feat(tls): Make openstack services compatible with mariadb with TLS

Depends-on: https://review.opendev.org/#/c/741037/ Change-Id: I21f4ede3bd18c0af8da1eba60cd0b7b932a31410
2020-07-01 00:25:27 +00:00 · 2020-07-01 00:25:27 +00:00 · 702c17eb78
parent 61a61d9de1
commit 702c17eb78
63 changed files with 250 additions and 18 deletions
--- a/cinder/templates/configmap-etc.yaml
+++ b/cinder/templates/configmap-etc.yaml
@ -50,7 +50,12 @@ limitations under the License.
 {{- end -}}

 {{- if empty .Values.conf.cinder.database.connection -}}
-{{- $_ := tuple "oslo_db" "internal" "cinder" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.cinder.database "connection" -}}
+{{- $connection := tuple "oslo_db" "internal" "cinder" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.cinder.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.cinder.database "connection" $connection -}}
+{{- end -}}
 {{- end -}}

 {{- if empty .Values.conf.cinder.DEFAULT.transport_url -}}
--- a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
+++ b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
@ -78,6 +78,7 @@ spec:
                  mountPath: /tmp/volume-usage-audit.sh
                  subPath: volume-usage-audit.sh
                  readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 {{ if $mounts_cinder_volume_usage_audit.volumeMounts }}{{ toYaml $mounts_cinder_volume_usage_audit.volumeMounts | indent 16 }}{{ end }}
          volumes:
            - name: pod-tmp
@ -92,5 +93,6 @@ spec:
              configMap:
                name: cinder-bin
                defaultMode: 0555
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{ if $mounts_cinder_volume_usage_audit.volumes }}{{ toYaml $mounts_cinder_volume_usage_audit.volumes | indent 12 }}{{ end }}
 {{- end }}
--- a/cinder/templates/deployment-backup.yaml
+++ b/cinder/templates/deployment-backup.yaml
@ -207,6 +207,7 @@ spec:
              mountPath: /etc/cinder/rootwrap.d/volume.filters
              subPath: volume.filters
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_cinder_backup.volumeMounts }}{{ toYaml $mounts_cinder_backup.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -248,5 +249,6 @@ spec:
        - name: cinder-coordination
          emptyDir: {}
        {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_cinder_backup.volumes }}{{ toYaml $mounts_cinder_backup.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/cinder/templates/deployment-scheduler.yaml
+++ b/cinder/templates/deployment-scheduler.yaml
@ -104,6 +104,7 @@ spec:
            - name: cinder-coordination
              mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
            {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_cinder_scheduler.volumeMounts }}{{ toYaml $mounts_cinder_scheduler.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -122,5 +123,6 @@ spec:
        - name: cinder-coordination
          emptyDir: {}
        {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_cinder_scheduler.volumes }}{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/cinder/templates/deployment-volume.yaml
+++ b/cinder/templates/deployment-volume.yaml
@ -211,6 +211,7 @@ spec:
              mountPath: /usr/local/sbin/iscsiadm
              subPath: iscsiadm
            {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -257,6 +258,7 @@ spec:
        - name: usrlocalsbin
          emptyDir: {}
        {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/cinder/templates/job-db-drop.yaml
+++ b/cinder/templates/job-db-drop.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_drop }}
 {{- $dbDropJob := dict "envAll" . "serviceName" "cinder" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
 {{- end }}
--- a/cinder/templates/job-db-init.yaml
+++ b/cinder/templates/job-db-init.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_init }}
 {{- $dbInitJob := dict "envAll" . "serviceName" "cinder" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
 {{- end }}
--- a/cinder/templates/job-db-sync.yaml
+++ b/cinder/templates/job-db-sync.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_sync }}
 {{- $dbSyncJob := dict "envAll" . "serviceName" "cinder" "podVolMounts" .Values.pod.mounts.cinder_db_sync.cinder_db_sync.volumeMounts "podVols" .Values.pod.mounts.cinder_db_sync.cinder_db_sync.volumes -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
 {{- end }}
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@ -1378,6 +1378,9 @@ endpoints:
      admin:
        username: root
        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
      cinder:
        username: cinder
        password: password
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
@ -81,10 +81,20 @@ limitations under the License.
 {{- end -}}

