investigate signing key rotationDocument the manual steps (e.g. via KC admin console) - We'll probably use this for phase 4Document the API calls needed to configure this - We'll probably use this eventually via the tenant attribute mechanismadjustments on the client (sidecar) side?implementation of mgr-tenants -> keycloak interactionsDoes keycloak have this ability OOTB?  If so, how should it be configured?Which components need this information? (is it only Sidecars and Keycloak?)How do the components get the latest signing key?  How often?  How should this be configured (env variable?  config entry in mod-configuration/settings, etc?)See https://www.keycloak.org/docs/latest/server_admin/#realm_keys - I think it's relevantclient secret rotation is out of scope for this story.