diff --git a/tcs-upgrade/kafka/kafka-1.yml b/tcs-upgrade/kafka/kafka-1.yml
new file mode 100644
index 0000000..2eaef3c
--- /dev/null
+++ b/tcs-upgrade/kafka/kafka-1.yml
@@ -0,0 +1,184 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: Zookeeper
+metadata:
+ name: zookeeper
+ namespace: confluent
+spec:
+ replicas: 3
+ oneReplicaPerNode: true
+ configOverrides:
+ jvm:
+ - "-Xmx128m"
+ podTemplate:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - tcs
+ image:
+ application: confluentinc/cp-zookeeper:7.5.0
+ init: confluentinc/confluent-init-container:2.7.0
+ dataVolumeCapacity: 10Gi
+ logVolumeCapacity: 10Gi
+ storageClass:
+ name: tcs-kafka
+ authentication:
+ type: digest
+ jaasConfig:
+ secretRef: credential
+ tls:
+ secretRef: tls-group1
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: Kafka
+metadata:
+ name: kafka
+ namespace: confluent
+spec:
+ replicas: 3
+ oneReplicaPerNode: true
+ configOverrides:
+ server:
+ - auto.create.topics.enable=true
+ - default.replication.factor=3
+ jvm:
+ - "-Xmx512m"
+ podTemplate:
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "100m"
+ limits:
+ memory: "4G"
+ cpu: "1"
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - tcs
+ image:
+ application: confluentinc/cp-server:7.5.0
+ init: confluentinc/confluent-init-container:2.7.0
+ dataVolumeCapacity: 10Gi
+ storageClass:
+ name: tcs-kafka
+ tls:
+ secretRef: tls-group1
+ listeners:
+ internal:
+ authentication:
+ type: ldap
+ jaasConfig:
+ secretRef: credential
+ tls:
+ enabled: true
+ external:
+ externalAccess:
+ type: nodePort
+ nodePort:
+ host: kafka-tcs.beaconfireinc.com
+ nodePortOffset: 30001
+ authentication:
+ type: ldap
+ jaasConfig:
+ secretRef: credential
+ tls:
+ enabled: true
+ authorization:
+ type: rbac
+ superUsers:
+ - User:kafka
+ services:
+ mds:
+ tls:
+ enabled: true
+ tokenKeyPair:
+ secretRef: mds-token
+ provider:
+ type: ldap
+ ldap:
+ address: ldap://ldap.tcs.svc.cluster.local:389
+ authentication:
+ type: simple
+ simple:
+ secretRef: credential
+ configurations:
+ groupNameAttribute: cn
+ groupObjectClass: group
+ groupMemberAttribute: member
+ groupMemberAttributePattern: CN=(.*),DC=test,DC=com
+ groupSearchBase: dc=test,dc=com
+ userNameAttribute: cn
+ userMemberOfAttributePattern: CN=(.*),DC=test,DC=com
+ userObjectClass: organizationalRole
+ userSearchBase: dc=test,dc=com
+ dependencies:
+ zookeeper:
+ endpoint: zookeeper.tcs.svc.cluster.local:2182
+ authentication:
+ type: digest
+ jaasConfig:
+ secretRef: credential
+ tls:
+ enabled: true
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: SchemaRegistry
+metadata:
+ name: schemaregistry
+ namespace: confluent
+spec:
+ replicas: 1
+ oneReplicaPerNode: true
+ configOverrides:
+ jvm:
+ - "-Xmx128m"
+ podTemplate:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - tcs
+ image:
+ application: confluentinc/cp-schema-registry:7.5.0
+ init: confluentinc/confluent-init-container:2.7.0
+ tls:
+ secretRef: tls-group1
+ externalAccess:
+ type: nodePort
+ nodePort:
+ host: kafka-tcs.beaconfireinc.com
+ nodePortOffset: 30005
+ authorization:
+ type: rbac
+ dependencies:
+ kafka:
+ bootstrapEndpoint: kafka.tcs.svc.cluster.local:9071
+ authentication:
+ type: plain
+ jaasConfig:
+ secretRef: credential
+ tls:
+ enabled: true
+ mds:
+ endpoint: https://kafka.tcs.svc.cluster.local:8090
+ tokenKeyPair:
+ secretRef: mds-token
+ authentication:
+ type: bearer
+ bearer:
+ secretRef: sr-mds-client
+ tls:
+ enabled: true
diff --git a/tcs-upgrade/kafka/kafka.yaml b/tcs-upgrade/kafka/kafka.yaml
index 8f1241f..f20ed7f 100644
--- a/tcs-upgrade/kafka/kafka.yaml
+++ b/tcs-upgrade/kafka/kafka.yaml
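Review bot: The MDS LDAP provider in the Kafka resource is addressed as `ldap://ldap.tcs.svc.cluster.local:389` with `type: simple` authentication, so the bind credential from the `credential` secret and the user passwords validated by the `ldap` listeners would cross the cluster network unencrypted, while every other hop in this file has TLS enabled. If the directory offers LDAPS, point `address` at its `ldaps://` endpoint and add `tls:` with `enabled: true` under `ldap`. Separately, all three resources are created in namespace `confluent` while the ZooKeeper, Kafka and MDS endpoints use `*.tcs.svc.cluster.local` names; confirm those names resolve to these pods and are covered by the certificate in `tls-group1`. The `dc=test,dc=com` search bases also look like sample values and should be checked before this is bound to a real directory.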
@@ -67,10 +67,10 @@ spec:
 enabled: true
 listeners:
 external:
- # authentication:
- # type: plain
- # jaasConfig:
- # secretRef: credentials
+ authentication:
+ type: plain
+ jaasConfigPassThrough:
+ secretRef: credentials
 externalAccess:
 type: nodePort
 nodePort:
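Review bot: Enabling `type: plain` on the external nodePort listener only protects the passwords if that listener also runs over TLS, and no `tls:` key for `external` is visible in this hunk (the `external:` block continues past it); confirm `tls:` with `enabled: true` is set there, as kafka-1.yml does for its external listener. The switch from `jaasConfig` to `jaasConfigPassThrough` also changes what the `credentials` secret has to contain: pass-through expects a complete JAAS configuration rather than the user list the operator would otherwise render, so the secret content should be checked against that format before rollout. A comment such as `# credentials must hold a full JAAS config (pass-through)` above `jaasConfigPassThrough:` would record the requirement for the next editor.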