feat(keycloak): run Keycloak on Flatcar

[jmgilman]

Summary

• replaces the AL2023 + SSM association Keycloak host with Flatcar Container Linux and raw Ignition
• boots Postgres, Keycloak, and Traefik as systemd-managed docker run units
• fetches services/keycloak/bootstrap.sops.yaml through the v2.0.0 GitHub token broker using pinned labctl:0.2.0
• adds an encrypted gp3 data volume at /var/lib/keycloak and keeps plaintext bootstrap material only in /run/glab/keycloak
• removes the old instance-role SSM bootstrap parameter policy and adds scoped SOPS KMS decrypt

Supersedes #35 after #32 was squash-merged and the stacked base branch was deleted.

Live validation

• destroyed aws/keycloak-flatcar-spike and closed feat(keycloak): add Flatcar bootstrap spike #34 as superseded
• rotated the permanent bootstrap secret in GilmanLab/secrets#13
• verified labctl OCI attestation for ghcr.io/gilmanlab/platform/labctl@sha256:4638b36a168df88d4206d5ff23aed62a6d8459ba7a2481c0b7c65c696445c1ec
• verified broker-backed labctl secrets get writes mode 0600 and emits no secret values
• applied live in aws/keycloak; final instance is i-01b23894c8a16971a on Flatcar 4593.2.0, data volume vol-09baa3d716d956887
• validated through SSM: /var/lib/keycloak mounted, /run/glab/keycloak/stack.env mode 600, all four units active, Postgres healthy, Keycloak readiness OK, Traefik SNI OK, and journal secret-value scan passed
• rebooted the instance and revalidated /run secret regeneration, data volume remount, service health, Keycloak readiness, Traefik SNI, and journal secret-value scan
• final tofu plan -detailed-exitcode returned no changes
• deleted obsolete SSM SecureString params /glab/keycloak/keycloak-admin-password and /glab/keycloak/postgres-password

Tests

• ./scripts/check.sh
• AWS_PROFILE=lab-admin AWS_REGION=us-west-2 tofu plan -detailed-exitcode