[6.1.6 Cherry-pick] Create YAML Kerberos Test Pipeline (#4263)

* Cherry-pick of #4252 requires manual resolution

To resolve, run:  git cherry-pick a3648e4

* Create YAML Kerberos Test Pipeline (#4252)

Co-authored-by: Priyanka Tiwari <prtiwar@microsoft.com>

* Adapted the kerberos pipeline to work with the 6.1 style targets in build.proj.

* Fix kerberos coverage template parameters

* Fix Windows AKV restore caching and Linux per-TF build

* Split Windows Kerberos job into netcore and netfx

* Move Windows NetFx into its own parallel stage

* Replace .NET Core terminology with .NET in comments

* Remove .NET 10 from kerberos release/6.1 pipeline

* Fix Kerberos coverage results path handling

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Paul Medynski <31868385+paulmedynski@users.noreply.github.com>
Co-authored-by: Priyanka Tiwari <prtiwar@microsoft.com>

Author: 3 people

eng/pipelines/common/templates/jobs/ci-code-coverage-job.yml

@@ -124,6 +124,11 @@ jobs:
                 }
             }
 
+            if ($jobs.Count -eq 0) {
+                Write-Error "No .coverage files found in $InputDirectoryPath. Cannot merge."
+                exit 1
+            }
+
             Write-Host "Merging started..."
             Wait-Job -Job $jobs
 

eng/pipelines/dotnet-sqlclient-ci-package-reference-pipeline.yml

@@ -28,6 +28,7 @@ pr:
       - build.proj
       - NuGet.config
     exclude:
+      - eng/pipelines/kerberos/*
       - eng/pipelines/onebranch/*
 
 # Commit triggers for CI runs on specified branches.

eng/pipelines/dotnet-sqlclient-ci-project-reference-pipeline.yml

@@ -28,6 +28,7 @@ pr:
       - build.proj
       - NuGet.config
     exclude:
+      - eng/pipelines/kerberos/*
       - eng/pipelines/onebranch/*
 
