One quick clarification. Kafka 0.9+ has support for SSL. Spark 1.X is using the old consumer API, which only supports the PLAINTEXT protocol. Spark 2.0 uses the new consumer API, which does have SSL + Kerberos support.
CDH will most likely ship an updated Spark version once Cloudera has finished testing.
Navigator Encrypt is a good option in the Cloudera ecosystem to provide encryption at rest. Confluent provides this functionality by utilizing partnerships with a few encryption-at-rest vendors.
Most of the patches that Confluent provides originate from customer requests.