FreeIPA PR https://github.com/freeipa/freeipa/pull/7286 moved
ipalib.install.kinit to ipalib.

It is first tried to import kinit_keytab and kinit_password from
ipalib.kinit, then ipalib.install.kinit and finally in some cases
where support for IPA 4.5.0 is needed still also ipapython.ipautil.

Related: https://github.com/freeipa/freeipa/pull/7286

The use of del os.environ assumes that the environment variable exists.
If the variable does not exist, this call will result in a traceback.
The solution is to use os.environ.pop(VARIABLE, None) instead.

This is the ansible-freeipa fix for https://pagure.io/freeipa/issue/9446
(Nightly test failure for replica installation with --setup-ca)

New variables have been added to ipareplica and ipaserver role to enable
the removal from the domein with the undeployment.

`ipaserver_remove_from_domain`
This enables the removal of the server from the domain additionally to the
undeployment.

`ipaserver_remove_on_server`
The value defines the server/replica in the domain that will to be used to
remove the server/replica from the domain if
`ipaserver_ignore_topology_disconnect` and `ipaserver_remove_from_domain`
are enabled. Without the need to enable
`ipaserver_ignore_topology_disconnect`, the value will be automatically
detected using the replication agreements of the server/replica.

For the replica role it is possible to use the server variables, but
also the replica versions: `ipareplica_remove_from_domain` and
`ipareplica_remove_on_server`.

The already existing parameters `ipaserver_ignore_topology_disconnect` and
`ipaserver_ignore_last_of_role` have been added to the README files for
server and replica with descriptions. The same for the replica versions
of the parameters.

The ipareplica role is not calling the `ipa-server-install` anymore, it
is instead using (including) the server role for the task.

The new module `ipaserver_get_connected_server` has been added to the
server role to be able to get a connected server using the replication
agreements. This module is only used if
`ipaserver_ignore_topology_disconnect` is not needed.

The generation of the OTP for client deployment is now completely
happening on the first of the given or detected servers with delegate_to.
The module ipaclient_get_otp has been replaced by a new module using code
from ipahost module and module_utils ansible_freeipa_module.

The action plugin ipaclient_get_otp has been removed and with this also
ipaclient_get_facts.

If an admin keytab is used instead of an admin password, it is copied to
the server as a temporary file to enable the OTP generation. The temporary
file is removed again after using the ipaclient_get_otp module.

The utils script build-galaxy-release.sh has been updated to not copy the
ipaclient action plugin to the global plugins folder of the collection.

This change is import for the use of the ipaclient role with AAP as only
the base environment is sufficient now.

The ipaclient README and also the global README have been updated as
kinit is not needed anymore on the controller for OTP.

Fixes #903 (Allow the use of principals other than admin when using
            ipaadmin_keytab)

ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:

DOCUMENTATION section

- `type: str` needs to be set for string parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `required` tags need to be fixed according to the `argument_spec`
- `default` tag needs to match `argument_spec`
- `author` needs to be given with the github user also: `Name (@user)`
- `choices` needs to match `argument_spec`

RETURN section

- `type: string` is not valid and needs to be replaced by `type: str`
- `elements: str` needs to be given for list of string parameters

argument_spec

- `type='str'` needs to be set for string parameters
- `elements='str'` needs to be added to all list of string parameters

A call to ansible_ipa_client.check_imports has been added to check for import
errors.

The `copyright` date is extended with `-2022`.

Before "short description" was used in most plugins, modules and also
in the new module templates.

ansible-doc was therefore not showing the short description. To fix the
issue the flag was renamed to short_description instead.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2121362
       'ansible-doc' -l lists most idm modules as 'UNDOCUMENTED'

Fix pylint warnings raised by enabling linter on ansible-freeipa roles.

This patch is needed to pass Automation Hub tests.

This patch is needed to pass Automation Hub tests.

This patch is needed to pass Automation Hub tests.

The documentation of the module paramaters have been updated. The parameter
list has been updated and all parameters are providing a description and
the required argument has been updated to reflect current setting in the
modules.

These are white space and line length changes to calm down pylint and flake8.

When OTP is used for installation of a client or the client part of
a replica and also there is no DNS record for the client, then
ipaclient_get_otp fails in the host_add call.

With the force mode the host_add call will ignore the missing DNS
record and will properly add the host. The host information and also
the DNS record will be updated while deploying the client according
to the given settings.

Fixes: #74 (ipaclient fails when ipaclient_use_otp is true and client ..)

With the deactivation of the Python2/3 test the handling of
ansible_python_interpreter needs to be removed as the setting might
not exist and is not changed in with the Python2/3 test any more.

The naming in the ipaclient role has not been following the naming scheme
and conventions used in the ipaserver and ipareplica roles. Also registered
results of modules and commands have not been unsing the result_ prefix as
in the other roles. All this has been fixed and the naming is consistent
now.

These are the renames:

ipahost -> ipaclient_get_otp
ipaapi -> ipaclient_api
ipaextras -> ipaclient_extras
ipafixca -> ipaclient_fix_ca
ipafstore -> ipaclient_fstore
ipa_facts -> ipaclient_get_facts
ipahost -> ipaclient_get_otp
ipajoin -> ipaclient_join
ipanss -> ipaclient_setup_nss
ipasssd -> ipaclient_setup_sssd
ipadiscovery -> ipaclient_test
ipatest -> ipaclient_test_keytab

As the action plugin is used with the default python interpreter and
the change to python3 for FreeIPA, the use of OTP was not working anymore.

The ansible_python_interpreter is not automatically used for the module
part of the action plugin. Therefore ansible_python_interpreter needed to
be added to the action plugin call as a new var to make sure that the
module part is used with the proper python version.

Also a new import for the Python2/3 import test has been added to discover
of the server is supporting python2 or python3. The old
ansible_python_interpreter setting is saved before doing this and restored
after the one-time password has been generated on the server.

paths.KDESTROY instead of "kdestroy" and paths.GETENT instead of "getent"

Affected modules:
  roles/ipaclient/library/ipahost.py
  roles/ipaclient/library/ipajoin.py
  roles/ipaclient/library/ipanss.py

The directories library and action_plugins do only contain ipaclient specific
modules and plugins. Therefore these directories should be located in the
ipaclient role directory.

The module had unused imports preventing execution with an IPA 4.4 server.
The commit removes unneeded imports, and adds documentation details.

When ipahost is run to generate an OTP and the host is already existing,
the OTP is properly generated but ipa-join will fail if the host is
already enrolled (ie when it has a keytab).
Add a step calling ipa host-disable to erase OTP and keytab before
requesting an OTP.

node and the credential cache is copied to the managed node

ipahost module is also using facts gathered from the server to find the
domain and realm.