diff --git a/api/v1alpha1/perses_types.go b/api/v1alpha1/perses_types.go
index 20d9337..6915be0 100644
--- a/api/v1alpha1/perses_types.go
+++ b/api/v1alpha1/perses_types.go
@@ -23,17 +23,20 @@ import ( // PersesSpec defines the desired state of Perses type PersesSpec struct { // +operator-sdk:csv:customresourcedefinitions:type=spec + // Client perses client configuration Client Client `json:"client,omitempty"` // +operator-sdk:csv:customresourcedefinitions:type=spec Config PersesConfig `json:"config,omitempty"` // +operator-sdk:csv:customresourcedefinitions:type=spec ContainerPort int32 `json:"containerPort,omitempty"` // +operator-sdk:csv:customresourcedefinitions:type=spec + // Args extra arguments to pass to perses Args []string `json:"args,omitempty"` } type Client struct { // +optional + // TLS the equivalent to the tls_config for perses client TLS *TLS `json:"tls,omitempty"` }
@@ -45,6 +48,7 @@ type TLS struct { UserCert *Certificate `json:"userCert,omitempty"` } +// CertificateType types of certificate sources in k8s type CertificateType string const (
@@ -54,15 +58,14 @@ const ( type Certificate struct { // +kubebuilder:validation:Enum:={"secret", "configmap"} - Type CertificateType `json:"type"` - Name string `json:"name"` - CertFile string `json:"certFile"` - CertKeyFile string `json:"certKeyFile"` -} - -type UserCert struct { - Type string `json:"type,omitempty"` + // Type source type of certificate + Type CertificateType `json:"type"` + // Name of certificate k8s resource Name string `json:"name"` + // CertFile path to certificate + CertFile string `json:"certFile"` + // CertKeyFile path to certificate key file + CertKeyFile string `json:"certKeyFile"` } // PersesStatus defines the observed state of Perses
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 8489ab1..d2ed088 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
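Review bot: The `TLS *TLS` field kept as context in `Client` no longer agrees with the regenerated deepcopy code in this same commit, where `Client.DeepCopyInto` now does `*out = new(TLSConfig)` and the `TLS` deepcopy methods are renamed to `TLSConfig`. No hunk in this file renames `type TLS struct`, so unless `TLSConfig` is declared elsewhere in the package, the API package will not compile. Either rename the type and the field here (`TLS *TLSConfig`) or regenerate `zz_generated.deepcopy.go` from this tree before merging.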
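Review bot: The new comments on `CertFile` and `CertKeyFile` in `Certificate` call them paths, but `GetVolumeMounts` passes `CaCert.CertFile` as the mount `SubPath` and the sample sets `certFile: ca.crt`, so the value appears to be the key (file name) inside the named Secret or ConfigMap rather than a filesystem path. Suggested wording: `// CertFile is the key in the Secret or ConfigMap that holds the certificate` and `// CertKeyFile is the key that holds the private key; the source should be a Secret`. The second comment matters because the `Type` enum still allows `configmap` on a struct that carries a private key, and ConfigMaps are not intended for confidential data. A validation rule that rejects `certKeyFile` together with `type: configmap` would enforce this rather than only documenting it.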
@@ -45,7 +45,7 @@ func (in *Client) DeepCopyInto(out *Client) { *out = *in if in.TLS != nil { in, out := &in.TLS, &out.TLS - *out = new(TLS) + *out = new(TLSConfig) (*in).DeepCopyInto(*out) } } @@ -356,7 +356,7 @@ func (in *PersesStatus) DeepCopy() *PersesStatus { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TLS) DeepCopyInto(out *TLS) { +func (in *TLSConfig) DeepCopyInto(out *TLSConfig) { *out = *in out.CaCert = in.CaCert if in.UserCert != nil { @@ -366,27 +366,12 @@ func (in *TLS) DeepCopyInto(out *TLS) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLS. -func (in *TLS) DeepCopy() *TLS { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig. +func (in *TLSConfig) DeepCopy() *TLSConfig { if in == nil { return nil } - out := new(TLS) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *UserCert) DeepCopyInto(out *UserCert) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserCert. -func (in *UserCert) DeepCopy() *UserCert { - if in == nil { - return nil - } - out := new(UserCert) + out := new(TLSConfig) in.DeepCopyInto(out) return out } diff --git a/config/crd/bases/perses.dev_perses.yaml b/config/crd/bases/perses.dev_perses.yaml index c9cf62c..82aa0d2 100644 --- a/config/crd/bases/perses.dev_perses.yaml +++ b/config/crd/bases/perses.dev_perses.yaml 
@@ -40,22 +40,29 @@ spec: description: PersesSpec defines the desired state of Perses properties: args: + description: Args extra arguments to pass to perses items: type: string type: array client: + description: Client perses client configuration properties: tls: + description: TLS the equivalent to the tls_config for perses client properties: caCert: properties: certFile: + description: CertFile path to certificate type: string certKeyFile: + description: CertKeyFile path to certificate key file type: string name: + description: Name of certificate k8s resource type: string type: + description: Type source type of certificate enum: - secret - configmap @@ -73,12 +80,16 @@ spec: userCert: properties: certFile: + description: CertFile path to certificate type: string certKeyFile: + description: CertKeyFile path to certificate key file type: string name: + description: Name of certificate k8s resource type: string type: + description: Type source type of certificate enum: - secret - configmap diff --git a/config/samples/perses.dev_v1alpha1_perses_tls.yaml b/config/samples/perses.dev_v1alpha1_perses_tls.yaml new file mode 100644 index 0000000..f4574f4 --- /dev/null +++ b/config/samples/perses.dev_v1alpha1_perses_tls.yaml 
@@ -0,0 +1,39 @@
+apiVersion: perses.dev/v1alpha1
+kind: Perses
+metadata:
+ labels:
+ app.kubernetes.io/name: perses
+ app.kubernetes.io/instance: perses-tls-sample
+ app.kubernetes.io/part-of: perses-operator
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/created-by: perses-operator
+ name: perses-tls-sample
+ namespace: perses-dev
+spec:
+ client:
+ tls:
+ enable: true
+ caCert:
+ type: secret
+ name: perses-certs
+ certFile: ca.crt
+ userCert:
+ type: secret
+ name: perses-certs
+ certFile: tls.crt
+ certKeyFile: tls.key
+
+ config:
+ database:
+ file:
+ folder: "/etc/perses/storage"
+ extension: "yaml"
+ schemas:
+ panels_path: "/etc/perses/cue/schemas/panels"
+ queries_path: "/etc/perses/cue/schemas/queries"
+ datasources_path: "/etc/perses/cue/schemas/datasources"
+ variables_path: "/etc/perses/cue/schemas/variables"
+ ephemeral_dashboard:
+ enable: false
+ cleanup_interval: "1s"
+ containerPort: 8080
diff --git a/internal/perses/common/volumes.go b/internal/perses/common/volumes.go
index 0c407ca..e8dd7ae 100644
--- a/internal/perses/common/volumes.go
+++ b/internal/perses/common/volumes.go
@@ -102,16 +102,16 @@ func GetVolumeMounts(perses *v1alpha1.Perses) []corev1.VolumeMount { if perses.Spec.Client.TLS != nil && perses.Spec.Client.TLS.Enable { volumeMounts = append(volumeMounts, corev1.VolumeMount{ Name: "ca", + ReadOnly: true, MountPath: "/ca", SubPath: perses.Spec.Client.TLS.CaCert.CertFile, - ReadOnly: true, }) if perses.Spec.Client.TLS.UserCert != nil { volumeMounts = append(volumeMounts, corev1.VolumeMount{ Name: "tls", - MountPath: "/tls", ReadOnly: true, + MountPath: "/tls", }) } }
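Review bot: `caCert` in this sample omits `certKeyFile`, while `Certificate.CertKeyFile` in `perses_types.go` is tagged `json:"certKeyFile"` with no `omitempty` and no `+optional` marker. If the generated CRD therefore lists it under `required` (that part of the schema is outside the hunks shown), the API server would reject this manifest as written. A CA entry has no private key to reference, so adding `// +optional` and `omitempty` to the field's JSON tag would let `caCert` carry only the certificate.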
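Review bot: The `ca` mount combines `MountPath: "/ca"` with `SubPath`, and Kubernetes does not propagate Secret or ConfigMap updates into subPath mounts, so a rotated CA would reach the container only after a pod restart, whereas the `tls` mount has no `SubPath` and is refreshed. If rotation without a restart is expected, mount the volume as a directory and point the client at the file inside it, or at least record the limitation with a comment such as `// subPath mounts are not updated on rotation; a pod restart is required`. `SubPath` is also taken directly from the custom resource, so an empty `certFile` would mount the volume root at `/ca`, and a non-empty check before appending the mount would catch that. The body of `GetVolumeMounts` starts before this hunk, so any earlier validation is not visible here.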