 {{- if empty .Values.conf.glance.database.connection -}}
-{{- $_ := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.glance.database "connection" -}}
+{{- $connection := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.glance.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.glance.database "connection" $connection -}}
+{{- end -}}
 {{- end -}}
 {{- if empty .Values.conf.glance_registry.connection -}}
-{{- $_ := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.glance_registry.database "connection" -}}
+{{- $connection := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.glance_registry.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.glance_registry.database "connection" $connection -}}
+{{- end -}}
 {{- end -}}

 {{- if empty .Values.conf.glance.DEFAULT.transport_url -}}
--- a/glance/templates/deployment-api.yaml
+++ b/glance/templates/deployment-api.yaml
@ -218,6 +218,7 @@ spec:
              subPath: key
              readOnly: true
 {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }}
      volumes:
@ -252,6 +253,7 @@ spec:
          secret:
            secretName: {{ .Values.secrets.rbd | quote }}
 {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/glance/templates/job-db-drop.yaml
+++ b/glance/templates/job-db-drop.yaml
@ -16,5 +16,8 @@ limitations under the License.
 {{- $serviceName := "glance" -}}
 {{- $dbToDrop := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}}
 {{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbToDrop" $dbToDrop -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbToDrop "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
 {{- end }}
--- a/glance/templates/job-db-init.yaml
+++ b/glance/templates/job-db-init.yaml
@ -16,5 +16,8 @@ limitations under the License.
 {{- $serviceName := "glance" -}}
 {{- $dbToInit := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}}
 {{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbToInit" $dbToInit -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
 {{- end }}
--- a/glance/templates/job-db-sync.yaml
+++ b/glance/templates/job-db-sync.yaml
@ -15,6 +15,8 @@ limitations under the License.
 {{- if .Values.manifests.job_db_sync }}
 {{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" "glance" "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" "glance" ) "image" ( index .Values.images.tags ( printf "%s_db_sync" "glance" )) ) -}}
 {{- $dbSyncJob := dict "envAll" . "serviceName" "glance" "podVolMounts" .Values.pod.mounts.glance_db_sync.glance_db_sync.volumeMounts "podVols" .Values.pod.mounts.glance_db_sync.glance_db_sync.volumes "dbToSync" $dbToSync -}}
-
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
 {{- end }}
--- a/glance/templates/job-metadefs-load.yaml
+++ b/glance/templates/job-metadefs-load.yaml
@ -71,6 +71,7 @@ spec:
              subPath: {{ base .Values.conf.glance.DEFAULT.log_config_append }}
              readOnly: true
            {{- end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
      volumes:
        - name: pod-tmp
          emptyDir: {}
@ -84,4 +85,5 @@ spec:
          secret:
            secretName: glance-etc
            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
--- a/glance/values.yaml
+++ b/glance/values.yaml
@ -672,6 +672,9 @@ endpoints:
      admin:
        username: root
        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
      glance:
        username: glance
        password: password
--- a/heat/templates/configmap-etc.yaml
+++ b/heat/templates/configmap-etc.yaml
@ -73,7 +73,12 @@ limitations under the License.
 {{- end -}}

 {{- if empty .Values.conf.heat.database.connection -}}
-{{- $_ := tuple "oslo_db" "internal" "heat" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.heat.database "connection" -}}
+{{- $connection := tuple "oslo_db" "internal" "heat" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.heat.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.heat.database "connection" $connection -}}
+{{- end -}}
 {{- end -}}

