
fix: default Keycloak issuer to keycloakx layout (port 80, /auth) #140

Open

viniciusdc wants to merge 1 commit into main from fix/oidc-issuer-keycloakx-defaults

Conversation

@viniciusdc

Collaborator

Summary

Enabling auth on a NebariApp returned HTTP 500 instead of redirecting to Keycloak, reproducible straight from the operator's own quickstart. The generated SecurityPolicy pointed Envoy at an unreachable Keycloak issuer URL, so OIDC discovery timed out.

This is PR 1 of the routing/SecurityPolicy consolidation tracked in #139.

Root cause

The OIDC issuer is built from DefaultKeycloakServicePort (8080) and DefaultKeycloakContextPath (""). But DefaultKeycloakServiceName already hardcodes the keycloak-keycloakx-http service, and the codecentric/keycloakx chart serves HTTP on port 80 under /auth (its http.relativePath, which dev/scripts also set explicitly). The defaults were internally inconsistent: they named the keycloakx service but used a port/path that service never listens on.

Result — the operator generated:

http://keycloak-keycloakx-http.keycloak.svc.cluster.local:8080/realms/nebari

Envoy dialed :8080 (no listener) → dial tcp ...:8080: i/o timeout. SecurityPolicy stuck Accepted=False → 500.

Change

  • constants.go — DefaultKeycloakServicePort 8080 → 80, DefaultKeycloakContextPath "" → "/auth", so the issuer is reachable out of the box on the chart the operator already targets. Both remain overridable via KEYCLOAK_ISSUER_SERVICE_PORT / KEYCLOAK_ISSUER_CONTEXT_PATH for a root-path Keycloak.
  • config/manager/manager.yaml — set those two env vars explicitly so the deployed issuer is obvious in the manifest and easy to retarget.
  • reconciler_test.go — new TestBuildSecurityPolicySpec_KeycloakSplitEndpoints exercising the split-endpoint behavior end to end with a real KeycloakProvider: Token stays in-cluster, Authorization/EndSession use the public ExternalURL host. Full-URL assertions also guard the issuer fix here.
  • auth_test.go — updated the default-derived expectations; the explicit-override case (9090 / explicit "") is unchanged.

Test plan

  • go build ./... and go vet ./... clean.
  • go test ./internal/config/... ./internal/controller/reconcilers/auth/... — pass, including the new split-endpoint test.
  • The internal/controller envtest suite (TestControllers) fails locally on a scheme-registration gap that also fails on clean main (unrelated to this change; needs make test's CRD setup).

Scope

The generated SecurityPolicy built its OIDC issuer from
DefaultKeycloakServicePort (8080) and DefaultKeycloakContextPath ("")
even though DefaultKeycloakServiceName already targets the
codecentric/keycloakx chart, which serves HTTP on port 80 under /auth.
Envoy's OAuth2 filter then dialed :8080 with no /auth prefix, OIDC
discovery timed out, and requests to an auth-enabled NebariApp returned
HTTP 500 instead of redirecting to Keycloak -- reproducible straight
from the quickstart.

Set the defaults to port 80 and /auth so the issuer is reachable out of
the box, and set KEYCLOAK_ISSUER_SERVICE_PORT / KEYCLOAK_ISSUER_CONTEXT_PATH
explicitly in the manager manifest so the deployed issuer is obvious and
easy to retarget. Root-path Keycloak deployments can override both via env.

Add a reconciler-level test asserting the split-endpoint behavior end to
end: the back-channel Token endpoint stays in-cluster while the
browser-facing Authorization and EndSession endpoints use the public
ExternalURL host.

Closes #136
Closes #113
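The issuer construction and the split-endpoint rule described above, as an added Go example that is not the operator's own code: it reuses the constant and variable names from the description, takes the keycloak namespace from the quoted URL, and assumes the standard Keycloak openid-connect endpoint paths and that the public host exposes the same context path as the in-cluster service.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
)

const ( // defaults as set by this PR; the "keycloak" namespace is taken from the URL in the description
	DefaultKeycloakServiceName = "keycloak-keycloakx-http"
	DefaultKeycloakNamespace   = "keycloak"
	DefaultKeycloakServicePort = "80"
	DefaultKeycloakContextPath = "/auth"
)

type IssuerConfig struct{ ServiceName, Namespace, Port, ContextPath, Realm string } // settings the issuer URL depends on

// FromEnv applies the PR's two override variables; lookup has os.LookupEnv's shape so an explicit "" (root-path Keycloak) differs from unset.
func FromEnv(realm string, lookup func(string) (string, bool)) IssuerConfig {
	c := IssuerConfig{DefaultKeycloakServiceName, DefaultKeycloakNamespace, DefaultKeycloakServicePort, DefaultKeycloakContextPath, realm}
	if v, ok := lookup("KEYCLOAK_ISSUER_SERVICE_PORT"); ok && v != "" {
		c.Port = v
	}
	if v, ok := lookup("KEYCLOAK_ISSUER_CONTEXT_PATH"); ok {
		c.ContextPath = v
	}
	return c
}

// realmPath joins context path and realm; path.Join keeps both "" and "/auth" well-formed.
func realmPath(c IssuerConfig) string { return path.Join("/", c.ContextPath, "realms", c.Realm) }

// InClusterIssuer is the URL Envoy dials for OIDC discovery and the back-channel token exchange.
func InClusterIssuer(c IssuerConfig) string {
	return fmt.Sprintf("http://%s.%s.svc.cluster.local:%s%s", c.ServiceName, c.Namespace, c.Port, realmPath(c))
}

// Endpoints is the split the PR's reconciler test asserts: Token in-cluster, the rest on ExternalURL.
type Endpoints struct{ Token, Authorization, EndSession string }

// SplitEndpoints assumes (not stated on the page) that the public host exposes the same context path.
func SplitEndpoints(c IssuerConfig, externalURL string) (Endpoints, error) {
	ext, err := url.Parse(externalURL)
	if err != nil || ext.Scheme == "" || ext.Host == "" {
		return Endpoints{}, fmt.Errorf("ExternalURL %q must be an absolute URL", externalURL)
	}
	public := ext.Scheme + "://" + ext.Host + realmPath(c) + "/protocol/openid-connect/"
	return Endpoints{InClusterIssuer(c) + "/protocol/openid-connect/token", public + "auth", public + "logout"}, nil
}

func main() { fmt.Println(InClusterIssuer(FromEnv("nebari", func(string) (string, bool) { return "", false }))) }
```

With the old defaults (8080, "") the same builder reproduces the unreachable URL quoted in the root-cause section, which is a quick way to check a retargeted manifest before deploying it.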
@github-actions

github-actions Bot commented Jun 6, 2026


Docker Images Built

Images pushed to Quay.io for branch fix-oidc-issuer-keycloakx-defaults:

Image:     Operator
Tag:       quay.io/nebari/nebari-operator:fix-oidc-issuer-keycloakx-defaults
Platforms: linux/amd64 + linux/arm64

Test the operator:

kubectl apply -k https://github.com/nebari-dev/nebari-operator.git/config/default?ref=fix/oidc-issuer-keycloakx-defaults
kubectl set image deployment/nebari-operator-controller-manager manager=quay.io/nebari/nebari-operator:fix-oidc-issuer-keycloakx-defaults -n nebari-operator-system


Development

Successfully merging this pull request may close these issues.

Generated SecurityPolicy uses wrong Keycloak port (8080) and missing /auth path prefix