diff --git a/manifests/cache.pp b/manifests/cache.pp
index e566db909..63d5ed939 100644
--- a/manifests/cache.pp
+++ b/manifests/cache.pp
@@ -85,6 +85,39 @@
 # (Optional) (Optional) Whether to install the backend package for the cache.
 # Defaults to true
 #
+# [*tls_enabled*]
+# (Optional) Global toggle for TLS usage when comunicating with
+# the caching servers.
+# Default to $::os_service_default
+#
+# [*tls_cafile*]
+# (Optional) Path to a file of concatenated CA certificates in PEM
+# format necessary to establish the caching server's authenticity.
+# If tls_enabled is False, this option is ignored.
+# Default to $::os_service_default
+#
+# [*tls_certfile*]
+# (Optional) Path to a single file in PEM format containing the
+# client's certificate as well as any number of CA certificates
+# needed to establish the certificate's authenticity. This file
+# is only required when client side authentication is necessary.
+# If tls_enabled is False, this option is ignored.
+# Default to $::os_service_default
+#
+# [*tls_keyfile*]
+# (Optional) Path to a single file containing the client's private
+# key in. Otherwhise the private key will be taken from the file
+# specified in tls_certfile. If tls_enabled is False, this option
+# is ignored.
+# Default to $::os_service_default
+#
+# [*tls_allowed_ciphers*]
+# (Optional) Set the available ciphers for sockets created with
+# the TLS context. It should be a string in the OpenSSL cipher
+# list format. If not specified, all OpenSSL enabled ciphers will
+# be available.
+# Default to $::os_service_default
+#
 class nova::cache (
 $config_prefix = $::os_service_default,
 $expiration_time = $::os_service_default,
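Review bot: The added `tls_keyfile` entry contains a broken sentence (`private key in. Otherwhise the private key will be taken ...`), and `comunicating` in the `tls_enabled` entry is misspelled. Suggested wording for the key file is `Path to a single file containing the client's private key. If unset, the private key is taken from the file specified in tls_certfile.` The `tls_allowed_ciphers` entry says every OpenSSL-enabled cipher is available when the option is unset, so it would help to add `Set an explicit cipher list where policy requires restricting the negotiated suites.` The docs also do not say which trust store is used when `tls_enabled` is true and `tls_cafile` stays at the service default. That presumably falls back to the library's default, which is worth confirming and stating. The class body continues outside this hunk.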
@@ -100,6 +133,11 @@ class nova::cache (
 $memcache_pool_unused_timeout = $::os_service_default,
 $memcache_pool_connection_get_timeout = $::os_service_default,
 $manage_backend_package = true,
+ $tls_enabled = $::os_service_default,
+ $tls_cafile = $::os_service_default,
+ $tls_certfile = $::os_service_default,
+ $tls_keyfile = $::os_service_default,
+ $tls_allowed_ciphers = $::os_service_default,
 ) {
 include nova::deps
@@ -119,5 +157,10 @@ class nova::cache (
 memcache_pool_unused_timeout => $memcache_pool_unused_timeout,
 memcache_pool_connection_get_timeout => $memcache_pool_connection_get_timeout,
 manage_backend_package => $manage_backend_package,
+ tls_enabled => $tls_enabled,
+ tls_cafile => $tls_cafile,
+ tls_certfile => $tls_certfile,
+ tls_keyfile => $tls_keyfile,
+ tls_allowed_ciphers => $tls_allowed_ciphers,
 }
 }
diff --git a/releasenotes/notes/add_tls_options-9f4cd19db6a76a76.yaml b/releasenotes/notes/add_tls_options-9f4cd19db6a76a76.yaml
new file mode 100644
index 000000000..241146dde
--- /dev/null
+++ b/releasenotes/notes/add_tls_options-9f4cd19db6a76a76.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Add TLS options to oslo.cache
diff --git a/spec/classes/nova_cache_spec.rb b/spec/classes/nova_cache_spec.rb
index 84e4adbcf..bca529a3c 100644
--- a/spec/classes/nova_cache_spec.rb
+++ b/spec/classes/nova_cache_spec.rb
@@ -23,6 +23,12 @@ describe 'nova::cache' do is_expected.to contain_nova_config('cache/memcache_pool_maxsize').with_value('') is_expected.to contain_nova_config('cache/memcache_pool_unused_timeout').with_value('') is_expected.to contain_nova_config('cache/memcache_pool_connection_get_timeout').with_value('') + is_expected.to contain_nova_config('cache/tls_enabled').with_value('') + is_expected.to contain_nova_config('cache/tls_cafile').with_value('') + is_expected.to contain_nova_config('cache/tls_certfile').with_value('') + is_expected.to contain_nova_config('cache/tls_keyfile').with_value('') + is_expected.to contain_nova_config('cache/tls_allowed_ciphers').with_value('') + is_expected.to contain_oslo__cache('nova_config').with_manage_backend_package(true) end end @@ -43,6 +49,11 @@ describe 'nova::cache' do :memcache_pool_unused_timeout => '120', :memcache_pool_connection_get_timeout => '360', :manage_backend_package => false, + :tls_enabled => false, + :tls_cafile => nil, + :tls_certfile => nil, + :tls_keyfile => nil, + :tls_allowed_ciphers => nil, } end @@ -60,6 +71,12 @@ describe 'nova::cache' do is_expected.to contain_nova_config('cache/memcache_pool_maxsize').with_value('10') is_expected.to contain_nova_config('cache/memcache_pool_unused_timeout').with_value('120') is_expected.to contain_nova_config('cache/memcache_pool_connection_get_timeout').with_value('360') + is_expected.to contain_nova_config('cache/tls_enabled').with_value('false') + is_expected.to contain_nova_config('cache/tls_cafile').with_value('nil') + is_expected.to contain_nova_config('cache/tls_certfile').with_value('nil') + is_expected.to contain_nova_config('cache/tls_keyfile').with_value('nil') + is_expected.to contain_nova_config('cache/tls_allowed_ciphers').with_value('nil') + is_expected.to contain_oslo__cache('nova_config').with_manage_backend_package(false) end end
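Review bot: No test here exercises TLS switched on or shows a real path reaching `cache/tls_cafile`, `cache/tls_certfile` or `cache/tls_keyfile`. The overridden-parameters case (the `@@ -43,6 +49,11 @@` and `@@ -60,6 +71,12 @@` hunks) sets `:tls_enabled => false`, passes `nil` for every TLS path and the cipher list, then expects the literal string `'nil'` in the rendered config. Asserting `'nil'` also pins behaviour that looks unintended: if that string really is written, a later switch to `tls_enabled => true` would point the client at a file named `nil`. I would override with an enabled toggle and concrete sample values and assert that they are passed through unchanged, as sketched below; the paths and cipher string are constructed for the test. The enclosing `context` blocks start and end outside these hunks.

```ruby
# … unchanged: memcache_* overrides and :manage_backend_package …
:tls_enabled         => true,
:tls_cafile          => '/etc/pki/sample/ca.pem',
:tls_certfile        => '/etc/pki/sample/client.pem',
:tls_keyfile         => '/etc/pki/sample/client.key',
:tls_allowed_ciphers => 'ECDHE+AESGCM',

# … unchanged: memcache_* expectations …
is_expected.to contain_nova_config('cache/tls_enabled').with_value('true')
is_expected.to contain_nova_config('cache/tls_cafile').with_value('/etc/pki/sample/ca.pem')
is_expected.to contain_nova_config('cache/tls_certfile').with_value('/etc/pki/sample/client.pem')
is_expected.to contain_nova_config('cache/tls_keyfile').with_value('/etc/pki/sample/client.key')
is_expected.to contain_nova_config('cache/tls_allowed_ciphers').with_value('ECDHE+AESGCM')
```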