diff --git a/api/v1/coroot_types.go b/api/v1/coroot_types.go
index 11a60c6..2df05b0 100644
--- a/api/v1/coroot_types.go
+++ b/api/v1/coroot_types.go
@@ -177,8 +177,12 @@ type ExternalClickhouseSpec struct {
 Database string `json:"database,omitempty"`
 // Password for accessing the external ClickHouse (plain-text, not recommended).
 Password string `json:"password,omitempty"`
- // Secret containing password for accessing the external ClickHouse.
+ // Secret containing a password for accessing the external ClickHouse.
 PasswordSecret *corev1.SecretKeySelector `json:"passwordSecret,omitempty"`
+ // Whether to enable TLS for the connection to ClickHouse.
+ TLSEnabled bool `json:"tlsEnabled,omitempty"`
+ // Whether to skip verification of the ClickHouse server's TLS certificate.
+ TLSSkipVerify bool `json:"tlsSkipVerify,omitempty"`
 }
 
 type PostgresSpec struct {
@@ -192,7 +196,7 @@ type PostgresSpec struct {
 Database string `json:"database,omitempty"`
 // Password for accessing postgres (plain-text, not recommended).
 Password string `json:"password,omitempty"`
- // Secret containing password for accessing postgres.
+ // Secret containing a password for accessing postgres.
 PasswordSecret *corev1.SecretKeySelector `json:"passwordSecret,omitempty"`
 // Extra parameters, e.g., sslmode and connect_timeout.
 Params map[string]string `json:"params,omitempty"`
@@ -234,7 +238,7 @@ type TLSSpec struct {
 // Secret containing TLS certificate.
 // +kubebuilder:validation:Required
 CertSecret *corev1.SecretKeySelector `json:"certSecret,omitempty"`
- // Secret containing TLS private key.
+ // Secret containing a TLS private key.
 // +kubebuilder:validation:Required
 KeySecret *corev1.SecretKeySelector `json:"keySecret,omitempty"`
 }
diff --git a/config/crd/coroot.com_coroots.yaml b/config/crd/coroot.com_coroots.yaml
index 587de01..68b5c03 100644
--- a/config/crd/coroot.com_coroots.yaml
+++ b/config/crd/coroot.com_coroots.yaml
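Review bot: The doc comment added for `TLSSkipVerify` in `ExternalClickhouseSpec` (first hunk of api/v1/coroot_types.go) does not say that the setting is insecure, although the `Password` comment just above already marks its plain-text form as "not recommended". With verification skipped the connection is encrypted but the server is not authenticated, so a host on the network path could impersonate ClickHouse and, presumably, receive the password configured in this same struct. I would reword the comment to `// Whether to skip verification of the ClickHouse server's TLS certificate (insecure, not recommended; ignored unless tlsEnabled is true).`; the "ignored unless" part reflects the nested `if ec.TLSSkipVerify` inside `if ec.TLSEnabled` in the controller/coroot.go hunk. The spec as shown has no field for a custom CA bundle, so clusters using a private CA may end up depending on this flag, which may be worth a follow-up. The description in config/crd/coroot.com_coroots.yaml would need regenerating to match.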
@@ -4908,7 +4908,7 @@ spec: not recommended). type: string passwordSecret: - description: Secret containing password for accessing the external + description: Secret containing a password for accessing the external ClickHouse. properties: key: @@ -4932,6 +4932,13 @@ spec: - key type: object x-kubernetes-map-type: atomic + tlsEnabled: + description: Whether to enable TLS for the connection to ClickHouse. + type: boolean + tlsSkipVerify: + description: Whether to skip verification of the ClickHouse server's + TLS certificate. + type: boolean user: description: Username for accessing the external ClickHouse. type: string
diff --git a/controller/coroot.go b/controller/coroot.go
index bed4c9f..ce6473a 100644
--- a/controller/coroot.go
+++ b/controller/coroot.go
@@ -528,6 +528,12 @@ func (r *CorootReconciler) corootStatefulSet(cr *corootv1.Coroot, configEnvs Con
 corev1.EnvVar{Name: "GLOBAL_CLICKHOUSE_INITIAL_DATABASE", Value: ec.Database},
 )
 env = append(env, envVarFromSecret("GLOBAL_CLICKHOUSE_PASSWORD", ec.PasswordSecret, ec.Password))
+ if ec.TLSEnabled {
+ env = append(env, corev1.EnvVar{Name: "GLOBAL_CLICKHOUSE_TLS_ENABLED", Value: "true"})
+ if ec.TLSSkipVerify {
+ env = append(env, corev1.EnvVar{Name: "GLOBAL_CLICKHOUSE_TLS_SKIP_VERIFY", Value: "true"})
+ }
+ }
 } else {
 env = append(env, corev1.EnvVar{