Enable TLS for MariaDB

Signed-off-by: Matus Jenca <[email protected]>
SovereignCloudStack · Dec 6, 2023 · c2a3461 · c2a3461
1 parent e50c99d
commit c2a3461
Show file tree

Hide file tree

Showing 119 changed files with 465 additions and 41 deletions.
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
@@ -30,6 +30,8 @@ config_owner_group: "root"
 # By default, we do not provide a filter.
 kolla_ansible_setup_filter: "{{ omit }}"
 
+kolla_ansible_ca_directory: "/etc/kolla/ca-certificates"
+kolla_ansible_container_ca: "/var/lib/ansible/certs/root.crt"
 # This variable is used as the "gather_subset" argument for the setup module.
 # For instance, if one wants to avoid collecting facts via facter:
 # kolla_ansible_setup_gather_subset: "all,!facter"
@@ -484,6 +486,14 @@ mariadb_shard_root_user_prefix: "root_shard_"
 mariadb_shard_backup_user_prefix: "backup_shard_"
 mariadb_shards_info: "{{ groups['mariadb'] | database_shards_info() }}"
 
+mariadb_enable_tls: "no"
+
+mariadb_tls_cert: "mariadb-cert.pem"  
+mariadb_tls_key: "mariadb-key.pem"  
+mariadb_tls_ca: "ca-certificates/root.crt"  
+mariadb_tls_mount_ca: "{{ node_config_directory }}/ca-certificates/root.crt"
+
+
 masakari_internal_fqdn: "{{ kolla_internal_fqdn }}"
 masakari_external_fqdn: "{{ kolla_external_fqdn }}"
 masakari_api_port: "15868"
@@ -998,6 +1008,14 @@ kolla_verify_tls_backend: "yes"
 kolla_tls_backend_cert: "{{ kolla_certificates_dir }}/backend-cert.pem"
 kolla_tls_backend_key: "{{ kolla_certificates_dir }}/backend-key.pem"
 
+######################
+# MariaDB TLS options
+######################
+kolla_enable_tls_mariadb: "no"
+kolla_verify_tls_mariadb: "yes"
+kolla_tls_mariadb_cert: "{{ kolla_certificates_dir }}/mariadb-cert.pem"
+kolla_tls_mariadb_key: "{{ kolla_certificates_dir }}/mariadb-key.pem"
+
 #####################
 # ACME client options
 #####################

diff --git a/ansible/roles/aodh/defaults/main.yml b/ansible/roles/aodh/defaults/main.yml
@@ -174,25 +174,29 @@ aodh_notifier_healthcheck:
   timeout: "{{ aodh_notifier_healthcheck_timeout }}"
 
 aodh_api_default_volumes:
+  - "{{ mariadb_tls_mount_ca ~ ':/var/lib/' ~ project_name ~ '/' ~ mariadb_tls_ca if mariadb_enable_tls | bool else '' }}"
   - "{{ node_config_directory }}/aodh-api/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
   - "aodh:/var/lib/aodh/"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/aodh/aodh:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/aodh' if aodh_dev_mode | bool else '' }}"
 aodh_evaluator_default_volumes:
+  - "{{ mariadb_tls_mount_ca ~ ':/var/lib/' ~ project_name ~ '/' ~ mariadb_tls_ca if mariadb_enable_tls | bool else '' }}"
   - "{{ node_config_directory }}/aodh-evaluator/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/aodh/aodh:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/aodh' if aodh_dev_mode | bool else '' }}"
 aodh_listener_default_volumes:
+  - "{{ mariadb_tls_mount_ca ~ ':/var/lib/' ~ project_name ~ '/' ~ mariadb_tls_ca if mariadb_enable_tls | bool else '' }}"
   - "{{ node_config_directory }}/aodh-listener/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/aodh/aodh:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/aodh' if aodh_dev_mode | bool else '' }}"
 aodh_notifier_default_volumes:
+  - "{{ mariadb_tls_mount_ca ~ ':/var/lib/' ~ project_name ~ '/' ~ mariadb_tls_ca if mariadb_enable_tls | bool else '' }}"
   - "{{ node_config_directory }}/aodh-notifier/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"

