OIDC discovery fails in split-horizon deployments (in-cluster pods can't reach public issuer)

[viniciusdc]

Problem

nebi uses a single oidc_issuer_url for both OIDC discovery (fetching .well-known/openid-configuration) and iss-claim validation. In split-horizon deployments the public issuer URL that browsers use is not resolvable from inside the cluster, so OIDC initialization fails on the discovery fetch and loops forever:

"msg":"OIDC initialization retry failed, will try again",
"error":"failed to discover OIDC provider: Get \"https://keycloak.<redacted>/realms/nebari/.well-known/openid-configuration\": dial tcp: lookup keycloak.<redacted>: no such host"

Hit while deploying the nebari-nebi-pack into a private cluster where Keycloak sits behind an external gateway (browsers reach it; in-cluster pods don't). Downstream of nebari-dev/nebari-nebi-pack#13.

Proposed fix

Add an optional oidc_discovery_url (NEBI_AUTH_OIDC_DISCOVERY_URL) that decouples the discovery fetch from iss validation: fetch discovery from the in-cluster URL while still validating iss against the public issuer (via oidc.InsecureIssuerURLContext). Unset = unchanged behavior.

This is the same issuer-vs-discovery split tracked for the gateway layer in nebari-dev/nebari-operator#112; this issue covers nebi's own direct OIDC (CLI device-code flow).