It turned out, that pushing all warning to GitLab resulted in being too
noisy. There were more than 30 issues opened in no time, often
duplicates, due to how GitLab maps or rather doesn't map alerts in the
free version.

This reverts commit de6e02d9.

This patch enables the delivery of alerts with the severity warning to
GitLab, which allows to handle the issues without causing alert fatique.

This patch replaces the third-party integration with the GitLab Native
integration for alertmanager alerts using webhooks.

This should play nicer with Alertmanager and GitLab and also resolve
issues, when the alert is marked as resolved or silenced.

References:
https://docs.gitlab.com/ee/operations/incident_management/integrations.html#add-integration-credentials-to-prometheus-alertmanager

After some testing and fiddling around, I don't think it's worth the
hassle. Not only was ingress-nginx much less stable since integrating
the crowdsec bouncer plugin, but also just providing some questionable
log parsers etc, mainly focusing on bruteforce attacks for passwords,
which is useless when everything goes to SSO anyway.

Finally there were some other technical faux pas, like hardcoded
passwords on the integrated dashboard (which is also mostly useless),
expired GPG keys on the Fedora repository and finally a lack of bouncer
modules on current Fedora releases, depsite the docs claiming otherwise.
And given the issues date back to march, it doesn't seem to be a
something that will be resolved any time soon.

I guess my biggest critique is that the whole "fail2ban of the modern
area" limits itself to IP addresses only. No additional metadata to
block or mitigate attacks or identify attackers. Relying on IP addresses
only in 2023 is not on time. The whole being distributed with the lapi
server, is nice, but not enough to make this acceptable.

This patch adds a haproxy deployment to the cluster, which allows to
mimic the haproxy setup outside the cluster. Making sure that traffic is
automatically redirected and works around the limitations of ingress
nginx, of limiting proxy protocol to a boolean for either all traffic or
for none.

Currently the fix for various DoS attack turned out to be an own DoS
attack since it removed the default scopes from the keycloak provider.

Currently the fix for various DoS attack turned out to be an own DoS
attack since it removed the default scopes from the keycloak provider.