 # Commit triggers for CI runs on specified branches.

eng/pipelines/kerberos/build-and-test-steps.yml

@@ -0,0 +1,154 @@
+#################################################################################
+# Licensed to the .NET Foundation under one or more agreements.                 #
+# The .NET Foundation licenses this file to you under the MIT license.          #
+# See the LICENSE file in the project root for more information.                #
+#################################################################################
+
+# Shared build-and-test steps used by both the Windows and Linux Kerberos jobs.
+#
+# Parameters:
+#   buildTargets  — Ordered build.proj targets to run before tests (for
+#                   example BuildNetCore, BuildNetFx, BuildTestsNetCore).
+#   testFramework — The TFM to test against (e.g. net9.0, net462).
+#   testRunTitle  — Title for the published test results (displayed in the ADO
+#                   Tests tab).
+#   artifactName  — Name of the published pipeline artifact that carries the
+#                   test results and coverage files.
+
+parameters:
+
+  # Ordered build.proj targets to run before test execution.
+  - name: buildTargets
+    type: object
+
+  # TFM to pass to the test targets (-p:TestFramework).
+  - name: testFramework
+    type: string
+
+  # Title shown in the ADO Tests tab for this run.
+  - name: testRunTitle
+    type: string
+
+  # Pipeline artifact name for test results and coverage.
+  - name: artifactName
+    type: string
+
+steps:
+
+  # ---------------------------------------------------------------------------
+  # Build
+  # ---------------------------------------------------------------------------
+
+  # Build the configured targets in order.
+  #
+  # The test stages build as part of their targets, but this separate step isolates build failures
+  # so we can fail fast before running tests. Retries are enabled intentionally (1 attempt for
+  # build, 2 attempts for test steps) to reduce transient infrastructure-related failures.
+  #
+  - ${{ each target in parameters.buildTargets }}:
+    - task: DotNetCoreCLI@2
+      displayName: Build (${{ target }})
+      retryCountOnTaskFailure: 1
+      inputs:
+        command: build
+        projects: build.proj
+        arguments: >-
+          -t:${{ target }}
+          -p:Configuration=Release
+          -p:TF=${{ parameters.testFramework }}
+
+  # ---------------------------------------------------------------------------
+  # Run tests in separate steps to permit focused retries.
+  # ---------------------------------------------------------------------------
+
+  # Set a shared job variable so all test and publish steps use one results path.
+  - pwsh: |
+      Write-Host "##vso[task.setvariable variable=ResultsDirectory]$(Build.SourcesDirectory)/TestResults"
+    displayName: Set test results directory variable
+
+  # Run the Unit Test suite.
+  - task: DotNetCoreCLI@2
+    displayName: Run Unit Tests (${{ parameters.testFramework }})
+    retryCountOnTaskFailure: 2
+    inputs:
+      command: build
+      projects: build.proj
+      arguments: >-
+        -t:RunUnitTests
+        -p:TF=${{ parameters.testFramework }}
+        -p:Configuration=Release
+        -p:ResultsDirectory=$(ResultsDirectory)
+
+  # Run the Functional Test suite.
+  - task: DotNetCoreCLI@2
+    displayName: Run Functional Tests (${{ parameters.testFramework }})
+    retryCountOnTaskFailure: 2
+    inputs:
+      command: build
+      projects: build.proj
+      arguments: >-
+        -t:RunFunctionalTests
+        -p:TF=${{ parameters.testFramework }}
+        -p:Configuration=Release
+        -p:ResultsDirectory=$(ResultsDirectory)
+
+  # Run the Manual Test suite.
+  - task: DotNetCoreCLI@2
+    displayName: Run Manual Tests (${{ parameters.testFramework }})
+    retryCountOnTaskFailure: 2
+    inputs:
+      command: build
+      projects: build.proj
+      arguments: >-
+        -t:RunManualTests
+        -p:TF=${{ parameters.testFramework }}
+        -p:Configuration=Release
+        -p:ResultsDirectory=$(ResultsDirectory)
+
+  # ---------------------------------------------------------------------------
+  # Publish results & coverage
+  # ---------------------------------------------------------------------------
+
+  # Azure Pipelines task conditions do not support path existence checks directly,
+  # so compute this once and gate later steps on the variable.
+  - pwsh: |
+      $resultsDir = "$(ResultsDirectory)"
+      if (Test-Path -LiteralPath $resultsDir) {
+        Write-Host "##vso[task.setvariable variable=HasTestResultsDir]true"
+      }
+      else {
+        Write-Host "##vso[task.setvariable variable=HasTestResultsDir]false"
+      }
+    displayName: Detect TestResults directory
+    condition: succeededOrFailed()
+
+  # Publish the TRX test results to the pipeline run.
+  - task: PublishTestResults@2
+    displayName: Publish Test Results
+    condition: and(succeededOrFailed(), eq(variables['HasTestResultsDir'], 'true'))
+    inputs:
+      testResultsFormat: VSTest
+      # build.proj defaults ResultsDirectory to 'TestResults' (relative to the source root).
+      # We override it to an absolute path in the test steps above.
+      testResultsFiles: $(ResultsDirectory)/**/*.trx
+      mergeTestResults: true
+      testRunTitle: ${{ parameters.testRunTitle }}
+      buildConfiguration: Release
+
+  # Give our coverage files a unique name to make it clear where they originated when we download
+  # the artifacts from all jobs in the merge stage.
+  - pwsh: |
+      cd $(ResultsDirectory)
+      Get-ChildItem -Filter "*.coverage" -Recurse |
+        Rename-Item -NewName { "${{ parameters.testFramework }}" + $_.Name }
+    displayName: Rename coverage files
+    condition: and(succeededOrFailed(), eq(variables['HasTestResultsDir'], 'true'))
+
+  # Publish TRX test results and coverage files as pipeline artifacts.  The merge stage needs the
+  # coverage files from all of the jobs.
+  - task: PublishPipelineArtifact@1
+    displayName: Publish Test Artifacts
+    condition: and(succeededOrFailed(), eq(variables['HasTestResultsDir'], 'true'))
+    inputs:
+      targetPath: $(ResultsDirectory)
+      artifact: ${{ parameters.artifactName }}

eng/pipelines/kerberos/linux-cleanup-step.yml

@@ -0,0 +1,45 @@
+#################################################################################
+# Licensed to the .NET Foundation under one or more agreements.                 #
+# The .NET Foundation licenses this file to you under the MIT license.          #
+# See the LICENSE file in the project root for more information.                #
+#################################################################################
+
+# This template leaves the Active Directory domain and destroys Kerberos
+# credentials.  It should be referenced at the end of any job that called
+# linux-init-step.yml.
+#
+# All steps use condition: always() so that cleanup runs even when previous
+# steps fail.
+
+parameters:
+
+  # The Active Directory domain to leave (e.g. mydomain.contoso.com).
+  - name: kerberosDomain
+    type: string
+
+  # The domain user account used during the join.
+  - name: kerberosDomainUser
+    type: string
+
+  # The password for the domain user account.
+  - name: kerberosDomainPassword
+    type: string
+
+steps:
+
+  - bash: |
+      set -uo pipefail
+
+      DOMAIN="${{ parameters.kerberosDomain }}"
+      DOMAIN_USER="${{ parameters.kerberosDomainUser }}"
+      DOMAIN_PASSWORD="${{ parameters.kerberosDomainPassword }}"
+      DOMAIN_UPPER=$(echo "$DOMAIN" | tr '[:lower:]' '[:upper:]')
+
+      # Leave the domain
+      echo "$DOMAIN_PASSWORD" | sudo realm leave "$DOMAIN_UPPER" --verbose \
+        -U "$DOMAIN_USER@$DOMAIN_UPPER" || true
+
+      # Destroy the TGT and credential cache
+      kdestroy || true
+    displayName: Clean up Kerberos (domain leave + kdestroy)
+    condition: always()

