In T212257 a simple KDC + kadmin service was set up on kerberos1001, with minimal puppet automation to:
- create principals and keytabs
- copy them securely to the puppetmaster's private puppet repo and deploy them via puppet when requested (by hiera variables)
The above unblocked Kerberos testing in the Hadoop test cluster, but it is surely not enough. A few things still need to be done:
- order hardware for the two hosts that will run Kerberos KDC(s) and kadmin daemons (two misc nodes)
- add puppet automation to bootstrap a KDC service from scratch on a node (caveat: this might mean only partial automation, since the KDC packages currently prompt for manual input during installation)
- add puppet automation to allow a proper KDC/kadmin failover in case the primary Kerberos node goes down
- puppetise basic config properties like a default password policy