upstream ci: Add support for testing ipaserver deployment

This patch provides the base for testing ipaserver role using Azure's
infrastructure.

By using containers prepared to thave FreeIPA installed, but
unconfigured, allows the use of a test matrix to test the behavior of
modules in differnt IPA configurations. It also improves tests by
allowing the creation of a test matrix of FreeIPA deployment.

A new pipeline script is provided, which can be used as a standalone
pipeline, os as part of an existing pipeline.

The script 'tests/server_role/inventory.py' is used to create inventory
files for the tests, which should be executed using the existing
'install-server.yml' playbook.

More information on how to generate different inventories can be found
in the accompanying README file 'tests/server_role/README.md'.

Author: rjeffman

tests/azure/deployment.yml

@@ -0,0 +1,53 @@
+---
+schedules:
+- cron: "0 19 * * *"
+  displayName: Nightly Builds
+  branches:
+    include:
+    - master
+  always: true
+
+trigger: none
+
+pool:
+  vmImage: 'ubuntu-22.04'
+
+stages:
+
+# Fedora
+
+- stage: FedoraLatest_Ansible_Core_2_15
+  dependsOn: []
+  jobs:
+  - template: templates/deployment_tests.yml
+    parameters:
+      build_number: $(Build.BuildNumber)
+      scenario: fedora-latest
+      ansible_version: "-core >=2.15,<2.16"
+
+- stage: FedoraLatest_Ansible_Core_2_16
+  dependsOn: []
+  jobs:
+  - template: templates/deployment_tests.yml
+    parameters:
+      build_number: $(Build.BuildNumber)
+      scenario: fedora-latest
+      ansible_version: "-core >=2.16,<2.17"
+
+#- stage: FedoraLatest_Ansible_Core_2_17
+#  dependsOn: []
+#  jobs:
+#  - template: templates/deployment_tests.yml
+#    parameters:
+#      build_number: $(Build.BuildNumber)
+#      scenario: fedora-latest
+#      ansible_version: "-core >=2.17,<2.18"
+
+- stage: FedoraLatest_Ansible_latest
+  dependsOn: []
+  jobs:
+  - template: templates/deployment_tests.yml
+    parameters:
+      build_number: $(Build.BuildNumber)
+      scenario: fedora-latest
+      ansible_version: ""

tests/azure/templates/deployment_tests.yml

@@ -0,0 +1,70 @@
+---
+parameters:
+  - name: scenario
+    type: string
+    default: fedora-latest
+  - name: ansible_version
+    type: string
+    default: ""
+  - name: python_version
+    type: string
+    default: 3.x
+  - name: build_number
+    type: string
+
+jobs:
+- job: Test_Deployment
+  displayName: Run deployment tests ${{ parameters.scenario }}
+  timeoutInMinutes: 240
+  steps:
+  - task: UsePythonVersion@0
+    inputs:
+      versionSpec: '${{ parameters.python_version }}'
+
+  - script: |
+      pip install "ansible${{ parameters.ansible_version }}"
+    retryCountOnTaskFailure: 5
+    displayName: Install Ansible
+
+  - script: ansible-galaxy collection install community.docker ansible.posix
+    retryCountOnTaskFailure: 5
+    displayName: Install Ansible collections
+
+  - script: pip install -r requirements-tests.txt
+    retryCountOnTaskFailure: 5
+    displayName: Install dependencies
+
+  - script: |
+      rm -rf ~/.ansible/plugins ~/.ansible/roles
+      ln -snf "$(realpath plugins)" ~/.ansible/plugins
+      ln -snf "$(realpath roles)" ~/.ansible/roles
+      ls -l ~/.ansible
+      docker pull ${SCENARIO_IMAGE}
+    env:
+      SCENARIO_IMAGE: quay.io/ansible-freeipa/upstream-tests:raw-${{ parameters.scenario }}
+    retryCountOnTaskFailure: 5
+    displayName: Setup test environment
+
+  - script: tests/server_role/inventory.py | tee inventory.yml
+    displayName: Create inventory files
+
+  - script: |
+      # remove stray container
+      docker rm --force ${{ parameters.scenario }} >&2 2>/dev/null
+      # run test
+      docker run -d --privileged --name ${IPA_CONTAINER} --hostname ${IPA_HOSTNAME} ${SCENARIO_IMAGE}
+      # ansible-playbook -i inventory.yml tests/server_role/ipv6config.yml
+      ansible-playbook -i inventory.yml playbooks/install-server.yml
+      # Run tests to verify installation
+      ansible-playbook -i inventory.yml tests/user/test_user.yml
+    displayName: Run deployment tests
+    env:
+      SCENARIO_IMAGE: quay.io/ansible-freeipa/upstream-tests:raw-${{ parameters.scenario }}
+      IPA_CONTAINER: ipaserver_test_container
+      IPA_HOSTNAME: ipaserver.test.local
+
+  - task: PublishTestResults@2
+    inputs:
+      mergeTestResults: true
+      testRunTitle: DeploymentTests-Build${{ parameters.build_number }}
+    condition: succeededOrFailed()

