Transport Layer Security (TLS)

The Percona Operator for MySQL uses the Transport Layer Security (TLS) cryptographic protocol for communication between the client application and the cluster.

You can configure TLS security in several ways.

  • By default, the Operator generates long-term certificates automatically during cluster creation if no certificate secrets are available. The Operator’s self-signed issuer is local to the Operator Namespace. This self-signed issuer is created because Percona Distribution for MySQL requires all certificates to be issued by the same source.

  • The Operator can use cert-manager, which automatically generates and renews short-term TLS certificates. You must explicitly install cert-manager for this scenario.

    cert-manager acts as a self-signed issuer and generates certificates, allowing you to deploy and use the Percona Operator without a separate certificate issuer.

  • You can generate TLS certificates manually or obtain them from another issuer and provide them to the Operator.
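If you supply certificates yourself, it helps to confirm beforehand that every one of them chains to the same CA and has not expired, since all certificates must come from the same source. The script below is an added example, not part of the Percona documentation; the function names, file names and certificate subjects are constructed for the demonstration, and it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for manually supplied TLS certificates.
# All file names and subjects are constructed for this demonstration.

# certs_share_issuer CA_FILE CERT...: returns 0 only if every CERT chains to CA_FILE
certs_share_issuer() {
  local ca="$1" cert; shift
  for cert in "$@"; do
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
      echo "not issued by $ca: $cert" >&2
      return 1
    fi
  done
}

# cert_valid_for CERT SECONDS: returns 0 if CERT is still valid SECONDS from now
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# make_ca DIR NAME: throwaway self-signed CA (constructed test data)
make_ca() {
  printf '[req]\ndistinguished_name=req\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$1/$2.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=constructed-$2" \
    -config "$1/$2.cnf" -extensions v3_ca \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_leaf DIR CA NAME: leaf certificate NAME signed by CA (constructed test data)
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$3" \
    -config "$1/$2.cnf" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d)
  make_ca "$d" ca-a && make_ca "$d" ca-b
  make_leaf "$d" ca-a server && make_leaf "$d" ca-a internal
  make_leaf "$d" ca-b stray   # deliberately signed by the other CA
  certs_share_issuer "$d/ca-a.crt" "$d/server.crt" "$d/internal.crt" && echo "same issuer: ok"
  certs_share_issuer "$d/ca-a.crt" "$d/server.crt" "$d/stray.crt" || echo "mixed issuers rejected"
  cert_valid_for "$d/server.crt" 3600 && echo "valid for the next hour"
  rm -rf "$d"
}
demo
```

A certificate set that fails `certs_share_issuer` would mix issuers, which is the situation the same-source requirement rules out.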


Last update: December 2, 2025
Created: December 2, 2025