redpanda: correct truststore_file usage

Prior to this commit, RPK's admin and kafka client configuration would incorrect inherit the `truststore_file` setting of the internal listeners. This was mistakenly done when truststore support was first implemented due to unfamiliar naming conventions and blind grepping for instances of `truststore_file`. Utilizing truststores, a CA for client certificate verification, would result in both jobs failing as said truststores were (correctly) not mounted to the jobs but (incorrectly) referenced in RPK's client configuration. This commit updates the naming to `ca_file` [1] and correctly maps the value to the `ca.crt` of the server's certificate OR the server's certificate if no `ca.crt` is present. Additionally, this commit fixes a small bug in the console chart where license was incorrectly keyed as `License` which caused the "with secrets" helm tests to fail due in case 96 which was passing in the license directly. To avoid the chicken and egg problem, a work around has been added to the redpanda chart. [1] https://github.com/redpanda-data/redpanda/blob/817450a480f4f2cadf66de1adc301cfaf6ccde46/src/go/rpk/pkg/config/redpanda_yaml.go#L124-L125
redpanda-data · Sep 4, 2024 · 96a1c9e · 96a1c9e
1 parent df74df3
commit 96a1c9e
Show file tree

Hide file tree

Showing 24 changed files with 629 additions and 842 deletions.
diff --git a/.github/workflows/pull_requests_from_origin.yaml b/.github/workflows/pull_requests_from_origin.yaml
@@ -39,9 +39,10 @@ jobs:
     strategy:
       matrix:
         version:
-          - ""
-          - v23.1.21
-          - v23.2.24
+          # See also: https://redpandadata.atlassian.net/wiki/spaces/CORE/pages/16711857/Releases+Backports
+          - v23.3.20
+          - v24.1.15
+          - "" # Test the default / Most recent version of Redpanda.
         testvaluespattern:
           - '9[6-9]*'  # some tests depend on a github secret that isn't available for fork PRs. Only run these tests in branch PRs.
       fail-fast: false

diff --git a/.github/workflows/test_redpanda.yaml b/.github/workflows/test_redpanda.yaml
@@ -13,9 +13,10 @@ jobs:
     strategy:
       matrix:
         version:
-          - ""
-          - v23.1.21
-          - v23.2.24
+          # See also: https://redpandadata.atlassian.net/wiki/spaces/CORE/pages/16711857/Releases+Backports
+          - v23.3.20
+          - v24.1.15
+          - "" # Test the default / Most recent version of Redpanda.
         testvaluespattern:
           - '0[1-3]*'
           - '0[4-6]*'