eng/pipelines/kerberos/linux-init-step.yml

@@ -0,0 +1,117 @@
+#################################################################################
+# Licensed to the .NET Foundation under one or more agreements.                 #
+# The .NET Foundation licenses this file to you under the MIT license.          #
+# See the LICENSE file in the project root for more information.                #
+#################################################################################
+
+# This template joins a Linux agent to an Active Directory domain using Kerberos
+# and acquires a TGT (Ticket-Granting Ticket) for the specified domain user.
+#
+# Prerequisites:
+#   - The agent must be running on Ubuntu/Debian (uses apt-get).
+#   - The domain controller must be reachable from the agent network.
+#
+# After this step completes successfully, the agent will have:
+#   - Kerberos packages installed (krb5-user, realmd, sssd, adcli, etc.)
+#   - Hostname set to FQDN within the domain
+#   - NTP synchronized with the domain controller
+#   - Machine joined to the AD domain
+#   - A valid Kerberos TGT for the specified user
+
+parameters:
+
+  # The Active Directory domain to join (e.g. mydomain.contoso.com).
+  - name: kerberosDomain
+    type: string
+
+  # The Organizational Unit in which to place the computer account.
+  - name: kerberosDomainOU
+    type: string
+
+  # The domain user account to authenticate with (sAMAccountName, without @realm).
+  - name: kerberosDomainUser
+    type: string
+
+  # The password for the domain user account.
+  - name: kerberosDomainPassword
+    type: string
+
+steps:
+
+  - bash: |
+      set -euo pipefail
+
+      DOMAIN="${{ parameters.kerberosDomain }}"
+      DOMAIN_OU="${{ parameters.kerberosDomainOU }}"
+      DOMAIN_USER="${{ parameters.kerberosDomainUser }}"
+      DOMAIN_PASSWORD="${{ parameters.kerberosDomainPassword }}"
+      DOMAIN_UPPER=$(echo "$DOMAIN" | tr '[:lower:]' '[:upper:]')
+
+      echo "Domain:   $DOMAIN"
+      echo "Realm:    $DOMAIN_UPPER"
+      echo "User:     $DOMAIN_USER"
+      echo "OU:       $DOMAIN_OU"
+
+      if [ -z "$DOMAIN_PASSWORD" ]; then
+        echo "##vso[task.logissue type=error]KerberosDomainPassword is empty"
+        exit 1
+      fi
+
+      # -----------------------------------------------------------------------
+      # Install Kerberos and AD integration packages
+      # -----------------------------------------------------------------------
+      echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections
+
+      sudo apt-get -y update
+      sudo apt-get install -y dialog apt-utils
+      sudo apt-get install -y \
+        krb5-user samba sssd sssd-tools libnss-sss libpam-sss \
+        ntp ntpdate realmd adcli
+
+      # -----------------------------------------------------------------------
+      # Set the hostname to FQDN within the domain
+      # -----------------------------------------------------------------------
+      CURRENT_HOSTNAME="$(hostname)"
+      if [ "$CURRENT_HOSTNAME" = "$DOMAIN" ] || [[ "$CURRENT_HOSTNAME" == *".$DOMAIN" ]]; then
+        echo "Hostname already uses domain suffix '.$DOMAIN': $CURRENT_HOSTNAME"
+      else
+        sudo hostnamectl set-hostname "$CURRENT_HOSTNAME.$DOMAIN"
+      fi
+
+      # -----------------------------------------------------------------------
+      # Synchronize time with the domain controller (required for Kerberos)
+      # -----------------------------------------------------------------------
+      if ! sudo grep -Fqx "server $DOMAIN" /etc/ntp.conf; then
+        echo "server $DOMAIN" | sudo tee -a /etc/ntp.conf
+      fi
+      sudo systemctl stop ntp
+      sudo ntpdate "$DOMAIN"
+      sudo systemctl start ntp
+
+      # -----------------------------------------------------------------------
+      # Configure Kerberos realm
+      # -----------------------------------------------------------------------
+      echo "[libdefaults]
+              default_realm = $DOMAIN_UPPER
+              rdns = false" | sudo tee /etc/krb5.conf
+
+      # -----------------------------------------------------------------------
+      # Discover and join the domain
+      # -----------------------------------------------------------------------
+      sudo realm discover "$DOMAIN_UPPER"
+
+      echo "$DOMAIN_PASSWORD" | sudo realm join --verbose "$DOMAIN_UPPER" \
+        -U "$DOMAIN_USER@$DOMAIN_UPPER" \
+        --computer-ou "OU=$DOMAIN_OU"
+
+      realm list
+
+      # -----------------------------------------------------------------------
+      # Acquire a Kerberos TGT
+      # -----------------------------------------------------------------------
+      echo "$DOMAIN_PASSWORD" | kinit "$DOMAIN_USER@$DOMAIN_UPPER"
+
+      klist
+      sudo ip addr
+      sudo ip route
+    displayName: Initialize Kerberos (domain join + kinit)