feat: publish k3s service account JWKS #10

Open

xnoto wants to merge 1 commit into main from feat/populate-k3s-oidc-jwks

Conversation

@xnoto xnoto commented Jun 19, 2026

Contributor

Summary

  • replace the placeholder empty JWKS with the current k3s ServiceAccount public signing key
  • update README wording now that the JWKS is populated

Validation

  • fetched only the public JWKS from the k3s API discovery endpoint; did not read or print the private signing key
  • parsed OIDC JSON files with Python json module
  • verified JWKS contains no private JWK fields: d, p, q, dp, dq, qi, oth
  • scanned OIDC files/docs for AWS account/KMS/access-key/private-key identifiers
  • pre-commit run -a

Notes

  • This publishes public key material only. No private signing keys, AWS credentials, KMS IDs, kubeconfigs, or decrypted SOPS values are included.
  • AWS STS web identity still requires the matching tfroot-libvirt k3s issuer config to be applied/restarted and tfroot-aws IAM OIDC trust to be created.
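The "no private JWK fields" step from the Validation list above, as an added example that is not part of the PR or of the repository: a small Python script that parses a JWKS document with the standard `json` module and refuses to accept it if any key carries a private member (the `d`, `p`, `q`, `dp`, `dq`, `qi`, `oth` names the PR lists, plus `k`, the symmetric key value from RFC 7518, added here for completeness), if an RSA key is missing its public members, or if the document is still the empty placeholder. The JWKS documents and key identifiers below are constructed for the example; the `n`, `e` and `d` values are placeholders, not real key material.

```python
import json

# Private JWK members (RFC 7517 / RFC 7518). The PR checks d, p, q, dp, dq, qi and oth;
# "k" (the symmetric key value) is added here so a leaked HMAC secret would also be caught.
PRIVATE_JWK_FIELDS = frozenset({"d", "p", "q", "dp", "dq", "qi", "oth", "k"})

# Members every public RSA JWK needs before a token verifier can use it.
REQUIRED_RSA_PUBLIC_FIELDS = frozenset({"kty", "n", "e"})


def find_private_fields(jwks):
    """Return (kid, field) pairs, sorted per key, for every private member found."""
    findings = []
    for key in jwks.get("keys", []):
        kid = key.get("kid", "<no kid>")
        for field in sorted(PRIVATE_JWK_FIELDS & set(key)):
            findings.append((kid, field))
    return findings


def find_incomplete_rsa_keys(jwks):
    """Return kids of RSA keys that lack a public member (verifiers could not use them)."""
    incomplete = []
    for key in jwks.get("keys", []):
        if key.get("kty") == "RSA" and not REQUIRED_RSA_PUBLIC_FIELDS <= set(key):
            incomplete.append(key.get("kid", "<no kid>"))
    return incomplete


def validate_jwks(jwks):
    """Return (ok, problems); ok is True only when the document is safe and usable to publish."""
    problems = [
        f"key {kid!r} carries private member {field!r}"
        for kid, field in find_private_fields(jwks)
    ]
    problems += [
        f"RSA key {kid!r} lacks one of {sorted(REQUIRED_RSA_PUBLIC_FIELDS)}"
        for kid in find_incomplete_rsa_keys(jwks)
    ]
    if not jwks.get("keys"):
        problems.append("JWKS has no keys (still the placeholder?)")
    return (not problems, problems)


def validate_jwks_text(text):
    """Parse the JWKS JSON text with the json module and validate it."""
    return validate_jwks(json.loads(text))


# Constructed sample documents (placeholder values, not real keys).
PUBLIC_JWKS = {
    "keys": [
        {"use": "sig", "kty": "RSA", "kid": "example-kid-1", "alg": "RS256",
         "n": "placeholder-modulus-not-a-real-key", "e": "AQAB"},
    ]
}
LEAKED_JWKS = {
    "keys": [
        PUBLIC_JWKS["keys"][0],
        {"use": "sig", "kty": "RSA", "kid": "example-kid-2", "alg": "RS256",
         "n": "placeholder-modulus-not-a-real-key", "e": "AQAB",
         "d": "placeholder-private-exponent", "p": "placeholder-prime-1"},
    ]
}
EMPTY_JWKS = {"keys": []}

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_JWKS), ("leaked", LEAKED_JWKS), ("empty", EMPTY_JWKS)):
        ok, problems = validate_jwks(doc)
        print(f"{name}: {'OK' if ok else 'REJECT'}", *problems, sep="\n  ")
```

Running it on a real file is `validate_jwks_text(open(path).read())`; wiring it into a pre-commit hook that exits non-zero on `ok == False` keeps a private key from ever reaching the repository, rather than relying on a manual scan at review time.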