diff --git a/charts/console/templates/_deployment.go.tpl b/charts/console/templates/_deployment.go.tpl
diff --git a/charts/console/templates/_secret.go.tpl b/charts/console/templates/_secret.go.tpl
@@ -15,7 +15,7 @@
 {{- $jwtSecret = (randAlphaNum (32 | int)) -}}
 {{- end -}}
 {{- $_is_returning = true -}}
-{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict "kafka-sasl-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.saslPassword "") ))) "r") "kafka-protobuf-git-basicauth-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.protobufGitBasicAuthPassword "") ))) "r") "kafka-sasl-aws-msk-iam-secret-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.awsMskIamSecretKey "") ))) "r") "kafka-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCa "") ))) "r") "kafka-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCert "") ))) "r") "kafka-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsKey "") ))) "r") "kafka-schema-registry-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryPassword "") ))) "r") "kafka-schemaregistry-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCa "") ))) "r") "kafka-schemaregistry-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCert "") ))) "r") "kafka-schemaregistry-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsKey "") ))) "r") "login-jwt-secret" $jwtSecret "login-google-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.clientSecret "") ))) "r") "login-google-groups-service-account.json" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.groupsServiceAccount "") ))) "r") "login-github-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.clientSecret "") ))) "r") "login-github-personal-access-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.personalAccessToken "") ))) "r") "login-okta-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.clientSecret "") ))) "r") "login-okta-directory-api-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.directoryApiToken "") ))) "r") "login-oidc-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.oidc.clientSecret "") ))) "r") "enterprise-license" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.enterprise.License "") ))) "r") "redpanda-admin-api-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.password "") ))) "r") "redpanda-admin-api-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCa "") ))) "r") "redpanda-admin-api-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCert "") ))) "r") "redpanda-admin-api-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsKey "") ))) "r") ) ))) | toJson -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict "kafka-sasl-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.saslPassword "") ))) "r") "kafka-protobuf-git-basicauth-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.protobufGitBasicAuthPassword "") ))) "r") "kafka-sasl-aws-msk-iam-secret-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.awsMskIamSecretKey "") ))) "r") "kafka-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCa "") ))) "r") "kafka-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCert "") ))) "r") "kafka-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsKey "") ))) "r") "kafka-schema-registry-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryPassword "") ))) "r") "kafka-schemaregistry-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCa "") ))) "r") "kafka-schemaregistry-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCert "") ))) "r") "kafka-schemaregistry-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsKey "") ))) "r") "login-jwt-secret" $jwtSecret "login-google-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.clientSecret "") ))) "r") "login-google-groups-service-account.json" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.groupsServiceAccount "") ))) "r") "login-github-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.clientSecret "") ))) "r") "login-github-personal-access-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.personalAccessToken "") ))) "r") "login-okta-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.clientSecret "") ))) "r") "login-okta-directory-api-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.directoryApiToken "") ))) "r") "login-oidc-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.oidc.clientSecret "") ))) "r") "enterprise-license" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.enterprise.license "") ))) "r") "redpanda-admin-api-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.password "") ))) "r") "redpanda-admin-api-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCa "") ))) "r") "redpanda-admin-api-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCert "") ))) "r") "redpanda-admin-api-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsKey "") ))) "r") ) ))) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- end -}}

diff --git a/charts/console/values.go b/charts/console/values.go
@@ -180,7 +180,7 @@ type OIDCLoginSecrets struct {
 }
 
 type EnterpriseSecrets struct {
-	License *string `json:"License,omitempty"`
+	License *string `json:"license,omitempty"`
 }
 
 type RedpandaSecrets struct {

diff --git a/charts/console/values_partial.gen.go b/charts/console/values_partial.gen.go
diff --git a/charts/redpanda/README.md b/charts/redpanda/README.md
@@ -1243,7 +1243,7 @@ This key is the Certificate name. To apply the Certificate to a specific listene
 
 ### [tls.certs.default.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default.caEnabled)
 
-Set the `caEnabled` flag to `true` only for Certificates that are not authenticated using public authorities.
+Indicates whether or not the Secret holding this certificate includes a `ca.crt` key. When `true`, chart managed clients, such as rpk, will use `ca.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use `ca.crt` as their `truststore_file` for verification of client certificates. When `false`, chart managed clients will use `tls.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use the container's CA certificates.
 
 **Default:** `true`
 
@@ -1255,7 +1255,7 @@ Example external tls configuration uncomment and set the right key to the listen
 
 ### [tls.certs.external.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external.caEnabled)
 
-Set the `caEnabled` flag to `true` only for Certificates that are not authenticated using public authorities.
+Indicates whether or not the Secret holding this certificate includes a `ca.crt` key. When `true`, chart managed clients, such as rpk, will use `ca.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use `ca.crt` as their `truststore_file` for verification of client certificates. When `false`, chart managed clients will use `tls.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use the container's CA certificates.
 
