[bitnami/mariadb] feat: ✨ Add TLS support (#30629)

* [bitnami/mariadb] feat: ✨ Add TLS support Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com> * docs: 📝 Add readme section Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * chore: ♻️ Apply requested changes Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com> * chore: ♻️ Apply requested changes Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com> * chore: ♻️ Apply requested changes Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com> * chore: ♻️ Apply requested changes Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com> * chore: 💄 Add extra space Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com> --------- Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com> Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
2026-03-10 15:07:49 +08:00 · 2024-11-27 08:20:20 +01:00
parent 349ecd54c6
commit 13c518ffc9
10 changed files with 303 additions and 3 deletions
--- a/bitnami/mariadb/CHANGELOG.md
+++ b/bitnami/mariadb/CHANGELOG.md
@@ -1,8 +1,12 @@
 # Changelog

+## 20.1.0 (2024-11-26)
+
+* [bitnami/mariadb] feat: :sparkles: Add TLS support ([#30629](https://github.com/bitnami/charts/pull/30629))
+
 ## 20.0.0 (2024-11-08)

-* [bitnami/mariadb] fix!: :bug: :sparkles: :boom: Set correct serviceName and add Password Update Job ([#30300](https://github.com/bitnami/charts/pull/30300))
+* [bitnami/mariadb] fix!: :bug: :sparkles: :boom: Set correct serviceName and add Password Update Job  ([b90422b](https://github.com/bitnami/charts/commit/b90422bd86f34d4c94d8b9da41ebf89e03dbf384)), closes [#30300](https://github.com/bitnami/charts/issues/30300)

 ## <small>19.1.2 (2024-11-04)</small>

--- a/bitnami/mariadb/Chart.yaml
+++ b/bitnami/mariadb/Chart.yaml
@@ -34,4 +34,4 @@ maintainers:
 name: mariadb
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/mariadb
-version: 20.0.0
+version: 20.1.0
--- a/bitnami/mariadb/README.md
+++ b/bitnami/mariadb/README.md
@@ -133,6 +133,21 @@ initdbScripts:
    fi
 ```

+### TLS
+
+This chart supports encrypting communications using TLS. To enable this feature, set the `tls.enabled`.
+
+It is necessary to create a secret containing the TLS certificates and pass it to the chart via the `tls.existingSecret` parameter. Every secret should contain a `tls.crt` and `tls.key` keys including the certificate and key files respectively and, optionally, a `ca.crt` key including the CA certificate. For example: create the secret with the certificates files:
+
+```console
+kubectl create secret generic tls-secret --from-file=./tls.crt --from-file=./tls.key --from-file=./ca.crt
+```
+
+You can manually create the required TLS certificates or relying on the chart auto-generation capabilities. The chart supports two different ways to auto-generate the required certificates:
+
+- Using Helm capabilities. Enable this feature by setting `tls.autoGenerated.enabled` to `true` and `tls.autoGenerated.engine` to `helm`.
+- Relying on CertManager (please note it's required to have CertManager installed in your K8s cluster). Enable this feature by setting `tls.autoGenerated.enabled` to `true` and `tls.autoGenerated.engine` to `cert-manager`. Please note it's supported to use an existing Issuer/ClusterIssuer for issuing the TLS certificates by setting the `tls.autoGenerated.certManager.existingIssuer` and `tls.autoGenerated.certManager.existingIssuerKind` parameters.
+
 ### Sidecars and Init Containers

 If additional containers are needed in the same pod as MariaDB (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter.
