We have added health check to individual jwt authenticators as part of implementing structured authentication config reload. This health check confirms the provider in the authenticator has successfully initialized (fetched the discovery doc). We should extend this health check to also get the /jwks endpoint to confirm the authenticator is actually working because without it, authenticate token requests will actually fail. This stricter health check can be enabled behind a feature gate.

/readyz instead of /healthz since restarting the API server won't fix the jwt authenticator.

/assign
/sig auth
/milestone v1.35
/triage accepted
/kind feature
/cc @enj