Authentication for Jaeger

Since we cannot iframe or proxy Jaeger without security concerns, we need to have a more standard way of exposing Jaeger to users when deployed to Kubernetes.

There are two requirements for this:

  1. Let's Encrypt SSL via cert-manager - https://gitlab.com/gitlab-org/gitlab-ce/issues/40635
  2. Authentication

Ideally we would provide a service in front of Jaeger, for example by leveraging something like oauth2_proxy, to handle authentication and authorization at a project or group level.

Unfortunately, GitLab's OAuth framework does not do a good job of providing the information necessary to filter on project/group data: https://gitlab.com/gitlab-org/gitlab-ce/issues/45274. Essentially it is up to the OAuth implementation to then make calls to the GitLab API to decide whether to let a user in or not. GitHub passes this org info directly in the OAuth data, making it much easier.

There are two general paths forward:

  1. Enhance an OAuth2 reverse proxy solution, like oauth2_proxy or NGINX Ingress' built-in service, to restrict access to whitelisted projects/groups.
  2. Contribute an OAuth layer to Jaeger: https://github.com/jaegertracing/jaeger/issues/218#issuecomment-421413971

The easiest solution seems to be the oauth2 sidecar/proxy; when we go to implement this, however, we should verify that this is still the case.
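To illustrate the gap described above (the OAuth token alone carries no project/group information, so the proxy has to ask the GitLab API before admitting a user), here is an added example of the authorization step such a sidecar would run after login. It is not code from oauth2_proxy, Jaeger or GitLab; the GitLab base URL, the token values and the API responses in `FAKE_API` are constructed for an offline demonstration, while the `/user` and `/projects/:id/members/all/:user_id` endpoints are the public GitLab v4 API.

```python
"""Project-membership check a GitLab-aware OAuth2 proxy would run after login."""
import json
import urllib.error
import urllib.request

GITLAB = "https://gitlab.example.com"  # assumed GitLab base URL
# GitLab access levels: 10 guest, 20 reporter, 30 developer, 40 maintainer, 50 owner
DEVELOPER = 30


def api_get(path, token):
    """GET a GitLab v4 API path with the user's OAuth token; None on 403/404."""
    req = urllib.request.Request(GITLAB + "/api/v4" + path,
                                 headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        if e.code in (403, 404):
            return None
        raise


def is_authorized(token, allowed_projects, min_level=DEVELOPER, get=api_get):
    """Admit only users holding min_level or higher on a whitelisted project.

    `get` is injectable so the decision logic can be exercised without network.
    """
    me = get("/user", token)
    if not me:  # invalid or expired token: deny
        return False
    for pid in allowed_projects:
        # members/all also covers membership inherited from parent groups
        member = get(f"/projects/{pid}/members/all/{me['id']}", token)
        if member and member.get("access_level", 0) >= min_level:
            return True
    return False


# Constructed sample responses standing in for the GitLab API (offline demo)
FAKE_API = {
    ("good-token", "/user"): {"id": 5, "username": "alice"},
    ("good-token", "/projects/42/members/all/5"): {"id": 5, "access_level": 30},
}


def fake_get(path, token):
    return FAKE_API.get((token, path))


if __name__ == "__main__":
    print(is_authorized("good-token", [42], get=fake_get))  # True
```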

Edited Nov 20, 2018 by silv