If Kerberos keytabs were issued for a host, they should also be revoked when running the decom cookbook (currently this happens manually).
Reporting in here a chat with Moritz about the steps to do. Every host that runs a keytab holds several things; let's pick analytics1028 as an example:
- A dir in puppet private /srv/private/modules/secret/secrets/kerberos/keytabs/analytics1028.eqiad.wmnet
- A dir on krb1001 /srv/kerberos/keytabs/analytics1028.eqiad.wmnet
- Some Kerberos principals registered on kadmin/kdc - hdfs/analytics1028.eqiad.wmnet@WIKIMEDIA, etc.
We could start with a read-only step, that checks all the above and reports a prompt to the user asking for inputs ("please acknowledge that you are aware of the keytabs to remove" or similar). Thoughts?
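A sketch of what that read-only step could look like, as an added example that is not part of this task, of the decom cookbook or of Spicerack. It assumes the three locations listed above (the puppet private keytab dir, the keytab dir on the KDC host, and principals of the form service/host@WIKIMEDIA), takes the `kadmin list_principals` output as a plain string rather than calling kadmin, and builds its sample directory tree in a temp dir so it never touches /srv. All function names are hypothetical.

```python
"""Read-only inventory of Kerberos keytab material left behind by a host.

Added example (hypothetical helper names). It only reads: nothing here
deletes a keytab or a principal; the output is meant for the acknowledgement
prompt the cookbook would show before anything is removed.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Locations named in the task; overridable so the code can run offline.
PRIVATE_KEYTAB_ROOT = Path("/srv/private/modules/secret/secrets/kerberos/keytabs")
KDC_KEYTAB_ROOT = Path("/srv/kerberos/keytabs")
REALM = "WIKIMEDIA"

# Constructed sample of `kadmin list_principals` output (not real data).
SAMPLE_KADMIN_LISTING = """\
HTTP/analytics1028.eqiad.wmnet@WIKIMEDIA
hdfs/analytics1028.eqiad.wmnet@WIKIMEDIA
hdfs/analytics1029.eqiad.wmnet@WIKIMEDIA
krbtgt/WIKIMEDIA@WIKIMEDIA
"""


def keytab_files(hostname: str, private_root: Path = PRIVATE_KEYTAB_ROOT,
                 kdc_root: Path = KDC_KEYTAB_ROOT) -> dict[str, list[str]]:
    """Return the keytab files still present under each root for hostname."""
    found: dict[str, list[str]] = {}
    for label, root in (("puppet-private", private_root), ("kdc", kdc_root)):
        host_dir = root / hostname
        if host_dir.is_dir():
            found[label] = sorted(str(p.relative_to(root))
                                  for p in host_dir.rglob("*") if p.is_file())
        else:
            found[label] = []
    return found


def host_principals(kadmin_listing: str, hostname: str, realm: str = REALM) -> list[str]:
    """Filter a list_principals dump to service/<hostname>@<realm> entries.

    The pattern is anchored on both sides of the hostname, so
    'analytics102' does not match 'analytics1028.eqiad.wmnet' and the
    realm's own krbtgt principal is never reported.
    """
    pattern = re.compile(rf"^[^/@\s]+/{re.escape(hostname)}@{re.escape(realm)}$")
    return sorted(line.strip() for line in kadmin_listing.splitlines()
                  if pattern.match(line.strip()))


def decom_report(hostname: str, kadmin_listing: str,
                 private_root: Path = PRIVATE_KEYTAB_ROOT,
                 kdc_root: Path = KDC_KEYTAB_ROOT) -> dict:
    """Gather everything the operator must acknowledge before removal."""
    keytabs = keytab_files(hostname, private_root, kdc_root)
    principals = host_principals(kadmin_listing, hostname)
    return {
        "host": hostname,
        "keytabs": keytabs,
        "principals": principals,
        "anything_to_remove": bool(principals or any(keytabs.values())),
    }


def format_prompt(report: dict) -> str:
    """Render the report as the text shown before the acknowledgement prompt."""
    lines = [f"Kerberos material found for {report['host']}:"]
    for label, files in report["keytabs"].items():
        lines.append(f"  {label}: {', '.join(files) if files else '(none)'}")
    lines.append("  principals: " + (", ".join(report["principals"]) or "(none)"))
    if report["anything_to_remove"]:
        lines.append("Please acknowledge that you are aware of the keytabs to remove.")
    else:
        lines.append("Nothing to remove.")
    return "\n".join(lines)


def make_sample_tree(hostname: str = "analytics1028.eqiad.wmnet") -> tuple[Path, Path]:
    """Constructed sample: two keytab roots in a temp dir standing in for /srv."""
    base = Path(tempfile.mkdtemp(prefix="kt-decom-"))
    private_root, kdc_root = base / "private", base / "kdc"
    for root in (private_root, kdc_root):
        (root / hostname).mkdir(parents=True)
        (root / hostname / "hdfs.keytab").write_bytes(b"\x05\x02constructed")
    (kdc_root / hostname / "HTTP.keytab").write_bytes(b"\x05\x02constructed")
    (kdc_root / "analytics1029.eqiad.wmnet").mkdir()  # dir exists, no files
    return private_root, kdc_root


if __name__ == "__main__":
    priv, kdc = make_sample_tree()
    print(format_prompt(decom_report("analytics1028.eqiad.wmnet",
                                     SAMPLE_KADMIN_LISTING, priv, kdc)))
```

The cookbook would feed the real `kadmin list_principals` output and the real roots into `decom_report` and show `format_prompt` before asking for the acknowledgement; keeping the check side-effect free is what makes it safe to run on every decom, including hosts that never had a keytab.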
Agreed. Printing the steps is a good first step, which will prevent these files from slipping through. Mid-term it would be nice to have a dedicated Spicerack module for Kerberos, which wraps common kadmin commands and makes them available for cookbooks.