Feature Request
Resolution: Unresolved
Product / Portfolio Work
Current behavior: During GCP Workload Identity Federation (WIF) setup for OCP via ccoctl, the cluster’s OIDC public keys are published to a GCS bucket. The WIF pool/provider then references the bucket to obtain keys, supporting cases where the cluster issuer may be unreachable.
Problem: Enterprise org policies often restrict creating public GCS buckets or relaxing storage policies. Customers must loosen controls solely to host OIDC keys, which they already have locally and do not need OCP to fetch.
Capability gap: GCP WIF supports configuring a provider by directly supplying provider keys (embedding JWKS/PEM) instead of referencing a public bucket. OCP does not currently use this capability.
Proposal: Enhance ccoctl/installer flow for GCP WIF so that, when adding/configuring the OIDC provider in the WIF pool, OCP uploads/embeds the provider keys directly (no GCS bucket). This should continue to support disconnected/unreachable cluster scenarios without requiring storage policy changes.
Benefits:
- Eliminates public GCS bucket requirement and associated policy exceptions.
- Reduces operational and security overhead for customers.
- Works in disconnected/unreachable issuer cases by embedding keys with the provider.
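As an added example (not ccoctl's or the installer's code; the file paths, pool/provider names and sample JWKS are constructed), a Python sketch of the proposed flow: filter the locally held cluster JWKS down to keys WIF can use, confirm a projected token's kid is covered, and build the gcloud call that embeds the keys with --jwk-json-path instead of referencing a GCS bucket.

```python
import base64
import json

# Constructed sample JWKS in the shape an OCP cluster's issuer serves; the
# modulus is a dummy value, not a real cluster key. The second key is
# deliberately unusable so the filter below has something to reject.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "abc123",
     "n": base64.urlsafe_b64encode(b"\x01" * 256).rstrip(b"=").decode(), "e": "AQAB"},
    {"kty": "EC", "kid": "bad-key", "crv": "P-256"},
]})

def _b64url(segment: str) -> bytes:
    """Decode unpadded base64url as used by JWK fields and JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def header_segment(kid: str) -> str:
    """Constructed helper: build a JWT header segment so the kid check can be demonstrated."""
    return base64.urlsafe_b64encode(json.dumps({"alg": "RS256", "kid": kid}).encode()).rstrip(b"=").decode()

def select_embeddable_keys(jwks_json: str) -> list:
    """Keep only RSA signing keys with a kid and decodable n/e: these are what WIF
    will use to verify the cluster's RS256 service-account tokens."""
    good = []
    for k in json.loads(jwks_json).get("keys", []):
        if k.get("kty") != "RSA" or k.get("use", "sig") != "sig" or not k.get("kid"):
            continue
        try:
            _b64url(k["n"])
            _b64url(k["e"])
        except (KeyError, ValueError, TypeError):
            continue
        good.append(k)
    return good

def token_kid_is_covered(token: str, keys: list) -> bool:
    """Cross-check before embedding: the kid in a projected service-account token's
    header must be present in the key set, otherwise WIF rejects every exchange."""
    header = json.loads(_b64url(token.split(".")[0]))
    return header.get("kid") in {k["kid"] for k in keys}

def provider_create_argv(pool: str, provider: str, issuer_uri: str, jwk_path: str) -> list:
    """gcloud call that embeds the keys via --jwk-json-path instead of pointing WIF at a
    public bucket. Embedded keys are static: update the provider with the new JWKS
    whenever the cluster rotates its signing key, since GCP will not fetch from the issuer."""
    return ["gcloud", "iam", "workload-identity-pools", "providers", "create-oidc", provider,
            "--location=global", f"--workload-identity-pool={pool}",
            f"--issuer-uri={issuer_uri}", f"--jwk-json-path={jwk_path}",
            "--attribute-mapping=google.subject=assertion.sub"]
```

The issuer URI must still equal the iss claim the cluster puts in its tokens; only the key source changes.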