From 7411f391e8766f6f841c94694a3ab3d532ded905 Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Wed, 25 Feb 2026 17:42:52 -0600 Subject: [PATCH] feat: add proxy auth --- .../authentik/templates/reference-grant.yaml | 21 +++++++++++++++ .../helm/lidarr/templates/middleware.yaml | 26 +++++++++++++++++++ clusters/cl01tl/helm/lidarr/values.yaml | 16 ++++++++++++ .../helm/radarr-4k/templates/middleware.yaml | 26 +++++++++++++++++++ clusters/cl01tl/helm/radarr-4k/values.yaml | 16 ++++++++++++ .../radarr-anime/templates/middleware.yaml | 26 +++++++++++++++++++ clusters/cl01tl/helm/radarr-anime/values.yaml | 16 ++++++++++++ .../radarr-standup/templates/middleware.yaml | 26 +++++++++++++++++++ .../cl01tl/helm/radarr-standup/values.yaml | 16 ++++++++++++ .../helm/radarr/templates/middleware.yaml | 26 +++++++++++++++++++ clusters/cl01tl/helm/radarr/values.yaml | 16 ++++++++++++ .../sonarr-anime/templates/middleware.yaml | 26 +++++++++++++++++++ clusters/cl01tl/helm/sonarr-anime/values.yaml | 16 ++++++++++++ .../helm/sonarr/templates/middleware.yaml | 26 +++++++++++++++++++ clusters/cl01tl/helm/sonarr/values.yaml | 16 ++++++++++++ 15 files changed, 315 insertions(+) create mode 100644 clusters/cl01tl/helm/lidarr/templates/middleware.yaml create mode 100644 clusters/cl01tl/helm/radarr-4k/templates/middleware.yaml create mode 100644 clusters/cl01tl/helm/radarr-anime/templates/middleware.yaml create mode 100644 clusters/cl01tl/helm/radarr-standup/templates/middleware.yaml create mode 100644 clusters/cl01tl/helm/radarr/templates/middleware.yaml create mode 100644 clusters/cl01tl/helm/sonarr-anime/templates/middleware.yaml create mode 100644 clusters/cl01tl/helm/sonarr/templates/middleware.yaml diff --git a/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml b/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml index e4b210d6d..c8b139038 100644 --- a/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml 
+++ b/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml @@ -9,9 +9,30 @@ metadata: app.kubernetes.io/part-of: {{ .Release.Name }} spec: from: + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: lidarr + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: radarr + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: radarr-4k + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: radarr-anime + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: radarr-standup + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: sonarr - group: gateway.networking.k8s.io kind: HTTPRoute namespace: sonarr-4k + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: sonarr-anime to: - group: "" kind: Service diff --git a/clusters/cl01tl/helm/lidarr/templates/middleware.yaml b/clusters/cl01tl/helm/lidarr/templates/middleware.yaml new file mode 100644 index 000000000..341764b57 --- /dev/null +++ b/clusters/cl01tl/helm/lidarr/templates/middleware.yaml @@ -0,0 +1,26 @@ +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: oidc-forward-auth + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: oidc-forward-auth + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + forwardAuth: + address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-entitlements + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version diff --git a/clusters/cl01tl/helm/lidarr/values.yaml b/clusters/cl01tl/helm/lidarr/values.yaml index b5ab49c22..41e62be04 100644 
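Review bot: The `to:` entry at the tail of the hunk shows only `group: ""` and `kind: Service`; if no `name:` follows it, HTTPRoutes in all eight listed namespaces may reference any Service in the authentik namespace rather than only the outpost they actually use. Narrowing it with `name: ak-outpost-traefik-proxy-auth` keeps the grant to the single backend the new route rules point at. The `to:` list continues past the end of the hunk, so the name may already be present there.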
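Review bot: `trustForwardHeader: true` in the forwardAuth block makes Traefik hand the client-supplied X-Forwarded-* headers to the outpost unchanged, so the setting is only sound when the entrypoint already limits which upstream addresses may set them, and nothing in this file records that dependency. A comment above the line, `# relies on the entrypoint's forwardedHeaders.trustedIPs restricting who may set X-Forwarded-*`, would make the assumption visible to whoever next edits the entrypoint. The middleware files added for radarr-4k, radarr-anime, radarr-standup, radarr, sonarr-anime and sonarr are byte-for-byte copies of this one (same blob index 341764b57), so the same note applies there; a single shared template or library chart would keep the seven in step when the header list or outpost address changes.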
--- a/clusters/cl01tl/helm/lidarr/values.yaml +++ b/clusters/cl01tl/helm/lidarr/values.yaml @@ -84,12 +84,28 @@ lidarr: hostnames: - lidarr.alexlebens.net rules: + - backendRefs: + - name: ak-outpost-traefik-proxy-auth + namespace: authentik + port: 9000 + weight: 100 + filters: [] + matches: + - path: + type: PathPrefix + value: /outpost.goauthentik.io - backendRefs: - group: '' kind: Service name: lidarr port: 80 weight: 100 + filters: + - type: ExtensionRef + extensionRef: + group: traefik.io + kind: Middleware + name: oidc-forward-auth matches: - path: type: PathPrefix diff --git a/clusters/cl01tl/helm/radarr-4k/templates/middleware.yaml b/clusters/cl01tl/helm/radarr-4k/templates/middleware.yaml new file mode 100644 index 000000000..341764b57 --- /dev/null +++ b/clusters/cl01tl/helm/radarr-4k/templates/middleware.yaml @@ -0,0 +1,26 @@ +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: oidc-forward-auth + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: oidc-forward-auth + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + forwardAuth: + address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-entitlements + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version diff --git a/clusters/cl01tl/helm/radarr-4k/values.yaml b/clusters/cl01tl/helm/radarr-4k/values.yaml index 5033f8a82..607a68a55 100644 --- a/clusters/cl01tl/helm/radarr-4k/values.yaml +++ b/clusters/cl01tl/helm/radarr-4k/values.yaml 
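Review bot: The new ExtensionRef filter on the lidarr backendRef puts every path behind the hostname behind forward auth, so clients that authenticate with the application's own API key instead of a browser session will be redirected into the outpost's login flow; if anything reaches lidarr through this hostname rather than the in-cluster Service, it needs an exclusion, either a further rule without the filter or an unauthenticated-path setting on the authentik provider. The outpost backendRef also omits the `group: ''` and `kind: Service` keys that the lidarr backendRef spells out; writing `- group: ''`, `kind: Service`, `name: ak-outpost-traefik-proxy-auth` keeps the two entries in one form. Both points apply equally to the values.yaml hunks for radarr-4k, radarr-anime, radarr-standup, radarr, sonarr-anime and sonarr. The rule's `matches` entry continues past the end of the hunk.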
@@ -84,12 +84,28 @@ radarr-4k: hostnames: - radarr-4k.alexlebens.net rules: + - backendRefs: + - name: ak-outpost-traefik-proxy-auth + namespace: authentik + port: 9000 + weight: 100 + filters: [] + matches: + - path: + type: PathPrefix + value: /outpost.goauthentik.io - backendRefs: - group: '' kind: Service name: radarr-4k port: 80 weight: 100 + filters: + - type: ExtensionRef + extensionRef: + group: traefik.io + kind: Middleware + name: oidc-forward-auth matches: - path: type: PathPrefix diff --git a/clusters/cl01tl/helm/radarr-anime/templates/middleware.yaml b/clusters/cl01tl/helm/radarr-anime/templates/middleware.yaml new file mode 100644 index 000000000..341764b57 --- /dev/null +++ b/clusters/cl01tl/helm/radarr-anime/templates/middleware.yaml @@ -0,0 +1,26 @@ +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: oidc-forward-auth + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: oidc-forward-auth + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + forwardAuth: + address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-entitlements + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version diff --git a/clusters/cl01tl/helm/radarr-anime/values.yaml b/clusters/cl01tl/helm/radarr-anime/values.yaml index 4e1228b67..cfde8f7b2 100644 --- a/clusters/cl01tl/helm/radarr-anime/values.yaml +++ b/clusters/cl01tl/helm/radarr-anime/values.yaml 
@@ -82,12 +82,28 @@ radarr-anime: hostnames: - radarr-anime.alexlebens.net rules: + - backendRefs: + - name: ak-outpost-traefik-proxy-auth + namespace: authentik + port: 9000 + weight: 100 + filters: [] + matches: + - path: + type: PathPrefix + value: /outpost.goauthentik.io - backendRefs: - group: '' kind: Service name: radarr-anime port: 80 weight: 100 + filters: + - type: ExtensionRef + extensionRef: + group: traefik.io + kind: Middleware + name: oidc-forward-auth matches: - path: type: PathPrefix diff --git a/clusters/cl01tl/helm/radarr-standup/templates/middleware.yaml b/clusters/cl01tl/helm/radarr-standup/templates/middleware.yaml new file mode 100644 index 000000000..341764b57 --- /dev/null +++ b/clusters/cl01tl/helm/radarr-standup/templates/middleware.yaml @@ -0,0 +1,26 @@ +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: oidc-forward-auth + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: oidc-forward-auth + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + forwardAuth: + address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-entitlements + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version diff --git a/clusters/cl01tl/helm/radarr-standup/values.yaml b/clusters/cl01tl/helm/radarr-standup/values.yaml index f7a6ce707..de4ebbd32 100644 --- a/clusters/cl01tl/helm/radarr-standup/values.yaml +++ b/clusters/cl01tl/helm/radarr-standup/values.yaml 
@@ -82,12 +82,28 @@ radarr-standup: hostnames: - radarr-standup.alexlebens.net rules: + - backendRefs: + - name: ak-outpost-traefik-proxy-auth + namespace: authentik + port: 9000 + weight: 100 + filters: [] + matches: + - path: + type: PathPrefix + value: /outpost.goauthentik.io - backendRefs: - group: '' kind: Service name: radarr-standup port: 80 weight: 100 + filters: + - type: ExtensionRef + extensionRef: + group: traefik.io + kind: Middleware + name: oidc-forward-auth matches: - path: type: PathPrefix diff --git a/clusters/cl01tl/helm/radarr/templates/middleware.yaml b/clusters/cl01tl/helm/radarr/templates/middleware.yaml new file mode 100644 index 000000000..341764b57 --- /dev/null +++ b/clusters/cl01tl/helm/radarr/templates/middleware.yaml @@ -0,0 +1,26 @@ +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: oidc-forward-auth + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: oidc-forward-auth + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + forwardAuth: + address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-entitlements + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version diff --git a/clusters/cl01tl/helm/radarr/values.yaml b/clusters/cl01tl/helm/radarr/values.yaml index ad11b5890..cd05e67da 100644 --- a/clusters/cl01tl/helm/radarr/values.yaml +++ b/clusters/cl01tl/helm/radarr/values.yaml 
@@ -84,12 +84,28 @@ radarr: hostnames: - radarr.alexlebens.net rules: + - backendRefs: + - name: ak-outpost-traefik-proxy-auth + namespace: authentik + port: 9000 + weight: 100 + filters: [] + matches: + - path: + type: PathPrefix + value: /outpost.goauthentik.io - backendRefs: - group: '' kind: Service name: radarr port: 80 weight: 100 + filters: + - type: ExtensionRef + extensionRef: + group: traefik.io + kind: Middleware + name: oidc-forward-auth matches: - path: type: PathPrefix diff --git a/clusters/cl01tl/helm/sonarr-anime/templates/middleware.yaml b/clusters/cl01tl/helm/sonarr-anime/templates/middleware.yaml new file mode 100644 index 000000000..341764b57 --- /dev/null +++ b/clusters/cl01tl/helm/sonarr-anime/templates/middleware.yaml @@ -0,0 +1,26 @@ +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: oidc-forward-auth + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: oidc-forward-auth + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + forwardAuth: + address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-entitlements + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version diff --git a/clusters/cl01tl/helm/sonarr-anime/values.yaml b/clusters/cl01tl/helm/sonarr-anime/values.yaml index 67c481f61..e4f5150cb 100644 --- a/clusters/cl01tl/helm/sonarr-anime/values.yaml +++ b/clusters/cl01tl/helm/sonarr-anime/values.yaml 
@@ -82,12 +82,28 @@ sonarr-anime: hostnames: - sonarr-anime.alexlebens.net rules: + - backendRefs: + - name: ak-outpost-traefik-proxy-auth + namespace: authentik + port: 9000 + weight: 100 + filters: [] + matches: + - path: + type: PathPrefix + value: /outpost.goauthentik.io - backendRefs: - group: '' kind: Service name: sonarr-anime port: 80 weight: 100 + filters: + - type: ExtensionRef + extensionRef: + group: traefik.io + kind: Middleware + name: oidc-forward-auth matches: - path: type: PathPrefix diff --git a/clusters/cl01tl/helm/sonarr/templates/middleware.yaml b/clusters/cl01tl/helm/sonarr/templates/middleware.yaml new file mode 100644 index 000000000..341764b57 --- /dev/null +++ b/clusters/cl01tl/helm/sonarr/templates/middleware.yaml @@ -0,0 +1,26 @@ +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: oidc-forward-auth + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: oidc-forward-auth + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + forwardAuth: + address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-entitlements + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version diff --git a/clusters/cl01tl/helm/sonarr/values.yaml b/clusters/cl01tl/helm/sonarr/values.yaml index e04c9ee1d..e5c60e4f4 100644 --- a/clusters/cl01tl/helm/sonarr/values.yaml +++ b/clusters/cl01tl/helm/sonarr/values.yaml 
@@ -82,12 +82,28 @@ sonarr: hostnames: - sonarr.alexlebens.net rules: + - backendRefs: + - name: ak-outpost-traefik-proxy-auth + namespace: authentik + port: 9000 + weight: 100 + filters: [] + matches: + - path: + type: PathPrefix + value: /outpost.goauthentik.io - backendRefs: - group: '' kind: Service name: sonarr port: 80 weight: 100 + filters: + - type: ExtensionRef + extensionRef: + group: traefik.io + kind: Middleware + name: oidc-forward-auth matches: - path: type: PathPrefix