@@ -242,6 +257,27 @@ As an alternative, this chart supports using an initContainer to change the owne
 | `initdbScripts`            | Dictionary of initdb scripts                                                                                                                                                                                                                                                  | `{}`                      |
 | `initdbScriptsConfigMap`   | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)                                                                                                                                                                                                           | `""`                      |

+### TLS/SSL parameters
+
+| Name                                               | Description                                                                                            | Value     |
+| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | --------- |
+| `tls.enabled`                                      | Enable TLS in MariaDB                                                                                  | `false`   |
+| `tls.existingSecret`                               | Existing secret that contains TLS certificates                                                         | `""`      |
+| `tls.certFilename`                                 | The secret key from the existingSecret if 'cert' key different from the default (tls.crt)              | `tls.crt` |
+| `tls.certKeyFilename`                              | The secret key from the existingSecret if 'key' key different from the default (tls.key)               | `tls.key` |
+| `tls.certCAFilename`                               | The secret key from the existingSecret if 'ca' key different from the default (tls.crt)                | `""`      |
+| `tls.ca`                                           | CA certificate for TLS. Ignored if `tls.existingSecret` is set                                         | `""`      |
+| `tls.cert`                                         | TLS certificate for Airflow webserver. Ignored if `tls.master.existingSecret` is set                   | `""`      |
+| `tls.key`                                          | TLS key for Airflow webserver. Ignored if `tls.master.existingSecret` is set                           | `""`      |
+| `tls.autoGenerated.enabled`                        | Enable automatic generation of certificates for TLS                                                    | `true`    |
+| `tls.autoGenerated.engine`                         | Mechanism to generate the certificates (allowed values: helm, cert-manager)                            | `helm`    |
+| `tls.autoGenerated.certManager.existingIssuer`     | The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine) | `""`      |
+| `tls.autoGenerated.certManager.existingIssuerKind` | Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine)                              | `""`      |
+| `tls.autoGenerated.certManager.keyAlgorithm`       | Key algorithm for the certificates (only for `cert-manager` engine)                                    | `RSA`     |
+| `tls.autoGenerated.certManager.keySize`            | Key size for the certificates (only for `cert-manager` engine)                                         | `2048`    |
+| `tls.autoGenerated.certManager.duration`           | Duration for the certificates (only for `cert-manager` engine)                                         | `2160h`   |
+| `tls.autoGenerated.certManager.renewBefore`        | Renewal period for the certificates (only for `cert-manager` engine)                                   | `360h`    |
+
 ### MariaDB Primary parameters

 | Name                                                        | Description                                                                                                                                                                                                                       | Value               |
--- a/bitnami/mariadb/templates/_helpers.tpl
+++ b/bitnami/mariadb/templates/_helpers.tpl
@@ -68,6 +68,25 @@ Create the name of the service account to use
 {{- end -}}
 {{- end -}}

+{{/*
+Return the MariaDB TLS credentials secret
+*/}}
+{{- define "mariadb.tlsSecretName" -}}
+{{- if .Values.tls.existingSecret -}}
