homelab/manifests/authentik/authentik-middleware.yaml


# Apply: kubectl apply -f manifests/authentik/authentik-middleware.yaml
# Delete: kubectl delete -f manifests/authentik/authentik-middleware.yaml
# Description: Traefik forwardAuth middleware for Authentik and LAN bypass IP allowlist.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: authentik-auth
  namespace: authentik
spec:
  # Delegates the allow/deny decision for each request to the Authentik
  # proxy outpost reachable at the address below.
  forwardAuth:
    # Plain-HTTP call to the outpost Service through its in-cluster DNS name.
    address: 'http://authentik-proxy-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik'
    # Existing X-Forwarded-* headers on the incoming request are trusted and
    # handed to the outpost as received.
    # NOTE(review): this is only sound if nothing untrusted can reach Traefik
    # with its own X-Forwarded-* values - confirm against the entrypoint's
    # forwarded-header settings and whatever proxy sits in front of it.
    trustForwardHeader: true
    # Only the request headers listed here are copied into the auth request.
    authRequestHeaders:
      - Cookie
      - X-Forwarded-Host
      - X-Forwarded-Proto
      - X-Forwarded-Uri
      - X-Forwarded-For
    # Headers copied from the outpost's response onto the request forwarded
    # to the backend. They carry identity data (username, groups, e-mail,
    # JWT), so a backend should rely on them only for traffic that passed
    # through this middleware.
    # NOTE(review): confirm backends are not reachable on a path that skips
    # Traefik, where a client could supply these headers itself.
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: lan-bypass
  namespace: authentik
spec:
  # Admits only requests whose client address falls inside sourceRange and
  # rejects the rest; it performs no authentication of its own.
  # NOTE(review): no ipStrategy is set, so the match is made on the remote
  # address of the connection as Traefik sees it. If the Service in front of
  # Traefik does not preserve client source IPs, requests may all appear to
  # come from a node or pod address - confirm which address Traefik observes
  # before using this range to skip the Authentik check on a route.
  ipAllowList:
    sourceRange:
      - '192.168.7.0/24'