This patch upgrades keycloak to 20.0.0 and implements the new
adminHostname feature by adding the required variables and a separate
ingress object, which can be utilised for the admin URL and restrict it
independent of the regular frontend.

This patch configures renovate to allow manual addition of a comment
that specifies the image which a helm chart deploys. Should make sure
that no image updates are missed.

This patch adds a new snapshot test that should cover most resources of
the helm chart, instead of just the basic ones, it also renames the
existing job to properly represent what it compares to. This will also
allow to better monitor some of the more complex resources that are
deployed by the chart.

This patch should simply check all resources created by the chart to
contain the recommended Kubernetes labels to be properly identified as
part of the helm chart.

References:
https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/

When using infinispan the app startup is a bit slower. As a result,
it'll might cause a termination of the keycloak instance before it's
fully in sync and therefore breaks HA. This patch introduces a startup
probe that resolves this issue by waiting for a successful startup
before the livenessprobe kicks in and might terminates the pod at any
point when it's actually failing again.

References:
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes

This patch replaces the individual helm chart gitlab-ci yamls with a
common gitlab-ci yaml for all charts, that will trigger based on changes
and allow more generalised and unified CI jobs for all charts.

This patch enables an PDB for the keycloak instance, if the deployment
is scaled to more than 1 replica.

This patch fixes the forgotten defaults for the networkPolicy feature.

This patch provides a network policy for infinispan that will allow
communication among keycloak pods to the inifispan ping port. This
should provide a first layer of firewall protection for the inifspan
protocol.

This patch adds the infinispan cache configuration for keycloak to allow
proper HA deployment with all caching goodies.

Turns out it's important to add the ping port (7800) to the headless
service in order to run the inifispan setup for kubernetes.

This was pieced together by some nice community posts, see:
https://gist.github.com/pedroigor/e1476a41b544d15c1bd59155aad4f6ad
https://github.com/keycloak/keycloak/issues/9644#issuecomment-1016850466
https://github.com/keycloak/keycloak/discussions/10125

Further the strategy Recreate was removed since it's not needed and the
inifispan will allow to always keep one keycloak instance around.

It's the clusterIP field, not the type field, that has to be set to
`None`.

References:
https://kubernetes.io/docs/concepts/services-networking/service/#headless-services

This should allow to run Keycloak in HA mode. This is done by deploying
an additional headless service, providing its dns name to the keycloak
container and explicitly configuring keycloak to use kubernetes
discovery for cache-stack discovery.

This patch is a workaround for gitlab jobs that merge themselves by
accident. it should be further refined, similar to the images setup to
have a more generalised pipeline in the future.