feat(keycloak): implement SPOT with Realm

Replace 01_import.yml with 01_initialize.yml (KEYCLOAK_HOST_IMPORT_DIR)
Add generic 02_update.yml (kcadm updater for clients/components)
- Resolve ID → read current → merge (kc_merge_path optional)
- Preserve immutable fields; support kc_force_attrs
Update tasks/main.yml:
- Readiness via KEYCLOAK_MASTER_REALM_URL; kcadm login
- Merge LDAP component config from Realm when KEYCLOAK_LDAP_ENABLED
- Update client settings incl. frontchannel.logout.url
realm.json.j2: include ldap.json in UserStorageProvider
ldap.json.j2: use KEYCLOAK_LDAP_* vars for bindDn/credential/connectionUrl
vars/main.yml: add KEYCLOAK_* URLs/dirs and KEYCLOAK_DICTIONARY_REALM(_RAW)
docker-compose.yml.j2: mount KEYCLOAK_HOST_IMPORT_DIR
Cleanup: remove 02_update_client_redirects.yml, 03_update-ldap-bind.yml, 04_ssh_public_key.yml; drop obsolete config flag; formatting

Note: redirectUris/webOrigins ordering may still cause changed=true; consider sorting for stability in a follow-up.

roles/web-app-keycloak/templates/docker-compose.yml.j2

@@ -8,7 +8,7 @@
     ports:
       - "{{ KEYCLOAK_SERVER_HOST }}:8080"
     volumes:
-      - "{{ keycloak_host_import_directory }}:{{KEYCLOAK_DOCKER_IMPORT_DIR}}"
+      - "{{ KEYCLOAK_HOST_IMPORT_DIR }}:{{KEYCLOAK_DOCKER_IMPORT_DIR}}"
 {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
 {% set container_port = 9000 %}

roles/web-app-keycloak/templates/import/client.json.j2

@@ -10,7 +10,6 @@
   "alwaysDisplayInConsole": false,
   "clientAuthenticatorType": "client-secret",
   "secret": "{{ OIDC.CLIENT.SECRET }}",
-  {# The following line should be covered by 02_update_client_redirects.yml #}
   "redirectUris": {{ KEYCLOAK_REDIRECT_URIS | to_json }},
   "webOrigins": {{ KEYCLOAK_WEB_ORIGINS | to_json }},
   "notBefore": 0,

roles/web-app-keycloak/templates/import/ldap.json.j2

@@ -196,14 +196,14 @@
     "useKerberosForPasswordAuthentication": [ "false" ],
     "importEnabled": [ "true" ],
     "enabled": [ "true" ],
-    "bindCredential": [ "{{ ldap.bind_credential }}" ],
+    "bindCredential": [ "{{ KEYCLOAK_LDAP_BIND_PW }}" ],
     "changedSyncPeriod": [ "-1" ],
     "usernameLDAPAttribute": [ "{{ ldap.user.attributes.id }}" ],
-    "bindDn": [ "{{ ldap.dn.administrator.data }}" ],
+    "bindDn": [ "{{ KEYCLOAK_LDAP_BIND_DN }}" ],
     "vendor": [ "other" ],
     "uuidLDAPAttribute": [ "{{ ldap.user.attributes.id }}" ],
     "allowKerberosAuthentication": [ "false" ],
-    "connectionUrl": [ "{{ ldap.server.uri }}" ],
+    "connectionUrl": [ "{{ KEYCLOAK_LDAP_URL }}" ],
     "syncRegistrations": [ "true" ],
     "authType": [ "simple" ],
     "krbPrincipalAttribute": [ "krb5PrincipalName" ],

roles/web-app-keycloak/templates/import/realm.json.j2

@@ -1654,7 +1654,7 @@
       }
     ],
     "org.keycloak.storage.UserStorageProvider": [
-      {% include "client.json.j2" %}
+      {% include "ldap.json.j2" %}
     ],
     "org.keycloak.keys.KeyProvider": [
       {