feat(keycloak): add Flatcar bootstrap spike#34

Closed
jmgilman wants to merge 1 commit into session-044/keycloak-token-broker from session-044/flatcar-keycloak-spike

Conversation

@jmgilman
Contributor

Summary

  • add isolated aws/keycloak-flatcar-spike OpenTofu root for a temporary Flatcar EC2 sidecar
  • grant the spike role only SSM managed instance, broker invoke, and KMS decrypt scoped to Repo=GilmanLab/secrets / Scope=keycloak
  • bootstrap through raw Ignition and the pinned labctl 0.2.0 image digest

Live validation

  • verified current Flatcar stable arm64 AMI ami-0ce605082061bbb10 is Flatcar-stable-4593.2.0-arm64-hvm
  • verified labctl image attestation for ghcr.io/gilmanlab/platform/labctl@sha256:4638b36a168df88d4206d5ff23aed62a6d8459ba7a2481c0b7c65c696445c1ec
  • merged GilmanLab/secrets#12 so GitHub Contents fetch can read services/keycloak/bootstrap.sops.yaml from master
  • applied temporary stack in us-west-2; current instance is i-0cdacc2361dde4f14
  • EC2 status checks passed and SSM reports Flatcar Container Linux 4593.2.0
  • glab-keycloak-bootstrap.service active
  • /run/glab/keycloak/stack.env regenerated after reboot with mode 600 and expected keys only
  • journal scan compared password values internally and found no secret values in the service journal
  • final tofu plan -detailed-exitcode returned no changes

Notes

  • Flatcar stable arm64 cannot launch with an 8 GiB root volume because the current AMI snapshot requires a larger root disk. The spike uses a 16 GiB encrypted gp3 root volume matching the AMI block mapping.
  • This PR is stacked on feat(keycloak): deploy token broker from reusable module #32 / session-044/keycloak-token-broker.
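
The three post-reboot checks the validation list above describes (env file mode 600, expected keys only, no secret values in the unit journal) as a stand-alone script. This is an added example and is not code from the PR or from the GilmanLab repositories. Only the path /run/glab/keycloak/stack.env and the unit name glab-keycloak-bootstrap.service come from the PR; the key names KC_DB_PASSWORD and KC_BOOTSTRAP_ADMIN_PASSWORD, the fixture file contents and the journal excerpts are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Post-bootstrap verification for a Flatcar sidecar that renders a secret
# env file and logs through a systemd unit. Added example, not PR code.
# Linux (GNU stat) is assumed, with a BSD stat fallback for portability.

# Assumption: the PR only says "expected keys only"; these two names are
# placeholders for whatever the bootstrap unit is actually meant to write.
EXPECTED_KEYS="KC_DB_PASSWORD KC_BOOTSTRAP_ADMIN_PASSWORD"

# Check 1: the env file is readable and writable by its owner only (mode 600).
check_mode() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  [ "$mode" = "600" ]
}

# Check 2: every KEY=value line uses an expected key, and each expected key
# appears exactly once (catches both stray extra keys and missing ones).
check_keys() {
  file=$1
  while IFS='=' read -r key rest; do
    case "$key" in ''|'#'*) continue ;; esac   # skip blank and comment lines
    case " $EXPECTED_KEYS " in
      *" $key "*) ;;
      *) return 1 ;;                            # unexpected key present
    esac
  done < "$file"
  for k in $EXPECTED_KEYS; do
    [ "$(grep -c -- "^$k=" "$file")" = "1" ] || return 1
  done
  return 0
}

# Check 3: no secret *value* from the env file appears in the journal text.
# Key names may legitimately be logged; values must never be, so the scan
# compares values rather than grepping for variable names.
check_journal() {
  file=$1; journal=$2
  while IFS='=' read -r key value; do
    [ -n "$value" ] || continue
    grep -qF -- "$value" "$journal" && return 1   # value leaked into the log
  done < "$file"
  return 0
}

# Constructed fixtures (not real secrets or real journal output) so the
# checks can be exercised offline; prints the directory they live in.
make_fixtures() {
  dir=$(mktemp -d)
  printf 'KC_DB_PASSWORD=s3cret-db-pw\nKC_BOOTSTRAP_ADMIN_PASSWORD=adm1n-pw\n' > "$dir/stack.env"
  chmod 600 "$dir/stack.env"
  # Env file carrying a key the unit should never write.
  printf 'KC_DB_PASSWORD=x\nKC_BOOTSTRAP_ADMIN_PASSWORD=y\nDEBUG_TOKEN=z\n' > "$dir/stack-extra.env"
  chmod 600 "$dir/stack-extra.env"
  # Clean journal: names a key but never echoes its value.
  printf 'Starting glab-keycloak-bootstrap.service\nwrote KC_DB_PASSWORD to stack.env\n' > "$dir/journal-clean.txt"
  # Leaky journal: a debug line echoed the decrypted value.
  printf 'Starting glab-keycloak-bootstrap.service\ndebug: KC_DB_PASSWORD=s3cret-db-pw\n' > "$dir/journal-leak.txt"
  echo "$dir"
}

# Runs all three checks against one env file and one journal capture.
# Returns 0 and prints "ok" only when every check passes, so it can gate
# an SSM run or a CI step.
verify_bootstrap() {
  check_mode "$1"         || { echo "FAIL: $1 is not mode 600"; return 1; }
  check_keys "$1"         || { echo "FAIL: $1 has unexpected or missing keys"; return 1; }
  check_journal "$1" "$2" || { echo "FAIL: secret value found in journal"; return 1; }
  echo "ok"
}

# Stand-alone demo against the constructed fixtures:
#   d=$(make_fixtures); verify_bootstrap "$d/stack.env" "$d/journal-clean.txt"
```

On the instance itself, capture the unit journal with `journalctl -u glab-keycloak-bootstrap.service -o cat --no-pager > /tmp/journal.txt` and point `verify_bootstrap` at `/run/glab/keycloak/stack.env` and that capture. Comparing values rather than key names mirrors the PR's own description of the journal scan and keeps the check from flagging ordinary log lines that merely mention the variable.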

@jmgilman
Contributor Author

Closing as superseded. The verified spike stack has been destroyed, and the permanent Flatcar implementation is moving into aws/keycloak on a new branch stacked on #32.

@jmgilman jmgilman closed this Apr 30, 2026
@jmgilman jmgilman deleted the session-044/flatcar-keycloak-spike branch April 30, 2026 18:43