feat: expose admin APIs behind OIDC auth_request

Adds pingora routes for id, hydra, search, vault subdomains.
Each gated by auth_request to Hydra userinfo — only valid SSO
bearer tokens pass through. Adds new SANs to the TLS certificate.

base/ingress/pingora-config.yaml

@@ -21,13 +21,13 @@ data:
     key_path  = "/etc/tls/tls.key"
 
     [telemetry]
-    # Rollout plan for OTLP tracing:
-    #   1. Deploy proxy build that includes the graceful telemetry init
-    #      (proxy/src/telemetry.rs — no longer panics on exporter failure)
-    #   2. Verify Alloy is running:
-    #        kubectl -n monitoring get pods -l app.kubernetes.io/name=alloy
-    #   3. Uncomment the line below:
-    #   otlp_endpoint = "http://alloy.monitoring.svc.cluster.local:4318"
+    # OTLP traces → Alloy → Tempo. Requires proxy build with the
+    # dedicated Tokio runtime in telemetry::init(). To enable:
+    #   1. sunbeam build proxy --push
+    #   2. sunbeam k8s exec on server: sudo crictl pull src.sunbeam.pt/studio/proxy:latest
+    #      (pull the new image WHILE Pingora is still running the old one)
+    #   3. Set otlp_endpoint below and sunbeam apply ingress
+    # NEVER delete the cached image — Pingora gates the registry.
     otlp_endpoint = ""
     metrics_port  = 9090
 
@@ -288,6 +288,50 @@ data:
     host_prefix = "s3"
     backend     = "http://seaweedfs-filer.storage.svc.cluster.local:8333"
 
+    # Admin APIs — gated behind OIDC auth_request (Hydra userinfo validates the SSO bearer token).
+    # CLI passes the token from `sunbeam auth sso` as Authorization: Bearer.
+
+    # Kratos admin API (identity, session, recovery, schema, courier management).
+    [[routes]]
+    host_prefix = "id"
+    backend     = "http://kratos-admin.ory.svc.cluster.local:80"
+
+      [[routes.paths]]
+      prefix       = "/"
+      backend      = "http://kratos-admin.ory.svc.cluster.local:80"
+      auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
+
+    # Hydra admin API (OAuth2 client, JWK, issuer, token management).
+    # Exposed as a path under auth.{domain} alongside the existing public endpoints.
+    [[routes]]
+    host_prefix = "hydra"
+    backend     = "http://hydra-admin.ory.svc.cluster.local:4445"
+
+      [[routes.paths]]
+      prefix       = "/"
+      backend      = "http://hydra-admin.ory.svc.cluster.local:4445"
+      auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
+
+    # OpenSearch admin API (document, index, cluster management).
+    [[routes]]
+    host_prefix = "search"
+    backend     = "http://opensearch.data.svc.cluster.local:9200"
+
+      [[routes.paths]]
+      prefix       = "/"
+      backend      = "http://opensearch.data.svc.cluster.local:9200"
+      auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
+
+    # OpenBao/Vault API (secrets, policies, auth management).
+    [[routes]]
+    host_prefix = "vault"
+    backend     = "http://openbao.data.svc.cluster.local:8200"
+
+      [[routes.paths]]
+      prefix       = "/"
+      backend      = "http://openbao.data.svc.cluster.local:8200"
+      auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"
+
     # SSH TCP passthrough: port 22 → Gitea SSH pod (headless service → pod:2222).
     [ssh]
     listen  = "0.0.0.0:22"

overlays/production/cert-manager.yaml

@@ -72,3 +72,8 @@ spec:
     - livekit.DOMAIN_SUFFIX
     - cal.DOMAIN_SUFFIX
     - projects.DOMAIN_SUFFIX
+    - id.DOMAIN_SUFFIX
+    - hydra.DOMAIN_SUFFIX
+    - search.DOMAIN_SUFFIX
+    - vault.DOMAIN_SUFFIX
+    - find.DOMAIN_SUFFIX