Per: T267214#6662762
I have tested the connection from kubernetes1017 which is on 10.64.0, and it works fine, it can reach m2-master.eqiad.wmnet thru port 3306 just fine.
Going to close this as fixed as the DB side is done (T267214#6658395)
As mentioned at T267214#6658395 you might need help from @jijiki or @JMeybohm to puppetize and commit the password to the private repo once ready. If by any reason a firewall hole is required, check this as an example: https://gerrit.wikimedia.org/r/c/operations/puppet/+/643239/1/modules/profile/manifests/mariadb/ferm_misc.pp