- Feature Request
- Resolution: Done
- Major
- None
- openshift-4.14.z, openshift-4.15.z, openshift-4.16.z
- False
- None
- False
- Not Selected
1. Proposed title of this feature request
Signing keys rotation with OpenShift Azure Entra ID enabled clusters
2. What is the nature and description of the request?
When creating an OpenShift cluster on Azure using short-term credentials, that is with Azure Entra Workload ID (formerly Azure AD Workload Identity), a dedicated OIDC endpoint is created. This endpoint exposes a discovery document at .well-known/openid-configuration, which contains the key jwks_uri; that URI in turn points to the JSON Web Key Set (JWKS).
Today, although support for Azure Workload Identity is GA in 4.14, it seems no procedure or tooling (for example in ccoctl) is provided to perform this key rotation.
Could you please provide something to ensure that using Azure Workload Identity on OpenShift remains compliant with standard security guidelines (such as NIST)?
- Microsoft Entra Workload ID
- Configuring an Azure cluster to use short-term credentials
- What are managed identities for Azure resources?
3. Why does the customer need this? (List the business requirements here)
Key rotation is an important part of PCI-DSS v4 and NIST rules. To comply with them, an OpenShift administrator must be able to renew/rotate keys.
At any time, only one signing (private) key can be present in the OpenShift cluster, but a JWKS supports multiple public keys. This mechanism allows the signing key to be rotated seamlessly while older keys remain valid for verification for some period of time.
It is a must to be able to rotate the private key on a regular basis (at least once a year) and in a way that is seamless for workloads (no outage; gradually recreating some pods if needed is fine).
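The overlap mechanism described above, as an added Go example that is not part of this request or of ccoctl: the JWKS behind jwks_uri carries the old and new public keys under distinct kid values while the issuer switches private keys, and a relying party (Azure Entra, in this scenario) resolves each token's kid against the set it fetched. Key ids, claims and curve choice are assumptions made for the example (ES256 keeps the code short; the kid lookup is the same for RSA keys).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"strings"
)
// JWK is one RFC 7517 key as a flat map; JWKS is the document served at jwks_uri.
type JWK map[string]string
type JWKS struct{ Keys []JWK `json:"keys"` }
var enc = base64.RawURLEncoding
func be32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }
func bn(s string) *big.Int   { b, _ := enc.DecodeString(s); return new(big.Int).SetBytes(b) }
// PublicJWK publishes the public half of a P-256 signing key under a key id (kid).
func PublicJWK(kid string, priv *ecdsa.PrivateKey) JWK {
	return JWK{"kty": "EC", "crv": "P-256", "use": "sig", "kid": kid,
		"x": enc.EncodeToString(be32(priv.X)), "y": enc.EncodeToString(be32(priv.Y))}
}
// SignES256 issues a compact JWS (header.payload.signature) whose header names the kid.
func SignES256(kid string, priv *ecdsa.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	return input + "." + enc.EncodeToString(append(be32(r), be32(s)...))
}
// Verify resolves the token's kid against the fetched JWKS: while old and new keys are both published either validates; once the old kid is dropped, its tokens fail.
func Verify(token string, set JWKS) bool {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if hj, _ := enc.DecodeString(parts[0]); len(parts) != 3 || json.Unmarshal(hj, &hdr) != nil || hdr.Alg != "ES256" {
		return false
	}
	sig, _ := enc.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	for _, k := range set.Keys {
		if k["kid"] == hdr.Kid && k["kty"] == "EC" && k["crv"] == "P-256" && len(sig) == 64 {
			pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: bn(k["x"]), Y: bn(k["y"])}
			return ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
		}
	}
	return false // kid not published: the key has been rotated out (or never existed)
}
```

The safe order is publish the new public key, wait for relying parties to refresh jwks_uri, switch signing to the new private key, then drop the old kid only after every token it signed has expired.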
4. List any affected packages or components.
CCO
- is related to: RFE-4893 Document the process for rotating service accounts on GCP environments (Under Review)
- is triggering: OCPSTRAT-1727 Signing keys rotation with Openshift Azure Entra Workload ID enabled clusters (In Progress)