 {{- if empty .Values.conf.heat.DEFAULT.transport_url -}}
--- a/heat/templates/cron-job-engine-cleaner.yaml
+++ b/heat/templates/cron-job-engine-cleaner.yaml
@ -83,6 +83,7 @@ spec:
                subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
                readOnly: true
              {{ end }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
 {{ if $mounts_heat_engine_cleaner.volumeMounts }}{{ toYaml $mounts_heat_engine_cleaner.volumeMounts | indent 14 }}{{ end }}
          volumes:
            - name: pod-tmp
@ -93,6 +94,7 @@ spec:
              secret:
                secretName: heat-etc
                defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
            - name: heat-bin
              configMap:
                name: heat-bin
--- a/heat/templates/deployment-engine.yaml
+++ b/heat/templates/deployment-engine.yaml
@ -99,6 +99,7 @@ spec:
              mountPath: /etc/heat/policy.json
              subPath: policy.json
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
      volumes:
@ -114,6 +115,7 @@ spec:
          secret:
            secretName: heat-etc
            defaultMode: 0444
+ {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/heat/templates/job-db-drop.yaml
+++ b/heat/templates/job-db-drop.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_drop }}
 {{- $dbDropJob := dict "envAll" . "serviceName" "heat" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
 {{- end }}
--- a/heat/templates/job-db-init.yaml
+++ b/heat/templates/job-db-init.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_init }}
 {{- $dbInitJob := dict "envAll" . "serviceName" "heat" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
 {{- end }}
--- a/heat/templates/job-db-sync.yaml
+++ b/heat/templates/job-db-sync.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_sync }}
 {{- $dbSyncJob := dict "envAll" . "serviceName" "heat" "podVolMounts" .Values.pod.mounts.heat_db_sync.heat_db_sync.volumeMounts "podVols" .Values.pod.mounts.heat_db_sync.heat_db_sync.volumes -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
 {{- end }}
--- a/heat/values.yaml
+++ b/heat/values.yaml
@ -938,6 +938,9 @@ endpoints:
      admin:
        username: root
        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
      heat:
        username: heat
        password: password
--- a/horizon/templates/job-db-drop.yaml
+++ b/horizon/templates/job-db-drop.yaml
@ -15,5 +15,8 @@ limitations under the License.
 {{- if .Values.manifests.job_db_drop }}
 {{- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}}
 {{- $dbDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
 {{- end }}
--- a/horizon/templates/job-db-init.yaml
+++ b/horizon/templates/job-db-init.yaml
@ -15,5 +15,8 @@ limitations under the License.
 {{- if .Values.manifests.job_db_init }}
 {{- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}}
 {{- $dbInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
 {{- end }}
--- a/horizon/templates/job-db-sync.yaml
+++ b/horizon/templates/job-db-sync.yaml
@ -60,6 +60,7 @@ spec:
            mountPath: /tmp/manage.py
            subPath: manage.py
            readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 10 }}
 {{ if $mounts_horizon_db_sync.volumeMounts }}{{ toYaml $mounts_horizon_db_sync.volumeMounts | indent 10 }}{{ end }}
      volumes:
      - name: horizon-etc
@ -70,5 +71,6 @@ spec:
        configMap:
          name: horizon-bin
          defaultMode: 0555
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 6 }}
 {{ if $mounts_horizon_db_sync.volumes }}{{ toYaml $mounts_horizon_db_sync.volumes | indent 6 }}{{ end }}
 {{- end }}
--- a/horizon/templates/secret-db.yaml
+++ b/horizon/templates/secret-db.yaml
@ -16,6 +16,7 @@ limitations under the License.
 {{- $envAll := . }}
 {{- range $key1, $userClass := tuple "admin" "horizon" }}
 {{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
 ---
 apiVersion: v1
 kind: Secret
@ -23,6 +24,10 @@ metadata:
  name: {{ $secretName }}
 type: Opaque
 data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
 {{- end }}
 {{- end }}
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@ -367,6 +367,15 @@ conf:
                'PASSWORD': '{{ .Values.endpoints.oslo_db.auth.horizon.password }}',
                'HOST': '{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}',
                'default-character-set': 'utf8',
+                {{- if .Values.manifests.certificates }}
+                'OPTIONS':{
+                    'ssl': {
+                        'ca': '/etc/mysql/certs/ca.crt',
+                        'cert': '/etc/mysql/certs/tls.crt',
+                        'key': '/etc/mysql/certs/tls.key'
+                    }
+                },
+                {{- end }}
                'PORT': '{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}'
            }
        }
@ -2213,6 +2222,9 @@ endpoints:
      admin:
        username: root
        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
      horizon:
        username: horizon
        password: password
--- a/keystone/templates/bin/_cred-clean.py.tpl
+++ b/keystone/templates/bin/_cred-clean.py.tpl
@ -51,6 +51,11 @@ else:
    logger.critical('environment variable ROOT_DB_CONNECTION not set')
    sys.exit(1)

