup: 103
+ spilo_fsgroup: 103
 spilo_privileged: false
 storage_resize_mode: pvc
 # toleration:
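Review bot: The `default` Certificate (last document in the new `certificate.yaml`) leaves `usages`, `duration` and `renewBefore` unset, so the key usages and lifetime of the PostgreSQL server certificate depend on the defaults of whichever cert-manager version is installed. Since this certificate is only meant to identify the server, I would pin them, for example `usages: [digital signature, server auth]` and an explicit `duration`/`renewBefore` pair. With `rotationPolicy: Always` every renewal also replaces the private key, so it is worth confirming that the database pods reload the mounted secret after a renewal; nothing in this diff shows that. Separately, the self-signed root's private key ends up in the `postgresql-ca` Secret next to the workload, so read access to Secrets in that namespace should be limited to cert-manager, because anyone who can read it can issue certificates that clients of this CA will trust.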
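Review bot: In `default-cluster.yaml`, `tls.secretName: default-cert` only changes which certificate the server presents; nothing in this hunk makes clients verify it or makes the server refuse unencrypted connections, which depends on `pg_hba` rules not visible here. Clients are protected against an impostor server only if they connect with `sslmode=verify-full` and trust the `postgresql-ca` certificate, so I would record that next to the setting, e.g. `# clients: use sslmode=verify-full with ca.crt from the default-cert secret`. The context also shows `dustin` as a `superuser`, which makes verified TLS on that login path more important. The `spec` mapping starts and ends outside the hunk.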
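Review bot: In `postgresql-operator-configuration.yaml`, the newly enabled `spilo_fsgroup: 103` has no comment saying why it is now needed, and as an operator-level setting it presumably applies to every cluster this operator manages, not only the one that gets `tls.secretName` in this commit. I would add a line above it such as `# fsGroup 103 lets the postgres process read the TLS key mounted from tls.secretName` (assuming 103 is the postgres group in the Spilo image, as the commented `spilo_runasgroup: 103` suggests). The context lines also show `spilo_allow_privilege_escalation: true` and the run-as user/group left commented out; since the pod security context is being touched anyway, it is worth checking whether those can be tightened. The `configuration` mapping starts and ends outside the hunk.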