- Feb 04, 2022
-
-
Sheogorath authored
Since kube-system is a bit delicate when it comes to blocking, this initial network policy tries to not block anything in order to keep everything working. This might be the solution to the globalnetworkpolicy issue.
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
This patch should provide some basic network policies for the metallb namespace helping to restrict access to services running inside.
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
This patch adds wiretrustee to the cluster, allowing to access it from everywhere through a P2P VPN network based on wireguard. References: https://github.com/wiretrustee/wiretrustee
-
Sheogorath authored
This patch adds a new service-account that is used by flux to deploy harbor to the namespace. This reduces the risk if the helm chart contains any malicious objects to be contained in the namespace.
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
This patch installs a systemd unit that will disable CPU overclocking 5 minutes after start of the system. The idea is to keep systems more quiet and stable from a temperature perspective.
-
- Feb 03, 2022
-
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
chore(deps): update helm release oauth2-proxy to v5.1.0 See merge request !24
-
Botaniker (Bot) authored
-
Botaniker (Bot) authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
This patch adds a broader networkpolicy for system-upgrades namespace, which should ensure network access within the namespace.
-
Sheogorath authored
This patch provides a temporary, broad network policy to make sure harbor stays functional
-
Sheogorath authored
It's the 3rd update of kyverno and each time, things break in minor version. This is no modus operandi for this setup. Things are supposed to be stable and solid to work with. Kyverno is too unstable for this use-case. This time the installation of the pods failed due to wrong deployment names. This is nothing we change or adjust. Further the removal doesn't have any major impact on the platform, since network policies are already deployed via gitops from the `shared/` directory. BREAKING CHANGE: Removing kyverno and related CRDs/APIs.
-
Sheogorath authored
This patch adjusts the retention to be either 15 days or 15GB of storage, which should help to keep data growth under control. It might be an idea to provide a more longterm metrics storage later on for a selected subset. The patch also adjusts the pvc size once more to account for the size settings and makes sure there are 2 GiB of additional headspace. References: https://prometheus.io/docs/prometheus/latest/storage/#operational-aspects
-
Sheogorath authored
By default longhorn deploys with 12% cpu allocated node, that's quite a lot and takes up 1/3 of the current cluster's CPU. Given how little of the requested CPU is actually used, this patch reduces the CPU allocation from 12% to 2%. IMPORTANT: You should not apply this patch while any of your volumes are still attached. Therefore scale down all deployments that use volumes, update the setting, then scale up again. References: https://longhorn.io/docs/1.2.3/references/settings/#guaranteed-engine-manager-cpu https://longhorn.io/docs/1.2.3/references/settings/#guaranteed-replica-manager-cpu
-
- Feb 02, 2022
-
-
Sheogorath authored
-
Sheogorath authored
This patch finally fixes the issue of a successful oauth2-proxy login failing directly afterwards due to some issues with the cookie. This patch enabled "minimal session cookies" and by that resolved the issue. References: https://github.com/oauth2-proxy/oauth2-proxy/issues/941#issuecomment-747108519
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
This patch allows network requests from the ingress namespace(s) by adding our shared network policy.
-
Sheogorath authored
-
Sheogorath authored
Apparently the helm chart and the oauth2-proxy documentation are not consistent. References: https://artifacthub.io/packages/helm/oauth2-proxy/oauth2-proxy
-
Sheogorath authored
The proxy secret wasn't generated properly, it has to be base64 encoded. Therefore the following command is recommended:

```shell
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 | base64
```

References: https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#generating-a-cookie-secret
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
This patch introduces calver releases to the repository, this is just to document progress and helps to navigate the changes in the future.
-