Currently this routes to doorkeeper/openid_connect/discovery#keys, but
we are going to use it instead of using the existing
`/oauth/discovery/keys` directly. This way if we decide to move away
from the controller provided by `doorkeeper-openid_connect` we can do it
without disrupting any third parties using this endpoint.

Update docs to clarify that the signing key for CI_JOB_JWT may change
without any notice.