Expose OIDC auth mounts to unauthenticated OpenBao UI listing

Set listing_visibility=unauth on netkingdom and keycape during OIDC configure
so the browser login mask can select KeyCape instead of falling back to token.

sso-mfa/k8s/keycape/configure-openbao-oidc.sh

@@ -73,7 +73,8 @@ ROLE_JSON
       default_role="platform-admin"
 
     bao write "auth/${mount}/role/platform-admin" @/tmp/openbao-platform-admin-role.json
-    printf "configured auth/%s/role/platform-admin\n" "$mount" >&2
+    bao write "sys/auth/${mount}/tune" listing_visibility=unauth
+    printf "configured auth/%s/role/platform-admin and listing_visibility=unauth\n" "$mount" >&2
   done
 
   rm -f /tmp/openbao-platform-admin-role.json /tmp/openbao-*-auth-enable.out /tmp/openbao-*-auth-enable.err