diff --git a/ansible/roles/aodh/tasks/bootstrap.yml b/ansible/roles/aodh/tasks/bootstrap.yml
@@ -7,8 +7,10 @@
     module_args:
       login_host: "{{ database_address }}"
       login_port: "{{ database_port }}"
+      ca_cert: "{{ kolla_ansible_container_ca }}"
       login_user: "{{ aodh_database_shard_root_user }}"
       login_password: "{{ database_password }}"
+
       name: "{{ aodh_database_name }}"
   run_once: True
   delegate_to: "{{ groups['aodh-api'][0] }}"
@@ -23,6 +25,7 @@
     module_args:
       login_host: "{{ database_address }}"
       login_port: "{{ database_port }}"
+      ca_cert: "{{ kolla_ansible_container_ca }}"
       login_user: "{{ aodh_database_shard_root_user }}"
       login_password: "{{ database_password }}"
       name: "{{ aodh_database_user }}"

diff --git a/ansible/roles/aodh/templates/aodh.conf.j2 b/ansible/roles/aodh/templates/aodh.conf.j2
@@ -11,7 +11,7 @@ port = {{ aodh_api_listen_port }}
 host = {{ api_interface_address }}
 
 [database]
-connection = mysql+pymysql://{{ aodh_database_user }}:{{ aodh_database_password }}@{{ aodh_database_address }}/{{ aodh_database_name }}
+connection = mysql+pymysql://{{ aodh_database_user }}:{{ aodh_database_password }}@{{ aodh_database_address }}/{{ aodh_database_name }}{{ '?ssl_ca=/var/lib/' ~ project_name ~ '/' ~  mariadb_tls_ca if mariadb_enable_tls | bool }}
 connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 

diff --git a/ansible/roles/barbican/defaults/main.yml b/ansible/roles/barbican/defaults/main.yml
@@ -130,19 +130,22 @@ barbican_worker_healthcheck:
   timeout: "{{ barbican_worker_healthcheck_timeout }}"
 
 barbican_api_default_volumes:
+  - "{{ mariadb_tls_mount_ca ~ ':/var/lib/' ~ project_name ~ '/' ~ mariadb_tls_ca if mariadb_enable_tls | bool else '' }}"
   - "{{ node_config_directory }}/barbican-api/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
   - "barbican:/var/lib/barbican/"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/barbican/barbican:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/barbican' if barbican_dev_mode | bool else '' }}"
 barbican_keystone_listener_default_volumes:
+  - "{{ mariadb_tls_mount_ca ~ ':/var/lib/' ~ project_name ~ '/' ~ mariadb_tls_ca if mariadb_enable_tls | bool else '' }}"
   - "{{ node_config_directory }}/barbican-keystone-listener/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/barbican/barbican:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/barbican' if barbican_dev_mode | bool else '' }}"
 barbican_worker_default_volumes:
+  - "{{ mariadb_tls_mount_ca ~ ':/var/lib/' ~ project_name ~ '/' ~ mariadb_tls_ca if mariadb_enable_tls | bool else '' }}"
   - "{{ node_config_directory }}/barbican-worker/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"

diff --git a/ansible/roles/barbican/tasks/bootstrap.yml b/ansible/roles/barbican/tasks/bootstrap.yml
@@ -7,6 +7,7 @@
     module_args:
       login_host: "{{ database_address }}"
       login_port: "{{ database_port }}"
+      ca_cert: "{{ kolla_ansible_container_ca }}"
       login_user: "{{ barbican_database_shard_root_user }}"
       login_password: "{{ database_password }}"
       name: "{{ barbican_database_name }}"
@@ -25,6 +26,7 @@
       login_port: "{{ database_port }}"
       login_user: "{{ barbican_database_shard_root_user }}"
       login_password: "{{ database_password }}"
+      ca_cert: "{{ kolla_ansible_container_ca }}"
       name: "{{ barbican_database_user }}"
       password: "{{ barbican_database_password }}"
       host: "%"

diff --git a/ansible/roles/barbican/templates/barbican.conf.j2 b/ansible/roles/barbican/templates/barbican.conf.j2
@@ -12,7 +12,7 @@ host_href = {{ barbican_public_endpoint }}
 backlog = 4096
 
 db_auto_create = False
-sql_connection = mysql+pymysql://{{ barbican_database_user }}:{{ barbican_database_password }}@{{ barbican_database_address }}/{{ barbican_database_name }}
+sql_connection = mysql+pymysql://{{ barbican_database_user }}:{{ barbican_database_password }}@{{ barbican_database_address }}/{{ barbican_database_name }}{{ '?ssl_ca=/var/lib/' ~ project_name ~ '/' ~  mariadb_tls_ca if mariadb_enable_tls | bool }}
 
 transport_url = {{ rpc_transport_url }}
 

diff --git a/ansible/roles/blazar/defaults/main.yml b/ansible/roles/blazar/defaults/main.yml
@@ -110,6 +110,7 @@ blazar_manager_healthcheck:
 