+    {{- print (tpl .Values.tls.existingSecret $) -}}
+{{- else -}}
+    {{- printf "%s-crt" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "mariadb.tlsCACert" -}}
+{{- if or (eq .Values.tls.autoGenerated.engine "helm") (and (not .Values.tls.autoGenerated.enabled) (empty .Values.tls.existingSecret) .Values.tls.ca) -}}
+    {{- printf "/opt/bitnami/mariadb/certs/%s" "ca.crt" -}}
+{{- else }}
+    {{- ternary "" (printf "/opt/bitnami/mariadb/certs/%s" .Values.tls.certCAFilename) (empty .Values.tls.certCAFilename) }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return the configmap with the MariaDB Primary configuration
 */}}
--- a/bitnami/mariadb/templates/ca-cert.yaml
+++ b/bitnami/mariadb/templates/ca-cert.yaml
@@ -0,0 +1,56 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.tls.enabled .Values.tls.autoGenerated.enabled (eq .Values.tls.autoGenerated.engine "cert-manager") }}
+{{- if empty .Values.tls.autoGenerated.certManager.existingIssuer }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ printf "%s-clusterissuer" (include "common.names.fullname" .) }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/part-of: mariadb
+    app.kubernetes.io/component: mariadb
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  selfSigned: {}
+---
+{{- end }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/part-of: mariadb
+    app.kubernetes.io/component: mariadb
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  secretName: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }}
+  commonName: {{ printf "%s-ca" (include "common.names.fullname" .) }}
+  isCA: true
+  issuerRef:
+    name: {{ default (printf "%s-clusterissuer" (include "common.names.fullname" .)) .Values.tls.autoGenerated.certManager.existingIssuer }}
+    kind: {{ default "Issuer" .Values.tls.autoGenerated.certManager.existingIssuerKind }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ printf "%s-ca-issuer" (include "common.names.fullname" .) }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/part-of: mariadb
+    app.kubernetes.io/component: mariadb
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  ca:
+    secretName: {{ printf "%s-ca-crt" (include "common.names.fullname" .) }}
+{{- end }}
--- a/bitnami/mariadb/templates/cert.yaml
+++ b/bitnami/mariadb/templates/cert.yaml
@@ -0,0 +1,48 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.tls.enabled .Values.tls.autoGenerated.enabled (eq .Values.tls.autoGenerated.engine "cert-manager") }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ printf "%s-crt" (include "common.names.fullname" .) }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/part-of: mariadb
+    app.kubernetes.io/component: mariadb
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  secretName: {{ printf "%s-crt" (include "common.names.fullname" .) }}
+  commonName: {{ printf "%s.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" .) .Values.clusterDomain }}
+  issuerRef:
+    name: {{ printf "%s-ca-issuer" (include "common.names.fullname" .) }}
+    kind: Issuer
+  subject:
+    organizations:
+      - "MariaDB"
+  dnsNames:
+    - '*.{{ include "common.names.namespace" . }}'
+    - '*.{{ include "common.names.namespace" . }}.svc'
+    - '*.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}'
+    - '*.{{ include "mariadb.primary.fullname" . }}'
+    - '*.{{ include "mariadb.primary.fullname" . }}.{{ include "common.names.namespace" . }}'
+    - '*.{{ include "mariadb.primary.fullname" . }}.{{ include "common.names.namespace" . }}.svc'
+    - '*.{{ include "mariadb.primary.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}'
+    - '*.{{ include "mariadb.secondary.fullname" . }}'
+    - '*.{{ include "mariadb.secondary.fullname" . }}.{{ include "common.names.namespace" . }}'
+    - '*.{{ include "mariadb.secondary.fullname" . }}.{{ include "common.names.namespace" . }}.svc'
+    - '*.{{ include "mariadb.secondary.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}'
+    - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}'
+    - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}.{{ include "common.names.namespace" . }}'
+    - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}.{{ include "common.names.namespace" . }}.svc'
+    - '*.{{ printf "%s-headless" (include "common.names.fullname" .) }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}'
+  privateKey:
+    algorithm: {{ .Values.tls.autoGenerated.certManager.keyAlgorithm }}
