  1. Hybrid Cloud Console
  2. RHCLOUD-21142

Ensure apps can operate on managed kafka without 'cacert' provided

    • CRCPLAN-132 - HCC | Managed Instance of Kafka

      • Clowder did not provide a 'cacert' key in the 'brokers' section of the cdappconfig.json that apps load their config from
      • Technically, this should be OK, because a cacert should NOT be required to communicate with managed kafka (their certificates are signed by a well-trusted public CA, DigiCert)
      • Different apps / clowder libraries / etc. were handling the absence of this key in different ways. Some apps / libraries were assuming that cacert would always be present

      As a workaround for now, I downloaded the root CA .pem from DigiCert that the Managed Kafka team has used, and we have modified Clowder to provide the 'cacert' in cdappconfig.json.

      In future, we want to move away from doing this because it prevents the managed kafka team from changing their CA. As long as they continue to use well-trusted public CAs (which is the plan), in theory their cert should already be trusted.

      Each app will need to test and possibly make code changes to be sure that it can successfully connect to managed kafka even if a CA cert is not provided.
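
      One way an app could handle both cases described above, as an added example (not code from Clowder or from any app on this ticket). It assumes a `kafka.brokers[]` layout with `hostname` and `port` fields next to `cacert`, and a librdkafka-based client that takes `bootstrap.servers` and `ssl.ca.location`; the function name and sample values are hypothetical.

```python
import os
import tempfile

# Constructed sample configs. Only the 'cacert' key under 'brokers' comes from
# the ticket; the surrounding layout and field names are assumptions.
PLACEHOLDER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "(constructed placeholder, not a real certificate)\n"
    "-----END CERTIFICATE-----"
)
SAMPLE_WITHOUT_CACERT = {
    "kafka": {"brokers": [{"hostname": "kafka.example.com", "port": 443}]}
}
SAMPLE_WITH_CACERT = {
    "kafka": {"brokers": [{"hostname": "kafka.example.com", "port": 443,
                           "cacert": PLACEHOLDER_PEM}]}
}


def kafka_tls_settings(config, ca_dir=None):
    """Build client TLS trust settings from the first broker entry.

    SASL / authentication settings are out of scope for this sketch.
    """
    broker = config["kafka"]["brokers"][0]
    settings = {"bootstrap.servers": f'{broker["hostname"]}:{broker["port"]}'}

    # Treat a missing key, null, and an empty string the same way.
    cacert = (broker.get("cacert") or "").strip()
    if not cacert:
        # No CA supplied: leave ssl.ca.location unset so the client keeps
        # verifying the broker certificate, now against the system trust store
        # (assumed client behaviour). Verification is never switched off here.
        return settings

    # CA supplied: pin it by writing the PEM to a private (0600) temp file.
    fd, path = tempfile.mkstemp(suffix=".pem", dir=ca_dir)
    with os.fdopen(fd, "w") as handle:
        handle.write(cacert + "\n")
    settings["ssl.ca.location"] = path
    return settings
```

      Running the app's connection test once with each sample shape covers both the current workaround and the planned configuration without `cacert`.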

              Unassigned Unassigned
              bsquizza@redhat.com Brandon Squizzato