To figure out what range of MediaWiki / mariadb traffic will use TLS and whether proxying is a must-have, we need to test the connection rate with a test mariadb host. It could be a new host or possibly an existing codfw one getting no traffic (aside from replication).
The client host could probably just be terbium/wasat. Tests cases are:
a) Within eqiad
b) eqiad <=> codfw