+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', 'key': '/etc/mysql/certs/tls.key', 'cert': '/etc/mysql/certs/tls.crt'}}
+
 # Get the connection string for the service db
 if "OPENSTACK_CONFIG_FILE" in os.environ:
    os_conf = os.environ['OPENSTACK_CONFIG_FILE']
@ -91,7 +96,7 @@ try:
    host = root_engine_full.url.host
    port = root_engine_full.url.port
    root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
-    root_engine = create_engine(root_engine_url)
+    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
    connection = root_engine.connect()
    connection.close()
    logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
@ -102,7 +107,7 @@ except:

 # User DB engine
 try:
-    user_engine = create_engine(user_db_conn)
+    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
    # Get our user data out of the user_engine
    database = user_engine.url.database
    user = user_engine.url.username
--- a/keystone/templates/configmap-etc.yaml
+++ b/keystone/templates/configmap-etc.yaml
@ -16,7 +16,12 @@ limitations under the License.
 {{- $envAll := . }}

 {{- if empty .Values.conf.keystone.database.connection -}}
-{{- $_ := tuple "oslo_db" "internal" "keystone" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.keystone.database "connection" -}}
+{{- $connection := tuple "oslo_db" "internal" "keystone" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.keystone.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.keystone.database "connection" $connection -}}
+{{- end -}}
 {{- end -}}

 {{- if empty .Values.conf.keystone.DEFAULT.transport_url -}}
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@ -147,6 +147,7 @@ spec:
 {{- end }}
            - name: keystone-credential-keys
              mountPath: {{ .Values.conf.keystone.credential.key_repository }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }}
      volumes:
@ -181,6 +182,7 @@ spec:
        - name: keystone-credential-keys
          secret:
            secretName: keystone-credential-keys
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/keystone/templates/job-credential-cleanup.yaml
+++ b/keystone/templates/job-credential-cleanup.yaml
@ -67,6 +67,10 @@ spec:
              value: {{ $dbToClean.configDbSection | quote }}
            - name: OPENSTACK_CONFIG_DB_KEY
              value: {{ $dbToClean.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
 {{- end }}
          command:
            - python
@ -89,6 +93,9 @@ spec:
              mountPath: {{ $dbToClean.logConfigFile | quote }}
              subPath: {{ base $dbToClean.logConfigFile | quote }}
              readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- end }}
      volumes:
        - name: pod-tmp
@ -97,6 +104,9 @@ spec:
          configMap:
            name: "keystone-bin"
            defaultMode: 0555
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
 {{- $local := dict "configMapBinFirst" true -}}
 {{- $dbToCleanType := default "oslo" $dbToClean.inputType }}
 {{- if and (eq $dbToCleanType "oslo") $local.configMapBinFirst }}
--- a/keystone/templates/job-db-drop.yaml
+++ b/keystone/templates/job-db-drop.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_drop }}
 {{- $dbDropJob := dict "envAll" . "serviceName" "keystone" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
 {{- end }}
--- a/keystone/templates/job-db-init.yaml
+++ b/keystone/templates/job-db-init.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_init }}
 {{- $dbInitJob := dict "envAll" . "serviceName" "keystone" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
 {{- end }}
--- a/keystone/templates/job-db-sync.yaml
+++ b/keystone/templates/job-db-sync.yaml
@ -42,6 +42,7 @@ volumeMounts:
  - name: keystone-fernet-keys
    mountPath: {{ $envAll.Values.conf.keystone.fernet_tokens.key_repository }}
    readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }}
 {{- end }}

 {{- define "keystone.templates._job_db_sync.pod_vols" -}}
@ -50,6 +51,7 @@ volumes:
  - name: keystone-fernet-keys
    secret:
      secretName: keystone-fernet-keys
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }}
 {{- end }}