 **Default:** `true`
 

diff --git a/charts/redpanda/ci/96-audit-logging-values.yaml.tpl b/charts/redpanda/ci/96-audit-logging-values.yaml.tpl
@@ -28,14 +28,6 @@ auditLogging:
   enabled: true
   listeners: default
 
-console:
-  # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console
-  # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version.
-  image:
-    registry: redpandadata
-    repository: console-unstable
-    tag: master-8a51854
-
 logging:
   usageStats:
     clusterId: cluster-id-test
diff --git a/charts/redpanda/ci/97-license-key-values.yaml.tpl b/charts/redpanda/ci/97-license-key-values.yaml.tpl
@@ -15,11 +15,3 @@
 ---
 enterprise:
   license: "${REDPANDA_LICENSE}"
-
-console:
-  # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console
-  # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version.
-  image:
-    registry: redpandadata
-    repository: console-unstable
-    tag: master-8a51854
diff --git a/charts/redpanda/ci/98-license-secret-values.yaml b/charts/redpanda/ci/98-license-secret-values.yaml
@@ -17,11 +17,3 @@ enterprise:
   licenseSecretRef:
     name: redpanda-license
     key: license-key
-
-console:
-  # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console
-  # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version.
-  image:
-    registry: redpandadata
-    repository: console-unstable
-    tag: master-8a51854
diff --git a/charts/redpanda/ci/99-none-existent-config-options-with-empty-values.yaml b/charts/redpanda/ci/99-none-existent-config-options-with-empty-values.yaml
@@ -67,9 +67,3 @@ console:
       secret:
         defaultMode: 0420
         secretName: redpanda-license
-  # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console
-  # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version.
-  image:
-    registry: redpandadata
-    repository: console-unstable
-    tag: master-8a51854
diff --git a/charts/redpanda/configmap.tpl.go b/charts/redpanda/configmap.tpl.go
@@ -26,14 +26,7 @@ import (
 )
 
 func ConfigMaps(dot *helmette.Dot) []*corev1.ConfigMap {
-	cms := []*corev1.ConfigMap{RedpandaConfigMap(dot, true)}
-	cms = append(cms, RPKProfile(dot)...)
-	return cms
-}
-
-func ConfigMapsWithoutSeedServer(dot *helmette.Dot) []*corev1.ConfigMap {
-	cms := []*corev1.ConfigMap{RedpandaConfigMap(dot, false)}
-	cms = append(cms, RPKProfile(dot)...)
+	cms := []*corev1.ConfigMap{RedpandaConfigMap(dot, true), RPKProfile(dot)}
 	return cms
 }
 
@@ -103,7 +96,7 @@ func RedpandaConfigFile(dot *helmette.Dot, includeSeedServer bool) string {
 		"schema_registry_client": kafkaClient(dot),
 		"pandaproxy":             pandaProxyListener(dot),
 		"pandaproxy_client":      kafkaClient(dot),
-		"rpk":                    rpkConfiguration(dot),
+		"rpk":                    rpkNodeConfig(dot),
 		"config_file":            "/etc/redpanda/redpanda.yaml",
 	}
 
@@ -116,31 +109,35 @@ func RedpandaConfigFile(dot *helmette.Dot, includeSeedServer bool) string {
 	return helmette.ToYaml(redpandaYaml)
 }
 
-func RPKProfile(dot *helmette.Dot) []*corev1.ConfigMap {
+// RPKProfile returns a [corev1.ConfigMap] for aiding users in connecting to
+// the external listeners of their redpanda cluster.
+// It is meant for external consumption via NOTES.txt and is not used within
+// this chart.
+func RPKProfile(dot *helmette.Dot) *corev1.ConfigMap {
 	values := helmette.Unwrap[Values](dot.Values)
 
 	if !values.External.Enabled {
 		return nil
 	}
 
-	return []*corev1.ConfigMap{
-		{
-			TypeMeta: metav1.TypeMeta{
-				Kind:       "ConfigMap",
-				APIVersion: "v1",
-			},
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      fmt.Sprintf("%s-rpk", Fullname(dot)),
-				Namespace: dot.Release.Namespace,
-				Labels:    FullLabels(dot),
-			},
-			Data: map[string]string{
-				"profile": helmette.ToYaml(rpkProfile(dot)),
-			},
+	return &corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "ConfigMap",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      fmt.Sprintf("%s-rpk", Fullname(dot)),
+			Namespace: dot.Release.Namespace,
+			Labels:    FullLabels(dot),
+		},
+		Data: map[string]string{
+			"profile": helmette.ToYaml(rpkProfile(dot)),
 		},
 	}
 }
 