tests/server_role/README.md

@@ -0,0 +1 @@
+This file should include how to test ipaserver.

tests/server_role/inventory.py

@@ -0,0 +1,111 @@
+#!/usr/bin/env python
+"""Dynamic inventory to test ipaserver role."""
+
+import os
+import sys
+from collections import namedtuple
+
+try:
+    import yaml
+
+    inventory_to_string = yaml.dump
+except ImportError:
+    import json
+
+    inventory_to_string = json.dumps
+
+Config = namedtuple(
+    "Config",
+    """
+    engine
+    container
+    hostname
+    ipa_domain
+    ipa_realm
+    setup_kra
+    setup_dns
+    dns_no_forwarders
+    dns_auto_reverse
+    setup_adtrust
+    ipa_netbios_name
+""",
+)
+
+
+def to_boolean(value):
+    return value.lower() == "true"
+
+
+def get_inventory_data(config):
+    """Generate inventory based on given configuration."""
+    return {
+        "all": {
+            "children": {
+                "ipaserver": {
+                    "hosts": {
+                        "ipa_server": {
+                            "ansible_connection": config.engine,
+                            "ansible_host": config.container,
+                        },
+                    },
+                    "vars": {
+                        # KRA
+                        "ipaserver_setup_kra": config.setup_kra,
+                        # DNS
+                        "ipaserver_setup_dns": config.setup_dns,
+                        "ipaserver_no_forwarders": config.dns_no_forwarders,
+                        "ipaserver_auto_reverse": config.dns_auto_reverse,
+                        # AD Trust
+                        "ipaserver_setup_adtrust": config.setup_adtrust,
+                        "ipaserver_netbios_name": config.ipa_netbios_name,
+                        # adjtimex fails on container, so do not set ntp
+                        "ipaclient_no_ntp": True,
+                        # server configuration
+                        "ipaserver_hostname": config.hostname,
+                    },
+                },
+            },
+            "vars": {
+                # server/realm
+                "ipaserver_domain": config.ipa_domain,
+                "ipaserver_realm": config.ipa_realm,
+                # passwords
+                "ipaadmin_password": "SomeADMINpassword",
+                "ipadm_password": "SomeDMpassword",
+            },
+        },
+    }
+
+
+def gen_default_inventory():
+    default_hostname = "ipaserver.test.local"
+    ipa_hostname = os.environ.get("IPA_HOSTNAME", default_hostname).split(".")
+
+    setup_dns = to_boolean(os.environ.get("SETUP_DNS", "False"))
+
+    config = Config(
+        engine=(
+            "containers.podman.podman"
+            if "--podman" in sys.argv
+            else "community.docker.docker"
+        ),
+        container=os.environ.get("IPA_CONTAINER", "ipaserver_test_container"),
+        hostname=".".join(ipa_hostname),
+        ipa_domain=os.environ.get("IPA_DOMAIN", ".".join(ipa_hostname[1:])),
+        ipa_realm=os.environ.get(
+            "IPA_REALM", ".".join(ipa_hostname[1:]).upper()
+        ),
+        setup_kra=to_boolean(os.environ.get("SETUP_KRA", "False")),
+        setup_dns=setup_dns,
+        dns_no_forwarders=os.environ.get("DNS_NO_FORWARDERS", setup_dns),
+        dns_auto_reverse=os.environ.get("DNS_AUTO_REVERSE", setup_dns),
+        setup_adtrust=to_boolean(os.environ.get("SETUP_ADTRUST", "False")),
+        ipa_netbios_name=os.environ.get("IPA_NETBIOS_NAME", "IPA"),
+    )
+    print(inventory_to_string(get_inventory_data(config)))
+
+
+if "--matrix" in sys.argv:  # pylint: disable=no-else-raise
+    raise NotImplementedError("Test matrix not implemented yet.")
+else:
+    gen_default_inventory()