
Transport Layer Security (TLS)

Percona Operator for MongoDB uses the Transport Layer Security (TLS) cryptographic protocol for the following types of communication:

  • External - to enable client applications to communicate with the cluster
  • Internal - for communication between Percona Server for MongoDB instances in the cluster. The internal certificate is also used as an authorization method.

You control TLS usage with the tls.mode option in the Custom Resource. This setting defines how the Percona Server for MongoDB cluster handles TLS for both internal and external connections. You can choose from the following modes:

  • allowTLS: The cluster accepts both TLS and non-TLS incoming connections, but does not use TLS for internal communication.
  • preferTLS (default): The cluster uses TLS for internal communication and accepts both TLS and non-TLS external connections.
  • requireTLS: The cluster enforces TLS encryption for all connections and accepts only TLS connections.
  • disabled: The cluster completely disables TLS for all connections.

Example configuration:

...
spec:
  ...
  tls:
    mode: preferTLS

TLS Certificates

TLS security can be configured in several ways:

  • The Operator generates long-term certificates automatically during cluster creation if no certificate Secrets are available. When generating certificates, the Operator creates two Secrets objects named <cluster-name>-ssl and <cluster-name>-ssl-internal. These Secrets are also referenced in the secrets.ssl and secrets.sslInternal options in the Custom Resource.

    This is the default behavior. If you need new certificates, you must renew them manually.

    To allow the certificates automatically generated by the Operator, the tls.allowInvalidCertificates Custom Resource option is set to true by default. You can set it to false when using other certificate generation methods, such as cert-manager.

  • The Operator can use a cert-manager installed in the Kubernetes cluster, which automatically generates and renews short-term TLS certificates.
  • You can generate TLS certificates manually.

For testing purposes, you can use the pre-generated certificates available in the deploy/ssl-secrets.yaml file. We strongly recommend not using them on any production system!
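The tls.mode values and the allowInvalidCertificates default described above are easy to get wrong in a manifest that is applied unreviewed. The following script is an added example, not part of the Percona documentation or the Operator's own code: it reads the keys documented on this page (spec.tls.mode, spec.tls.allowInvalidCertificates, spec.secrets.ssl, spec.secrets.sslInternal) from a Custom Resource manifest and reports what each setting implies for encryption and certificate validation. The two manifests embedded in it are constructed samples, the YAML reader handles only the indented key/value subset such manifests use, and the severity labels are this example's own convention.

```python
"""Audit the TLS settings of a PerconaServerMongoDB Custom Resource manifest.

Added example, not the Operator's code. Severities are this script's own
convention; the facts checked come from the documented tls.mode semantics.
"""
import re

# mode -> (internal traffic encrypted, non-TLS external connections accepted)
TLS_MODES = {
    "disabled": (False, True),
    "allowTLS": (False, True),
    "preferTLS": (True, True),
    "requireTLS": (True, False),
}

KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+):\s*(.*)$")


def read_simple_yaml(text):
    """Minimal reader for indentation-based `key: value` / `key:` maps.

    Not a YAML parser: comments, document markers and list items are skipped.
    Sufficient for the CR fragments this page talks about.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the currently open maps
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.strip() in ("...", "---"):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, value = m.group(1), m.group(2).strip().strip("\"'")
        while stack[-1][0] >= indent:  # close maps at the same or deeper level
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def audit_tls(cr):
    """Return [(severity, message), ...] for the TLS-relevant settings of a CR."""
    name = cr.get("metadata", {}).get("name", "<cluster-name>")
    spec = cr.get("spec", {})
    tls, secrets = spec.get("tls", {}), spec.get("secrets", {})
    mode = tls.get("mode", "preferTLS")  # documented default
    if mode not in TLS_MODES:
        return [("error", f"tls.mode={mode!r} is not one of {sorted(TLS_MODES)}")]
    if mode == "disabled":
        return [("high", "tls.mode=disabled: no connection, internal or external, is encrypted")]
    findings = []
    internal_encrypted, plaintext_external = TLS_MODES[mode]
    if not internal_encrypted:
        findings.append(("high", f"tls.mode={mode}: traffic between cluster members is not encrypted"))
    if plaintext_external:
        findings.append(("medium", f"tls.mode={mode}: clients may still connect without TLS; requireTLS enforces it"))
    # Defaults to true so Operator-generated certificates are accepted; should be
    # false once cert-manager or manually issued certificates are in use.
    if str(tls.get("allowInvalidCertificates", "true")).lower() == "true":
        findings.append(("medium", "tls.allowInvalidCertificates=true: certificate validation is relaxed"))
    if "ssl" not in secrets or "sslInternal" not in secrets:
        findings.append(("info", f"no secrets.ssl/sslInternal: Operator generates {name}-ssl and "
                                 f"{name}-ssl-internal (long-term, renewed manually)"))
    return findings


def audit_manifest(text):
    return audit_tls(read_simple_yaml(text))


# Constructed sample manifests (not taken from the documentation).
DEFAULT_CR = """\
apiVersion: psmdb.percona.com/v1
kind: PerconaServerMongoDB
metadata:
  name: my-cluster-name
spec:
  tls:
    mode: preferTLS
"""

HARDENED_CR = """\
apiVersion: psmdb.percona.com/v1
kind: PerconaServerMongoDB
metadata:
  name: my-cluster-name
spec:
  tls:
    mode: requireTLS
    allowInvalidCertificates: false   # certificates issued by cert-manager
  secrets:
    ssl: my-cluster-name-ssl
    sslInternal: my-cluster-name-ssl-internal
"""

if __name__ == "__main__":
    for label, cr in (("default", DEFAULT_CR), ("hardened", HARDENED_CR)):
        print(f"== {label}")
        for severity, message in audit_manifest(cr) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run it against a manifest before `kubectl apply`: the default sample reports that clients may still connect in cleartext, that certificate validation is relaxed, and that Operator-generated Secrets will be used, while the hardened sample (requireTLS, allowInvalidCertificates false, explicit Secrets) produces no findings. The reader deliberately ignores list items, so a full CR with replsets still parses as far as the keys this check needs.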

TLS configuration

The following sections provide guidelines on how to:

To use TLS for external traffic, you need to additionally configure your client application. See this blog post for detailed instructions with examples. You can also check the official MongoDB documentation.

For clients outside of your Kubernetes-based environment, you must also expose your cluster.


Last update: 2025-10-31