As discussed in the original TLSe review here: https://github.com/openstack-k8s-operators/data-plane-adoption/pull/331#discussion_r1570273299

There should not be any SSH access to compute nodes in the Adoption procedure, it was removed in OSPRH-2301. The certmonger removal should be done through EDPM, similarly to how similar clean up is done in Nova's case. The code under OSPRH-2301 can be viewed for inspiration.

From jistr: And i noticed there is one more issue. Currently the certmonger removal from dataplane is done before the control plane adoption. The issue is that this prevents us from doing control plane adoption rollbacks. Once we touch the data plane, it is considered point of no return. So we don't want to touch the data plane until the control plane adoption is complete. (This issue is reported separately as https://issues.redhat.com/browse/OSPRH-7022 .)