Currently the `example` kustomize for Kubeflow is using the setup for `kind` and `vcluster`, which contains logic for configuring m2m tokens with the self-signed OIDC Issuer served in-cluster behind the Kubernetes API. This configuration logic depends on a K8s Job that will get the JWKS and embed it in the `RequestAuthentication` called `m2m-token-issuer`.

This embedding of JWKS is volatile because of two points:

- a user can accidentally overwrite the `RequestAuthentication`, rendering the setup not usable
- the JWKS can change and this also has to be covered

The alternative is to embed the Kubernetes CA in the Istio container, but this is even more tricky:
@kromanow94 Yes, that sounds reasonable. Just make sure that the `imagePullPolicy` is `IfNotPresent` and the resource is only changed if needed. So `kubectl apply` instead of `kubectl delete` and create. The documentation must be updated as well.
Todo
Change the Job to CronJob and make it run every 5 minutes.
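
An added example (not code from the Kubeflow manifests) of a script the CronJob's container could run every 5 minutes, so that the `RequestAuthentication` is only changed when the JWKS served by the API server differs from the embedded one. The `istio-system` namespace default, the `run` argument and the script name are assumptions; the example updates the single `jwks` field in place with `kubectl patch` instead of deleting and recreating the resource.

```shell
#!/bin/sh
# Added example: keep the embedded JWKS in sync without rewriting it needlessly.
# Assumed, not taken from the issue: the namespace default and the "run" argument.
NAMESPACE="${NAMESPACE:-istio-system}"   # assumption: where the resource lives
RA_NAME="${RA_NAME:-m2m-token-issuer}"   # RequestAuthentication named in the issue

# Drop whitespace so formatting differences are not treated as a key change
# (assumes JWKS string values, being base64url, contain no spaces).
normalize() { printf '%s' "$1" | tr -d ' \t\r\n'; }

# Accept only a compact JWKS with at least one key; an empty or error response
# embedded into the RequestAuthentication would reject every m2m token.
looks_like_jwks() {
  case "$1" in
    '{"keys":[{'*'}]}') return 0 ;;
  esac
  return 1
}

# Escape backslashes and double quotes so the JWKS can sit inside a JSON string.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Prints "unchanged" or "updated"; returns non-zero without touching the
# resource when the fetch or the validation fails.
sync_jwks() {
  new=$(kubectl get --raw /openid/v1/jwks) || { echo "JWKS fetch failed" >&2; return 2; }
  new=$(normalize "$new")
  looks_like_jwks "$new" || { echo "unexpected JWKS response" >&2; return 2; }

  # If the resource or its first rule is missing, current stays empty and the
  # patch below fails, so the CronJob run is reported as failed.
  current=$(kubectl -n "$NAMESPACE" get requestauthentication "$RA_NAME" \
    -o 'jsonpath={.spec.jwtRules[0].jwks}' 2>/dev/null) || current=""
  if [ "$(normalize "$current")" = "$new" ]; then
    echo "unchanged"
    return 0
  fi

  patch=$(printf '[{"op":"add","path":"/spec/jwtRules/0/jwks","value":"%s"}]' \
    "$(json_escape "$new")")
  kubectl -n "$NAMESPACE" patch requestauthentication "$RA_NAME" \
    --type=json -p "$patch" >/dev/null || { echo "patch failed" >&2; return 2; }
  echo "updated"
}

# Entry point for the CronJob container: sh sync-jwks.sh run
if [ "${1:-}" = "run" ]; then sync_jwks; fi
```

The CronJob's service account needs permission to read `/openid/v1/jwks` and to get and patch the `RequestAuthentication`.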