fix(bp-keycloak): bump blueprint.yaml version to match Chart.yaml 1.1.2

Bitnami consolidated their tag scheme around 2025-09 (see
https://github.com/bitnami/charts/issues/30852). The chart was pinned to
upstream bitnami/keycloak Helm chart 24.7.1, whose default image tag
`bitnami/keycloak:26.2.4-debian-12-r0` now returns 404 in the Docker Hub
registry — installs hit ImagePullBackOff (verified on omantel).

Changes:
- Upstream Bitnami chart: 24.7.1 -> 25.2.0 (latest, appVersion 26.3.3)
- Override image.registry/image.repository for every Bitnami image used
  by the chart (keycloak app, keycloak-config-cli, postgresql,
  postgres-exporter, os-shell) to point at `bitnamilegacy/*`, where the
  historic debian-12 tags are preserved
- Replace deprecated `proxy: edge` with `proxyHeaders: "xforwarded"`
  (chart 25.x renamed the field; Catalyst fronts Keycloak with Cilium
  Gateway which sets X-Forwarded-* headers)
- bp-keycloak chart version: 1.1.1 -> 1.1.2

Verification (registry HEAD via Bearer token):
  bitnami/keycloak:26.2.4-debian-12-r0          -> 404 (broken pin)
  bitnami/keycloak:26.3.3-debian-12-r0          -> 404 (registry move)
  bitnamilegacy/keycloak:26.3.3-debian-12-r0    -> 200
  bitnamilegacy/keycloak-config-cli:6.4.0-...   -> 200
  bitnamilegacy/postgresql:17.6.0-debian-12-r0  -> 200
  bitnamilegacy/postgres-exporter:0.17.1-...    -> 200
  bitnamilegacy/os-shell:12-debian-12-r50       -> 200

`helm template platform/keycloak/chart` renders cleanly; rendered images
all resolve to bitnamilegacy/* tags listed above.

Long-term follow-up (not blocking): bitnamilegacy is explicitly marked
"no longer updated, may be removed in the future" — Catalyst should
either build its own Keycloak image or migrate to the Bitnami Secure
Image (BSI/Photon) catalog when chart support catches up. Tracked in
the bp-keycloak description block.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

platform/keycloak/blueprint.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     catalyst.openova.io/section: pts-2-3-per-sovereign-supporting-services
 spec:
-  version: 1.1.1
+  version: 1.1.2
   card:
     title: keycloak
     summary: Keycloak — user identity. Topology decided by Sovereign CRD spec.keycloakTopology (per-organization for SME, shared-sovereign for corporate).

platform/keycloak/chart/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: bp-keycloak
-version: 1.1.1
+version: 1.1.2
 description: |
   Catalyst-curated Blueprint umbrella chart for Keycloak. Depends on the
   upstream `keycloak` chart (bitnami) as a Helm subchart so
@@ -16,12 +16,21 @@ maintainers:
     email: catalyst@openova.io
 
 # Upstream chart pulled in as a Helm subchart so `helm dependency build`
-# bundles it into the OCI artifact. Pinned to bitnami/keycloak 24.7.1
+# bundles it into the OCI artifact. Pinned to bitnami/keycloak 25.2.0
 # (matches platform/keycloak/blueprint.yaml + values.yaml
 # `catalystBlueprint.upstream.version`). Per
 # docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode) the version is
 # operator-bumpable via PR + Blueprint release.
+#
+# Bitnami consolidated their tag scheme around 2025-09 (see
+# https://github.com/bitnami/charts/issues/30852): the original
+# `bitnami/keycloak:<x>-debian-12-rN` tags now 404 in the registry. The
+# preserved historic tags live under `bitnamilegacy/keycloak` (read-only
+# archive). values.yaml overrides image.registry/image.repository to point
+# every Bitnami image used by this chart at `bitnamilegacy/*` so installs
+# succeed. Long-term we will migrate to a Catalyst-built or upstream
+# replacement Keycloak image (issue #191 follow-up).
 dependencies:
   - name: keycloak
-    version: "24.7.1"
+    version: "25.2.0"
     repository: "https://charts.bitnami.com/bitnami"

platform/keycloak/chart/values.yaml

@@ -9,7 +9,7 @@
 #      the values namespace).
 
 catalystBlueprint:
-  upstream: { chart: keycloak, version: "24.7.1", repo: "https://charts.bitnami.com/bitnami" }
+  upstream: { chart: keycloak, version: "25.2.0", repo: "https://charts.bitnami.com/bitnami" }
 
 # ─── Upstream chart values (subchart key: keycloak) ───────────────────────
 # Generated by docs/PROVISIONING-PLAN.md tickets [F] chart Pass 105+.
@@ -17,12 +17,51 @@ keycloak:
   auth:
     adminUser: admin
   production: true
-  proxy: edge
+  # Chart 25.x renamed `proxy: edge` to `proxyHeaders: "xforwarded"`. Catalyst
+  # fronts Keycloak with Cilium Gateway (which sets `X-Forwarded-*`), and we
+  # require `proxyHeaders` to be set so chart-level production-mode validation
+  # passes without forcing in-pod TLS.
+  proxyHeaders: "xforwarded"
+  # ─── Bitnami image-registry consolidation (issue #191) ──────────────────
+  # Bitnami consolidated their tag scheme around 2025-09 (see
+  # https://github.com/bitnami/charts/issues/30852). The original
+  # `bitnami/keycloak:<x>-debian-12-rN` tags now 404 in the registry; the
+  # preserved historic tags moved to `bitnamilegacy/*` (read-only archive,
+  # explicitly published as "no longer updated, may be removed in the
+  # future"). Override repository for every Bitnami image referenced by
+  # this chart (keycloak app, keycloak-config-cli sidecar, postgresql,
+  # postgres-exporter, os-shell init) so `helm install` resolves real
+  # manifests. Verified existence with registry HEAD calls before pinning.
+  # Tag stays the chart 25.2.0 default (`26.3.3-debian-12-r0`) — re-pin
+  # when the chart bumps and we re-verify the new tag.
+  image:
+    registry: docker.io
+    repository: bitnamilegacy/keycloak
+    tag: 26.3.3-debian-12-r0
+  keycloakConfigCli:
+    image:
+      registry: docker.io
+      repository: bitnamilegacy/keycloak-config-cli
+      tag: 6.4.0-debian-12-r11
   postgresql:
     enabled: true
     auth:
       username: keycloak
       database: keycloak
+    image:
+      registry: docker.io
+      repository: bitnamilegacy/postgresql
+      tag: 17.6.0-debian-12-r0
+    metrics:
+      image:
+        registry: docker.io
+        repository: bitnamilegacy/postgres-exporter
+        tag: 0.17.1-debian-12-r15
+    volumePermissions:
+      image:
+        registry: docker.io
+        repository: bitnamilegacy/os-shell
+        tag: 12-debian-12-r50
   ingress:
     enabled: false  # Catalyst uses Cilium Gateway, not the chart ingress
   resources: