gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Add Kubernetes join subtype which fetches JWKS from a known endpoint #39170

Open bothra90 opened 6 months ago

bothra90 commented 6 months ago

This is related to https://github.com/gravitational/teleport/issues/37183

What would you like Teleport to do?

Provide the ability to specify a URI from which the JWKS could be fetched periodically.

What problem does this solve?

EKS with OIDC rotates the underlying signing keys every 7 days. This means that Machine ID bots authenticated using a static JWKS will fail to authenticate if they restart after 7 days.

If a workaround exists, please include it.

Unfortunately, the only workaround is to manually update the associated token every 7 days.

strideynet commented 5 months ago

As stated on the other ticket:

but curious if/how it's going to be prioritized.

Unfortunately, I don't have a timeline on this yet. It's not likely a huge priority since IAM joining is a workaround in these environments.

Our team is also happy to contribute a PR if that would help and if you're willing to mentor/review.

More than happy to mentor a PR on this. You can reach me at noah @ goteleport.com - or reach out to me on Slack.

strideynet commented 5 months ago

As for the impl - we'll want to implement some form of caching here. It seems like AWS returns a Cache-Control header that we should respect. We may want to keep in mind that this won't just be for AWS, and there are potentially implementations which won't return a Cache-Control header; in these cases we should pick a sensible default (e.g. 1 minute).
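
What the caching described in the comment above would look like in Go (Teleport's own language), as an added example that is neither Teleport's code nor the commenter's: a hypothetical JWKSCache that fetches a JWKS from a URL, honours the Cache-Control max-age, and falls back to an assumed 1 minute TTL when the header is missing or unusable, exercised against a constructed stand-in JWKS endpoint whose kid rotates, which stands in for the EKS OIDC rotation from the issue description. All type and function names (JWKSCache, maxAgeTTL, newRotatingJWKSServer) are assumptions, not Teleport identifiers.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"sync"
	"sync/atomic"
	"time"
)

// defaultTTL is the assumed fallback (1 minute) used when the endpoint sends no usable max-age.
const defaultTTL = time.Minute

// jwk keeps only the field this example inspects; a real JWK also carries key material.
type jwk struct{ Kid string `json:"kid"` }

// JWKSCache (hypothetical type, not Teleport's) fetches a JWKS from URL and serves it from
// memory until the TTL taken from the response's Cache-Control header elapses.
type JWKSCache struct {
	URL     string
	Client  *http.Client
	Now     func() time.Time // injectable clock
	mu      sync.Mutex
	keys    map[string]jwk
	expires time.Time
}

// maxAgeTTL extracts "max-age=N" from a Cache-Control value, or fallback if absent/invalid.
func maxAgeTTL(cacheControl string, fallback time.Duration) time.Duration {
	for _, d := range strings.Split(strings.ToLower(cacheControl), ",") {
		if v := strings.TrimSpace(d); strings.HasPrefix(v, "max-age=") {
			if n, err := strconv.Atoi(strings.TrimPrefix(v, "max-age=")); err == nil && n > 0 {
				return time.Duration(n) * time.Second
			}
		}
	}
	return fallback
}

// refresh re-downloads the JWKS (body capped at 1 MiB) and resets the expiry; caller holds c.mu.
func (c *JWKSCache) refresh() error {
	resp, err := c.Client.Get(c.URL)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("jwks fetch: unexpected status %d", resp.StatusCode)
	}
	var doc struct{ Keys []jwk `json:"keys"` }
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&doc); err != nil {
		return fmt.Errorf("jwks decode: %w", err)
	}
	keys := make(map[string]jwk, len(doc.Keys))
	for _, k := range doc.Keys {
		keys[k.Kid] = k
	}
	c.keys = keys
	c.expires = c.Now().Add(maxAgeTTL(resp.Header.Get("Cache-Control"), defaultTTL))
	return nil
}

// Key returns the key for kid, re-fetching the JWKS first when the cached copy has expired.
// If that re-fetch fails but an older copy exists, the older copy is served so that an
// endpoint outage does not fail every verification.
func (c *JWKSCache) Key(kid string) (jwk, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.keys == nil || !c.Now().Before(c.expires) {
		if err := c.refresh(); err != nil && c.keys == nil {
			return jwk{}, err
		}
	}
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	return jwk{}, fmt.Errorf("jwks: no key with kid %q", kid)
}

// newRotatingJWKSServer is a constructed stand-in for a provider's JWKS endpoint; each call
// to the returned rotate func replaces the published kid, as a key rotation would.
func newRotatingJWKSServer(cacheControl string) (srv *httptest.Server, rotate func()) {
	gen := int64(1)
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Cache-Control", cacheControl)
		kid := fmt.Sprintf("key-%d", atomic.LoadInt64(&gen))
		_ = json.NewEncoder(w).Encode(map[string][]jwk{"keys": {{Kid: kid}}})
	}))
	return srv, func() { atomic.AddInt64(&gen, 1) }
}

func main() {
	srv, rotate := newRotatingJWKSServer("max-age=300")
	defer srv.Close()
	now := time.Unix(0, 0)
	c := &JWKSCache{URL: srv.URL, Client: srv.Client(), Now: func() time.Time { return now }}
	fmt.Println(c.Key("key-1")) // first lookup fetches the JWKS
	rotate()                    // provider rotates its signing key
	fmt.Println(c.Key("key-2")) // still within the TTL: served from cache, kid unknown
	now = now.Add(301 * time.Second)
	fmt.Println(c.Key("key-2")) // TTL elapsed: re-fetched, new kid found
}
```

The middle call in main shows the caveat a periodic fetcher carries: a rotation that lands inside the cached window leaves the new kid unknown until the TTL elapses, so a bot restarting in that gap still fails. A production implementation would usually also re-fetch on an unknown kid, rate-limited so that a flood of bogus kids cannot be used to hammer the endpoint; that refinement is left out here to keep the example focused on the Cache-Control handling and the fallback default.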

bothra90 commented 5 months ago

since IAM joining is a workaround in these environments.

Aha! I didn't know we could use IAM based auth for bots running on k8s. That solves our problem for now. Thanks a lot @strideynet!