The Kafka development team seems to have only begun discussing this recently, in 3Q 2014:
https://cwiki.apache.org/confluence/display/KAFKA/Security
Securing this traffic with IPsec would mean defining security associations (SAs) on the Varnish nodes (Kafka producers) in ESAMS and ULSFO, as well as on the Kafka brokers. IPsec would not be required between the Kafka brokers and the consumers (Hadoop workers), because at this time that traffic flow is strictly intra-datacenter at EQIAD.
Implementation would involve modifying the ipsec role to reference Hiera keys which enumerate Varnish nodes (including misc and parsoid caches), and extending enumeration of remote IPsec hosts on Varnish nodes to include Kafka brokers.
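The peer enumeration described above can be sketched as follows. This is an added example, not the ipsec role's own code: the inventory, hostnames and role labels are constructed placeholders, and it assumes the rule is "producer and broker in different datacenters". It also checks that every pair is listed on both ends, since an SA defined on only one side leaves that flow unprotected or failing.

```python
# Added example: derive per-host IPsec peer lists from a constructed inventory.
from collections import defaultdict

# Constructed inventory; hostnames and role labels are placeholders.
INVENTORY = [
    {"host": "cache-a.esams.example", "site": "esams", "role": "varnish"},
    {"host": "cache-b.ulsfo.example", "site": "ulsfo", "role": "varnish"},
    {"host": "cache-c.eqiad.example", "site": "eqiad", "role": "varnish"},
    {"host": "kafka-1.eqiad.example", "site": "eqiad", "role": "kafka_broker"},
    {"host": "kafka-2.eqiad.example", "site": "eqiad", "role": "kafka_broker"},
    {"host": "hadoop-1.eqiad.example", "site": "eqiad", "role": "hadoop_worker"},
]


def ipsec_peers(inventory):
    """Map each host to the sorted list of remote hosts it needs an SA with."""
    producers = [h for h in inventory if h["role"] == "varnish"]
    brokers = [h for h in inventory if h["role"] == "kafka_broker"]
    peers = defaultdict(set)
    for p in producers:
        for b in brokers:
            # Assumed rule: only inter-datacenter producer/broker flows get
            # IPsec. Consumers never appear, as their traffic stays in one site.
            if p["site"] != b["site"]:
                peers[p["host"]].add(b["host"])
                peers[b["host"]].add(p["host"])
    return {host: sorted(remote) for host, remote in peers.items()}


def one_sided(peers):
    """Return (a, b) pairs where a lists b as a peer but b does not list a."""
    return sorted(
        (a, b)
        for a, remote in peers.items()
        for b in remote
        if a not in peers.get(b, [])
    )


if __name__ == "__main__":
    result = ipsec_peers(INVENTORY)
    for host in sorted(result):
        print(host, "->", ", ".join(result[host]))
    print("one-sided definitions:", one_sided(result))
```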