How-to

Use this to render review-first keytab Secret manifests.

Boundary: Render-only
Authority: idm, kerberos, kubernetes, collection
Evidence: review-manifest

Render a keytab Secret

When To Use This

Use this to render review-first keytab Secret manifests.

Required Authority

Kerberos and IdM own key material. Kubernetes receives it only if a reviewed payload manifest is applied.

Safety Boundary

This workflow is render-only. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.

Secret Handling

Do not print payload material. Use no_log: true on payload-bearing tasks. Review artifacts should redact secret values, and payload manifest rendering should be opt-in.

Inputs

  • Named target objects
  • Credentials with the required IdM or platform authority
  • A reviewed output path or downstream task

Steps

  1. Confirm the target objects and authority before running.
  2. Run the command or task with review-friendly output.
  3. Inspect the returned evidence before continuing to any mutating step.

ansible-playbook playbooks/render-keytab-secret.yml

Example Keytab Secret Rendering

This vars file renders a redacted Kubernetes Secret manifest for an already retrieved keytab.

render-keytab-secret-vars.yml

---
eigenstate_keytab_secret_name: app-http-keytab
eigenstate_keytab_secret_namespace: payments
eigenstate_keytab_secret_principal: HTTP/app01.example.com@EXAMPLE.COM
eigenstate_keytab_secret_keytab_b64: "{{ lookup('file', 'artifacts/http.keytab.b64') }}"
eigenstate_keytab_secret_output_dir: ./artifacts
eigenstate_keytab_secret_render_only: true
eigenstate_keytab_secret_apply: false
eigenstate_keytab_secret_render_review_manifest: true
eigenstate_keytab_secret_write_payload_manifest: false

Run It

ansible-playbook playbooks/render-keytab-secret.yml -e @render-keytab-secret-vars.yml

Expected Evidence

The role renders a review manifest with redacted payload fields and no secret material in clear text. A captured render run produced:

PLAY [Render Kubernetes Secret manifest for keytab delivery] *************

TASK [eigenstate.ipa.keytab_secret_render : Render reviewable keytab Secret manifest] ***
changed: [localhost]

PLAY RECAP ************************************************************
localhost                  : ok=6    changed=2    unreachable=0    failed=0    skipped=4    rescued=0    ignored=0

The review artifact keeps the keytab payload redacted:

apiVersion: v1
kind: Secret
metadata:
  name: "idm-keytab-secret"
  namespace: "default"
  annotations:
    eigenstate.ipa/payload: "redacted-in-review-manifest"
    eigenstate.ipa/principal: "HTTP/app.example.com@EXAMPLE.COM"
    eigenstate.ipa/source: "idm-keytab"
type: Opaque
stringData:
  service.keytab: "REDACTED"
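As an added illustration (not the role's own code), this Python script mirrors the render-only workflow above: it builds the redacted review manifest from the vars-file keys, produces the payload manifest only when eigenstate_keytab_secret_write_payload_manifest is true, and checks a rendered artifact for leaked keytab material before it is shared. The output file names, the "present" annotation value and the sample keytab bytes are assumptions.

```python
import base64

# Constructed sample inputs for this example (not a real keytab).
SAMPLE_PRINCIPAL = "HTTP/app01.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB_B64 = base64.b64encode(b"\x05\x02constructed-keytab-bytes").decode()

def _secret_skeleton(name, namespace, principal, payload_marker):
    # YAML is assembled by hand so the example needs no extra libraries.
    return "\n".join([
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f'  name: "{name}"',
        f'  namespace: "{namespace}"',
        "  annotations:",
        f'    eigenstate.ipa/payload: "{payload_marker}"',
        f'    eigenstate.ipa/principal: "{principal}"',
        '    eigenstate.ipa/source: "idm-keytab"',
        "type: Opaque",
    ])

def render_review_manifest(name, namespace, principal):
    # Review artifact: the keytab never enters this document at all.
    body = _secret_skeleton(name, namespace, principal, "redacted-in-review-manifest")
    return body + '\nstringData:\n  service.keytab: "REDACTED"\n'

def render_payload_manifest(name, namespace, principal, keytab_b64):
    # Opt-in payload manifest: the binary keytab goes under data: as base64 ("present" marker is assumed).
    body = _secret_skeleton(name, namespace, principal, "present")
    return body + f"\ndata:\n  service.keytab: {keytab_b64.strip()}\n"

def render_outputs(cfg, keytab_b64):
    # Mirrors the vars-file switches: the review manifest is the default output,
    # the payload manifest is produced only when explicitly opted in.
    name = cfg["eigenstate_keytab_secret_name"]
    ns = cfg["eigenstate_keytab_secret_namespace"]
    principal = cfg["eigenstate_keytab_secret_principal"]
    outputs = {}
    if cfg.get("eigenstate_keytab_secret_render_review_manifest", True):
        outputs["review-manifest.yml"] = render_review_manifest(name, ns, principal)
    if cfg.get("eigenstate_keytab_secret_write_payload_manifest", False):
        outputs["payload-manifest.yml"] = render_payload_manifest(name, ns, principal, keytab_b64)
    return outputs

def manifest_leaks_keytab(manifest_text, keytab_b64):
    # Check an artifact before sharing it: neither the base64 form nor the
    # decoded keytab bytes may appear anywhere in the text.
    b64 = keytab_b64.strip()
    raw = base64.b64decode(b64)
    return b64 in manifest_text or raw in manifest_text.encode()
```

Run manifest_leaks_keytab over every file that leaves the render step; a review artifact for which it returns True must not be shared or committed.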

Troubleshooting

  • Permission failure: verify the account and delegated authority.
  • Unexpected empty result: verify target names and source records.
  • Unsafe output: redact payloads and add no_log: true where secret material is present.