Publicly verifiable OIDC issuer for workload tokens
Svante Bengtson
We have customers whose object storage / other services we need to integrate with, and would prefer being able to do so with OIDC workload identity rather than storing credentials for their cloud providers with keys that need rotating.
Azure, for example, offers https://azure.github.io/azure-workload-identity/docs/introduction.html which we can run in our cluster, but that requires being able to set flags on kube-apiserver and kube-controller-manager so that it signs workload tokens with a key we control: https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/configurations.html
However, I would much rather see this be a standard feature, with tokens issued by something like https://cloud.digitalocean.com, or say https://doks.digitalocean.com/<clusterid> with a https://doks.digitalocean.com/<clusterid>/.well-known/openid-configuration that could be used for all external workload identity needs.
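The flow the post is asking for, as an added example (not from the post, and not DigitalOcean's, Azure's or Kubernetes' code): a toy cluster-scoped issuer that serves `/.well-known/openid-configuration` and a JWKS, mints an RS256 token for a service account, and the verifier a customer's service would run against it. Everything below is assumed for illustration: a single signing key under kid `k1`, the JWKS served at `<issuer>/keys`, PKCS#1 v1.5 RS256 signatures, and `aud` as a single string. The verifier only follows `iss` to issuers on its own allow-list, so a forged `iss` cannot point discovery at a host the attacker controls.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Issuer is a toy cluster-scoped OIDC issuer. Hypothetical layout: one RSA
// signing key, published under kid "k1" at <issuer>/keys.
type Issuer struct {
	URL string
	key *rsa.PrivateKey
	srv *httptest.Server
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewIssuer starts a local server exposing the discovery document and the JWKS.
func NewIssuer() (*Issuer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	is := &Issuer{key: key}
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(map[string]any{
			"issuer": is.URL, "jwks_uri": is.URL + "/keys",
			"id_token_signing_alg_values_supported": []string{"RS256"},
		})
	})
	mux.HandleFunc("/keys", func(w http.ResponseWriter, _ *http.Request) {
		pub := key.PublicKey
		json.NewEncoder(w).Encode(map[string]any{"keys": []map[string]string{{
			"kty": "RSA", "kid": "k1", "alg": "RS256", "use": "sig",
			"n": b64(pub.N.Bytes()), "e": b64(big.NewInt(int64(pub.E)).Bytes()),
		}}})
	})
	is.srv = httptest.NewServer(mux)
	is.URL = is.srv.URL // iss claim and discovery "issuer" must match this exactly
	return is, nil
}

func (is *Issuer) Close() { is.srv.Close() }

// Mint signs a projected-service-account-style RS256 token bound to one audience.
func (is *Issuer) Mint(sub, aud string, ttl time.Duration) (string, error) {
	now := time.Now()
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "k1"})
	claims, _ := json.Marshal(map[string]any{
		"iss": is.URL, "sub": sub, "aud": aud, "iat": now.Unix(), "exp": now.Add(ttl).Unix(),
	})
	input := b64(hdr) + "." + b64(claims)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, is.key, crypto.SHA256, h[:])
	if err != nil { return "", err }
	return input + "." + b64(sig), nil
}

func getJSON(url string, v any) error {
	resp, err := http.Get(url)
	if err != nil { return err }
	defer resp.Body.Close()
	return json.NewDecoder(resp.Body).Decode(v)
}

func decodeSeg(s string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil { return err }
	return json.Unmarshal(b, v)
}

// Verify is the relying-party side (the customer's service). It reads the still
// unverified iss claim, refuses issuers not on the allow-list, fetches that
// issuer's discovery document and JWKS, checks the signature with the key named
// by kid, and only then trusts the claims enough to check aud and exp.
func Verify(token string, trusted map[string]bool, expectedAud string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	if err := decodeSeg(parts[0], &hdr); err != nil { return nil, err }
	if err := decodeSeg(parts[1], &claims); err != nil { return nil, err }
	if hdr.Alg != "RS256" { return nil, errors.New("unsupported alg") } // never let the token choose "none"/HS256
	iss, _ := claims["iss"].(string)
	if !trusted[iss] { return nil, errors.New("untrusted issuer") }
	var disc struct {
		Issuer  string `json:"issuer"`
		JwksURI string `json:"jwks_uri"`
	}
	if err := getJSON(iss+"/.well-known/openid-configuration", &disc); err != nil { return nil, err }
	if disc.Issuer != iss { return nil, errors.New("discovery issuer mismatch") }
	var jwks struct{ Keys []struct{ Kid, N, E string } }
	if err := getJSON(disc.JwksURI, &jwks); err != nil { return nil, err }
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid {
			n, _ := base64.RawURLEncoding.DecodeString(k.N)
			e, _ := base64.RawURLEncoding.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil { return nil, errors.New("unknown kid") }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return nil, err }
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil { return nil, errors.New("bad signature") }
	if aud, _ := claims["aud"].(string); aud != expectedAud { return nil, errors.New("audience mismatch") } // single-string aud only (simplification)
	if exp, _ := claims["exp"].(float64); time.Now().Unix() >= int64(exp) { return nil, errors.New("token expired") }
	return claims, nil
}

func main() {
	is, err := NewIssuer()
	if err != nil { panic(err) }
	defer is.Close()
	tok, _ := is.Mint("system:serviceaccount:prod:uploader", "https://storage.example.com", time.Minute)
	claims, err := Verify(tok, map[string]bool{is.URL: true}, "https://storage.example.com")
	fmt.Println(claims["sub"], err)
}
```

The allow-list of issuers is the piece that makes the design in the post work for a customer: they pin `https://doks.digitalocean.com/<clusterid>` (or whatever the real issuer URL turns out to be) for exactly the clusters they federate with, and every other step (key discovery, rotation via new `kid`s in the JWKS) needs no shared secret on either side.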