From 0a35894502e725de67a7160a654a77f959edc27d Mon Sep 17 00:00:00 2001
From: gitea-bot <gitea-bot@alexlebens.net>
Date: Wed, 25 Feb 2026 22:29:06 +0000
Subject: [PATCH] Automated Manifest Update (#4239)

This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4239
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
---
 .../sonarr-4k/HTTPRoute-sonarr-4k.yaml        |  6 +++++
 .../Middleware-oidc-forward-auth.yaml         | 26 +++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 clusters/cl01tl/manifests/sonarr-4k/Middleware-oidc-forward-auth.yaml

diff --git a/clusters/cl01tl/manifests/sonarr-4k/HTTPRoute-sonarr-4k.yaml b/clusters/cl01tl/manifests/sonarr-4k/HTTPRoute-sonarr-4k.yaml
index 32e70244b..b69fd9779 100644
--- a/clusters/cl01tl/manifests/sonarr-4k/HTTPRoute-sonarr-4k.yaml
+++ b/clusters/cl01tl/manifests/sonarr-4k/HTTPRoute-sonarr-4k.yaml
@@ -28,3 +28,9 @@ spec:
         - path:
             type: PathPrefix
             value: /
+      filters:
+        - extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: oidc-forward-auth
+          type: ExtensionRef
diff --git a/clusters/cl01tl/manifests/sonarr-4k/Middleware-oidc-forward-auth.yaml b/clusters/cl01tl/manifests/sonarr-4k/Middleware-oidc-forward-auth.yaml
new file mode 100644
index 000000000..5008fe867
--- /dev/null
+++ b/clusters/cl01tl/manifests/sonarr-4k/Middleware-oidc-forward-auth.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: oidc-forward-auth
+  namespace: sonarr-4k
+  labels:
+    app.kubernetes.io/name: oidc-forward-auth
+    app.kubernetes.io/instance: sonarr-4k
+    app.kubernetes.io/part-of: sonarr-4k
+spec:
+  forwardAuth:
+    address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-entitlements
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version