fix: lazily create OIDC Issuer to support Kubernetes tokens

[SequeI]

Summary

Issuer was created early in __init__, fetching OIDC discovery config. Kubernetes OIDC providers lack authorization_endpoint/token_endpoint, causing failures even when identity_token was provided directly.

Signing failed with error: OIDC issuer returned invalid configuration: 2 validation errors for _OpenIDConfiguration
authorization_endpoint
  Field required [type=missing, input_value={'issuer': 'https://rh-oi/...', 'iat', 'iss', 'sub']}, input_type=dict]
    For further information visit https://errors.pydantic.dev/2.12/v/missing
token_endpoint
  Field required [type=missing, input_value={'issuer': 'https://rh-oi/...', 'iat', 'iss', 'sub']}, input_type=dict]
    For further information visit https://errors.pydantic.dev/2.12/v/missing

Now Issuer is only created when OAuth flow is needed, after FIRST checking if OIDC token was supplied directly via args, or env.

Checklist

• All commits are signed-off, using DCO
• All new code has docstrings and type annotations
• All new code is covered by tests. Aim for at least 90% coverage. CI is configured to highlight lines not covered by tests.
• Public facing changes are paired with documentation changes
• Release note has been added to CHANGELOG.md if needed

[spencerschrock]

Switching this to lazy init seems fine to me, one question though

[spencerschrock]

Any idea how heavy this is as it fetches "an OpenID Connect configuration file, which is then used to bootstrap the issuer's state"

We were previously storing this issuer after creation, and now it gets reinitialized every call to _get_identity_token

[SequeI]

Good point, did not think of this. Fixed to cache Issuer object

[spencerschrock]

Thank you!