 
 blazar_api_default_volumes:
+  - "{{ mariadb_tls_mount_ca ~ ':/var/lib/' ~ project_name ~ '/' ~ mariadb_tls_ca if mariadb_enable_tls | bool else '' }}"
   - "{{ node_config_directory }}/blazar-api/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"

diff --git a/ansible/roles/blazar/tasks/bootstrap.yml b/ansible/roles/blazar/tasks/bootstrap.yml
@@ -7,6 +7,7 @@
     module_args:
       login_host: "{{ database_address }}"
       login_port: "{{ database_port }}"
+      ca_cert: "{{ kolla_ansible_container_ca }}"
       login_user: "{{ blazar_database_shard_root_user }}"
       login_password: "{{ database_password }}"
       name: "{{ blazar_database_name }}"
@@ -23,6 +24,7 @@
     module_args:
       login_host: "{{ database_address }}"
       login_port: "{{ database_port }}"
+      ca_cert: "{{ kolla_ansible_container_ca }}"
       login_user: "{{ blazar_database_shard_root_user }}"
       login_password: "{{ database_password }}"
       name: "{{ blazar_database_name }}"

diff --git a/ansible/roles/blazar/templates/blazar.conf.j2 b/ansible/roles/blazar/templates/blazar.conf.j2
@@ -37,7 +37,7 @@ memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
 
 [database]
-connection = mysql+pymysql://{{ blazar_database_user }}:{{ blazar_database_password }}@{{ blazar_database_address }}/{{ blazar_database_name }}
+connection = mysql+pymysql://{{ blazar_database_user }}:{{ blazar_database_password }}@{{ blazar_database_address }}/{{ blazar_database_name }}{{ '?ssl_ca=/var/lib/' ~ project_name ~ '/' ~  mariadb_tls_ca if mariadb_enable_tls | bool }}
 connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 max_retries = -1

diff --git a/ansible/roles/certificates/defaults/main.yml b/ansible/roles/certificates/defaults/main.yml
@@ -4,6 +4,7 @@ external_dir: "{{ kolla_certificates_dir }}/private/external"
 internal_dir: "{{ kolla_certificates_dir }}/private/internal"
 backend_dir: "{{ kolla_certificates_dir }}/private/backend"
 libvirt_dir: "{{ kolla_certificates_dir }}/private/libvirt"
+mariadb_dir: "{{ kolla_certificates_dir }}/private/mariadb"
 
 # Whether to generate certificates for libvirt TLS.
 certificates_generate_libvirt: "{{ libvirt_tls | default(false) | bool }}"

diff --git a/ansible/roles/certificates/tasks/generate-backend.yml b/ansible/roles/certificates/tasks/generate-backend.yml
@@ -77,3 +77,16 @@
       dest: "{{ kolla_certificates_dir }}/rabbitmq-key.pem"
   when:
     - rabbitmq_enable_tls | bool
+
+- name: Copy backend TLS certificate and key for MariaDB
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    remote_src: true
+  with_items:
+    - src: "{{ kolla_tls_backend_cert }}"
+      dest: "{{ kolla_certificates_dir }}/mariadb-cert.pem"
+    - src: "{{ kolla_tls_backend_key }}"
+      dest: "{{ kolla_certificates_dir }}/mariadb-key.pem"
+  when:
+    - rabbitmq_enable_tls | bool
diff --git a/ansible/roles/certificates/tasks/generate-mariadb.yml b/ansible/roles/certificates/tasks/generate-mariadb.yml
@@ -0,0 +1,66 @@
+---
+- name: Ensuring private MariaDB directory exist
+  file:
+    path: "{{ mariadb_dir }}"
+    state: "directory"
+    mode: "0770"
+
+- name: Creating MariaDB SSL configuration file
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ kolla_certificates_dir }}/{{ item }}"
+    mode: "0660"
+  with_items:
+    - "openssl-kolla-mariadb.cnf"
+
+- name: Creating MariaDB Server Certificate key
+  command: >
+    openssl genrsa
+    -out "{{ mariadb_dir }}/mariadb.key" 2048
+  args:
+    creates: "{{ kolla_tls_mariadb_key }}"
+
+- name: Creating MariaDB Server Certificate signing request
+  command: >
+    openssl req
+    -new
+    -key "{{ mariadb_dir }}/mariadb.key"
+    -out "{{ mariadb_dir }}/mariadb.csr"
+    -config "{{ kolla_certificates_dir }}/openssl-kolla-mariadb.cnf"
+    -sha256
+  args:
+    creates: "{{ mariadb_dir }}/mariadb.csr"
+
+- name: Creating MariaDB Server Certificate
+  command: >
+    openssl x509
+    -req
+    -in "{{ mariadb_dir }}/mariadb.csr"
+    -CA "{{ root_dir }}/root.crt"
+    -CAkey "{{ root_dir }}/root.key"
+    -CAcreateserial
+    -extensions v3_req
+    -extfile "{{ kolla_certificates_dir }}/openssl-kolla-mariadb.cnf"
+    -out "{{ mariadb_dir }}/mariadb.crt"
+    -days 500
+    -sha256
+  args:
+    creates: "{{ mariadb_dir }}/mariadb.crt"
+
+- name: Setting permissions on MariaDB key
+  file:
+    path: "{{ mariadb_dir }}/mariadb.key"
+    mode: "0660"
+    state: file
+
+- name: Copy MariaDB cert to default configuration location
+  copy:
+    src: "{{ mariadb_dir }}/mariadb.crt"
+    dest: "{{ kolla_certificates_dir }}/mariadb-cert.pem"
+    mode: "0660"
+
+- name: Copy MariaDB key to default configuration location
+  copy:
+    src: "{{ mariadb_dir }}/mariadb.key"
+    dest: "{{ kolla_certificates_dir }}/mariadb-key.pem"
+    mode: "0660"
diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml
@@ -2,6 +2,7 @@
 - include_tasks: generate-root.yml
 - include_tasks: generate.yml
 - include_tasks: generate-backend.yml
+- include_tasks: generate-mariadb.yml
   when:
     - kolla_enable_tls_backend | bool or rabbitmq_enable_tls | bool
 - include_tasks: generate-libvirt.yml

