THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
When specifying a dns alias in bootstrap.server, the Java client API doesn't resolve all the CNAMES behind it.
This breaks kerberos based SASL authentication and therefore clients are unable to connect to a secured cluster when using an alias.
The details are specified in the JIRA, but it boils down to the kafka server principal not matching the hostname referenced by the client, as the SaslAuthenticator will compare the alias' FQDN with the kafka broker hostname.
...