The JWT plugin performs outbound HTTPS traffic to Identity Provider (IdP) to fetch signing keys. If that IdP has a custom SSL certificate not signed by any of the root certs shipping with Java, then we need to add its certificate to Jetty/Java's TrustStore to tell Solr that it should trust the self-signed cert of the IdP.
In the k8s world it is quite common to terminate SSL in a mesh network outside applications or in the ingress controller. This won't work with the use case discussed above, since Jetty's TrustStore is not enabled at all when Solr is running in non-SSL mode.
The proposal is to let JWT manage its own TrustStore by configuration.