From 4c02fe18ed3d7ac4170d762155f8610c6db1e7c0 Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite
Date: Tue, 24 Mar 2026 13:58:34 +0000
Subject: [PATCH] fix: use Kratos session auth for observability endpoints
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Observability routes (systemmetrics, systemlogs, systemtracing) use Kratos /sessions/whoami for auth_request — validates browser session cookies scoped to the parent domain. Admin API routes (id, hydra, search, vault) keep Hydra /userinfo for Bearer token auth (CLI access).
---
 base/ingress/pingora-config.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/base/ingress/pingora-config.yaml b/base/ingress/pingora-config.yaml
index 62e0b0b..4a7f532 100644
--- a/base/ingress/pingora-config.yaml
+++ b/base/ingress/pingora-config.yaml
@@ -230,7 +230,7 @@ data:
  [[routes.paths]]
  prefix = "/"
  backend = "http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090"
- auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
+ auth_request = "http://kratos-public.ory.svc.cluster.local/sessions/whoami"

  [[routes]]
  host_prefix = "systemlogs"
@@ -239,7 +239,7 @@ data:
  [[routes.paths]]
  prefix = "/"
  backend = "http://loki-gateway.monitoring.svc.cluster.local:80"
- auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
+ auth_request = "http://kratos-public.ory.svc.cluster.local/sessions/whoami"

  [[routes]]
  host_prefix = "systemtracing"
@@ -248,7 +248,7 @@ data:
  [[routes.paths]]
  prefix = "/"
  backend = "http://tempo.monitoring.svc.cluster.local:3200"
- auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
+ auth_request = "http://kratos-public.ory.svc.cluster.local/sessions/whoami"

  [[routes]]
  host_prefix = "livekit"
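Review bot: The new `auth_request` target on the systemmetrics route, and identically on the systemlogs and systemtracing hunks, only proves that the caller holds some valid Kratos session. `/sessions/whoami` succeeds for any logged-in identity, so unless the proxy inspects the returned identity or registration is closed (neither is visible in this diff), every account that can sign in can read Prometheus, Loki and Tempo. The check is now cookie-based with the cookie scoped to the parent domain, and each route still forwards `prefix = "/"`, so any write or admin endpoints those backends expose are reachable by browser requests carrying that cookie. It would be worth narrowing the prefixes to the read paths the dashboards need, and confirming whether the session cookie is stripped before the request is proxied upstream. At minimum I would record the assumption beside each changed line: `# auth_request: any valid Kratos session passes; authorization relies on who can obtain a session`.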