diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
index ffb4844..6e1870c 100644
--- a/docs/modules/ROOT/pages/references/parameters.adoc
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -10,6 +10,30 @@ default:: `appuio-control-api`
 
 The namespace in which to deploy this component.
 
+== `apiserver.apiservice`
+type:: dict
+
+== `apiserver.tls`
+
+This key configures encryption of internal traffic, meaning from the Kubernetes API server to our aggregate API sever.
+
+You have the option to provide a custom TLS key and certificate.
+
+If any of the following fields are set to `null` or empty string, the aggregate API server will generate its own certificates.
+In that case the connection is still encrypted, but you need to disable TLS verification by setting `insecureSkipTLSVerify` to `true` in the APIService.
+
+=== `apiserver.tls.certSecretName`
+type:: string
+default:: `control-api-tls`
+
+=== `apiserver.tls.serverCert`
+type:: string
+default:: "?{vaultkv:${customer:name}/${cluster:name}/${_instance}/apiserver-cert}"
+
+=== `apiserver.tls.serverKey`
+type:: string
+default:: "?{vaultkv:${customer:name}/${cluster:name}/${_instance}/apiserver-key}"
+
 == `zones`
 
 [horizontal]