Configure the PKI engine as detailed in Configuring a secrets manager in Vault.
Configure the Vault values.yaml file to enable mTLS and point to the Kafka cluster's SSL port using the settings detailed in Security levels and configuration for Kafka and Vault.
Configure the Vault values.yaml file to use the PKI backend. See Vault Installation Tools.
Migrate existing certificates by deleting the previous CA at: secret/
kafka-ca was formerly named certs-ca. You must delete both.
Run the following command:
kubectl exec -it -n tm-system vault-installer -- /deployment-tools/rotate-certs kafka_certs
Reinstall with the Vault Installer to apply the values changes and start using mTLS.