Nomad workload identity with federated clusters

So the documentation still doesn’t mention anything related to this; it’s great that the feature exists, but I still have no clear upgrade path past 1.9 because we’ve been using the “deprecated” way of handling Vault.

So. When setting up the integration for workload identity, if I give Vault the URL to the Nomad JWKS on the authoritative region, does this work for the federated regions as well? Or am I going to have to manually upload the JWKS for every cluster?

Because frankly, if I have to manually manage the JWKS config in Vault and stay on top of it in case keys are rotated, that’s pants-on-head stupid.