This task tracks putting the jaeger-ui web interface behind SSO.
Since we've had success with `oauth2-proxy` to implement stateless OIDC SSO for thanos.w.o, we'll be doing the same for trace.wikimedia.org (name TBD, used as placeholder).
The high-level plan I (Filippo) have right now is to do the following:
* trace.w.o is an ingress service, served by k8s-aux ingress
* Ingress talks (within the cluster, and securely) to the oauth2-proxy sidecar within the jaeger-query pod
* Said oauth2-proxy is deployed with its OIDC secrets, and redirects the user to SSO as required for authentication
** The proxy is also configured as an OIDC client in SSO
* For authenticated requests, oauth2-proxy reverse-proxies (https or http) to the actual jaeger query/ui
Upstream's jaeger chart already has support for an oauth2-proxy sidecar; we'll have to change its image and make sure it is compatible with our image.
@fgiunchedi and @akosiaris brainstormed a bit on this and since most/all pieces are in place already via ingress + jaeger chart, the idea so far is not to go through the service mesh. Therefore the request path from the internet will look like the following:
`client <-- tls --> cdn <-- tls --> ingress <-- tls --> oauth2-proxy <-- http or tls? --> jaeger-query`
`internet prod k8s network jaeger pod jaeger pod`
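
A sketch of the sidecar configuration the plan above implies, as an added example (not the task author's or the chart's actual config). The issuer URL, client id, listen port, certificate paths and the jaeger-query port (16686, Jaeger's default UI port) are assumptions or placeholders, and plain HTTP over loopback is assumed for the last hop, which the task leaves open.

```toml
# Added example: oauth2-proxy sidecar config for the jaeger-query pod.
# Hostnames, ports, paths and the client id below are placeholders/assumptions.

# --- OIDC client registered in SSO ---
provider        = "oidc"
oidc_issuer_url = "https://sso.example.org/oidc"      # placeholder issuer
client_id       = "jaeger-ui-placeholder"             # placeholder client id
# client_secret and cookie_secret are deliberately not in this file:
# inject them from a Kubernetes Secret as OAUTH2_PROXY_CLIENT_SECRET
# and OAUTH2_PROXY_COOKIE_SECRET.

# Must match the redirect URI registered for the client in SSO.
redirect_url = "https://trace.wikimedia.org/oauth2/callback"

# --- ingress -> oauth2-proxy hop (TLS inside the cluster) ---
https_address = ":4180"                               # assumed listen port
tls_cert_file = "/etc/oauth2-proxy/tls/tls.crt"       # placeholder path
tls_key_file  = "/etc/oauth2-proxy/tls/tls.key"       # placeholder path

# The ingress sits in front of the proxy, so X-Forwarded-* headers are
# trusted. Only enable this if nothing but the ingress can reach :4180.
reverse_proxy = true

# --- stateless sessions: everything lives in an encrypted cookie ---
session_store_type = "cookie"
cookie_secure      = true
cookie_httponly    = true
cookie_samesite    = "lax"

# --- oauth2-proxy -> jaeger-query hop (same pod, shared network namespace) ---
# Assumption: jaeger-query listens on loopback only, so the UI cannot be
# reached from the cluster network without passing through the proxy.
upstreams = [ "http://127.0.0.1:16686/" ]

# Authorization is left to SSO; accept any authenticated identity here.
email_domains        = [ "*" ]
skip_provider_button = true
```

With `reverse_proxy = true`, restrict access to the sidecar port (for example with a NetworkPolicy admitting only the ingress), since any other in-cluster client could otherwise supply its own forwarded headers.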