diff --git a/vendor.conf b/vendor.conf
index e8fed2173f..2a94274db9 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -123,7 +123,7 @@ golang.org/x/time f51c12702a4d776e4c1fa9b0fabab841babae631
 gopkg.in/inf.v0 3887ee99ecf07df5b447e9b00d9c0b2adaa9f3e4
 gopkg.in/yaml.v2 v2.2.1
 #github.com/ibuildthecloud/kvsql 788464096f5af361d166858efccf26c12dc5b427
-github.com/ibuildthecloud/kvsql d37dd2b0829b44a4964e48c9396e14b0536fefb6 https://github.com/erikwilson/rancher-kvsql.git
+github.com/ibuildthecloud/kvsql 1afc2d8ad7d7e263c1971b05cb37e83aa5562561 https://github.com/erikwilson/rancher-kvsql.git
 # rootless
 github.com/rootless-containers/rootlesskit 893c1c3de71f54c301fdb85a7c0dd15c1933c159
diff --git a/vendor/github.com/ibuildthecloud/kvsql/clientv3/driver/mysql/mysql.go b/vendor/github.com/ibuildthecloud/kvsql/clientv3/driver/mysql/mysql.go
index f1e3fbe62c..8783373fc5 100644
--- a/vendor/github.com/ibuildthecloud/kvsql/clientv3/driver/mysql/mysql.go
+++ b/vendor/github.com/ibuildthecloud/kvsql/clientv3/driver/mysql/mysql.go
@@ -1,6 +1,7 @@
 package mysql
 import (
+ "crypto/tls"
 "database/sql"
 "strings"
@@ -64,7 +65,7 @@ func NewMySQL() *driver.Generic {
 }
 }
-func Open(dataSourceName string) (*sql.DB, error) {
+func Open(dataSourceName string, tlsConfig *tls.Config) (*sql.DB, error) {
 if dataSourceName == "" {
 dataSourceName = "root@unix(/var/run/mysqld/mysqld.sock)/"
 }
@@ -77,6 +78,17 @@ func Open(dataSourceName string) (*sql.DB, error) {
 }
 dataSourceName = dataSourceName + "kubernetes"
 }
+
+ // setting up tlsConfig
+ if tlsConfig != nil {
+ mysql.RegisterTLSConfig("custom", tlsConfig)
+ if strings.Contains(dataSourceName, "?") {
+ dataSourceName = dataSourceName + ",tls=custom"
+ } else {
+ dataSourceName = dataSourceName + "?tls=custom"
+ }
+ }
+
 db, err := sql.Open("mysql", dataSourceName)
 if err != nil {
 return nil, err
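Review bot: In the `@@ -77,6 +78,17 @@` hunk of mysql.go, the branch taken when the DSN already contains `?` appends `,tls=custom`, but go-sql-driver/mysql separates DSN parameters with `&`, so the suffix is likely folded into the previous parameter's value and the registered TLS config is never selected; use `dataSourceName = dataSourceName + "&tls=custom"`. The error returned by `mysql.RegisterTLSConfig` is discarded; `if err := mysql.RegisterTLSConfig("custom", tlsConfig); err != nil { return nil, err }` reports a failed registration where it happens. The key `"custom"` is registered process-wide in the driver, so a later Open with a different config replaces the earlier one, which deserves a comment at the call. Open's body starts and ends outside the hunk.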
diff --git a/vendor/github.com/ibuildthecloud/kvsql/clientv3/driver/pgsql/pgsql.go b/vendor/github.com/ibuildthecloud/kvsql/clientv3/driver/pgsql/pgsql.go
index d6a754c64f..903ff92455 100644
--- a/vendor/github.com/ibuildthecloud/kvsql/clientv3/driver/pgsql/pgsql.go
+++ b/vendor/github.com/ibuildthecloud/kvsql/clientv3/driver/pgsql/pgsql.go
@@ -68,6 +68,8 @@ func NewPGSQL() *driver.Generic {
 func Open(dataSourceName string) (*sql.DB, error) {
 if dataSourceName == "" {
 dataSourceName = "postgres://postgres:postgres@localhost/"
+ } else {
+ dataSourceName = "postgres://" + dataSourceName
 }
 // get database name
 dsList := strings.Split(dataSourceName, "/")
diff --git a/vendor/github.com/ibuildthecloud/kvsql/clientv3/kv.go b/vendor/github.com/ibuildthecloud/kvsql/clientv3/kv.go
index 20f71fc24d..e1038f2063 100644
--- a/vendor/github.com/ibuildthecloud/kvsql/clientv3/kv.go
+++ b/vendor/github.com/ibuildthecloud/kvsql/clientv3/kv.go
@@ -115,7 +115,7 @@ func newKV(cfg Config) (*kv, error) {
 }
 driver = sqlite.NewSQLite()
 case "mysql":
- if db, err = mysql.Open(parts[1]); err != nil {
+ if db, err = mysql.Open(parts[1], cfg.TLS); err != nil {
 return nil, err
 }
 driver = mysql.NewMySQL()
diff --git a/vendor/github.com/ibuildthecloud/kvsql/factory.go b/vendor/github.com/ibuildthecloud/kvsql/factory.go
index 9421feae0d..4e03abd4c7 100644
--- a/vendor/github.com/ibuildthecloud/kvsql/factory.go
+++ b/vendor/github.com/ibuildthecloud/kvsql/factory.go
@@ -18,12 +18,14 @@ package factory
 import (
 "context"
+ "crypto/tls"
 "fmt"
 "sync/atomic"
 "time"
+ "github.com/coreos/etcd/pkg/transport"
 "github.com/ibuildthecloud/kvsql/clientv3"
- "github.com/ibuildthecloud/kvsql/storage"
+ etcd3 "github.com/ibuildthecloud/kvsql/storage"
 "k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/apiserver/pkg/storage"
 "k8s.io/apiserver/pkg/storage/storagebackend"
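Review bot: The new `else` branch in pgsql.go's Open prepends `postgres://` to every non-empty DSN, so a caller that already passes a full `postgres://...` URL ends up with the scheme doubled; guard it with `if !strings.HasPrefix(dataSourceName, "postgres://") {` before prepending. This Open still takes no `*tls.Config`, and the kv.go hunk passes `cfg.TLS` only to `mysql.Open`, so the CA and client certificate from the storage config appear not to reach PostgreSQL connections and transport security there rests on whatever the DSN specifies. Either thread the config through or state that limitation in a doc comment on Open. Open's body continues past the hunk.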
@@ -65,8 +67,22 @@ func NewKVSQLHealthCheck(c storagebackend.Config) (func() error, error) {
 }
 func newETCD3Client(c storagebackend.Config) (*clientv3.Client, error) {
+ tlsInfo := transport.TLSInfo{
+ CertFile: c.Transport.CertFile,
+ KeyFile: c.Transport.KeyFile,
+ CAFile: c.Transport.CAFile,
+ }
+ tlsConfig, err := tlsInfo.ClientConfig()
+ if err != nil {
+ return nil, err
+ }
+ tlsConfig.MinVersion = tls.VersionTLS11
+ if len(c.Transport.CertFile) == 0 && len(c.Transport.KeyFile) == 0 && len(c.Transport.CAFile) == 0 {
+ tlsConfig = nil
+ }
 cfg := clientv3.Config{
 Endpoints: c.Transport.ServerList,
+ TLS: tlsConfig,
 }
 if len(cfg.Endpoints) == 0 {
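Review bot: `tlsConfig.MinVersion = tls.VersionTLS11` in newETCD3Client accepts TLS 1.1, which RFC 8996 deprecates; set `tlsConfig.MinVersion = tls.VersionTLS12` unless a backend is known to require the older version. The config is also built before the check that CertFile, KeyFile and CAFile are all empty, and in that case it is replaced with nil, so the client is configured without any TLS settings from this function and nothing records that choice. Doing the emptiness check first makes the plaintext path explicit, and a comment such as `// no cert, key or CA configured: connect without TLS settings` should mark it as intended. The function body continues past the hunk.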