 {{- if .Values.manifests.job_db_sync }}
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@ -1159,6 +1159,9 @@ endpoints:
      admin:
        username: root
        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
      keystone:
        username: keystone
        password: password
--- a/neutron/templates/configmap-etc.yaml
+++ b/neutron/templates/configmap-etc.yaml
@ -52,7 +52,12 @@ limitations under the License.
 {{- end -}}

 {{- if empty $envAll.Values.conf.neutron.database.connection -}}
-{{- $_ := tuple "oslo_db" "internal" "neutron" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.database "connection" -}}
+{{- $connection := tuple "oslo_db" "internal" "neutron" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.neutron.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.neutron.database "connection" $connection -}}
+{{- end -}}
 {{- end }}

 {{- if empty $envAll.Values.conf.neutron.DEFAULT.transport_url -}}
--- a/neutron/templates/deployment-server.yaml
+++ b/neutron/templates/deployment-server.yaml
@ -226,6 +226,7 @@ spec:
              mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
              subPath: ml2_conf.ini
              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- end }}
      volumes:
@ -249,6 +250,7 @@ spec:
        - name: neutron-plugin-shared
          emptyDir: {}
        {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/neutron/templates/job-db-drop.yaml
+++ b/neutron/templates/job-db-drop.yaml
@ -15,5 +15,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_drop }}
 {{- $dbDropJob := dict "envAll" . "serviceName" "neutron" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
 {{- end }}
--- a/neutron/templates/job-db-init.yaml
+++ b/neutron/templates/job-db-init.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_init }}
 {{- $dbInitJob := dict "envAll" . "serviceName" "neutron" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
 {{- end }}
--- a/neutron/templates/job-db-sync.yaml
+++ b/neutron/templates/job-db-sync.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_sync }}
 {{- $dbSyncJob := dict "envAll" . "serviceName" "neutron" "podVolMounts" .Values.pod.mounts.neutron_db_sync.neutron_db_sync.volumeMounts "podVols" .Values.pod.mounts.neutron_db_sync.neutron_db_sync.volumes -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
 {{- end }}
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@ -2216,6 +2216,9 @@ endpoints:
      admin:
        username: root
        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
      neutron:
        username: neutron
        password: password
--- a/nova/templates/configmap-etc.yaml
+++ b/nova/templates/configmap-etc.yaml
@ -77,15 +77,30 @@ limitations under the License.
 {{- end -}}

 {{- if empty .Values.conf.nova.database.connection -}}
-{{- $_ := tuple "oslo_db" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.nova.database "connection" -}}
+{{- $connection := tuple "oslo_db" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.nova.database "connection" $connection -}}
+{{- end -}}
 {{- end -}}

 {{- if empty .Values.conf.nova.api_database.connection -}}
-{{- $_ := tuple "oslo_db_api" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.nova.api_database "connection" -}}
+{{- $connection := tuple "oslo_db_api" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.api_database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.nova.api_database "connection" $connection -}}
+{{- end -}}
 {{- end -}}

 {{- if empty .Values.conf.nova.cell0_database.connection -}}
-{{- $_ := tuple "oslo_db_cell0" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.nova.cell0_database "connection" -}}
+{{- $connection := tuple "oslo_db_cell0" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.cell0_database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.nova.cell0_database "connection" $connection -}}
+{{- end -}}
 {{- end -}}

