Fix Keycloak HTTPS primary endpoint#17058

Merged
danegsta merged 1 commit into microsoft:main from danegsta:danegsta-microsoft/fix-keycloak-https-endpoint on May 13, 2026

Conversation

@danegsta
Member

Description

Update the primary Keycloak endpoint to HTTPS rather than simply adding a second HTTPS endpoint when the dev certificate is enabled. This is a breaking change, but it fixes an issue where the Keycloak HTTPS endpoint isn't stable, leading previously issued tokens to become invalid on restart.

Fixes #16979

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • Yes
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
        • No
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 13, 2026 21:56
@danegsta danegsta added the breaking-change Issue or PR that represents a breaking API or functional change over a prerelease. label May 13, 2026
{
private const string DefaultAdmin = "admin";
internal const string PrimaryEndpointName = "tcp";
internal const string PrimaryEndpointName = "http";
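Review bot: renaming PrimaryEndpointName from "tcp" to "http" is the compatibility break this PR is labelled for, since any AppHost or test code that looks the Keycloak endpoint up by the literal name "tcp" will stop resolving it; please pair the rename with a migration note in the PR description and confirm that every place which previously referenced the "tcp" endpoint (including the Keycloak configuration that derives its URLs from this constant) has been updated to the new name.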
Member Author


This changes the endpoint name to "http" to better match our service discovery URL behavior (and make the HTTPS scheme update behave reliably).

@github-actions
Contributor

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17058

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17058"

Contributor

Copilot AI left a comment


Pull request overview

This PR changes Keycloak’s HTTPS handling so the existing primary endpoint is switched to HTTPS when certificate support is enabled, instead of adding a separate HTTPS endpoint. This aligns the configured host port with the endpoint used by clients and helps avoid token issuer mismatches after AppHost restarts.

Changes:

  • Switches the Keycloak primary endpoint name constant to the existing "http" endpoint.
  • Updates HTTPS certificate handling to mutate the primary endpoint to HTTPS on target port 8443.
  • Adds a unit test covering primary endpoint mutation and KC_HTTPS_PORT configuration.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File | Description
src/Aspire.Hosting.Keycloak/KeycloakResource.cs | Updates the internal primary endpoint name used by Keycloak configuration.
src/Aspire.Hosting.Keycloak/KeycloakResourceBuilderExtensions.cs | Changes run-mode HTTPS setup to mutate the primary endpoint and configure Keycloak's HTTPS port.
tests/Aspire.Hosting.Keycloak.Tests/KeycloakResourceBuilderTests.cs | Adds coverage for HTTPS primary endpoint behavior when a certificate annotation is present.
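The failure mode behind this change (issue IDX10205, token issuer mismatch) is worth seeing concretely: Keycloak stamps each token's `iss` claim with the realm URL it was reached through, scheme and port included, and a .NET JWT validator compares that string exactly against the authority the API is configured with. When the HTTPS endpoint's host port was re-allocated on AppHost restart, every token issued before the restart carried the old port and was rejected. The following Python script, added here as an example and not code from the PR or the Aspire repository, decodes a token's issuer (without verifying the signature, so it is a diagnostic only) and reports which URL component differs. The realm name `myrealm` and the ports 54321 and 60123 are constructed values standing in for the before- and after-restart host ports; the tokens are unsigned fixtures built in the script.

```python
import base64
import json
from urllib.parse import urlsplit


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string (header.payload.signature) with an empty
    signature. Constructed test fixture only; real Keycloak tokens are signed."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def read_issuer(token: str) -> str:
    """Extract the 'iss' claim without verifying the signature.
    Useful for diagnosing a mismatch; never use this to accept a token."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))["iss"]


def issuer_diff(token_iss: str, expected_iss: str) -> dict:
    """Compare the token issuer with the configured authority component by
    component. Validators match issuers as exact strings, so a differing port
    alone is enough to reject every previously issued token."""
    a, b = urlsplit(token_iss), urlsplit(expected_iss)
    diff = {}
    if a.scheme != b.scheme:
        diff["scheme"] = (a.scheme, b.scheme)
    if a.hostname != b.hostname:
        diff["host"] = (a.hostname, b.hostname)
    if a.port != b.port:
        diff["port"] = (a.port, b.port)
    if a.path.rstrip("/") != b.path.rstrip("/"):
        diff["path"] = (a.path, b.path)
    return diff


def validate_issuer(token: str, expected_iss: str) -> tuple:
    """Return (True, {}) on an exact issuer match, else (False, differences)."""
    token_iss = read_issuer(token)
    if token_iss == expected_iss:
        return True, {}
    return False, issuer_diff(token_iss, expected_iss)


if __name__ == "__main__":
    # Constructed scenario: token issued before an AppHost restart, when the
    # HTTPS endpoint had been allocated host port 54321.
    token = make_unsigned_token({"iss": "https://localhost:54321/realms/myrealm",
                                 "sub": "alice"})
    # After restart the old behaviour allocated a fresh host port (60123 here),
    # so the API's configured authority no longer matches the token's issuer.
    for authority in ("https://localhost:54321/realms/myrealm",
                      "https://localhost:60123/realms/myrealm"):
        ok, diff = validate_issuer(token, authority)
        print(authority, "->", "OK" if ok else f"MISMATCH {diff}")
```

Running it prints an exact match for the original authority and a port-only mismatch for the re-allocated one, which is exactly why keeping the primary endpoint's host port stable across restarts (rather than adding a second HTTPS endpoint with its own port) resolves the issue.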

@github-actions
Contributor

Re-running the failed jobs in the CI workflow for this pull request because 1 job was identified as a retry-safe transient failure in the CI run attempt.
GitHub was asked to rerun all failed jobs for that attempt, and the rerun is being tracked in the rerun attempt.
The job links below point to the failed attempt jobs that matched the retry-safe transient failure rules.

@danegsta danegsta merged commit cfab3c5 into microsoft:main May 13, 2026
583 of 586 checks passed
@github-actions github-actions Bot added this to the 13.4 milestone May 13, 2026
@danegsta
Member Author

/backport to release/13.3

@github-actions
Contributor

Started backporting to release/13.3 (link to workflow run)

JamesNK pushed a commit that referenced this pull request May 14, 2026
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Labels

breaking-change Issue or PR that represents a breaking API or functional change over a prerelease.

Development

Successfully merging this pull request may close these issues.

AddKeycloak HTTPS endpoint port changes on AppHost restart, causing token issuer mismatch (IDX10205)
