home-server/clusters/noble/bootstrap/oauth2-proxy/middleware-forwardauth.yaml

# Traefik ForwardAuth → oauth2-proxy (OIDC with Authentik). Reference from Ingress:
# traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: forward-auth
  namespace: oauth2-proxy
spec:
  forwardAuth:
    address: http://oauth2-proxy.oauth2-proxy.svc.cluster.local:4180/oauth2/auth
    trustForwardHeader: true
    authResponseHeaders:
      - X-Forwarded-User
      - X-Forwarded-Email
      - X-Forwarded-Preferred-Username
      - X-Forwarded-Groups