
add admin role mapping and internal IdP URL override #55

Open
vmelikyan wants to merge 1 commit into main from admin-role-mapping-and-internal-url

@vmelikyan
Contributor

  • New internalIdp.mapAdminRole flag (default false) — opt-in end-to-end admin role propagation:
    • Defines a realm admin role on the internal realm
    • Grants it to the bootstrap user
    • Adds a realm-role protocol mapper to the internal-sso client so realm_access.roles is emitted in ID/access/userinfo tokens
    • Adds an oidc-role-idp-mapper ("Admin Role Mapper", syncMode: FORCE) so an admin claim from the upstream company SSO maps into the local admin role
  • New internalIdp.internalUrl value (default "") — lets service-to-service endpoints (tokenUrl / jwksUrl in both internal and lifecycle realms) resolve to a cluster-internal address while public-facing URLs stay on hostname. Falls back to hostname when unset, so existing deployments are unaffected.
  • Bug fix: malformed YAML key — resetPasswordAllowed": false had a stray quote, corrupting the realm spec key. Now resetPasswordAllowed: false.
  • Chart version bump 0.7.3 → 0.7.4.
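
A check one could run over the rendered realm to confirm the wiring listed in this description, as an added example that is not part of the pull request or the chart. It assumes the rendered realm follows Keycloak's realm representation JSON; the upstream claim name and value (`groups`, `admins`) are made-up placeholders.

```python
# Added example, not the chart's code; claim name/value below are assumptions.
TOKEN_FLAGS = ("id.token.claim", "access.token.claim", "userinfo.token.claim")

def stray_quote_keys(node, path=""):
    """Return paths of mapping keys that contain a quote character."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if '"' in key or "'" in key:
                found.append(f"{path}/{key}")
            found += stray_quote_keys(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found += stray_quote_keys(item, f"{path}[{i}]")
    return found

def audit_admin_mapping(realm, client_id="internal-sso", role="admin"):
    """List deviations from the admin-role wiring the PR describes."""
    findings = [f"stray quote in key {p}" for p in stray_quote_keys(realm)]
    if role not in {r.get("name") for r in realm.get("roles", {}).get("realm", [])}:
        findings.append(f"realm role {role} not defined")
    client = next((c for c in realm.get("clients", []) if c.get("clientId") == client_id), {})
    cfg = next((m.get("config", {}) for m in client.get("protocolMappers", [])
                if m.get("protocolMapper") == "oidc-usermodel-realm-role-mapper"), None)
    if cfg is None:
        findings.append(f"{client_id}: no realm-role protocol mapper")
    else:
        if cfg.get("claim.name") != "realm_access.roles":
            findings.append(f"{client_id}: roles not emitted as realm_access.roles")
        findings += [f"{client_id}: {k} is not true" for k in TOKEN_FLAGS if cfg.get(k) != "true"]
    idp = [m.get("config", {}) for m in realm.get("identityProviderMappers", [])
           if m.get("identityProviderMapper") == "oidc-role-idp-mapper"
           and m.get("config", {}).get("role") == role]
    if not idp:
        findings.append(f"no oidc-role-idp-mapper targets {role}")
    findings += [f"idp mapper syncMode is {c.get('syncMode')}, expected FORCE"
                 for c in idp if c.get("syncMode") != "FORCE"]
    return findings

# Constructed sample realm with the wiring in place (illustrative values only).
GOOD_REALM = {
    "resetPasswordAllowed": False, "roles": {"realm": [{"name": "admin"}]},
    "clients": [{"clientId": "internal-sso", "protocolMappers": [{
        "protocolMapper": "oidc-usermodel-realm-role-mapper",
        "config": {"claim.name": "realm_access.roles", **dict.fromkeys(TOKEN_FLAGS, "true")}}]}],
    "identityProviderMappers": [{
        "identityProviderMapper": "oidc-role-idp-mapper",
        "config": {"syncMode": "FORCE", "claim": "groups", "claim.value": "admins", "role": "admin"}}],
}
```

An empty findings list means the realm role, the token mapper and the IdP mapper all agree on the same role name; a key such as `resetPasswordAllowed"` is reported with its path.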
