- Feature Request
- Resolution: Done
- Major
1. Proposed title of this feature request
Allow the definition of jwks_uri using the Authentication Operator
2. What is the nature and description of the request?
The customer needs to enable Workload Identity with Azure. This means that the OIDC discovery document of the OpenShift cluster should expose publicly available URLs.
- The service account issuer exposed by the kube-apiserver can be modified via the spec.serviceAccountIssuer field of the Authentication object, as per our documentation [1].
- After changing the serviceAccountIssuer, the OIDC discovery document uses the control plane IP address in the jwks_uri field, and it is not possible to change it.
The request is to expose a spec field in the Authentication object to define the jwks_uri (which should be reflected in the --service-account-jwks-uri flag of the kube-apiserver).
Documentation from MS: https://azure.github.io/azure-workload-identity/docs/introduction.html
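The jwks_uri problem described above can be verified directly from the cluster's OIDC discovery document (the /.well-known/openid-configuration response). The Python check below is an added example, not code from this issue or from OpenShift; it operates on two constructed sample documents whose issuer and jwks_uri values (oidc.example.com, 10.0.0.5) are placeholders, and it flags a jwks_uri whose host is a non-public IP address or differs from the issuer host, which is the symptom an external identity provider such as Azure would run into.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample discovery documents (not captured from a real cluster).
# SAMPLE_BROKEN mirrors the symptom in the request: the issuer was changed to
# a public URL, but jwks_uri still carries a control-plane IP address.
SAMPLE_BROKEN = json.dumps({
    "issuer": "https://oidc.example.com",
    "jwks_uri": "https://10.0.0.5:6443/openid/v1/jwks",
    "response_types_supported": ["id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# SAMPLE_OK shows what the document should look like once jwks_uri is
# publicly reachable under the same host as the issuer.
SAMPLE_OK = json.dumps({
    "issuer": "https://oidc.example.com",
    "jwks_uri": "https://oidc.example.com/openid/v1/jwks",
    "response_types_supported": ["id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def _host_is_non_public(host: str) -> bool:
    """True when host is a literal IP that is private, loopback, link-local, etc."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not a literal IP; cannot judge offline
    return not ip.is_global


def check_discovery_document(raw: str) -> list[str]:
    """Return a list of findings about the jwks_uri in an OIDC discovery document.

    An empty list means jwks_uri is an https URL on a public-looking host that
    matches the issuer host.
    """
    doc = json.loads(raw)
    findings: list[str] = []

    issuer = doc.get("issuer", "")
    jwks_uri = doc.get("jwks_uri")
    if not jwks_uri:
        findings.append("jwks_uri is missing from the discovery document")
        return findings

    parsed = urlparse(jwks_uri)
    host = parsed.hostname or ""

    if parsed.scheme != "https":
        findings.append(f"jwks_uri does not use https: {jwks_uri}")

    if _host_is_non_public(host):
        findings.append(
            f"jwks_uri host {host} is a non-public address; "
            "external identity providers will not be able to fetch the keys"
        )

    issuer_host = urlparse(issuer).hostname or ""
    if issuer_host and host != issuer_host:
        findings.append(
            f"jwks_uri host {host} differs from issuer host {issuer_host}"
        )

    return findings


if __name__ == "__main__":
    for label, doc in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        result = check_discovery_document(doc)
        print(f"{label}: {result or 'no findings'}")
```

To run it against a live cluster, fetch the discovery document from the configured serviceAccountIssuer URL and pass the response body to check_discovery_document; the two findings on the broken sample are exactly the condition this feature request asks to make configurable.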
3. Why does the customer need this? (List the business requirements here)
Integration of their cluster with Azure applications
4. List any affected packages or components.
Authentication
- account is impacted by: RFE-3157 Azure Workload Identity Federation (Accepted)
- impacts account: RFE-3157 Azure Workload Identity Federation (Accepted)
- OCPBUGS-979 Bring Your Own OIDC keys feature is not documented (ASSIGNED)