 {{- if empty .Values.conf.nova.DEFAULT.transport_url -}}
--- a/nova/templates/deployment-api-osapi.yaml
+++ b/nova/templates/deployment-api-osapi.yaml
@ -126,6 +126,7 @@ spec:
              subPath: mpm_event.conf
              readOnly: true
            {{- end }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
      volumes:
@ -145,6 +146,7 @@ spec:
          secret:
            secretName: nova-etc
            defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/nova/templates/deployment-conductor.yaml
+++ b/nova/templates/deployment-conductor.yaml
@ -120,6 +120,7 @@ spec:
              subPath: policy.yaml
              readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -133,5 +134,6 @@ spec:
            secretName: nova-etc
            defaultMode: 0444
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/nova/templates/deployment-consoleauth.yaml
+++ b/nova/templates/deployment-consoleauth.yaml
@ -115,6 +115,7 @@ spec:
              mountPath: /etc/nova/policy.yaml
              subPath: policy.yaml
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_consoleauth.volumeMounts }}{{ toYaml $mounts_nova_consoleauth.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -127,5 +128,6 @@ spec:
          secret:
            secretName: nova-etc
            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_consoleauth.volumes }}{{ toYaml $mounts_nova_consoleauth.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/nova/templates/deployment-novncproxy.yaml
+++ b/nova/templates/deployment-novncproxy.yaml
@ -139,6 +139,7 @@ spec:
              readOnly: true
            - name: pod-shared
              mountPath: /tmp/pod-shared
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
      volumes:
@ -156,6 +157,7 @@ spec:
          emptyDir: {}
        - name: pod-shared
          emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/nova/templates/deployment-scheduler.yaml
+++ b/nova/templates/deployment-scheduler.yaml
@ -119,6 +119,7 @@ spec:
              mountPath: /etc/nova/policy.yaml
              subPath: policy.yaml
              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
      volumes:
@ -132,6 +133,7 @@ spec:
          secret:
            secretName: nova-etc
            defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/nova/templates/job-cell-setup.yaml
+++ b/nova/templates/job-cell-setup.yaml
@ -84,6 +84,7 @@ spec:
              mountPath: /etc/nova/policy.yaml
              subPath: policy.yaml
              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
      volumes:
        - name: pod-tmp
          emptyDir: {}
@ -97,5 +98,6 @@ spec:
          configMap:
            name: nova-bin
            defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
--- a/nova/templates/job-db-drop.yaml
+++ b/nova/templates/job-db-drop.yaml
@ -19,5 +19,8 @@ limitations under the License.
 {{- $dbCell := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "cell0_database" "configDbKey" "connection" -}}
 {{- $dbsToDrop := list $dbSvc $dbApi $dbCell }}
 {{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbsToDrop" $dbsToDrop -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
 {{- end }}
--- a/nova/templates/job-db-init.yaml
+++ b/nova/templates/job-db-init.yaml
@ -19,5 +19,8 @@ limitations under the License.
 {{- $dbCell := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "cell0_database" "configDbKey" "connection" -}}
 {{- $dbsToInit := list $dbSvc $dbApi $dbCell }}
 {{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbsToInit" $dbsToInit -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
 {{- end }}
--- a/nova/templates/job-db-sync.yaml
+++ b/nova/templates/job-db-sync.yaml
@ -30,5 +30,8 @@ env:
 {{- if .Values.manifests.job_db_sync }}
 {{- $podEnvVars := include "nova.templates._job_db_sync.env_vars" (tuple .) | toString | fromYaml }}
 {{- $dbSyncJob := dict "envAll" . "serviceName" "nova" "podVolMounts" .Values.pod.mounts.nova_db_sync.nova_db_sync.volumeMounts "podVols" .Values.pod.mounts.nova_db_sync.nova_db_sync.volumes "podEnvVars" $podEnvVars.env -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
 {{- end }}
--- a/nova/templates/secret-db-api.yaml
+++ b/nova/templates/secret-db-api.yaml
@ -16,6 +16,7 @@ limitations under the License.
 {{- $envAll := . }}
 {{- range $key1, $userClass := tuple "admin" "nova" }}
 {{- $secretName := index $envAll.Values.secrets.oslo_db_api $userClass }}
+{{- $connection := tuple "oslo_db_api" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
 ---
 apiVersion: v1
 kind: Secret
@ -23,6 +24,10 @@ metadata:
  name: {{ $secretName }}
 type: Opaque
 data:
-  DB_CONNECTION: {{ tuple "oslo_db_api" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{ $connection | b64enc -}}
+{{- end }}
 {{- end }}
 {{- end }}
--- a/nova/templates/secret-db.yaml
+++ b/nova/templates/secret-db.yaml
@ -16,6 +16,7 @@ limitations under the License.
 {{- $envAll := . }}
 {{- range $key1, $userClass := tuple "admin" "nova" }}
 {{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
 ---
 apiVersion: v1
 kind: Secret
@ -23,6 +24,10 @@ metadata:
  name: {{ $secretName }}
 type: Opaque
 data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
 {{- end }}
 {{- end }}
--- a/nova/values.yaml
+++ b/nova/values.yaml
@ -1897,6 +1897,9 @@ endpoints:
      admin:
        username: root
        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
      nova:
        username: nova
        password: password
--- a/placement/templates/bin/_mysql-migrate-db.sh.tpl
+++ b/placement/templates/bin/_mysql-migrate-db.sh.tpl
@ -90,7 +90,14 @@ function mysql_command() {
        command="mysql --skip-column-names"
    fi

