diff --git a/charts/gitlab/templates/_geo.tpl b/charts/gitlab/templates/_geo.tpl
index 7ccb207ed294d8d6f96e3f6504ac8df23f275b55..eac29cccd3c46bb63bc9a1a711b22af24954b9b9 100644
--- a/charts/gitlab/templates/_geo.tpl
+++ b/charts/gitlab/templates/_geo.tpl
@@ -51,10 +51,18 @@ Consumed as part of "gitlab.geo.database.yml", no check of `global.geo.secondary
 */}}
 {{- define "gitlab.geo.psql.ssl.config" -}}
 {{- if .Values.global.geo.psql.ssl }}
-sslmode: verify-ca
+sslmode: {{ .Values.global.geo.psql.ssl.mode | default "verify-ca" | quote }}
+{{- if .Values.global.geo.psql.ssl.secret }}
+{{- if .Values.global.geo.psql.ssl.serverCA }}
 sslrootcert: '/etc/gitlab/postgres/ssl/geo-server-ca.pem'
+{{- end -}}
+{{- if .Values.global.geo.psql.ssl.clientCertificate }}
 sslcert: '/etc/gitlab/postgres/ssl/geo-client-certificate.pem'
+{{- end -}}
+{{- if .Values.global.geo.psql.ssl.clientKey }}
 sslkey: '/etc/gitlab/postgres/ssl/geo-client-key.pem'
+{{- end -}}
+{{- end -}}
 {{- end -}}
 {{- end -}}
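Review bot: The new `sslmode:` line takes `global.geo.psql.ssl.mode` verbatim, so nothing rejects a typo or a downgrade — `prefer`, `require`, `allow` or `disable` silently replace the server-certificate verification that the fixed `verify-ca` gave before, and libpq only complains about values it does not recognise at all. The new `gitlab.checkConfig.database.ssl` helper in `_checkConfig.tpl` is the natural place for a guard such as `{{- if and .ssl.mode (not (has .ssl.mode (list "disable" "allow" "prefer" "require" "verify-ca" "verify-full"))) }}` that reports the unsupported value at render time. Note also that with `secret` unset this template still emits the default `verify-ca` but no `sslrootcert`; libpq then looks for `~/.postgresql/root.crt` and, if that file is absent, fails at connect time rather than at `helm install`, which the same helper could flag. The `sslmode` line in the `gitlab.psql.ssl.config` hunk of `_postgresql.tpl` has the same gap.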
@@ -63,20 +71,22 @@ Returns volume definition of a secret containing information required for a
 mutual TLS connection to the Geo Secondary DB.
 */}}
 {{- define "gitlab.geo.psql.ssl.volume" -}}
-{{- if and ( include "gitlab.geo.secondary" $ ) .Values.global.geo.psql.ssl }}
+{{- if and ( include "gitlab.geo.secondary" $ ) (.Values.global.geo.psql.ssl) }}
+{{- if .Values.global.geo.psql.ssl.secret }}
 - name: geo-postgresql-ssl-secrets
 projected:
 defaultMode: 400
 sources:
 - secret:
- name: {{ .Values.global.geo.psql.ssl.secret | required "Missing required secret containing SQL SSL certificates and keys. Make sure to set `global.geo.psql.ssl.secret`" }}
+ name: {{ .Values.global.geo.psql.ssl.secret }}
 items:
- - key: {{ .Values.global.geo.psql.ssl.serverCA | required "Missing required key name of SQL server certificate. Make sure to set `global.geo.psql.ssl.serverCA`" }}
+ - key: {{ .Values.global.geo.psql.ssl.serverCA }}
 path: geo-server-ca.pem
- - key: {{ .Values.global.geo.psql.ssl.clientCertificate | required "Missing required key name of SQL client certificate. Make sure to set `global.geo.psql.ssl.clientCertificate`" }}
+ - key: {{ .Values.global.geo.psql.ssl.clientCertificate }}
 path: geo-client-certificate.pem
- - key: {{ .Values.global.geo.psql.ssl.clientKey | required "Missing required key name of SQL client key file. Make sure to set `global.geo.psql.ssl.clientKey`" }}
+ - key: {{ .Values.global.geo.psql.ssl.clientKey }}
 path: geo-client-key.pem
+{{- end -}}
 {{- end -}}
 {{- end -}}
diff --git a/charts/gitlab/templates/_postgresql.tpl b/charts/gitlab/templates/_postgresql.tpl
index b6a4572324112c2d48a0bad8725befab407c54ec..ee4bc6e703ccf3365baff7a3488d77edc39ff0d4 100644
--- a/charts/gitlab/templates/_postgresql.tpl
+++ b/charts/gitlab/templates/_postgresql.tpl
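Review bot: With the `required` pipelines gone from the three `key:` entries, an unset `global.geo.psql.ssl.serverCA`, `clientCertificate` or `clientKey` now renders as a bare `key:` inside the projected volume once `secret` is set, which the API server should reject as a missing required field; the guard has moved to `gitlab.checkConfig.database.ssl` in `_checkConfig.tpl`, but nothing in this template records that dependency. A comment above `items:`, e.g. `{{/* key names are validated by gitlab.checkConfig.database.ssl: all three must be set once .secret is given */}}`, would keep the contract visible to whoever edits either file next. The `gitlab.psql.ssl.volume` hunk in `_postgresql.tpl` drops its `required` pipelines the same way and would benefit from the same comment.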
@@ -4,10 +4,16 @@ with the PostgreSQL database.
 */}}
 {{- define "gitlab.psql.ssl.config" -}}
 {{- if .Values.global.psql.ssl }}
-sslmode: verify-ca
+sslmode: {{ .Values.global.psql.ssl.mode | default "verify-ca" | quote }}
+{{- if .Values.global.psql.ssl.serverCA }}
 sslrootcert: '/etc/gitlab/postgres/ssl/server-ca.pem'
+{{- end -}}
+{{- if .Values.global.psql.ssl.clientCertificate }}
 sslcert: '/etc/gitlab/postgres/ssl/client-certificate.pem'
+{{- end -}}
+{{- if .Values.global.psql.ssl.clientKey }}
 sslkey: '/etc/gitlab/postgres/ssl/client-key.pem'
+{{- end -}}
 {{- end -}}
 {{- end -}}
@@ -17,19 +23,21 @@ a mutual TLS connection.
 */}}
 {{- define "gitlab.psql.ssl.volume" -}}
 {{- if .Values.global.psql.ssl }}
+{{- if .Values.global.psql.ssl.secret }}
 - name: postgresql-ssl-secrets
 projected:
 defaultMode: 400
 sources:
 - secret:
- name: {{ .Values.global.psql.ssl.secret | required "Missing required secret containing SQL SSL certificates and keys. Make sure to set `global.psql.ssl.secret`" }}
+ name: {{ .Values.global.psql.ssl.secret }}
 items:
- - key: {{ .Values.global.psql.ssl.serverCA | required "Missing required key name of SQL server certificate. Make sure to set `global.psql.ssl.serverCA`" }}
+ - key: {{ .Values.global.psql.ssl.serverCA }}
 path: server-ca.pem
- - key: {{ .Values.global.psql.ssl.clientCertificate | required "Missing required key name of SQL client certificate. Make sure to set `global.psql.ssl.clientCertificate`" }}
+ - key: {{ .Values.global.psql.ssl.clientCertificate }}
 path: client-certificate.pem
- - key: {{ .Values.global.psql.ssl.clientKey | required "Missing required key name of SQL client key file. Make sure to set `global.psql.ssl.clientKey`" }}
+ - key: {{ .Values.global.psql.ssl.clientKey }}
 path: client-key.pem
+{{- end -}}
 {{- end -}}
 {{- end -}}
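Review bot: Unlike the Geo counterpart in this commit, the three new guards around `sslrootcert`, `sslcert` and `sslkey` in `gitlab.psql.ssl.config` are not nested under `.Values.global.psql.ssl.secret`, while the volume, mount and init script in the following hunks only exist when `secret` is set; setting `serverCA` without `secret` therefore writes `sslrootcert: '/etc/gitlab/postgres/ssl/server-ca.pem'` for a file that is never mounted, and the connection fails at runtime with a missing-file error instead of a chart-level message (the new `checkConfig` helper also only runs when `secret` is set, so it will not catch this). Wrapping the three guards in `{{- if .Values.global.psql.ssl.secret }}` … `{{- end -}}` exactly as `_geo.tpl` does keeps the two templates symmetric and makes the file paths appear only when something mounts them.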
@@ -38,9 +46,11 @@ Returns mount definition for the volume mount definition above.
 */}}
 {{- define "gitlab.psql.ssl.volumeMount" -}}
 {{- if .Values.global.psql.ssl }}
+{{- if .Values.global.psql.ssl.secret }}
 - name: postgresql-ssl-secrets
 mountPath: '/etc/postgresql/ssl/'
 readOnly: true
+{{- end -}}
 {{- end -}}
 {{- end -}}
@@ -51,12 +61,14 @@ it sets the permissions correctly.
 */}}
 {{- define "gitlab.psql.ssl.initScript" -}}
 {{- if .Values.global.psql.ssl }}
+{{- if .Values.global.psql.ssl.secret }}
 if [ -d /etc/postgresql/ssl ]; then
 mkdir -p /${secret_dir}/postgres/ssl
 cp -v -r -L /etc/postgresql/ssl/* /${secret_dir}/postgres/ssl/
 chmod 600 /${secret_dir}/postgres/ssl/*
 chmod 700 /${secret_dir}/postgres/ssl
 fi
+{{- end -}}
 {{- end -}}
 {{- end -}}
 {{/*
diff --git a/doc/advanced/external-db/index.md b/doc/advanced/external-db/index.md
index 297a31a111cbddfc646a85060f3316c631592dc2..12a5408c10962bc39ebe9c3429dc445b618dfd40 100644
--- a/doc/advanced/external-db/index.md
+++ b/doc/advanced/external-db/index.md
@@ -53,8 +53,9 @@ Items below can be further customized if you are not using the defaults:
 - `global.psql.database`: The name of the database.
 - `global.psql.username`: The user with access to the database.
-If you use a mutual TLS connection to the database:
+If you use a TLS or mutual TLS connection to the database, you can use the following options:
+- `global.psql.ssl.mode`: Defines the [SSL mode](https://www.postgresql.org/docs/11/libpq-ssl.html) of the PostgreSQL connection. Defaults to "verify-ca" if SSL is enabled, otherwise it is not set.
 - `global.psql.ssl.secret`: A secret containing client certificate, key and certificate authority.
 - `global.psql.ssl.serverCA`: The key inside the secret referring the certificate authority (CA).
 - `global.psql.ssl.clientCertificate`: The key inside the secret referring the client certificate.
diff --git a/templates/_checkConfig.tpl b/templates/_checkConfig.tpl
index 3a0d7b923503f48ef5d808362ccc79bc712d279e..bb6d8a1cf85accbaea300db8cc9a700d3876cf53 100644
--- a/templates/_checkConfig.tpl
+++ b/templates/_checkConfig.tpl
@@ -34,6 +34,8 @@ Due to gotpl scoping, we can't make use of `range`, so we have to add action lin
 {{- $messages = append $messages (include "gitlab.checkConfig.sidekiq.routingRules" .) -}}
 {{- $messages = append $messages (include "gitlab.checkConfig.appConfig.maxRequestDurationSeconds" .) -}}
 {{- $messages = append $messages (include "gitlab.checkConfig.gitaly.extern.repos" .) -}}
+{{- $messages = append $messages (include "gitlab.checkConfig.psql.ssl" .) -}}
+{{- $messages = append $messages (include "gitlab.checkConfig.geo.database.ssl" .) -}}
 {{- $messages = append $messages (include "gitlab.checkConfig.geo.database" .) -}}
 {{- $messages = append $messages (include "gitlab.checkConfig.geo.secondary.database" .) -}}
 {{- $messages = append $messages (include "gitlab.task-runner.replicas" .) -}}
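Review bot: The two checks wired in here are named asymmetrically — `gitlab.checkConfig.psql.ssl` versus `gitlab.checkConfig.geo.database.ssl` — although both read a `*.psql.ssl` value; `gitlab.checkConfig.geo.psql.ssl` would follow the value path and the primary check's name, and the `END` comments in their definitions (`gitlab.psql.ssl`, `gitlab.geo.database.ssl`) already disagree with the define names. Those definitions sit in the next hunk, which runs past this chunk; in the shared helper they call, the missing-`clientCertificate` and missing-`clientKey` messages are prefixed with the literal `psql:` while the CA message uses `{{ .item }}:`, so a Geo misconfiguration is reported under the wrong item. `{{ .item }}: No client certificate provided` and `{{ .item }}: No client key provided` would make all three messages consistent.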
@@ -248,6 +250,39 @@ sidekiq:
 {{- end -}}
 {{/* END gitlab.checkConfig.sidekiq.routingRules */}}
+{{/* Ensure secrets are correctly configured if provided */}}
+{{- define "gitlab.checkConfig.database.ssl" -}}
+{{- if .ssl -}}
+{{- if .ssl.secret -}}
+{{- if not .ssl.serverCA }}
+{{ .item }}: SSL enabled, No CA provided
+ Missing required key name of SQL server certificate. Make sure to set `[...].ssl.serverCA`.
+{{ end -}}
+{{- if not .ssl.clientCertificate }}
+psql: No client certificate provided
+ Missing required key name of SQL client certificate. Make sure to set `[...].ssl.clientCertificate`.
+{{ end -}}
+{{- if not .ssl.clientKey }}
+psql: No client key provided
+ Missing required key name of SQL client key file. Make sure to set `[...].ssl.clientKey`.
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{/* END gitlab.checkConfig.database.ssl */}}
+
+{{/* Ensure secrets are correctly configured for PostgreSQL database */}}
+{{- define "gitlab.checkConfig.psql.ssl" -}}
+{{- include "gitlab.checkConfig.database.ssl" (dict "ssl" $.Values.global.psql.ssl "item" "psql") -}}
+{{- end -}}
+{{/* END gitlab.psql.ssl */}}
+
+{{/* Ensure secrets are correctly configured if Geo PostgreSQL database */}}
+{{- define "gitlab.checkConfig.geo.database.ssl" -}}
+{{- include "gitlab.checkConfig.database.ssl" (dict "ssl" $.Values.global.geo.psql.ssl "item" "geo.psql") -}}
+{{- end -}}
+{{/* END gitlab.geo.database.ssl */}}
+
 {{/* Ensure a database is configured when using Geo listen over TLS */}}