
Transport layer security (TLS)

The Percona Operator for PostgreSQL uses the Transport Layer Security (TLS) cryptographic protocol for the following types of communication:

  • Internal - communication between PostgreSQL instances in the cluster
  • External - communication between the client application and the cluster

The internal certificate is also used as an authorization method for PostgreSQL Replica instances.

You can configure TLS in these ways:

You can migrate your running cluster to cert-manager to benefit from automatic renewal and centralized management.

Additionally, you can force your database cluster to use only encrypted channels for both internal and external communications. To do this, set the tlsOnly Custom Resource option to true.

Automatic certificate generation by the Operator

The Operator can generate long-term certificates and enable encryption automatically during cluster creation.

Upon cluster creation, the Operator reviews the Custom Resource configuration to determine the TLS approach:

  • If you created custom certificate Secrets and referenced them in the cluster spec, the Operator uses them for TLS.
  • If custom Secrets are not specified but cert-manager is installed, the Operator generates the certificates and issuer and delegates certificate lifecycle management to cert-manager.
  • If neither condition is met, the Operator generates the necessary certificates and Secrets itself.

Note

Beginning with version 2.5.0, the Operator creates a dedicated root CA for each cluster. Earlier versions used a single generated root CA for all database clusters.

TLS configuration

The following sections provide guidelines on how to:

Keep certificates after deleting the cluster

When you delete the cluster, the Operator handles SSL objects (Secrets, certificates, and issuer) as follows:

  • By default, the Operator doesn’t delete the TLS Secrets, certificates, and issuer it generated.
  • The Operator removes the cert-manager Issuers and Certificates it created but keeps the Secrets.

If you want to clean up SSL objects, set the finalizers.percona.com/delete-ssl finalizer in the Custom Resource. The Operator then deletes all SSL objects.
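The following manifest fragment is an added example, not part of the Percona documentation or the Operator's own deploy files. It shows where the two TLS-related options named on this page sit in a PerconaPGCluster Custom Resource: the tlsOnly option that forces encrypted channels and the delete-ssl finalizer that makes cluster deletion also remove the generated SSL objects. The apiVersion, kind, and cluster name are assumptions for illustration, and the other required spec fields (images, instances, storage) are omitted because they are not relevant here.

```yaml
# Added example (not from the Percona documentation): the TLS-relevant part
# of a PerconaPGCluster manifest. apiVersion, kind and the cluster name are
# assumptions; the remaining required spec fields are left out.
apiVersion: pgv2.percona.com/v2
kind: PerconaPGCluster
metadata:
  name: cluster1
  # With this finalizer set, deleting the cluster also deletes the TLS
  # Secrets, certificates, and issuer the Operator generated. Without it,
  # the Secrets survive deletion, which is the default described above.
  finalizers:
    - percona.com/delete-ssl
spec:
  # Refuse unencrypted connections for both internal (replication) and
  # external (client) traffic.
  tlsOnly: true
```

Decide on the finalizer before you rely on the default: keeping the Secrets is convenient when you intend to recreate the cluster under the same name, but it also means private keys remain in the namespace after the cluster is gone, so set the finalizer when the certificates are not meant to outlive the cluster.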


Last update: March 26, 2026
Created: July 12, 2022