balena-io / open-balena-registry

Docker image storage backend for openBalena
balena.io/open
GNU Affero General Public License v3.0
16 stars, 9 forks

Distribution changes the way it handles token validation in the next release (>v2.8.3) #237

Open shaunco opened 10 months ago

shaunco commented 10 months ago

Distribution moved from the long archived libtrust to go-jose on Oct 19, 2023 in this change: https://github.com/distribution/distribution/commit/fe21f439118f74781a3088f6553332443f5d552e

This will be in whatever release comes out after the current v2.8.3 release (from Oct 2, 2023). Looking at the changes to https://github.com/distribution/distribution/blob/main/registry/auth/token/accesscontroller.go and https://github.com/distribution/distribution/blob/main/registry/auth/token/token.go - it would appear that there is no longer a need for the libtrust style KID and that if a KID is included in the JWT, then there MUST be a JWKS file (rather than a rootcerts file ... and no support for JWKS URLs yet) set up in the config to associate each JWK with a KID for lookup.

Specifically, see: https://github.com/distribution/distribution/blob/b8fb08e0a14646eb5439fa7915e017cb1176c173/registry/auth/token/token.go#L141-L153

The simple fix is for open-balena-registry to also pull in the KID environment variable, add a confd template to generate a jwks from the KID+CERT, and then update the docker-registry.yml.tmpl template to have a jwks entry pointing to the jwks file rather than a rootcertbundle line.
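As an added illustration of the KID+CERT to JWKS step proposed above (example code written for this issue, not part of open-balena-registry or distribution), the following builds the JWKS document the registry would be pointed at. It assumes the token-signing certificate carries an RSA key, that the kid is whatever string the token issuer places in the JWT header, and it generates a throwaway self-signed certificate inline so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// JWKSFromCertPEM builds the JWKS JSON for an RSA certificate, publishing its public
// key under kid, the JWT header value distribution uses to select the verification key.
func JWKSFromCertPEM(certPEM []byte, kid string) ([]byte, error) {
	if kid == "" {
		return nil, errors.New("kid must not be empty")
	}
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("input is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("this example only handles RSA certificates")
	}
	// RFC 7518 RSA JWK: n and e are big-endian integers, unpadded base64url.
	jwk := map[string]string{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
		"n": base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		"e": base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
	return json.MarshalIndent(map[string][]map[string]string{"keys": {jwk}}, "", "  ")
}

// ConstructedCertPEM generates a throwaway self-signed RSA certificate so the
// example runs offline; in open-balena-registry the PEM would come from CERT.
func ConstructedCertPEM() []byte {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), Subject: pkix.Name{CommonName: "constructed"}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

The resulting file is what a jwks entry in docker-registry.yml.tmpl would reference; a token whose header kid does not match the entry is rejected, so the kid written here must be the same one the token issuer uses.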