We decided to go the mTLS way.
Because:
- Changing client/server certificates is already implemented (k8s cert-manager/acme.sh and Kafka's dynamic keystore/truststore reload mechanism)
- Replacing a CA works well because you can have multiple CAs in Kafka's truststore
- Long-running SSL connections are not interrupted by changes to the keystore/truststore
- Well supported by most Kafka client libraries
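The CA-replacement point above (several CAs in the truststore at once) is easy to check in isolation. The following Go program is an added example, not code from the poster or from Kafka: it uses only the Go standard library to build two constructed CAs, concatenate them into a PEM bundle (the shape a PEM truststore takes), and show that a client certificate from the old CA keeps verifying during the overlap window but is rejected once the old CA is pruned. CA and client names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// keyPair bundles a certificate with the key that signs under it.
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 = 1 // simple unique serial counter for the constructed certs

// makeCA builds a self-signed CA. Constructed test data only, not a real PKI.
func makeCA(name string) keyPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return keyPair{cert, key}
}

// issueClientCert signs a client leaf under ca, as an issuer such as
// cert-manager would for a Kafka client workload (hypothetical names).
func issueClientCert(cn string, ca keyPair) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// pemBundle concatenates CA certs into one PEM blob: the layout of a PEM truststore.
func pemBundle(cas ...keyPair) []byte {
	var out []byte
	for _, ca := range cas {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.cert.Raw})...)
	}
	return out
}

// trustedBy reports whether a client cert chains to some CA in the PEM truststore,
// requiring the client-auth usage a broker expects from a connecting client.
func trustedBy(truststore []byte, client *x509.Certificate) bool {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(truststore) {
		return false
	}
	_, err := client.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// RotationOutcome holds the acceptance results for the three phases of a CA rotation.
type RotationOutcome struct {
	OldClientDuringOverlap bool // truststore = old CA + new CA, client still on old CA
	NewClientDuringOverlap bool // truststore = old CA + new CA, client already on new CA
	OldClientAfterPrune    bool // truststore = new CA only, client never re-issued
}

// SimulateRotation walks through a CA replacement: add the new CA alongside the old
// one, re-issue clients, then drop the old CA from the truststore.
func SimulateRotation() RotationOutcome {
	oldCA := makeCA("kafka-ca-old")
	newCA := makeCA("kafka-ca-new")
	oldClient := issueClientCert("order-service", oldCA)
	newClient := issueClientCert("order-service", newCA)

	overlap := pemBundle(oldCA, newCA)
	pruned := pemBundle(newCA)
	return RotationOutcome{
		OldClientDuringOverlap: trustedBy(overlap, oldClient),
		NewClientDuringOverlap: trustedBy(overlap, newClient),
		OldClientAfterPrune:    trustedBy(pruned, oldClient),
	}
}

func main() {
	fmt.Printf("%+v\n", SimulateRotation())
}
```

The practical consequence for a rotation plan is the ordering: ship the two-CA truststore to every broker and client first, re-issue the leaf certificates, and only remove the old CA once no client still presents a certificate chaining to it; the third field of the outcome is what a client that was missed during re-issuance would see.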