- Sep 26, 2022
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
This patch simply adjusts the proxy buffer, since nginx complained.
-
Sheogorath authored
-
Sheogorath authored
This patch removes the needs relation since it requires all `parallel` jobs to be executed before continuing, which breaks when only one helm chart is linted. Error message: 'chart-package: [keycloak]' job needs 'chart-helm-unittest: [mok]' job, but 'chart-helm-unittest: [mok]' is not in any previous stage
-
Sheogorath authored
-
Sheogorath authored
When using infinispan the app startup is a bit slower. As a result, it might cause a termination of the keycloak instance before it's fully in sync and therefore breaks HA. This patch introduces a startup probe that resolves this issue by waiting for a successful startup before the livenessprobe kicks in and might terminate the pod at any point when it's actually failing again. References: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
- Sep 25, 2022
-
Sheogorath authored
Currently gitlab-ci doesn't allow variables in `exists` rules, which means the condition below can't be used. This is fixed by moving the condition into the script and just exiting successfully if the tests don't exist. Further it adds a requirement for the chart-package job to wait for the chart-helm-unittest job(s) before, this should help to prevent the release of broken charts. Finally we namespace the junit files generated during the tests, since they would overwrite each other if multiple helm charts ran the CI jobs at the same time. References: https://docs.gitlab.com/ee/ci/yaml/#needs https://docs.gitlab.com/ee/ci/yaml/#rulesexists
-
Sheogorath authored
This patch reorders CI steps and adjusts some names. It also adjusts the exists rule, which doesn't seem to trigger as expected.
-
Sheogorath authored
-
Sheogorath authored
This patch updates the keycloak replica count to 2 and deploys a pod anti-affinity which will spread out pods to different nodes.
-
Sheogorath authored
-
Sheogorath authored
This patch introduces the CI integration for helm-unittest, a nice helm plugin, which allows running automatic tests on helm charts and validating the YAML based on individual settings with clear reports in gitlab.
-
Sheogorath authored
-
Sheogorath authored
This patch replaces the individual helm chart gitlab-ci yamls with a common gitlab-ci yaml for all charts, that will trigger based on changes and allow more generalised and unified CI jobs for all charts.
-
Sheogorath authored
-
Sheogorath authored
This patch enables a PDB for the keycloak instance, if the deployment is scaled to more than 1 replica.
-
Sheogorath authored
This patch fixes the forgotten defaults for the networkPolicy feature.
-
Sheogorath authored
This patch provides a network policy for infinispan that will allow communication among keycloak pods to the infinispan ping port. This should provide a first layer of firewall protection for the infinispan protocol.
-
Sheogorath authored
This patch adds the infinispan cache configuration for keycloak to allow proper HA deployment with all caching goodies. Turns out it's important to add the ping port (7800) to the headless service in order to run the infinispan setup for kubernetes. This was pieced together by some nice community posts, see: https://gist.github.com/pedroigor/e1476a41b544d15c1bd59155aad4f6ad https://github.com/keycloak/keycloak/issues/9644#issuecomment-1016850466 https://github.com/keycloak/keycloak/discussions/10125 Further the strategy Recreate was removed since it's not needed and infinispan will allow always keeping one keycloak instance around.
-
Sheogorath authored
-
Sheogorath authored
It's the clusterIP field, not the type field, that has to be set to `None`. References: https://kubernetes.io/docs/concepts/services-networking/service/#headless-services
-
Sheogorath authored
This should allow running Keycloak in HA mode. This is done by deploying an additional headless service, providing its DNS name to the keycloak container and explicitly configuring keycloak to use kubernetes discovery for cache-stack discovery.
-
Sheogorath authored
Currently there is an issue that the kube-apiserver can't reach the metallb admission webhook, which results in the inability to sync any metallb objects. The reason why this doesn't work is not completely understood yet. It uses an IP address from the Pod CIDR (10.1.0.0/16) which is blocked by the network policies. No single pod has this IP address according to `kubectl get pods --all-namespaces -o wide`, which displays the Pods along with their IP addresses. This makes sense, given that the kube-apiserver is a host/node Pod, which is directly defined in the kubelet configuration of the control-plane node, which also runs in the host network. As a result the pod has no regular Pod IP from the Pod IP address space. For debugging, I used a calico log rule, which is based on the calico network policies. Reference: https://projectcalico.docs.tigera.io/archive/v3.23/security/calico-network-policy#generate-logs-for-specific-traffic
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
This patch allows setting the `HOSTNAME` variable, which should explicitly set the hostname for the postfix pod and configure it to use the proper external DNS name.
-
Sheogorath authored
This patch adjusts the postscreen settings regarding dnsbls and the like to hopefully speed up the processing time of emails and make the place more inviting for wanted e-mails.
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
- Sep 24, 2022
-
Sheogorath authored
-
Sheogorath authored
This patch configures the git-chglog tool to generate the release notes for newer releases. This is a first step in pushing the tooling around the repositories further and providing a better overview over the changes in the repository.
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
DNSWL went subscriber-only apparently. References: https://www.dnswl.org/
-
Sheogorath authored
-
Sheogorath authored