+// rpkProfile generates an RPK Profile for connecting to external listeners.
+// It is intended to be used by the end user via a prompt in NOTES.txt.
 func rpkProfile(dot *helmette.Dot) map[string]any {
 	values := helmette.Unwrap[Values](dot.Values)
 
@@ -154,16 +151,14 @@ func rpkProfile(dot *helmette.Dot) map[string]any {
 		adminAdvertisedList = append(adminAdvertisedList, fmt.Sprintf("%s:%d", advertisedHost(dot, i), int(advertisedAdminPort(dot, i))))
 	}
 
-	kafkaTLS := brokersTLSConfiguration(dot)
-	if _, ok := kafkaTLS["truststore_file"]; ok {
+	kafkaTLS := rpkKafkaClientTLSConfiguration(dot)
+	if _, ok := kafkaTLS["ca_file"]; ok {
 		kafkaTLS["ca_file"] = "ca.crt"
-		delete(kafkaTLS, "truststore_file")
 	}
 
-	adminTLS := adminTLSConfiguration(dot)
-	if _, ok := adminTLS["truststore_file"]; ok {
+	adminTLS := rpkAdminAPIClientTLSConfiguration(dot)
+	if _, ok := adminTLS["ca_file"]; ok {
 		adminTLS["ca_file"] = "ca.crt"
-		delete(adminTLS, "truststore_file")
 	}
 
 	ka := map[string]any{
@@ -286,18 +281,19 @@ func BrokerList(dot *helmette.Dot, replicas int32, port int32) []string {
 	return bl
 }
 
-func rpkConfiguration(dot *helmette.Dot) map[string]any {
+// https://github.com/redpanda-data/redpanda/blob/817450a480f4f2cadf66de1adc301cfaf6ccde46/src/go/rpk/pkg/config/redpanda_yaml.go#L143
+func rpkNodeConfig(dot *helmette.Dot) map[string]any {
 	values := helmette.Unwrap[Values](dot.Values)
 
 	brokerList := BrokerList(dot, values.Statefulset.Replicas, values.Listeners.Kafka.Port)
 
 	var adminTLS map[string]any
-	if tls := adminTLSConfiguration(dot); len(tls) > 0 {
+	if tls := rpkAdminAPIClientTLSConfiguration(dot); len(tls) > 0 {
 		adminTLS = tls
 	}
 
 	var brokerTLS map[string]any
-	if tls := brokersTLSConfiguration(dot); len(tls) > 0 {
+	if tls := rpkKafkaClientTLSConfiguration(dot); len(tls) > 0 {
 		brokerTLS = tls
 	}
 
@@ -321,49 +317,57 @@ func rpkConfiguration(dot *helmette.Dot) map[string]any {
 	return result
 }
 
-func brokersTLSConfiguration(dot *helmette.Dot) map[string]any {
+// rpkKafkaClientTLSConfiguration returns a value suitable for use as RPK's
+// "TLS" type.
+// https://github.com/redpanda-data/redpanda/blob/817450a480f4f2cadf66de1adc301cfaf6ccde46/src/go/rpk/pkg/config/redpanda_yaml.go#L178
+func rpkKafkaClientTLSConfiguration(dot *helmette.Dot) map[string]any {
 	values := helmette.Unwrap[Values](dot.Values)
 
-	if !values.Listeners.Kafka.TLS.IsEnabled(&values.TLS) {
+	tls := values.Listeners.Kafka.TLS
+
+	if !tls.IsEnabled(&values.TLS) {
 		return map[string]any{}
 	}
 
