From ac4fa725a2d898c930afff8f226bb2954e1966ac Mon Sep 17 00:00:00 2001
From: Abel Buechner-Mihaljevic
Date: Tue, 25 May 2021 15:31:19 +0200
Subject: [PATCH] [#234] Use TLS for connecting to Kafka.
New certificates are created for the example Kafka broker. The broker is configured to expect TLS encrypted connections from clients. The truststore is added to all services and adapters that need to connect to Kafka. This is currently a "jks" file because in Kafka the support for the "pem" format was added in version 2.7 and Hono currently uses the Kafka clients in version 2.6.
Signed-off-by: Abel Buechner-Mihaljevic
---
 charts/hono/example/ca_opts | 7 +++++
 charts/hono/example/certs/kafka-cert.pem | 29 ++++++++++++++++++
 charts/hono/example/certs/kafka-key.pem | 5 +++
 charts/hono/example/certs/kafkaKeyStore.jks | Bin 0 -> 1694 bytes
 charts/hono/example/create_certs.sh | 4 +++
 charts/hono/templates/_helpers.tpl | 4 ++-
 .../hono-adapter-amqp-vertx-secret.yaml | 5 +--
 .../hono-adapter-coap-vertx-secret.yaml | 3 +-
 .../hono-adapter-http-vertx-secret.yaml | 3 +-
 .../hono-adapter-kura-secret.yaml | 3 +-
 .../hono-adapter-lora-vertx-secret.yaml | 3 +-
 .../hono-adapter-mqtt-vertx-secret.yaml | 3 +-
 .../hono-service-command-router-secret.yaml | 1 +
 .../hono-service-device-registry-secret.yaml | 1 +
 .../hono-service-device-registry-secret.yaml | 1 +
 .../hono-service-device-registry-secret.yaml | 1 +
 charts/hono/templates/kafka/kafka-secret.yaml | 23 ++++++++++++++
 charts/hono/values.yaml | 6 +++-
 18 files changed, 93 insertions(+), 9 deletions(-)
 create mode 100644 charts/hono/example/certs/kafka-cert.pem
 create mode 100644 charts/hono/example/certs/kafka-key.pem
 create mode 100644 charts/hono/example/certs/kafkaKeyStore.jks
 create mode 100644 charts/hono/templates/kafka/kafka-secret.yaml
diff --git a/charts/hono/example/ca_opts b/charts/hono/example/ca_opts
index 3f8f0ed9..6d5c72dd 100644
--- a/charts/hono/example/ca_opts
+++ b/charts/hono/example/ca_opts
@@ -146,3 +146,10 @@ subjectKeyIdentifier = hash
 keyUsage = keyAgreement,keyEncipherment,digitalSignature
 extendedKeyUsage = serverAuth, clientAuth
 subjectAltName = DNS.1:localhost
+
+[ req_ext_kafka ]
+
+subjectKeyIdentifier = hash
+keyUsage = keyAgreement,keyEncipherment,digitalSignature
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = DNS.1:*.eclipse-hono-kafka-headless,DNS.2:*.eclipse-hono-kafka-headless.hono,DNS.3:*.eclipse-hono-kafka-headless.hono.svc.cluster.local,DNS.4:localhost
diff --git a/charts/hono/example/certs/kafka-cert.pem b/charts/hono/example/certs/kafka-cert.pem
new file mode 100644
index 00000000..aa95ba14
--- /dev/null
+++ b/charts/hono/example/certs/kafka-cert.pem
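Review bot: The SAN list in `[ req_ext_kafka ]` pins the release name and namespace of the example deployment (`*.eclipse-hono-kafka-headless.hono`), whereas `_helpers.tpl` derives `bootstrap.servers` from `.Release.Name`, `.Values.kafka.nameOverride` and `.Release.Namespace`. With the Kafka client's default hostname verification (`ssl.endpoint.identification.algorithm=https`) a chart installed under a different release name or namespace would fail the TLS handshake against the checked-in example certificate, and nothing on this page documents that constraint. Suggest stating it above the section: `# SANs cover the example install only (release "eclipse-hono", namespace "hono"); adjust and re-run create_certs.sh for other deployments`.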
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIChjCCAiygAwIBAgIUOrdAF96Bl8S68x9iLGpXTUkHZX4wCgYIKoZIzj0EAwIw +UDELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3YTEUMBIGA1UECgwLRWNsaXBz +ZSBJb1QxDTALBgNVBAsMBEhvbm8xCzAJBgNVBAMMAmNhMB4XDTIxMDUyNTEzMDEx +OFoXDTIyMDUyNTEzMDExOFowUzELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3 +YTEUMBIGA1UECgwLRWNsaXBzZSBJb1QxDTALBgNVBAsMBEhvbm8xDjAMBgNVBAMM +BWthZmthMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmHhNNE8pFkV/vHK8u3ep +NYCxstGys1V4qK131+Tq8qQQciyB4BlSd5lhHCTvZKlPAgfD3JO1ajoJFKEc3kQ7 +2qOB4DCB3TAdBgNVHQ4EFgQUS9iuPOvkVh59tk6I8GMd7zu8WY0wCwYDVR0PBAQD +AgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBjwYDVR0RBIGHMIGE +gh0qLmVjbGlwc2UtaG9uby1rYWZrYS1oZWFkbGVzc4IiKi5lY2xpcHNlLWhvbm8t +a2Fma2EtaGVhZGxlc3MuaG9ub4I0Ki5lY2xpcHNlLWhvbm8ta2Fma2EtaGVhZGxl +c3MuaG9uby5zdmMuY2x1c3Rlci5sb2NhbIIJbG9jYWxob3N0MAoGCCqGSM49BAMC +A0gAMEUCIQCCiDTpdsyVTlO+Q+qTkM2LJMDUKInomACBKCPjmdOwHgIgYIVRAxNx +y7cRBvzrjKtzHn+MQGTNacmqS+ALGj2+hNk= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIB4zCCAYmgAwIBAgIUDvfsevHpF7ObReAAmGXXHHsAXDswCgYIKoZIzj0EAwIw +UjELMAkGA1UEBhMCQ0ExDzANBgNVBAcMBk90dGF3YTEUMBIGA1UECgwLRWNsaXBz +ZSBJb1QxDTALBgNVBAsMBEhvbm8xDTALBgNVBAMMBHJvb3QwHhcNMjEwMTI2MTMx +MzI1WhcNMjIwMTI2MTMxMzI1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UEBwwGT3R0 +YXdhMRQwEgYDVQQKDAtFY2xpcHNlIElvVDENMAsGA1UECwwESG9ubzELMAkGA1UE +AwwCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQrWtTxDTpqzkLfkZWT+RMp +w3y6/Mbmrj3S4DTfEv9bsuwUvZwcF7yy5X5YWFq+WOESLBh3nykxxg0MBRHdN0fx +oz8wPTAdBgNVHQ4EFgQUBxIgSnCFs43mB6a9umhpKCA2I30wDwYDVR0TAQH/BAUw +AwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIgRau0yW4JCG+2e3w5 +KFWzCYV20/DNJ2Lj5ospGvNhl9sCIQCYde5228wNvKT3Qw6vk70HiS5r/mhFNJaZ +aPyf7W2E4g== +-----END CERTIFICATE----- diff --git a/charts/hono/example/certs/kafka-key.pem b/charts/hono/example/certs/kafka-key.pem new file mode 100644 index 00000000..bcdfe842 --- /dev/null +++ b/charts/hono/example/certs/kafka-key.pem 
@@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgDl9XTUixhhdRyYXM +T+3yickHXeaQwTkCDn3KeaSJI2qhRANCAASYeE00TykWRX+8cry7d6k1gLGy0bKz +VXiorXfX5OrypBByLIHgGVJ3mWEcJO9kqU8CB8Pck7VqOgkUoRzeRDva +-----END PRIVATE KEY----- diff --git a/charts/hono/example/certs/kafkaKeyStore.jks b/charts/hono/example/certs/kafkaKeyStore.jks new file mode 100644 index 0000000000000000000000000000000000000000..da5b7ab3372292d4b9792c0bcf15b2ae3d5db1d5 GIT binary patch literal 1694 zcmV;P24VRyf(Dub0Ru3C24DsWDuzgg_YDCD0ic2gQ3QepO)!E6Nic#1KL!aZhDe6@ z4FLxRpn?T3FoFdv0s#Opf(0c82`Yw2hW8Bt2LUh~1_~;MNQUjq6vC)Mz2az)wXlP(k7x)-HQ6 zIe(bkXk$~`|0%4mzd^Ek`m_{4wtFM@4nXW~Tw^q@lYwxsO2O?)FTY)Au>+-Rq5Q~4 zvh9e|fm49K_+O85&zr9_;`4ie&$n+vzU{TLJ%Yh7o|nOJ+9wXpX{yyvr9>;dE#k2V zlK7+iv`ya*$xJ>lKw$ZsFn1$%C@uTjIWGpIfG$>&Nr6QvRCpQWdCZ6ZEE{KX^chWu6g8BDhhA?PDS#5`<|jIoc+0vu>aYR%4jOZ(E% zfLgMt`r!XLtXVOAd2o%#uwQjXlpKOe%hn^6`01o@3S|C{$nEPB-=+wlIn6^*5OLm?;O6mbD-9*vZ!4W7E;YH}+?xHz~|9XW0d z{2PdS84lUb?h&{JY9>uTo_JCqHM5{^1?K;J-@C|^=zC02moI0b$yz>6h>;*#^VoT= zlXV8#GS~om{K7Bamj@x&m(SaZ7^$O4w}TLb^62=f^GjXGi?BZ!f|g;36Z2*a&XrARnSqUSEuWpOKWFO* z%lBufX?%|xbWN^Em&QA47>Pf0l(6)YCnVQWEc3jf>w>3j78>OemaVc)MT_q*JiT|A zCAzjFFN_2sBv@PB3X+vAFX<5G>;{V!{N@fT7N%#+xBA5}{GQ z)3fF_w>#ko=Azwj-SKWlEqVY9sSn$^i}{58j&ToghdE%VD`tjZtp0)xd;EA(D z(^XM_{Y>PEI4D&LNQU0s;sC1c8u1)B(X3`JZgZCi@GHljHgds@uB$-k|lfH(P;Y*~mGD9Lt&6#$5AO zY(x7TGs5!L#AutTOV|ByU&c@_;})rDx3l{>u-4L}L~OE0ReAp96+%0i`MYAjj5J$s z1ha#Ab&-Z47*N=fl_ZWDg3JGSqAkfZV|kik{1oVR(^j})T;!8XkDTJktheVM{u5y_ zB`_lf2`Yw2hW8Bt2^BFG1Qe_dwj7JA3&R(YIvPU!(NdtNaf(<32*I4r6~~WsLIMH^0Mm;cVE_OC literal 0 HcmV?d00001 diff --git a/charts/hono/example/create_certs.sh b/charts/hono/example/create_certs.sh index d8eda3fa..9ab2f741 100755 --- a/charts/hono/example/create_certs.sh +++ b/charts/hono/example/create_certs.sh 
@@ -41,6 +41,9 @@ AMQP_ADAPTER_KEY_STORE=amqpKeyStore.p12 AMQP_ADAPTER_KEY_STORE_PWD=amqpkeys EXAMPLE_GATEWAY_KEY_STORE=exampleGatewayKeyStore.p12 EXAMPLE_GATEWAY_KEY_STORE_PWD=examplegatewaykeys +KAFKA_KEY_STORE=kafkaKeyStore.jks +# the bitnami Kafka chart expects truststore and keystore to have the same name +KAFKA_KEY_STORE_PWD=honotrust # set to either EC or RSA KEY_ALG=EC @@ -141,5 +144,6 @@ create_cert artemis $ARTEMIS_KEY_STORE $ARTEMIS_KEY_STORE_PWD create_cert coap-adapter $COAP_ADAPTER_KEY_STORE $COAP_ADAPTER_KEY_STORE_PWD create_cert amqp-adapter $AMQP_ADAPTER_KEY_STORE $AMQP_ADAPTER_KEY_STORE_PWD create_cert example-gateway $EXAMPLE_GATEWAY_KEY_STORE $EXAMPLE_GATEWAY_KEY_STORE_PWD +create_cert kafka $KAFKA_KEY_STORE $KAFKA_KEY_STORE_PWD create_client_cert 4711 diff --git a/charts/hono/templates/_helpers.tpl b/charts/hono/templates/_helpers.tpl index 0e0aff55..a8d2c36e 100644 --- a/charts/hono/templates/_helpers.tpl +++ b/charts/hono/templates/_helpers.tpl @@ -226,9 +226,11 @@ kafka: {{- if .dot.Values.kafkaMessagingClusterExample.enabled }} commonClientConfig: bootstrap.servers: {{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-0.{{ .dot.Release.Name }}-{{ .dot.Values.kafka.nameOverride }}-headless.{{ .dot.Release.Namespace }}:{{ .dot.Values.kafka.service.port }} - security.protocol: SASL_PLAINTEXT + security.protocol: SASL_SSL sasl.mechanism: SCRAM-SHA-512 sasl.jaas.config: "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"{{ first .dot.Values.kafka.auth.sasl.jaas.clientUsers }}\" password=\"{{ first .dot.Values.kafka.auth.sasl.jaas.clientPasswords }}\";" + ssl.truststore.location: /etc/hono/truststore.jks + ssl.truststore.password: honotrust {{- else if not .dot.Values.adapters.kafkaMessagingSpec.commonClientConfig.bootstrap.servers }} {{- required ".Values.adapters.kafkaMessagingSpec.commonClientConfig.bootstrap.servers MUST be set if example Kafka cluster is disabled" nil }} {{- end }} 
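Review bot: The comment above `KAFKA_KEY_STORE_PWD` says the bitnami chart expects truststore and keystore to have the same name, but the line it explains sets a password, and `honotrust` is the value reused as `kafka.auth.tls.password` in `values.yaml` and as the client `ssl.truststore.password` in `_helpers.tpl`; presumably "same password" is meant. Suggest `# the bitnami Kafka chart protects truststore and keystore with one password (kafka.auth.tls.password); keep in sync with _helpers.tpl and values.yaml`. The second hunk's `create_cert kafka $KAFKA_KEY_STORE $KAFKA_KEY_STORE_PWD` passes a `.jks` target where the other callers pass `.p12`; `create_cert` is outside the diff, so whether it honours the extension is worth confirming.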
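Review bot: `ssl.truststore.password: honotrust` hard-codes a value that this same commit exposes as `kafka.auth.tls.password` in `values.yaml`, and the adjacent `sasl.jaas.config` line already reads its credentials from `.dot.Values.kafka.auth.sasl.jaas`; reading the truststore password from the values too keeps the two from drifting: `ssl.truststore.password: {{ .dot.Values.kafka.auth.tls.password }}`. `ssl.truststore.location: /etc/hono/truststore.jks` assumes every component rendering this snippet mounts its secret under `/etc/hono` with the `truststore.jks` key added elsewhere in this commit; the volume mounts are not in the diff, so that is inferred. The enclosing `kafka:` template block begins before the hunk.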
diff --git a/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml b/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml
index ea224cf2..57b250ff 100644
--- a/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-amqp/hono-adapter-amqp-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.amqp.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -41,4 +41,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/amqp-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/amqp-adapter.credentials" | b64enc }}
-{{- end }}
\ No newline at end of file
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
+{{- end }}
diff --git a/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml b/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml
index 9581f621..59c5f14b 100644
--- a/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-coap/hono-adapter-coap-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.coap.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -38,4 +38,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/coap-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/coap-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml b/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml
index 491e4ef1..136f1eee 100644
--- a/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-http/hono-adapter-http-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.http.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -41,4 +41,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/http-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/http-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml b/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml
index 94bafceb..cb44c340 100644
--- a/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml
+++ b/charts/hono/templates/hono-adapter-kura/hono-adapter-kura-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.kura.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -40,4 +40,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/kura-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/kura-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml b/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml
index 1ce76850..93edc302 100644
--- a/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-lora/hono-adapter-lora-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.lora.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -40,4 +40,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/lora-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/lora-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml b/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml
index 15cb997e..f7d52acc 100644
--- a/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml
+++ b/charts/hono/templates/hono-adapter-mqtt/hono-adapter-mqtt-vertx-secret.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.adapters.mqtt.enabled }}
 #
-# Copyright (c) 2019, 2020 Contributors to the Eclipse Foundation
+# Copyright (c) 2019, 2021 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -45,4 +45,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/mqtt-adapter-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/mqtt-adapter.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml b/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml
index 161a00ae..fc0f743e 100644
--- a/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml
+++ b/charts/hono/templates/hono-service-command-router/hono-service-command-router-secret.yaml
@@ -102,4 +102,5 @@ data:
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
 adapter.credentials: {{ .Files.Get "example/command-router.credentials" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml
index eabb0119..87576ac8 100644
--- a/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml
+++ b/charts/hono/templates/hono-service-device-registry-file/hono-service-device-registry-secret.yaml
@@ -74,4 +74,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml
index 4e282690..9ef5ed1f 100644
--- a/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml
+++ b/charts/hono/templates/hono-service-device-registry-jdbc/hono-service-device-registry-secret.yaml
@@ -73,4 +73,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml b/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml
index 9b05e54c..371aba97 100644
--- a/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml
+++ b/charts/hono/templates/hono-service-device-registry-mongodb/hono-service-device-registry-secret.yaml
@@ -74,4 +74,5 @@ data:
 cert.pem: {{ .Files.Get "example/certs/device-registry-cert.pem" | b64enc }}
 trusted-certs.pem: {{ .Files.Get "example/certs/trusted-certs.pem" | b64enc }}
 auth-server-cert.pem: {{ .Files.Get "example/certs/auth-server-cert.pem" | b64enc }}
+ truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
 {{- end }}
diff --git a/charts/hono/templates/kafka/kafka-secret.yaml b/charts/hono/templates/kafka/kafka-secret.yaml
new file mode 100644
index 00000000..dfcd68c8
--- /dev/null
+++ b/charts/hono/templates/kafka/kafka-secret.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.kafkaMessagingClusterExample.enabled }}
+#
+# Copyright (c) 2021 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+apiVersion: v1
+kind: Secret
+metadata:
+ {{- $args := dict "dot" . "component" "kafka" "name" "kafka-jks" }}
+ {{- include "hono.metadata" $args | nindent 2 }}
+type: Opaque
+data:
+ "kafka.truststore.jks": {{ .Files.Get "example/certs/trustStore.jks" | b64enc }}
+ "kafka-0.keystore.jks": {{ .Files.Get "example/certs/kafkaKeyStore.jks" | b64enc }}
+{{- end }}
diff --git a/charts/hono/values.yaml b/charts/hono/values.yaml
index 9e740af4..b1756f09 100755
--- a/charts/hono/values.yaml
+++ b/charts/hono/values.yaml
@@ -1778,7 +1778,7 @@ kafka:
 service:
 port: 9092
 auth:
- clientProtocol: sasl
+ clientProtocol: sasl_tls
 sasl:
 jaas:
 clientUsers:
@@ -1787,3 +1787,7 @@ kafka:
 - "hono-secret"
 zookeeperUser: zookeeperUser
 zookeeperPassword: zookeeperPassword
+ tls:
+ type: jks
+ existingSecret: "{{ .Release.Name }}-kafka-jks"
+ password: honotrust
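Review bot: The secret carries only a `kafka-0.keystore.jks` entry, so the TLS listener is provisioned for the first broker alone; the per-broker key naming suggests the Kafka subchart looks up one keystore per pod, and the wildcard SANs in the example certificate would have allowed the same keystore to be reused for further brokers, but nothing here says the example is single-broker only. Suggest a comment on that line: `# single-broker example: add one kafka-<n>.keystore.jks entry per additional broker`. The `"{{ .Release.Name }}-kafka-jks"` name referenced from `values.yaml` has to match what `hono.metadata` renders for `"name" "kafka-jks"`; that template is outside the diff, so this is inferred.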
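Review bot: `password: honotrust` and `existingSecret: "{{ .Release.Name }}-kafka-jks"` in the second hunk carry coupling constraints that are not written down: the password must equal `KAFKA_KEY_STORE_PWD` in `example/create_certs.sh` and the `ssl.truststore.password` in `_helpers.tpl`, and the secret name must be the one `templates/kafka/kafka-secret.yaml` produces. Suggest `# must equal KAFKA_KEY_STORE_PWD in example/create_certs.sh; it protects both truststore and keystore` above `password` and `# created by templates/kafka/kafka-secret.yaml when kafkaMessagingClusterExample.enabled is true` above `existingSecret`. Whether the Kafka subchart expands the `{{ .Release.Name }}` expression in `existingSecret` through `tpl` is not visible here and is worth confirming against a rendered manifest.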