feat: CNPG PodMonitor, OpenBao ServiceMonitor, CLI OIDC client CRD

- CNPG PodMonitor for PostgreSQL cluster metrics
- OpenBao ServiceMonitor for vault metrics scraping
- Sunbeam CLI OAuth2Client CRD (moved from seed to declarative)

base/data/cnpg-podmonitor.yaml

@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: cnpg-postgres
+  namespace: data
+  labels:
+    release: kube-prometheus-stack
+spec:
+  selector:
+    matchLabels:
+      cnpg.io/cluster: postgres
+  podMetricsEndpoints:
+    - port: metrics
+      interval: 30s

base/data/openbao-servicemonitor.yaml

@@ -0,0 +1,26 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: openbao
+  namespace: data
+  labels:
+    release: kube-prometheus-stack
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: openbao
+      app.kubernetes.io/instance: openbao
+    matchExpressions:
+      - key: openbao-internal
+        operator: DoesNotExist
+  endpoints:
+    - port: http
+      interval: 30s
+      path: /v1/sys/metrics
+      params:
+        format: ["prometheus"]
+      authorization:
+        type: Bearer
+        credentials:
+          name: openbao-keys
+          key: root-token

base/ory/oidc-client-cli.yaml

@@ -0,0 +1,26 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: sunbeam-cli
+  namespace: ory
+spec:
+  clientName: Sunbeam CLI
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  scope: openid email profile offline_access
+  tokenEndpointAuthMethod: none
+  redirectUris:
+    - http://localhost:9876/callback
+    - http://localhost:9877/callback
+    - http://localhost:9878/callback
+    - http://localhost:9879/callback
+    - http://localhost:9880/callback
+    - http://127.0.0.1:9876/callback
+    - http://127.0.0.1:9877/callback
+    - http://127.0.0.1:9878/callback
+    - http://127.0.0.1:9879/callback
+    - http://127.0.0.1:9880/callback
+  secretName: oidc-sunbeam-cli