Our current L7 AuthorizationPolicies for Keycloak are not natively supported with Ambient unless we are using Waypoints. This issue should find a path forward to set up waypoints for Keycloak and ensure full functionality, including:
Access from both tenant and admin gateways
Proper restrictions of paths from the tenant gateway
Access to client registration from Pepr
Path identified here/usage of waypoints may inform #1029.
Additional note related to Keycloak from our previous work:
Traffic to Keycloak from Pepr showed as originating from a "different" host, requiring a new trusted host policy in Keycloak for *.pepr-uds-core-watcher.pepr-system.svc.cluster.local (previously we were using the generic Istio 127.0.0.6).
This is working with Waypoint; need to determine UX around Waypoint and Ambient (always deploy Waypoint, or add either logic in Pepr to auto-detect if Waypoint is needed or a configuration option to the UDS Package CR).
Also requires adding Waypoint trusted host, so a full config would include support for sidecar, ambient ztunnel, and waypoint; see uds-identity-config PR299.
In light of the ^ note, opened #1200 to track this. This issue could be closed out with that one; leaving open for now in case this requires special implementation.
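The waypoint setup this issue asks for, sketched as an added example that is not part of the original thread or the project's own manifests: a waypoint for the Keycloak namespace, namespace enrollment, and an L7 AuthorizationPolicy attached with `targetRefs` so the waypoint enforces it (a `selector`-based policy is enforced by ztunnel, which only handles L4). The namespace `keycloak`, the Service name `keycloak-http`, the waypoint name, the tenant gateway principal, and the `/admin*` path are all assumptions standing in for the real values.

```yaml
# Constructed example: names, namespace, principal and path are placeholders.
# 1. Waypoint proxy that gives the namespace an L7 enforcement point.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: keycloak-waypoint          # hypothetical name
  namespace: keycloak              # assumed namespace
  labels:
    istio.io/waypoint-for: service # handle traffic addressed to Services
spec:
  gatewayClassName: istio-waypoint
  listeners:
    - name: mesh
      port: 15008
      protocol: HBONE
---
# 2. Enroll the namespace in ambient and route its Service traffic via the waypoint.
apiVersion: v1
kind: Namespace
metadata:
  name: keycloak
  labels:
    istio.io/dataplane-mode: ambient
    istio.io/use-waypoint: keycloak-waypoint
---
# 3. L7 path restriction for requests arriving from the tenant gateway.
#    targetRefs binds the policy to the Service, so the waypoint evaluates it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: keycloak-tenant-path-restriction   # hypothetical name
  namespace: keycloak
spec:
  targetRefs:
    - kind: Service
      group: ""
      name: keycloak-http                  # assumed Service name
  action: DENY
  rules:
    - from:
        - source:
            principals:                    # placeholder: tenant gateway identity
              - cluster.local/ns/TENANT_GATEWAY_NS/sa/TENANT_GATEWAY_SA
      to:
        - operation:
            paths: ["/admin*"]             # placeholder for the restricted paths
```

As the comments above note, Keycloak's trusted host policy also has to account for the waypoint once traffic flows through it.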