-	result := map[string]any{}
-
-	if truststore := values.Listeners.Kafka.TLS.TrustStoreFilePath(&values.TLS); truststore != defaultTruststorePath {
-		result["truststore_file"] = truststore
+	result := map[string]any{
+		"ca_file": tls.ServerCAPath(&values.TLS),
 	}
 
-	if values.Listeners.Kafka.TLS.RequireClientAuth {
+	if tls.RequireClientAuth {
 		result["cert_file"] = fmt.Sprintf("/etc/tls/certs/%s-client/tls.crt", Fullname(dot))
 		result["key_file"] = fmt.Sprintf("/etc/tls/certs/%s-client/tls.key", Fullname(dot))
-
 	}
 
 	return result
 }
 
-func adminTLSConfiguration(dot *helmette.Dot) map[string]any {
+// rpkAdminAPIClientTLSConfiguration returns a value suitable for use as RPK's
+// "TLS" type.
+// https://github.com/redpanda-data/redpanda/blob/817450a480f4f2cadf66de1adc301cfaf6ccde46/src/go/rpk/pkg/config/redpanda_yaml.go#L184
+func rpkAdminAPIClientTLSConfiguration(dot *helmette.Dot) map[string]any {
 	values := helmette.Unwrap[Values](dot.Values)
 
-	result := map[string]any{}
-	if !values.Listeners.Admin.TLS.IsEnabled(&values.TLS) {
-		return result
+	tls := values.Listeners.Admin.TLS
+
+	if !tls.IsEnabled(&values.TLS) {
+		return map[string]any{}
 	}
 
-	if truststore := values.Listeners.Admin.TLS.TrustStoreFilePath(&values.TLS); truststore != defaultTruststorePath {
-		result["truststore_file"] = truststore
+	result := map[string]any{
+		"ca_file": tls.ServerCAPath(&values.TLS),
 	}
 
-	if values.Listeners.Admin.TLS.RequireClientAuth {
+	if tls.RequireClientAuth {
 		result["cert_file"] = fmt.Sprintf("/etc/tls/certs/%s-client/tls.crt", Fullname(dot))
 		result["key_file"] = fmt.Sprintf("/etc/tls/certs/%s-client/tls.key", Fullname(dot))
-
 	}
 
 	return result
 }
 
+// kafkaClient returns the configuration for internal components of redpanda to
+// connect to its own Kafka API. This is distinct from RPK's configuration for
+// Kafka API interactions.
 func kafkaClient(dot *helmette.Dot) map[string]any {
 	values := helmette.Unwrap[Values](dot.Values)
 
@@ -381,11 +385,18 @@ func kafkaClient(dot *helmette.Dot) map[string]any {
 	if values.Listeners.Kafka.TLS.IsEnabled(&values.TLS) {
 		brokerTLS = map[string]any{
 			"enabled":             true,
-			"cert_file":           fmt.Sprintf("/etc/tls/certs/%s/tls.crt", kafkaTLS.Cert),
-			"key_file":            fmt.Sprintf("/etc/tls/certs/%s/tls.key", kafkaTLS.Cert),
 			"require_client_auth": kafkaTLS.RequireClientAuth,
-			"truststore_file":     kafkaTLS.TrustStoreFilePath(&values.TLS),
+			// NB: truststore_file here is synonymous with ca_file in the RPK
+			// configuration. The difference being that redpanda does NOT read
+			// the ca_file key.
+			"truststore_file": kafkaTLS.ServerCAPath(&values.TLS),
 		}
+
+		if kafkaTLS.RequireClientAuth {
+			brokerTLS["cert_file"] = fmt.Sprintf("/etc/tls/certs/%s-client/tls.crt", Fullname(dot))
+			brokerTLS["key_file"] = fmt.Sprintf("/etc/tls/certs/%s-client/tls.key", Fullname(dot))
+		}
+
 	}
 
 	cfg := map[string]any{