fix: align Keeper TLS verification with ClickHouse settings

[loomts]

Follow-up to #1312.

This fixes Keeper TLS verification to match ClickHouse openSSL/client settings more closely.
Previously the Keeper TLS code effectively collapsed verification into one skipVerify flag. That is not quite right: extendedVerification=false should skip hostname verification, but should still keep certificate chain verification enabled.

This PR:

• parses Keeper TLS verification settings more explicitly
• uses the configured Keeper host as TLS ServerName
• updates the integration Keeper TLS fixture
• adds unit tests and a TestKeeperTLS integration check for the expected behavior

Tested locally:

go test ./pkg/...
KEEPER_TLS_ENABLED=1 RUN_TESTS='^TestKeeperTLS$' ./test/integration/run.sh

TestKeeperTLS passed with ClickHouse 26.3 and KEEPER_TLS_ENABLED=1.

[coveralls]

Coverage Report for CI Build 25507910574

Warning

Build has drifted: This PR's base is out of sync with its target branch, so coverage data may include unrelated changes.
Quick fix: rebase this PR. Learn more →

Coverage at 66.807% (no base build to compare)

Details

• Coverage remained the same as the base build.
• Patch coverage: 45 uncovered changes across 1 file (174 of 219 lines covered, 79.45%).
• No coverage regressions found.

Uncovered Changes

File	Changed	Covered	%
pkg/keeper/keeper.go	219	174	79.45%

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	18100
Covered Lines:	12092
Line Coverage:	66.81%
Coverage Strength:	31752.24 hits per line

---

💛 - Coveralls