Since we're moving change-prop to k8s, we can use the latest and greatest node-rdkafka (thus in turn librdkafka) and can enable TLS to talk to kafka.
For the k8s setup part, we can draw inspiration from https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/551610
The code should already support everything, we just need to add
security.protocol: ssl ssl.ca.location: /etc/eventgate/kafka_ca.crt.pem
to both consumer and producer kafka configuration in the config template.