diff --git a/ansible/roles/certificates/templates/openssl-kolla-mariadb.cnf.j2 b/ansible/roles/certificates/templates/openssl-kolla-mariadb.cnf.j2
@@ -0,0 +1,22 @@
+[req]
+prompt = no
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = NC
+localityName = RTP
+organizationalUnitName = kolla
+
+[v3_req]
+subjectAltName = @alt_names
+
+[alt_names]
+{% if kolla_external_fqdn != kolla_external_vip_address %}
+DNS.1 = {{ kolla_external_fqdn }}
+{% endif %}
+IP.1 = {{ kolla_external_vip_address }}
+{% for host in groups['tls-backend']%}
+IP.{{ loop.index + 1 }} = {{ 'api' | kolla_address(host) }}
+{% endfor %}
diff --git a/ansible/roles/cinder/defaults/main.yml b/ansible/roles/cinder/defaults/main.yml
@@ -161,12 +161,14 @@ cinder_backup_healthcheck:
 
 cinder_api_default_volumes:
   - "{{ node_config_directory }}/cinder-api/:{{ container_config_directory }}/:ro"
+  -  "{{ mariadb_tls_mount_ca ~ ':/var/lib/' ~ project_name ~ '/' ~ mariadb_tls_ca if mariadb_enable_tls | bool else '' }}"
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/cinder/cinder:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/cinder' if cinder_dev_mode | bool else '' }}"
 cinder_backup_default_volumes:
   - "{{ node_config_directory }}/cinder-backup/:{{ container_config_directory }}/:ro"
+  -  "{{ mariadb_tls_mount_ca ~ ':/var/lib/' ~ project_name ~ '/' ~ mariadb_tls_ca if mariadb_enable_tls | bool else '' }}"
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
   - "/dev/:/dev/"
@@ -178,12 +180,14 @@ cinder_backup_default_volumes:
   - "{{ kolla_dev_repos_directory ~ '/cinder/cinder:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/cinder' if cinder_dev_mode | bool else '' }}"
 cinder_scheduler_default_volumes:
   - "{{ node_config_directory }}/cinder-scheduler/:{{ container_config_directory }}/:ro"
+  -  "{{ mariadb_tls_mount_ca ~ ':/var/lib/' ~ project_name ~ '/' ~ mariadb_tls_ca if mariadb_enable_tls | bool else '' }}"
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/cinder/cinder:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/cinder' if cinder_dev_mode | bool else '' }}"
 cinder_volume_default_volumes:
   - "{{ node_config_directory }}/cinder-volume/:{{ container_config_directory }}/:ro"
+  -  "{{ mariadb_tls_mount_ca ~ ':/var/lib/' ~ project_name ~ '/' ~ mariadb_tls_ca if mariadb_enable_tls | bool else '' }}"
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
   - "/dev/:/dev/"

