Problem
By default, the jwks_url is taken from https://kubernetes.default.svc/.well-known/openid-configuration. In some k8s distributions, like OpenShift, the jwks_url defaults to a public address of the API load-balancer. This makes sense for a lot of use cases, as the jwks_url is used for applications running outside of the cluster. A secured cluster, however, may block connections from inside of the cluster to the public load-balancer address; such a jwks_url is then unusable from inside of the cluster, and Eventing cannot be used with OIDC enabled on such a cluster by default.
In such cases, it would be helpful to have an option to override jwks_url, e.g. to https://kubernetes.default.svc/openid/v1/jwks, so as to connect to the API server directly and not via its public API load-balancer address, which may be blocked from inside of the cluster.
Persona: System Operator
Exit Criteria
A configuration option allowing jwks_url to be overridden
Time Estimate (optional):
1
Additional context (optional)
It is already possible to use the oidc-discovery-base-url configuration option, but using it for this use case would require setting up an HTTP server inside the cluster just to return the desired JSON with the desired jwks_url value as its response to GET /.well-known/openid-configuration, which is impractical.
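The workaround described under Additional context, written out as an added example (not code from Knative Eventing or any k8s distribution): a minimal in-cluster discovery endpoint that fetches the API server's openid-configuration, rewrites only its jwks_uri (the OIDC discovery field name for what the issue calls jwks_url) to the in-cluster address, and serves the result so Eventing can be pointed at it via oidc-discovery-base-url. The override URL, listen port and CA bundle path are assumptions.

```python
import json
import ssl
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Assumed values: the API server's in-cluster discovery document, the jwks
# override from the issue, and the service-account CA used to verify TLS.
DISCOVERY_URL = "https://kubernetes.default.svc/.well-known/openid-configuration"
JWKS_OVERRIDE = "https://kubernetes.default.svc/openid/v1/jwks"
CA_BUNDLE = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"


def rewrite_discovery(doc: dict, jwks_override: str) -> dict:
    """Copy of an OIDC discovery document with only jwks_uri replaced; the
    issuer stays untouched because token validation checks iss against it."""
    parsed = urlparse(jwks_override)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("jwks override must be an absolute https URL")
    if not doc.get("issuer"):
        raise ValueError("discovery document has no issuer")
    out = dict(doc)
    out["jwks_uri"] = jwks_override
    return out


def fetch_discovery(url: str = DISCOVERY_URL, ca_bundle: str = CA_BUNDLE) -> dict:
    """Fetch the upstream document over TLS verified with the cluster CA (so the
    rewrite is applied to an authentic document); assumes anonymous read access."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(url, context=ctx, timeout=5) as resp:
        return json.load(resp)


class DiscoveryHandler(BaseHTTPRequestHandler):
    """Serve the rewritten document at /.well-known/openid-configuration."""
    def do_GET(self):
        if self.path != "/.well-known/openid-configuration":
            self.send_error(404)
            return
        body = json.dumps(rewrite_discovery(fetch_discovery(), JWKS_OVERRIDE)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), DiscoveryHandler).serve_forever()
```

Point oidc-discovery-base-url at this service and Eventing receives the same issuer with an in-cluster jwks_uri; the two ValueError checks keep a misconfigured override from silently producing a document that passes discovery but fails token validation.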