When using the kafka output plugin with Telegraf, how do I set up the TLS config correctly?

The problem is that the telegraf-operator Helm chart does not provide a method to add an additional volume to reference the TLS files.
How is it meant to work?

We solved it by using k8s secret store and a volume annotation at the main container level.
Can you confirm, or are there any other ideas or advice?