need /opt/so/conf/ca/cacerts on receiver for kafka to run

salt/allowed_states.map.jinja

@@ -191,7 +191,8 @@
           'firewall',
           'schedule',
           'docker_clean',
-          'kafka'
+          'kafka',
+          'elasticsearch.ca'
           ],
       'so-desktop': [
           'ssl',

salt/elasticsearch/ca.sls

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
+{% if sls.split('.')[0] in allowed_states or sls in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 
 # Move our new CA over so Elastic and Logstash can use SSL with the internal CA

salt/kafka/enabled.sls

@@ -10,6 +10,7 @@
 {%   set KAFKANODES = salt['pillar.get']('kafka:nodes', {}) %}
 
 include:
+  - elasticsearch.ca
   - kafka.sostatus
   - kafka.config
   - kafka.storage