From a912331f9753ba0a84556f1678cce02a5f3121ed Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite <sienna@sunbeam.pt>
Date: Wed, 25 Mar 2026 18:01:52 +0000
Subject: [PATCH] feat: CNPG PodMonitor, OpenBao ServiceMonitor, CLI OIDC
 client CRD

- CNPG PodMonitor for PostgreSQL cluster metrics
- OpenBao ServiceMonitor for vault metrics scraping
- Sunbeam CLI OAuth2Client CRD (moved from seed to declarative)
---
 base/data/cnpg-podmonitor.yaml        | 14 ++++++++++++++
 base/data/openbao-servicemonitor.yaml | 26 ++++++++++++++++++++++++++
 base/ory/oidc-client-cli.yaml         | 26 ++++++++++++++++++++++++++
 3 files changed, 66 insertions(+)
 create mode 100644 base/data/cnpg-podmonitor.yaml
 create mode 100644 base/data/openbao-servicemonitor.yaml
 create mode 100644 base/ory/oidc-client-cli.yaml

diff --git a/base/data/cnpg-podmonitor.yaml b/base/data/cnpg-podmonitor.yaml
new file mode 100644
index 0000000..796e310
--- /dev/null
+++ b/base/data/cnpg-podmonitor.yaml
@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: cnpg-postgres
+  namespace: data
+  labels:
+    release: kube-prometheus-stack
+spec:
+  selector:
+    matchLabels:
+      cnpg.io/cluster: postgres
+  podMetricsEndpoints:
+    - port: metrics
+      interval: 30s
diff --git a/base/data/openbao-servicemonitor.yaml b/base/data/openbao-servicemonitor.yaml
new file mode 100644
index 0000000..3ab0ea2
--- /dev/null
+++ b/base/data/openbao-servicemonitor.yaml
@@ -0,0 +1,26 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: openbao
+  namespace: data
+  labels:
+    release: kube-prometheus-stack
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: openbao
+      app.kubernetes.io/instance: openbao
+    matchExpressions:
+      - key: openbao-internal
+        operator: DoesNotExist
+  endpoints:
+    - port: http
+      interval: 30s
+      path: /v1/sys/metrics
+      params:
+        format: ["prometheus"]
+      authorization:
+        type: Bearer
+        credentials:
+          name: openbao-keys
+          key: root-token
diff --git a/base/ory/oidc-client-cli.yaml b/base/ory/oidc-client-cli.yaml
new file mode 100644
index 0000000..8b4fe73
--- /dev/null
+++ b/base/ory/oidc-client-cli.yaml
@@ -0,0 +1,26 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: sunbeam-cli
+  namespace: ory
+spec:
+  clientName: Sunbeam CLI
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  scope: openid email profile offline_access
+  tokenEndpointAuthMethod: none
+  redirectUris:
+    - http://localhost:9876/callback
+    - http://localhost:9877/callback
+    - http://localhost:9878/callback
+    - http://localhost:9879/callback
+    - http://localhost:9880/callback
+    - http://127.0.0.1:9876/callback
+    - http://127.0.0.1:9877/callback
+    - http://127.0.0.1:9878/callback
+    - http://127.0.0.1:9879/callback
+    - http://127.0.0.1:9880/callback
+  secretName: oidc-sunbeam-cli