This patch adjusts the keycloak helm chart to use the upstream
recommended paths for exposing keycloak. It also adjusts the current
deployment to utilise a dedicated, further restricted admin interface.

BREAKING CHANGE: This commit will remove the exposure of the admin
interface as well as other exposed URLs.

References:
https://www.keycloak.org/server/reverseproxy#_exposed_path_recommendations

This patch upgrades keycloak to 20.0.0 and implements the new
adminHostname feature by adding the required variables and a separate
ingress object, which can be utilised for the admin URL and restrict it
independent of the regular frontend.

When using infinispan the app startup is a bit slower. As a result,
it'll might cause a termination of the keycloak instance before it's
fully in sync and therefore breaks HA. This patch introduces a startup
probe that resolves this issue by waiting for a successful startup
before the livenessprobe kicks in and might terminates the pod at any
point when it's actually failing again.

References:
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes

This patch enables an PDB for the keycloak instance, if the deployment
is scaled to more than 1 replica.

This patch fixes the forgotten defaults for the networkPolicy feature.

This patch provides a network policy for infinispan that will allow
communication among keycloak pods to the inifispan ping port. This
should provide a first layer of firewall protection for the inifspan
protocol.

This patch adds the infinispan cache configuration for keycloak to allow
proper HA deployment with all caching goodies.

Turns out it's important to add the ping port (7800) to the headless
service in order to run the inifispan setup for kubernetes.

This was pieced together by some nice community posts, see:
https://gist.github.com/pedroigor/e1476a41b544d15c1bd59155aad4f6ad
https://github.com/keycloak/keycloak/issues/9644#issuecomment-1016850466
https://github.com/keycloak/keycloak/discussions/10125

Further the strategy Recreate was removed since it's not needed and the
inifispan will allow to always keep one keycloak instance around.

It's the clusterIP field, not the type field, that has to be set to
`None`.

References:
https://kubernetes.io/docs/concepts/services-networking/service/#headless-services

This should allow to run Keycloak in HA mode. This is done by deploying
an additional headless service, providing its dns name to the keycloak
container and explicitly configuring keycloak to use kubernetes
discovery for cache-stack discovery.