+    size: {{ int .Values.tls.autoGenerated.certManager.keySize }}
+  duration: {{ .Values.tls.autoGenerated.certManager.duration }}
+  renewBefore: {{ .Values.tls.autoGenerated.certManager.renewBefore }}
+{{- end }}
--- a/bitnami/mariadb/templates/primary/statefulset.yaml
+++ b/bitnami/mariadb/templates/primary/statefulset.yaml
@@ -189,6 +189,12 @@ spec:
            {{- end }}
            - name: MARIADB_DATABASE
              value: {{ .Values.auth.database | quote }}
+            - name: MARIADB_ENABLE_SSL
+              value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
+            {{- if and .Values.tls.enabled (include "mariadb.tlsCACert" .) }}
+            - name: MYSQL_CLIENT_CA_FILE
+              value: {{ include "mariadb.tlsCACert" . | quote }}
+            {{- end }}
            {{- if eq .Values.architecture "replication" }}
            - name: MARIADB_REPLICATION_MODE
              value: "master"
@@ -303,6 +309,10 @@ spec:
            - name: mariadb-credentials
              mountPath: /opt/bitnami/mariadb/secrets/
            {{- end }}
+            {{- if .Values.tls.enabled }}
+            - name: cert
+              mountPath: /opt/bitnami/mariadb/cert
+            {{- end }}
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
@@ -414,6 +424,12 @@ spec:
                path: mariadb-replication-password
              {{- end }}
        {{- end }}
+        {{- if .Values.tls.enabled }}
+        - name: cert
+          secret:
+            secretName: {{ include "mariadb.tlsSecretName" . }}
+            defaultMode: 256
+        {{- end }}
        {{- if .Values.primary.extraVolumes }}
        {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumes "context" $) | nindent 8 }}
        {{- end }}
--- a/bitnami/mariadb/templates/secondary/statefulset.yaml
+++ b/bitnami/mariadb/templates/secondary/statefulset.yaml
@@ -202,6 +202,12 @@ spec:
            - name: MARIADB_STARTUP_WAIT_SLEEP_TIME
              value: "{{ .Values.secondary.startupWaitOptions.sleepTime | default 2 }}"
            {{- end }}
+            - name: MARIADB_ENABLE_SSL
+              value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
+            {{- if and .Values.tls.enabled (include "mariadb.tlsCACert" .) }}
+            - name: MYSQL_CLIENT_CA_FILE
+              value: {{ include "mariadb.tlsCACert" . | quote }}
+            {{- end }}
            {{- if .Values.secondary.extraEnvVars }}
            {{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraEnvVars "context" $) | nindent 12 }}
            {{- end }}
@@ -301,6 +307,10 @@ spec:
            - name: empty-dir
              mountPath: /opt/bitnami/mariadb/logs
              subPath: app-logs-dir
+            {{- if .Values.tls.enabled }}
+            - name: cert
+              mountPath: /opt/bitnami/mariadb/cert
+            {{- end }}
        {{- if .Values.metrics.enabled }}
        - name: metrics
          image: {{ include "mariadb.metrics.image" . }}
@@ -386,6 +396,12 @@ spec:
              - key: mariadb-replication-password
                path: mariadb-replication-password
        {{- end }}
+        {{- if .Values.tls.enabled }}
+        - name: cert
+          secret:
+            secretName: {{ include "mariadb.tlsSecretName" . }}
+            defaultMode: 256
+        {{- end }}
        - name: empty-dir
          emptyDir: {}
        {{- if .Values.secondary.extraVolumes }}
--- a/bitnami/mariadb/templates/tls-secret.yaml
+++ b/bitnami/mariadb/templates/tls-secret.yaml
@@ -0,0 +1,51 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- if and .Values.tls.enabled (eq .Values.tls.autoGenerated.engine "helm") }}
+{{- $ca := genCA "mariadb-ca" 365 }}
+{{- $releaseNamespace := include "common.names.namespace" . }}
+{{- $clusterDomain := .Values.clusterDomain }}
+{{- $primaryServiceName := include "mariadb.primary.fullname" . }}
+{{- $secondaryServiceName := include "mariadb.secondary.fullname" . }}
+{{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- $altNames := list (printf "*.%s.%s.svc.%s" $primaryServiceName $secondaryServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $secondaryServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (include "common.names.fullname" .) "localhost" "127.0.0.1" }}
+{{- $cert := genSignedCert $primaryServiceName nil $altNames 365 $ca }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/part-of: mariadb
