# Transport Layer Security (TLS)

Percona Operator for MongoDB uses the Transport Layer Security (TLS) cryptographic protocol for the following types of communication:

* External - to enable client applications to communicate with the cluster
* Internal - for communication between Percona Server for MongoDB instances in the cluster. The internal certificate is also used as an authorization method.

You control TLS usage with the `tls.mode` option in the Custom Resource. This setting defines how the Percona Server for MongoDB cluster handles TLS for both internal and external connections. You can choose from the following modes:

- `allowTLS`: The cluster accepts both TLS and non-TLS incoming connections, but does not use TLS for internal communication.
- `preferTLS` (default): The cluster uses TLS for internal communication and accepts both TLS and non-TLS external connections.
- `requireTLS`: The cluster enforces TLS encryption for all connections and accepts only TLS connections.
- `disabled`: The cluster completely [disables TLS](tls-disable.md) for all connections.

Example configuration:

```yaml
...
spec:
  ...
  tls:
    mode: preferTLS
```

## TLS Certificates

TLS security can be configured in several ways:

* The Operator generates long-term certificates automatically during the cluster creation if there are no certificate secrets available. When generating certificates, the Operator creates two Secret objects whose names end with `-ssl` and `-ssl-internal`. These Secrets are also referenced in the `secrets.ssl` and `secrets.sslInternal` options in the Custom Resource. This is the default behavior. These certificates are not renewed automatically: if you need new certificates, you must renew them manually. To allow certificates automatically generated by the Operator, the [tls.allowInvalidCertificates](operator.md#tlsallowinvalidcertificates) Custom Resource option is set to `true` by default. You can set it to `false` when using other certificate generation methods, such as cert-manager.
* The Operator can use a specifically installed *cert-manager*, which will automatically generate and renew short-term TLS certificates.
* You can generate TLS certificates manually. **For testing purposes**, you can use pre-generated certificates available in the `deploy/ssl-secrets.yaml` file. But we strongly recommend **not to use them on any production system**!

## TLS configuration

The following sections provide guidelines on how to:

* [Configure TLS security with the Operator using cert-manager](tls-cert-manager.md)
* [Generate certificates manually](tls-manual.md)
* [Update certificates](tls-update.md)
* [Disable TLS temporarily](tls-disable.md)

To use TLS for external traffic, you need to additionally configure your client application. See [this blog post :octicons-link-external-16:](https://www.percona.com/blog/authenticating-your-clients-to-mongodb-on-kubernetes-using-x509-certificates/) for detailed instructions with examples. Also, you can check the [official MongoDB documentation :octicons-link-external-16:](https://www.mongodb.com/docs/manual/tutorial/configure-ssl-clients/).

For clients outside of your Kubernetes-based environment, you must also [expose your cluster](expose.md).
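The following script is an added example and not part of the Operator or its documentation. It lints the `tls` and `secrets` sections of a Custom Resource (already loaded as a plain dict, for instance with `yaml.safe_load`, which is deliberately not imported so the script has no dependencies) and reports what the chosen `tls.mode` means for internal and external traffic, whether `tls.allowInvalidCertificates` is still at its default, and whether certificate Secrets are referenced. The mode table and the defaults are taken from the text above; the sample Custom Resources at the bottom are constructed for illustration.

```python
"""Lint the TLS settings of a Percona Operator for MongoDB Custom Resource.

Added example, not the Operator's own code. Input is the Custom Resource as a
dict; output is a summary of the effective TLS policy plus findings a reviewer
would want to see before applying the manifest.
"""

# What each documented tls.mode value implies. internal_tls: replica-set
# members talk TLS to each other; external_plaintext_ok: non-TLS clients are
# accepted. Taken from the mode definitions in the documentation above.
TLS_MODES = {
    "allowTLS":   {"internal_tls": False, "external_plaintext_ok": True},
    "preferTLS":  {"internal_tls": True,  "external_plaintext_ok": True},
    "requireTLS": {"internal_tls": True,  "external_plaintext_ok": False},
    "disabled":   {"internal_tls": False, "external_plaintext_ok": True},
}

DEFAULT_MODE = "preferTLS"            # documented default for tls.mode
DEFAULT_ALLOW_INVALID = True          # documented default for tls.allowInvalidCertificates


def lint_tls(cr):
    """Return a dict describing the effective TLS policy of the Custom Resource."""
    spec = cr.get("spec") or {}
    tls = spec.get("tls") or {}
    secrets = spec.get("secrets") or {}

    mode = tls.get("mode", DEFAULT_MODE)
    if mode not in TLS_MODES:
        return {
            "mode": mode,
            "valid": False,
            "findings": [f"unknown tls.mode {mode!r}; expected one of {sorted(TLS_MODES)}"],
        }

    policy = TLS_MODES[mode]
    findings = []

    if mode == "disabled":
        findings.append("TLS is disabled for all connections")
    else:
        if not policy["internal_tls"]:
            findings.append("internal traffic between cluster members is not protected by TLS")
        if policy["external_plaintext_ok"]:
            findings.append("clients may connect without TLS (use requireTLS to enforce it)")

        allow_invalid = tls.get("allowInvalidCertificates", DEFAULT_ALLOW_INVALID)
        if allow_invalid:
            findings.append(
                "tls.allowInvalidCertificates is true: expected with Operator-generated "
                "certificates, set it to false when using cert-manager or manual certificates"
            )

        # The CR may name the certificate Secrets explicitly; if it does not, the
        # Operator falls back to generating long-term certificates that are not
        # renewed automatically.
        for key in ("ssl", "sslInternal"):
            if not secrets.get(key):
                findings.append(
                    f"secrets.{key} is not set: unless a certificate Secret already exists, "
                    "the Operator generates one whose certificate must be renewed manually"
                )

    return {
        "mode": mode,
        "valid": True,
        "internal_tls": policy["internal_tls"],
        "external_plaintext_ok": policy["external_plaintext_ok"],
        "findings": findings,
    }


# Constructed sample Custom Resources (illustrative values, not from the docs).
CR_DEFAULTS = {"spec": {}}                      # nothing set: all documented defaults apply
CR_HARDENED = {
    "spec": {
        "tls": {"mode": "requireTLS", "allowInvalidCertificates": False},
        "secrets": {"ssl": "my-cluster-ssl", "sslInternal": "my-cluster-ssl-internal"},
    }
}

if __name__ == "__main__":
    for name, cr in (("defaults", CR_DEFAULTS), ("hardened", CR_HARDENED)):
        report = lint_tls(cr)
        print(f"[{name}] tls.mode={report['mode']} valid={report['valid']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against your own manifest by loading it with `yaml.safe_load` and passing the resulting dict to `lint_tls`; an empty findings list means the manifest enforces TLS everywhere, does not rely on the permissive `allowInvalidCertificates` default, and names both certificate Secrets.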