fix(auth): use discovery doc issuer instead of normalized URL

The auth middleware stripped trailing slashes from the issuer URL,
but Authentik's JWT includes the trailing slash. Use the issuer
from the OIDC discovery document directly since that matches what
Authentik puts in the iss claim.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hwcopeland

rke2/chem/compute-infrastructure/k8s-jobs/controller/auth.go

@@ -101,6 +101,12 @@ func NewAuthMiddleware(issuerURL string) (*AuthMiddleware, error) {
 		"::1/128",      // IPv6 loopback
 	})
 
+	// Use the issuer from the discovery document (not our input) since
+	// that's exactly what Authentik puts in the JWT's iss claim.
+	if disc.Issuer != "" {
+		issuerURL = disc.Issuer
+	}
+
 	am := &AuthMiddleware{
 		jwks:      jwks,
 		issuerURL: issuerURL,