+    app.kubernetes.io/component: mariadb
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: kubernetes.io/tls
+data:
+  ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
+  tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
+  tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
+{{- else if and .Values.tls.enabled (not .Values.tls.autoGenerated.enabled) (empty .Values.tls.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/part-of: mariadb
+    app.kubernetes.io/component: mariadb
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: kubernetes.io/tls
+data:
+  {{- if .Values.tls.ca }}
+  ca.crt: {{ .Values.tls.ca | b64enc | quote }}
+  {{- end -}}
+  tls.crt: {{ required "A valid .Values.tls.cert entry required!" .Values.tls.cert | b64enc | quote }}
+  tls.key: {{ required "A valid .Values.tls.key entry required!" .Values.tls.key | b64enc | quote }}
+{{- end }}
--- a/bitnami/mariadb/values.yaml
+++ b/bitnami/mariadb/values.yaml
@@ -170,6 +170,46 @@ initdbScripts: {}
 ## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)
 ##
 initdbScriptsConfigMap: ""
+
+## @section TLS/SSL parameters
+##
+## @param tls.enabled Enable TLS in MariaDB
+## @param tls.existingSecret Existing secret that contains TLS certificates
+## @param tls.certFilename The secret key from the existingSecret if 'cert' key different from the default (tls.crt)
+## @param tls.certKeyFilename The secret key from the existingSecret if 'key' key different from the default (tls.key)
+## @param tls.certCAFilename The secret key from the existingSecret if 'ca' key different from the default (tls.crt)
+## @param tls.ca CA certificate for TLS. Ignored if `tls.existingSecret` is set
+## @param tls.cert TLS certificate for Airflow webserver. Ignored if `tls.master.existingSecret` is set
+## @param tls.key TLS key for Airflow webserver. Ignored if `tls.master.existingSecret` is set
+##
+tls:
+  enabled: false
+  existingSecret: ""
+  certFilename: tls.crt
+  certKeyFilename: tls.key
+  certCAFilename: ""
+  ca: ""
+  cert: ""
+  key: ""
+  ## @param tls.autoGenerated.enabled Enable automatic generation of certificates for TLS
+  ## @param tls.autoGenerated.engine Mechanism to generate the certificates (allowed values: helm, cert-manager)
+  autoGenerated:
+    enabled: true
+    engine: helm
+    ## @param tls.autoGenerated.certManager.existingIssuer The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine)
+    ## @param tls.autoGenerated.certManager.existingIssuerKind Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine)
+    ## @param tls.autoGenerated.certManager.keyAlgorithm Key algorithm for the certificates (only for `cert-manager` engine)
+    ## @param tls.autoGenerated.certManager.keySize Key size for the certificates (only for `cert-manager` engine)
+    ## @param tls.autoGenerated.certManager.duration Duration for the certificates (only for `cert-manager` engine)
+    ## @param tls.autoGenerated.certManager.renewBefore Renewal period for the certificates (only for `cert-manager` engine)
+    certManager:
+      existingIssuer: ""
+      existingIssuerKind: ""
+      keySize: 2048
+      keyAlgorithm: RSA
+      duration: 2160h
+      renewBefore: 360h
+
 ## @section MariaDB Primary parameters
 ##

@@ -221,7 +261,13 @@ primary:
    slow_query_log=0
    long_query_time=10.0
    binlog_expire_logs_seconds=2592000
-
+    {{- if .Values.tls.enabled }}
+    ssl_cert=/opt/bitnami/mariadb/certs/{{ .Values.tls.certFilename }}
+    ssl_key=/opt/bitnami/mariadb/certs/{{ .Values.tls.certKeyFilename }}
+    {{- if (include "mariadb.tlsCACert" .) }}
+    ssl_ca={{ include "mariadb.tlsCACert" . }}
+    {{- end }}
+    {{- end }}
    [client]
    port=3306
    socket=/opt/bitnami/mariadb/tmp/mysql.sock
@@ -646,6 +692,13 @@ secondary:
    slow_query_log=0
    long_query_time=10.0
    binlog_expire_logs_seconds=2592000
+    {{- if .Values.tls.enabled }}
+    ssl_cert=/opt/bitnami/mariadb/certs/{{ .Values.tls.certFilename }}
+    ssl_key=/opt/bitnami/mariadb/certs/{{ .Values.tls.certKeyFilename }}
+    {{- if (include "mariadb.tlsCACert" .) }}
+    ssl_ca={{ include "mariadb.tlsCACert" . }}
+    {{- end }}
+    {{- end }}

    [client]
    port=3306
@@ -1011,6 +1064,7 @@ secondary:
  ## @param secondary.revisionHistoryLimit Maximum number of revisions that will be maintained in the StatefulSet
  ##
  revisionHistoryLimit: 10
+
 ## @section RBAC parameters
 ##