- Sep 25, 2022
-
-
Sheogorath authored
-
Sheogorath authored
This patch introduces the CI integration for helm-unittest, a nice helm plugin, which allows running automatic tests on helm charts and validating the YAML based on individual settings with clear reports in gitlab.
-
Sheogorath authored
-
Sheogorath authored
This patch replaces the individual helm chart gitlab-ci yamls with a common gitlab-ci yaml for all charts, that will trigger based on changes and allow more generalised and unified CI jobs for all charts.
-
Sheogorath authored
-
Sheogorath authored
This patch enables a PDB for the keycloak instance, if the deployment is scaled to more than 1 replica.
-
Sheogorath authored
This patch fixes the forgotten defaults for the networkPolicy feature.
-
Sheogorath authored
This patch provides a network policy for infinispan that will allow communication among keycloak pods to the infinispan ping port. This should provide a first layer of firewall protection for the infinispan protocol.
-
Sheogorath authored
This patch adds the infinispan cache configuration for keycloak to allow proper HA deployment with all caching goodies. Turns out it's important to add the ping port (7800) to the headless service in order to run the infinispan setup for kubernetes. This was pieced together by some nice community posts, see: https://gist.github.com/pedroigor/e1476a41b544d15c1bd59155aad4f6ad https://github.com/keycloak/keycloak/issues/9644#issuecomment-1016850466 https://github.com/keycloak/keycloak/discussions/10125 Further, the strategy Recreate was removed since it's not needed and infinispan will allow always keeping one keycloak instance around.
-
Sheogorath authored
-
Sheogorath authored
It's the clusterIP field, not the type field, that has to be set to `None`. References: https://kubernetes.io/docs/concepts/services-networking/service/#headless-services
-
Sheogorath authored
This should allow running Keycloak in HA mode. This is done by deploying an additional headless service, providing its dns name to the keycloak container and explicitly configuring keycloak to use kubernetes discovery for cache-stack discovery.
-
Sheogorath authored
Currently there is an issue, that the kube-apiserver can't reach the metallb admission webhook, which results in the inability to sync any metallb objects. The reason why this doesn't work is not completely understood yet. It uses an IP address from the Pod CIDR (10.1.0.0/16) which is blocked by the network policies. No single pod has this IP address according to `kubectl get pods --all-namespaces -o wide`, which displays the Pods along with their IP addresses. This makes sense, given that the kube-apiserver is a host/node Pod, which is directly defined in the kubelet configuration of the control-plane node, which also runs in the host network. As a result the pod has no regular Pod IP from the Pod IP address space. For debugging, I used a calico log rule, which is based on the calico network policies. Reference: https://projectcalico.docs.tigera.io/archive/v3.23/security/calico-network-policy#generate-logs-for-specific-traffic
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
This patch allows setting the `HOSTNAME` variable, which should explicitly set the hostname for the postfix pod and configure it to use the proper external DNS name.
-
Sheogorath authored
This patch adjusts the postscreen settings regarding dnsbls and the like to hopefully speed up the processing time of emails and make the place more inviting for wanted e-mails.
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
- Sep 24, 2022
-
-
Sheogorath authored
-
Sheogorath authored
This patch configures the git-chglog tool to generate the release notes for newer releases. This is a first step in pushing the tooling around the repositories further and providing a better overview over the changes in the repository.
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
DNSWL went subscriber-only apparently. References: https://www.dnswl.org/
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
This patch is a workaround for gitlab jobs that merge themselves by accident. It should be further refined, similar to the images setup to have a more generalised pipeline in the future.
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
-
Sheogorath authored
This patch provides a first version of a gitlab-runner dashboard. This should provide a basic insight into gitlab-runners and allow monitoring their status if needed. References: https://grafana.com/grafana/dashboards/14016-gitlab-runner-metrics/
-
Sheogorath authored
This patch adjusts the labels used by the monitoring network policy. This is needed because the current definition uses the wrong labels. The new labels are directly read from the existing pods, so they should definitely match.
-
Sheogorath authored
-