Implement TLS for MySQL connections

This is already done for replication but not for client connections. Client connections are mostly OpenStack services, AMIE packet processing code, usage reporting code, Rumba, and SQL reporting server. These are not currently using TLS, but should.

Decision: we could continue operating our own certificate authority, or we could use some product that provides it for us. If we use someone else's certificate authority, we need to deal with periodic renewal (e.g. with certbot).

Risk of doing nothing is: someone with the right level of network access (or who obtains it via BGP misconfig/attacks) could man-in-the-middle the SQL connections. There is also compliance risk; NIST and HIPAA etc.

We should finish this in 2023.