Transport Layer Security (TLS)
Percona Operator for MongoDB uses the Transport Layer Security (TLS) cryptographic protocol for two types of communication:
- Internal - communication between the Percona Server for MongoDB instances in the cluster. The internal certificate is also used to authenticate cluster members to each other, so it protects membership as well as confidentiality.
- External - communication between the client application and the cluster.
TLS usage is controlled by the tls.mode Custom Resource option, which can be set to allowTLS, preferTLS (the default), requireTLS, or disabled:

```yaml
...
spec:
  ...
  tls:
    mode: preferTLS
```

The modes have the following meaning:
- allowTLS - both TLS and non-TLS incoming connections are accepted, but the server does not use TLS for internal communication.
- preferTLS - TLS is turned on for internal communication, while both TLS and non-TLS external traffic is still accepted.
- requireTLS - only TLS-encrypted connections are accepted, internally and externally.
- disabled - TLS is turned off completely.

Only requireTLS guarantees that no plaintext connection reaches the cluster; with the default preferTLS a misconfigured client silently falls back to an unencrypted connection.
TLS Certificates
Certificates for TLS can be obtained in several ways. By default, the Operator generates long-term certificates automatically if no certificate Secrets are present. The other options are:
- the Operator can use a separately installed cert-manager, which automatically generates and renews short-term TLS certificates,
- certificates can be generated manually.
Note

The tls.allowInvalidCertificates Custom Resource option is set to true by default so that the certificates automatically generated by the Operator are accepted. It can be set to false with the other variants, such as certificates generated by cert-manager, and it should be, because true disables certificate validation.

You can also use the pre-generated certificates available in the deploy/ssl-secrets.yaml file for test purposes, but we strongly recommend against using them on any production system: their private keys are public.
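The following audit script ties the tls.mode values above to the allowInvalidCertificates note. It is an added example and is not part of the Operator or its documentation. It takes the Custom Resource as parsed JSON (for example the output of `kubectl get psmdb <name> -o json`) and applies the defaults the documentation states (mode preferTLS, allowInvalidCertificates true) when a field is absent, so it reports what the cluster will actually do rather than only what is written. The sample CRs are constructed for the example and the severity labels are the script's own convention.

```python
"""Audit the TLS settings of a Percona Server for MongoDB Custom Resource.

Added example, not code from the Operator project. Run it against the
JSON of a CR (e.g. `kubectl get psmdb my-cluster -o json`) to list the
TLS settings a reviewer would question before going to production.
"""
from __future__ import annotations

import json

VALID_MODES = ("allowTLS", "preferTLS", "requireTLS", "disabled")
# Defaults as stated in the Operator documentation.
DEFAULT_MODE = "preferTLS"
DEFAULT_ALLOW_INVALID = True


def tls_settings(cr: dict) -> tuple[str, bool]:
    """Return (mode, allowInvalidCertificates), applying the documented defaults
    when spec.tls or one of its fields is missing."""
    tls = cr.get("spec", {}).get("tls") or {}
    mode = tls.get("mode", DEFAULT_MODE)
    allow_invalid = tls.get("allowInvalidCertificates", DEFAULT_ALLOW_INVALID)
    return mode, bool(allow_invalid)


def audit_tls(cr: dict) -> list[str]:
    """Return findings as 'SEVERITY: explanation' strings; empty means the CR
    enforces TLS and validates certificates."""
    findings: list[str] = []
    mode, allow_invalid = tls_settings(cr)

    if mode not in VALID_MODES:
        findings.append(
            f"ERROR: unknown tls.mode {mode!r}; expected one of {', '.join(VALID_MODES)}"
        )
        return findings

    if mode == "disabled":
        findings.append("HIGH: tls.mode=disabled turns TLS off for internal and external traffic")
    elif mode == "allowTLS":
        findings.append(
            "HIGH: tls.mode=allowTLS accepts plaintext clients and does not use TLS "
            "between replica set members"
        )
    elif mode == "preferTLS":
        findings.append(
            "MEDIUM: tls.mode=preferTLS (the default) still accepts plaintext external "
            "connections; use requireTLS to enforce encryption"
        )

    # Certificate validation is irrelevant when TLS is off entirely.
    if allow_invalid and mode != "disabled":
        findings.append(
            "MEDIUM: tls.allowInvalidCertificates=true (the default) skips certificate "
            "validation; set it to false once certificates come from cert-manager or your own CA"
        )
    return findings


# Constructed sample CRs (hypothetical cluster names), trimmed to the fields the audit reads.
SAMPLE_DEFAULT = json.loads(
    '{"apiVersion": "psmdb.percona.com/v1", "kind": "PerconaServerMongoDB",'
    ' "metadata": {"name": "my-cluster-name"}, "spec": {"crVersion": "1.16.0"}}'
)
SAMPLE_HARDENED = json.loads(
    '{"apiVersion": "psmdb.percona.com/v1", "kind": "PerconaServerMongoDB",'
    ' "metadata": {"name": "prod-cluster"},'
    ' "spec": {"tls": {"mode": "requireTLS", "allowInvalidCertificates": false}}}'
)

if __name__ == "__main__":
    for name, cr in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}: {audit_tls(cr) or ['OK']}")
```

A CR with no tls block at all yields two findings (preferTLS plus allowInvalidCertificates), which is the point of applying the defaults explicitly: the absence of a setting is itself a finding.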
TLS configuration

The following sections provide guidelines on how to:
- Configure TLS security with the Operator using cert-manager
- Generate certificates manually
- Update certificates
- Disable TLS temporarily
If you are going to use TLS for external traffic, you also need to configure your client application to connect over TLS and to validate the server certificate. See this blog post for detailed instructions with examples, and the official MongoDB documentation.
For clients outside of your Kubernetes-based environment, you must also expose your cluster.