chore(deps): update kube-prometheus-stack docker tag to v82.4.0

feat: add proxy auth
2026-02-25 23:46:22 +00:00 · 2026-02-25 17:42:52 -06:00
16 changed files with 316 additions and 1 deletions
--- a/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
@@ -9,9 +9,30 @@ metadata:
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  from:
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      namespace: lidarr
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      namespace: radarr
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      namespace: radarr-4k
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      namespace: radarr-anime
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      namespace: radarr-standup
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      namespace: sonarr
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: sonarr-4k
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      namespace: sonarr-anime
  to:
    - group: ""
      kind: Service
--- a/clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
@@ -9,4 +9,4 @@ dependencies:
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 1.0.4
 digest: sha256:24214c0bc1e6aed9954385aa61b403a7fa4b4e92bac09777504635cba98735ba
-generated: "2026-02-25T23:28:16.275350848Z"
+generated: "2026-02-25T23:46:14.059155578Z"
--- a/clusters/cl01tl/helm/lidarr/templates/middleware.yaml
+++ b/clusters/cl01tl/helm/lidarr/templates/middleware.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: oidc-forward-auth
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: oidc-forward-auth
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  forwardAuth:
+    address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-entitlements
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version
--- a/clusters/cl01tl/helm/lidarr/values.yaml
+++ b/clusters/cl01tl/helm/lidarr/values.yaml
@@ -84,12 +84,28 @@ lidarr:
      hostnames:
        - lidarr.alexlebens.net
      rules:
+        - backendRefs:
+            - name: ak-outpost-traefik-proxy-auth
+              namespace: authentik
+              port: 9000
+              weight: 100
+          filters: []
+          matches:
+            - path:
+                type: PathPrefix
+                value: /outpost.goauthentik.io
        - backendRefs:
            - group: ''
              kind: Service
              name: lidarr
              port: 80
              weight: 100
+          filters:
+            - type: ExtensionRef
+              extensionRef:
+                group: traefik.io
+                kind: Middleware
+                name: oidc-forward-auth
          matches:
            - path:
                type: PathPrefix
--- a/clusters/cl01tl/helm/radarr-4k/templates/middleware.yaml
+++ b/clusters/cl01tl/helm/radarr-4k/templates/middleware.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: oidc-forward-auth
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: oidc-forward-auth
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  forwardAuth:
+    address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-entitlements
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version
--- a/clusters/cl01tl/helm/radarr-4k/values.yaml
+++ b/clusters/cl01tl/helm/radarr-4k/values.yaml
@@ -84,12 +84,28 @@ radarr-4k:
      hostnames:
        - radarr-4k.alexlebens.net
      rules:
+        - backendRefs:
+            - name: ak-outpost-traefik-proxy-auth
+              namespace: authentik
+              port: 9000
+              weight: 100
+          filters: []
+          matches:
+            - path:
+                type: PathPrefix
+                value: /outpost.goauthentik.io
        - backendRefs:
            - group: ''
              kind: Service
              name: radarr-4k
              port: 80
              weight: 100
+          filters:
+            - type: ExtensionRef
+              extensionRef:
+                group: traefik.io
+                kind: Middleware
+                name: oidc-forward-auth
          matches:
            - path:
                type: PathPrefix
--- a/clusters/cl01tl/helm/radarr-anime/templates/middleware.yaml
+++ b/clusters/cl01tl/helm/radarr-anime/templates/middleware.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: oidc-forward-auth
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: oidc-forward-auth
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  forwardAuth:
+    address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-entitlements
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version
--- a/clusters/cl01tl/helm/radarr-anime/values.yaml
+++ b/clusters/cl01tl/helm/radarr-anime/values.yaml
@@ -82,12 +82,28 @@ radarr-anime:
      hostnames:
        - radarr-anime.alexlebens.net
      rules:
+        - backendRefs:
+            - name: ak-outpost-traefik-proxy-auth
+              namespace: authentik
+              port: 9000
+              weight: 100
+          filters: []
+          matches:
+            - path:
+                type: PathPrefix
+                value: /outpost.goauthentik.io
        - backendRefs:
            - group: ''
              kind: Service
              name: radarr-anime
              port: 80
              weight: 100
+          filters:
+            - type: ExtensionRef
+              extensionRef:
+                group: traefik.io
+                kind: Middleware
+                name: oidc-forward-auth
          matches:
            - path:
                type: PathPrefix
--- a/clusters/cl01tl/helm/radarr-standup/templates/middleware.yaml
+++ b/clusters/cl01tl/helm/radarr-standup/templates/middleware.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: oidc-forward-auth
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: oidc-forward-auth
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  forwardAuth:
+    address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-entitlements
