This task tracks putting the jaeger-ui web interface behind SSO.
Since we've had success with `oauth2-proxy` to implement stateless OIDC SSO for thanos.w.o we'll be doing the same for trace.wikimedia.org (name TBD, used as placeholder).
The high level I (Filippo) have right now is to do the following:
* trace.w.o is an ingress service, served by k8s-aux ingress
* Ingress talks (within the cluster, and securely) with a trace-specific (i.e. one per ingress service) oauth2-proxy.
* Said oauth2-proxy is deployed with its OIDC secrets, and redirects the user to SSO as required for authentication
** The proxy is also configured as an OIDC client in SSO
* For authenticated requests, oauth2-proxy reverses-proxy (https) to the actual jager ui service
@akosiaris please let me know what do you think of the above!