> On Kafka cluster side, how to configure *advertised.listeners* for
external access? All 3 LoadBalancer IPs + port, or any 1 LoadBalancer IP +

Since you have one LoadBalancer per broker, you should set
one LoadBalancer IP + port.
You can check this good blog post to learn how to configure the load
balancer environment in k8s for Kafka here

> On external client side, does it need all 3 broker’s certificates?

You need to import all the certificates into the client's truststore. Usually
you can import the root CA of all the certificates, to trust them all.

> How does the client know using which certificate while creating request
to Kafka cluster?

That's the basics of an SSL connection. It's like when you connect to Google,
how does the browser know which certificate to use to connect? The answer
is, the browser doesn't need to know, it just verifies if the server's
certificate is in my trust list. Something like that.
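
The trust check described in the reply above, as an added example that is not part of the original message: a constructed root CA signs three broker certificates, and a client that trusts only that root accepts each of them, while a certificate from an unrelated CA or a mismatched host name is rejected. It uses Go's `crypto/x509` in place of a Java truststore; the CA, the `*.example.test` host names and the helper names `issue` and `Trusted` are assumptions, and the host name check goes beyond what the reply covers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a cert for name signed by parent; a nil parent yields a self-signed root CA.
func issue(name string, serial int64, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{name}}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.DNSNames = true, true, x509.KeyUsageCertSign, nil
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Trusted reports whether a client whose trust store holds only root accepts cert for host.
func Trusted(cert, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	ca, caKey := issue("Example Root CA", 1, nil, nil) // constructed CA, not from the thread
	other, otherKey := issue("Unrelated CA", 2, nil, nil)
	for i, host := range []string{"broker-0.example.test", "broker-1.example.test", "broker-2.example.test"} {
		cert, _ := issue(host, int64(10+i), ca, caKey)
		fmt.Println(host, "trusted via root CA:", Trusted(cert, ca, host))
		fmt.Println(host, "presented under another name:", Trusted(cert, ca, "other.example.test"))
		rogue, _ := issue(host, int64(20+i), other, otherKey)
		fmt.Println(host, "signed by unrelated CA:", Trusted(rogue, ca, host))
	}
}
```
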