diff --git a/ansible/roles/cinder/tasks/bootstrap.yml b/ansible/roles/cinder/tasks/bootstrap.yml
@@ -8,6 +8,7 @@
       login_host: "{{ database_address }}"
       login_port: "{{ database_port }}"
       login_user: "{{ cinder_database_shard_root_user }}"
+      ca_cert: "{{ kolla_ansible_container_ca }}"
       login_password: "{{ database_password }}"
       name: "{{ cinder_database_name }}"
   run_once: True
@@ -26,6 +27,7 @@
       login_user: "{{ cinder_database_shard_root_user }}"
       login_password: "{{ database_password }}"
       name: "{{ cinder_database_user }}"
+      ca_cert: "{{ kolla_ansible_container_ca }}"
       password: "{{ cinder_database_password }}"
       host: "%"
       priv: "{{ cinder_database_name }}.*:ALL"

diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2
@@ -102,7 +102,7 @@ password = {{ nova_keystone_password }}
 cafile = {{ openstack_cacert }}
 
 [database]
-connection = mysql+pymysql://{{ cinder_database_user }}:{{ cinder_database_password }}@{{ cinder_database_address }}/{{ cinder_database_name }}
+connection = mysql+pymysql://{{ cinder_database_user }}:{{ cinder_database_password }}@{{ cinder_database_address }}/{{ cinder_database_name }}{{ '?ssl_ca=/var/lib/' ~ project_name ~ '/' ~  mariadb_tls_ca if mariadb_enable_tls | bool }}
 connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 max_retries = -1

diff --git a/ansible/roles/cloudkitty/defaults/main.yml b/ansible/roles/cloudkitty/defaults/main.yml
@@ -76,12 +76,14 @@ cloudkitty_processor_dimensions: "{{ default_container_dimensions }}"
 cloudkitty_api_dimensions: "{{ default_container_dimensions }}"
 
 cloudkitty_api_default_volumes:
+  - "{{ mariadb_tls_mount_ca ~ ':/var/lib/' ~ project_name ~ '/' ~ mariadb_tls_ca if mariadb_enable_tls | bool else '' }}"
   - "{{ node_config_directory }}/cloudkitty-api/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/cloudkitty/cloudkitty:/var/lib/kolla/venv/lib/python' ~ distro_python_version ~ '/site-packages/cloudkitty' if cloudkitty_dev_mode | bool else '' }}"
 cloudkitty_processor_default_volumes:
+  - "{{ mariadb_tls_mount_ca ~ ':/var/lib/' ~ project_name ~ '/' ~ mariadb_tls_ca if mariadb_enable_tls | bool else '' }}"
   - "{{ node_config_directory }}/cloudkitty-processor/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"

diff --git a/ansible/roles/cloudkitty/tasks/bootstrap.yml b/ansible/roles/cloudkitty/tasks/bootstrap.yml
@@ -8,6 +8,7 @@
       login_host: "{{ database_address }}"
       login_port: "{{ database_port }}"
       login_user: "{{ cloudkitty_database_shard_root_user }}"
+      ca_cert: "{{ kolla_ansible_container_ca }}"
       login_password: "{{ database_password }}"
       name: "{{ cloudkitty_database_name }}"
   run_once: True
@@ -24,6 +25,7 @@
       login_host: "{{ database_address }}"
       login_port: "{{ database_port }}"
       login_user: "{{ cloudkitty_database_shard_root_user }}"
+      ca_cert: "{{ kolla_ansible_container_ca }}"
       login_password: "{{ database_password }}"
       name: "{{ cloudkitty_database_user }}"
       password: "{{ cloudkitty_database_password }}"

diff --git a/ansible/roles/cloudkitty/templates/cloudkitty.conf.j2 b/ansible/roles/cloudkitty/templates/cloudkitty.conf.j2
@@ -11,7 +11,7 @@ log_file = /var/log/kolla/cloudkitty/cloudkitty-api.log
 transport_url = {{ rpc_transport_url }}
 
 [database]
-connection = mysql+pymysql://{{ cloudkitty_database_user }}:{{ cloudkitty_database_password }}@{{ cloudkitty_database_address }}/{{ cloudkitty_database_name }}
+connection = mysql+pymysql://{{ cloudkitty_database_user }}:{{ cloudkitty_database_password }}@{{ cloudkitty_database_address }}/{{ cloudkitty_database_name }}{{ '?ssl_ca=/var/lib/' ~ project_name ~ '/' ~  mariadb_tls_ca if mariadb_enable_tls | bool }}
 connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 max_retries = -1