-    $command -h$host -u$user -p$pass $db $* 2>$LAST_MYSQL_ERR
+    if [ ! -z "$MARIADB_X509" ]; then
+        local ca=/etc/mysql/certs/ca.crt
+        local cert=/etc/mysql/certs/tls.crt
+        local key=/etc/mysql/certs/tls.key
+        $command -h$host -u$user -p$pass $db --ssl-ca=$ca --ssl-cert=$cert --ssl-key=$key $* 2>$LAST_MYSQL_ERR
+    else
+        $command -h$host -u$user -p$pass $db $* 2>$LAST_MYSQL_ERR
+    fi
 }

 function show_error() {
--- a/placement/templates/configmap-etc.yaml
+++ b/placement/templates/configmap-etc.yaml
@ -18,7 +18,12 @@ limitations under the License.
 {{- $envAll := . }}

 {{- if empty .Values.conf.placement.placement_database.connection -}}
-{{- $_ := tuple "oslo_db" "internal" "placement" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.placement.placement_database "connection" -}}
+{{- $connection := tuple "oslo_db" "internal" "placement" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.placement.placement_database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.placement.placement_database "connection" $connection -}}
+{{- end -}}
 {{- end -}}

 {{- if empty .Values.conf.placement.keystone_authtoken.auth_uri -}}
--- a/placement/templates/job-db-drop.yaml
+++ b/placement/templates/job-db-drop.yaml
@ -17,5 +17,8 @@ limitations under the License.
 {{- if .Values.manifests.job_db_drop }}
 {{- $serviceName := "placement" -}}
 {{- $dbDropJob := dict "envAll" . "serviceName" $serviceName -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
 {{- end }}
--- a/placement/templates/job-db-init.yaml
+++ b/placement/templates/job-db-init.yaml
@ -19,5 +19,8 @@ limitations under the License.
 {{- $dbApi := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "placement_database" "configDbKey" "connection" -}}
 {{- $dbsToInit := list $dbApi }}
 {{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbsToInit" $dbsToInit -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
 {{- end }}
--- a/placement/templates/job-db-migrate.yaml
+++ b/placement/templates/job-db-migrate.yaml
@ -58,6 +58,10 @@ spec:
              value: {{ .Values.endpoints.oslo_db.auth.placement.password | quote }}
            - name: PLACEMENT_DB_HOST
              value: {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" | quote }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: MARIADB_X509
+              value: "REQUIRE X509"
+{{- end }}
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
@ -74,6 +78,7 @@ spec:
              subPath: placement.conf
              readOnly: true
 {{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume_mount"  | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
      volumes:
        - name: pod-tmp
          emptyDir: {}
@ -85,5 +90,6 @@ spec:
          secret:
            secretName: placement-etc
            defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
--- a/placement/templates/job-db-sync.yaml
+++ b/placement/templates/job-db-sync.yaml
@ -16,5 +16,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_sync }}
 {{- $dbSyncJob := dict "envAll" . "serviceName" "placement" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
 {{- end }}
--- a/placement/templates/secret-db.yaml
+++ b/placement/templates/secret-db.yaml
@ -18,6 +18,7 @@ limitations under the License.
 {{- $envAll := . }}
 {{- range $key1, $userClass := tuple "admin" "placement" }}
 {{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection :=  tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
 ---
 apiVersion: v1
 kind: Secret
@ -25,6 +26,10 @@ metadata:
  name: {{ $secretName }}
 type: Opaque
 data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
 {{- end }}
 {{- end }}
--- a/placement/values.yaml
+++ b/placement/values.yaml
@ -232,6 +232,9 @@ endpoints:
      admin:
        username: root
        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
      placement:
        username: placement
        password: password