[docs] Document keycloakInternalUrl platform value (#452)

## What this PR does

Documents the new `authentication.oidc.keycloakInternalUrl` platform
value across three pages:

- **Platform Package Reference**: added to the Authentication values
table
- **Self-Signed Certificates**: added a section explaining how to
configure the internal URL for the dashboard
- **Enable OIDC Server**: added an info alert linking to the self-signed
certificates page

Related: cozystack/cozystack#2224

### Release note

```release-note
[docs] Added documentation for `keycloakInternalUrl` platform value that routes dashboard backend OIDC requests through internal Keycloak service.
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added reference documentation for optional Keycloak internal URL
configuration field
* Added usage guidance for configuring internal Keycloak URLs in OIDC
setups
* Added instructions for setting internal Keycloak URLs in self-signed
certificate environments

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: kvaps

content/en/docs/v1/operations/configuration/platform-package.md

@@ -96,6 +96,7 @@ spec:
 | `authentication.oidc.enabled` | `false` | Enable [OIDC][oidc] feature in Cozystack. |
 | `authentication.oidc.insecureSkipVerify` | `false` | Skip TLS certificate verification for the OIDC provider. |
 | `authentication.oidc.keycloakExtraRedirectUri` | `""` | Additional redirect URI for Keycloak OIDC client. |
+| `authentication.oidc.keycloakInternalUrl` | `""` | Internal URL for backend-to-backend requests to Keycloak. When set, the dashboard's oauth2-proxy skips OIDC discovery and routes token, JWKS, userinfo, and logout requests through this URL while keeping browser redirects on the external URL. Example: `http://keycloak-http.cozy-keycloak.svc:8080/realms/cozy`. |
 
 #### Scheduling
 

content/en/docs/v1/operations/oidc/enable_oidc.md

@@ -81,6 +81,10 @@ kubectl patch packages.cozystack.io cozystack.cozystack-platform --type=merge -p
 }'
 ```
 
+{{% alert color="info" %}}
+**Optional**: If you want the dashboard to reach Keycloak via the internal cluster network instead of the external ingress, set `keycloakInternalUrl`. This is useful in environments with self-signed certificates or restricted external access. See [Self-Signed Certificates](../self-signed-certificates/) for details.
+{{% /alert %}}
+
 Within one minute, CozyStack will reconcile and create three new `HelmRelease` resources:
 
 ```bash

content/en/docs/v1/operations/oidc/self-signed-certificates.md

@@ -73,6 +73,34 @@ talosctl apply-config -n <NODE_IP> -f nodes/<node>.yaml
 The `extraHostEntries` configuration ensures that the Keycloak domain resolves correctly within the cluster, which is essential when using internal ingress IPs.
 {{% /alert %}}
 
+## Optional: Configure Internal Keycloak URL for Dashboard
+
+By default, the Cozystack Dashboard's oauth2-proxy connects to Keycloak through the external ingress URL. In environments with self-signed certificates or restricted external access, you can configure the dashboard to use Keycloak's internal cluster service for backend requests (token exchange, JWKS validation, userinfo, logout) while keeping browser redirects on the external URL.
+
+Patch the Platform Package:
+
+```bash
+kubectl patch packages.cozystack.io cozystack.cozystack-platform --type=merge -p '{
+  "spec": {
+    "components": {
+      "platform": {
+        "values": {
+          "authentication": {
+            "oidc": {
+              "keycloakInternalUrl": "http://keycloak-http.cozy-keycloak.svc:8080/realms/cozy"
+            }
+          }
+        }
+      }
+    }
+  }
+}'
+```
+
+{{% alert color="info" %}}
+This only affects the dashboard's oauth2-proxy (pod-to-pod communication). The Kubernetes API server still requires `extraHostEntries` to reach Keycloak, since `kube-apiserver` uses host-level DNS and cannot resolve cluster service names.
+{{% /alert %}}
+
 ## Step 3: Configure kubelogin
 
 Install kubelogin if you haven't already: