Sorry for the late response. No you shouldn't modify this policy, which is used internal for the communication between envoy adapter and Apigee. Is there any specific reason that you need to use HS512? If so, you will need to configure your own endpo...

It is supported. You can follow the existing Hybrid example up to the step where you need to deal with the k8s cluster and start your Envoy and adapter locally. We are working on improving the documentation for this.

In the currently released versions of envoy adapter, the JWT validation is performed by the Envoy's jwt_authn filter, which certainly supports HS512. However, using symmetric encryption means you probably don't want to make the jwks endpoint publicly...