diff --git a/lib/gat/modes/zalando_operator_discovery/config.go b/lib/gat/modes/zalando_operator_discovery/config.go
index 52589b4e53a9870366c109ff1c3e19a1a5796873..aed71f9e5fe5b70c4ac16c55c600d5c818f625e4 100644
--- a/lib/gat/modes/zalando_operator_discovery/config.go
+++ b/lib/gat/modes/zalando_operator_discovery/config.go
@@ -1,38 +1,30 @@
 package zalando_operator_discovery
 
 import (
-	"os"
-
+	"gfx.cafe/util/go/gun"
 	"k8s.io/client-go/rest"
 )
 
 type Config struct {
-	Namespace                   string
-	ConfigMapName               string
-	OperatorConfigurationObject string
+	Namespace                   string `env:"PGGAT_NAMESPACE" default:"default"`
+	ConfigMapName               string `env:"CONFIG_MAP_NAME"`
+	OperatorConfigurationObject string `env:"POSTGRES_OPERATOR_CONFIGURATION_OBJECT"`
+	TLSCrtFile                  string `env:"PGGAT_TLS_CRT_FILE" default:"/etc/ssl/certs/pgbouncer.crt"`
+	TLSKeyFile                  string `env:"PGGAT_TLS_KEY_FILE" default:"/etc/ssl/certs/pgbouncer.key"`
 
 	Rest *rest.Config
 }
 
 func Load() (*Config, error) {
-	namespace := os.Getenv("PGGAT_NAMESPACE")
-	if namespace == "" {
-		namespace = "default"
-	}
-	configMapName := os.Getenv("CONFIG_MAP_NAME")
-	operatorConfigurationObject := os.Getenv("POSTGRES_OPERATOR_CONFIGURATION_OBJECT")
+	var config Config
+	gun.Load(&config)
 
-	restConfig, err := rest.InClusterConfig()
+	var err error
+	config.Rest, err = rest.InClusterConfig()
 	if err != nil {
 		return nil, err
 	}
-	return &Config{
-		Namespace:                   namespace,
-		ConfigMapName:               configMapName,
-		OperatorConfigurationObject: operatorConfigurationObject,
-
-		Rest: restConfig,
-	}, nil
+	return &config, nil
 }
 
 func (T *Config) ListenAndServe() error {
diff --git a/lib/gat/modes/zalando_operator_discovery/server.go b/lib/gat/modes/zalando_operator_discovery/server.go
index f9ecdecbe5f4e92235ab8d7358c53123089a872b..a705590ee5e8549f451aa64b97e8e1800e267266 100644
--- a/lib/gat/modes/zalando_operator_discovery/server.go
+++ b/lib/gat/modes/zalando_operator_discovery/server.go
@@ -325,6 +325,19 @@ func (T *Server) ListenAndServe() error {
 		}
 	}()
 
+	// load certificate
+	var sslConfig *tls.Config
+	certificate, err := tls.LoadX509KeyPair(T.config.TLSCrtFile, T.config.TLSKeyFile)
+	if err == nil {
+		sslConfig = &tls.Config{
+			Certificates: []tls.Certificate{
+				certificate,
+			},
+		}
+	} else {
+		log.Printf("failed to load certificate, ssl is disabled")
+	}
+
 	var bank flip.Bank
 
 	bank.Queue(func() error {
@@ -347,7 +360,7 @@ func (T *Server) ListenAndServe() error {
 				strutil.MakeCIString("extra_float_digits"),
 				strutil.MakeCIString("options"),
 			},
-			// TODO(garet)
+			SSLConfig: sslConfig,
 		}, &T.pools)
 	})