New roles for smartcard server and client setup

There are new smartcard roles in the roles folder:

    roles/ipasmartcard_server
    roles/ipasmartcard_client

This roles allows to setup smartcard for servers and clients.

Here is the documentation for the roles:

    roles/ipasmartcard_server/README.md
    roles/ipasmartcard_client/README.md

New example playbooks have been added:

    playbooks/install-smartcard-server.yml
    playbooks/install-smartcard-replicas.yml
    playbooks/install-smartcard-servers.yml
    playbooks/install-smartcard-clients.yml

idrange: Fix typo in test comments.

requirements-dev: Update requirements for virtual environments

When developing ansible-freeipa using a Python virtual environment,
some ansible-freeipa utility scripts failed to execute due to missing
tools.

This patch add the required tools and modules to requirements-dev.txt
and pin the versions to the same available in Fedora 36.

 Add support to define which playbook tests to execute with pytest.

Due to an issue with IPA in Fedora 36, dnsconfig and dnsforwardzone
plugin tests must be disabled.

See FreeIPA issue: https://pagure.io/freeipa/issue/9158

pytest provide the means to skip tests based on patterns, but writing
these patterns for ansible-freeipa might not be feasible.

This PR allows the selection of playbook tests and modules that will
be executed with pytest using the environmentt variables IPA_ENABLED_TESTS
IPA_ENABLED_MODULES, IPA_DISABLED_TESTS or IPA_DISABLED_MODULES.

When using IPA_ENABLED_MODULES, all modules will be disabled, and only
the modules in the enabled list will be tested. If using the test
filter, IPA_ENABLED_TESTS, all tests are disabled, unless they are in
the enabled test lists.

If the IPA_DISABLED_* version is used, tests and modules are enabled by
default, and the list is used to disable the module or specific test.

To disable a test or module in Azure CI, edit the file
`tests/azure/variables` and add the desired tests or modules to the
parameter variables `enabled_modules`, 'enabled_tests`, `disabled_tests`
or `disable_modules`.

Note that, if added to the `master` branch, this will affect the tests
for every pipeline that it is include (including 'nightly'), so it should
be used with care.

It can be used with TEMP commits to enable only the desired tests,
speeding up upstream tests.

Fix ansible-test sanity missing CHANGELOG.rst.

Recent versions of ansible-test require the existence of a CHANGELOG
file in the root of the collection. This changes extracts the changes
of the latest available release tag using `utils/changelog` and create
the CHANGELOG file with the result of the command.

The generated changelog will include the changes for the latest release
and, if present, the available changes that were not part of a release.

utils/changelog: Fixed --tag option, new --galaxy option

The --tag TAG option is now printing the changes for the given TAG and
not since the given tag. The new option --galaxy is printing the changelog
since the latest tag and also for the latest tag.

These changes are simplifying the generation of the changelog file that
is needed to pass the tests for galaxy and AutomationHub collections.

Upstream CI updates.

There were some typos in the idrange test playbook.

The current ansible-core available in Fedora and RHEL is 2.12 series.
This patch sets the version used for every PR CI to match this series.

Other versions should be used only in the nightly/weekly tests.

This patch adds the latest ansible-core as a test target in upstream
nightl/weekly CI.

As, currently, the latest available ansible-core is still 2.12.z, the
current ansible-core 2.12 targets were disabled. They should be enabled
when ansible-core 2.13 is available.

CentOS 8 images are not supported anymore, and we are using CentOS 8
Stream images.

This patch removes all configuration for CentOS 8 and updates test
README to point to the available container images.

As Ansible versions might change, and as we don't need to report which
version is used on every test, as the information is avaiable in case
it is needed, the jobs labels are changed to easier display which image
was used for testing.

utils/build-galaxy-release.sh: Add "-i" to install generated collection

The "-i" option can be used to install the generated collection using
the ansible-galaxy collection install command. It is using the force
flag to install the collection if there is already a collection with the
same name and namespace. The ansible-galaxy collection build command is
already using the force flag to create the collection.

Add support for managing idoverrideusers in ipagroup.

New idrange management module

ipaautomountmap: Fix parameter evaluation.

There is a new idrange management module placed in the plugins folder:

    plugins/modules/ipaidrange.py

The idrange module allows to ensure presence and absence of idranges.

Here is the documentation of the module:

    README-idrange.md

New example playbooks have been added:

    playbooks/idrange/idrange-absent.yml
    playbooks/idrange/idrange-ad-posix-present.yml
    playbooks/idrange/idrange-ad-present.yml
    playbooks/idrange/idrange-present.yml

New tests for the module can be found at:

    tests/idrange/test_idrange.yml
    tests/idrange/test_idrange_client_context.yml

This patch fixes the error messages when an invalid number of 'mapname'
are provided for states 'present' or 'absent'.

The usage of 'automountmapname' is required in all automount map IPA
API calls, and this change ensures that the value is always set as
an argument.

ipatrust: fix range_type and test enhancement.

The group CLI option `idoverrideusers` was not supported by
ansible-freeipa, and this patch adds support to it.

Tests require an AD trust, and a user `aduser@ad.ipa.test` to exist, or
the user name must be provided (variable, CLI)  through `test_ad_user`.

A new test playbook was added:

    tests/group/test_group_idoverrideuser.yml

module_utils: Fix comparison of elements not in IPA object.

ipatrust: Set valid choices for trust_type.

The ipatrust module was ignoring the value of `range_type`, which is
required to allow for different types of idranges.

This patch applies several changes to the ipatrust test playbook:

* Add externally defined parameters so execution in local trust
  environments can be configured. The available parameters are:
    * winserver_admin_password: the Administrator password for the AD
      server (default: 'SomeW1Npassword')
    * winserver_domain: the AD server domain (default: 'windows.local')
    * winserver realm: the AD server realm (by default, the uppercase
      version of winserver_domain)
    * ipaserver_domain: the FreeIPA server domain (default: 'ipa.test')
    * ipaserver_realm: the FreeIPA server realm (by default, the
      uppercase version of ipaserver_domain

* Modify trust verification to check for the existence of the trust as
  it the output of `ipa trust-find`, instead of cheking for the number
  of items returned, as the number might vary.

* Add idempotency tests by re-executing tasks and verifying that no
  change was performed.

* Added tests to verify creation of trusts with different 'range_type'.

* Use a Kerberos cache for shell scripts, and destroy it on exit.

* Properly remove all `idrange` that might be created upon setting up a
  trust.

As the task is expected to fail, the AD realm name was modified to show
the expected behavior more clearly.

DNS forward policy: ensure consistency between module parameters.

This patch updates the ipatrust documentation about the 'trust_type'
parameter, and changes one password to be similar to the standard
passwords used in other modules.

Ensure only valid choices for trust_type ('ad')  are available for the
module parameter.

This change allows clearing automountmap 'description' attribute by
passing an empty string ("") as the playbook parameter.

New test cases were added to check this behavior.

Due to a change in 'ansible_freeipa_module.compare_args_ipa', playbook
parameters using empty strings are correctly evaluated, and do not need
to be removed before comparison is performed.

A new test playbook, with tests for clearing attributes with an empty
string ("") is available at:

    tests/user/test_user_empty_lists.yml