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version
--- a/clusters/cl01tl/helm/radarr-standup/values.yaml
+++ b/clusters/cl01tl/helm/radarr-standup/values.yaml
@@ -82,12 +82,28 @@ radarr-standup:
      hostnames:
        - radarr-standup.alexlebens.net
      rules:
+        - backendRefs:
+            - name: ak-outpost-traefik-proxy-auth
+              namespace: authentik
+              port: 9000
+              weight: 100
+          filters: []
+          matches:
+            - path:
+                type: PathPrefix
+                value: /outpost.goauthentik.io
        - backendRefs:
            - group: ''
              kind: Service
              name: radarr-standup
              port: 80
              weight: 100
+          filters:
+            - type: ExtensionRef
+              extensionRef:
+                group: traefik.io
+                kind: Middleware
+                name: oidc-forward-auth
          matches:
            - path:
                type: PathPrefix
--- a/clusters/cl01tl/helm/radarr/templates/middleware.yaml
+++ b/clusters/cl01tl/helm/radarr/templates/middleware.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: oidc-forward-auth
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: oidc-forward-auth
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  forwardAuth:
+    address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-entitlements
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version
--- a/clusters/cl01tl/helm/radarr/values.yaml
+++ b/clusters/cl01tl/helm/radarr/values.yaml
@@ -84,12 +84,28 @@ radarr:
      hostnames:
        - radarr.alexlebens.net
      rules:
+        - backendRefs:
+            - name: ak-outpost-traefik-proxy-auth
+              namespace: authentik
+              port: 9000
+              weight: 100
+          filters: []
+          matches:
+            - path:
+                type: PathPrefix
+                value: /outpost.goauthentik.io
        - backendRefs:
            - group: ''
              kind: Service
              name: radarr
              port: 80
              weight: 100
+          filters:
+            - type: ExtensionRef
+              extensionRef:
+                group: traefik.io
+                kind: Middleware
+                name: oidc-forward-auth
          matches:
            - path:
                type: PathPrefix
--- a/clusters/cl01tl/helm/sonarr-anime/templates/middleware.yaml
+++ b/clusters/cl01tl/helm/sonarr-anime/templates/middleware.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: oidc-forward-auth
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: oidc-forward-auth
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  forwardAuth:
+    address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-entitlements
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version
--- a/clusters/cl01tl/helm/sonarr-anime/values.yaml
+++ b/clusters/cl01tl/helm/sonarr-anime/values.yaml
@@ -82,12 +82,28 @@ sonarr-anime:
      hostnames:
        - sonarr-anime.alexlebens.net
      rules:
+        - backendRefs:
+            - name: ak-outpost-traefik-proxy-auth
+              namespace: authentik
+              port: 9000
+              weight: 100
+          filters: []
+          matches:
+            - path:
+                type: PathPrefix
+                value: /outpost.goauthentik.io
        - backendRefs:
            - group: ''
              kind: Service
              name: sonarr-anime
              port: 80
              weight: 100
+          filters:
+            - type: ExtensionRef
+              extensionRef:
+                group: traefik.io
+                kind: Middleware
+                name: oidc-forward-auth
          matches:
            - path:
                type: PathPrefix
--- a/clusters/cl01tl/helm/sonarr/templates/middleware.yaml
+++ b/clusters/cl01tl/helm/sonarr/templates/middleware.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: oidc-forward-auth
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: oidc-forward-auth
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  forwardAuth:
+    address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-entitlements
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version
--- a/clusters/cl01tl/helm/sonarr/values.yaml
+++ b/clusters/cl01tl/helm/sonarr/values.yaml
@@ -82,12 +82,28 @@ sonarr:
      hostnames:
        - sonarr.alexlebens.net
      rules:
+        - backendRefs:
+            - name: ak-outpost-traefik-proxy-auth
+              namespace: authentik
+              port: 9000
+              weight: 100
+          filters: []
+          matches:
+            - path:
+                type: PathPrefix
+                value: /outpost.goauthentik.io
        - backendRefs:
            - group: ''
              kind: Service
              name: sonarr
              port: 80
              weight: 100
+          filters:
+            - type: ExtensionRef
+              extensionRef:
+                group: traefik.io
+                kind: Middleware
+                name: oidc-forward-auth
          matches:
            - path:
                type: PathPrefix
Author	SHA1	Message	Date
Renovate Bot	b594e71993	chore(deps): update kube-prometheus-stack docker tag to v82.4.0 All checks were successful lint-test-helm / lint-helm (pull_request) Successful in 48s Details render-manifests-automerge / render-manifests-automerge (pull_request) Has been skipped Details render-manifests-merge / render-manifests-merge (pull_request) Successful in 3m18s Details	2026-02-25 23:46:22 +00:00
Alex Lebens	7411f391e8	feat: add proxy auth All checks were successful lint-test-helm / lint-helm (push) Successful in 1m21s Details render-manifests-push / render-manifests-push (push) Successful in 4m17s Details renovate / renovate (push) Successful in 5m3s Details	2026-02-25 17:42:52 -06:00