ForwardAuth with Authentik on K8s

Greetings, I've been noodling with this one for a few days now, so any suggestions or help would be greatly appreciated. What I'm attempting to do as a test is protect the Traefik dashboard with ForwardAuth and Authentik, but I'm running into odd issues. Both Traefik and Authentik are deployed via Helm on a K8s cluster, following their respective guides.

Pod-wise:

NAME                                READY   STATUS    RESTARTS      AGE   IP             NODE          NOMINATED NODE   READINESS GATES
authentik-postgresql-0              1/1     Running   0             39h    k8s-worker1   <none>           <none>
authentik-redis-master-0            1/1     Running   0             39h    k8s-worker1   <none>           <none>
authentik-server-7df8799d5d-574s2   1/1     Running   1 (39h ago)   39h   k8s-worker3   <none>           <none>
authentik-worker-5c64f454c6-b8chw   1/1     Running   0             39h   k8s-worker3   <none>           <none>

NAME                       READY   STATUS    RESTARTS   AGE   IP             NODE          NOMINATED NODE   READINESS GATES
traefik-84b569c7db-xzzgm   1/1     Running   0          25h   k8s-worker3   <none>           <none>

Traefik has an LB config running:

NAME      TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
traefik   LoadBalancer    80:30483/TCP,443:32105/TCP   35h

Authentik is using the ingress:

NAMESPACE   NAME        CLASS     HOSTS                        ADDRESS   PORTS   AGE
authentik   authentik   traefik             80      39h

and its services are just ClusterIPs with no externals.

So what is happening right now is one of two things: I make the request, get redirected for auth, and then it dies there after auth (it doesn't redirect back), or I get stuck in a loop of traefik > auth > traefik very quickly.

As far as I can tell from many Google searches, I believe my IngressRoute is correct:

# CRD group assumed (traefik.io/v1alpha1 on Traefik 2.10+); the post did not show it
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    # Dashboard route: protected by the authentik ForwardAuth middleware
    - kind: Rule
      match: "Host(``)"
      middlewares:
        - name: authentik
          namespace: traefik
      priority: 10
      services:
        - name: api@internal
          namespace: traefik
          kind: TraefikService
    # Higher-priority route handed to the authentik service without the middleware
    - kind: Rule
      match: "Host(``) && PathPrefix(`/`)"
      priority: 15
      services:
        - kind: Service
          name: authentik
          namespace: authentik
          port: 80

And here's my middleware:

# CRD group assumed (traefik.io/v1alpha1 on Traefik 2.10+); the post did not show it
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authentik
  namespace: traefik
spec:
  forwardAuth:
    # The address line was not included in the post; placeholder only
    address: "<FORWARDAUTH_ADDRESS_NOT_SHOWN_IN_POST>"
    trustForwardHeader: true
    # Headers copied from the auth response onto the forwarded request
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version

Anyone have any ideas?

Did you search for tutorials? I found this one, maybe it helps.

Greetings, thank you for the reply, but yes, that is one of the many guides I found online, and it caused the same behavior of a loop or blank page landings.

Hi, did you find a solution yet? I'm struggling with the same setup at the moment...
What I've learned so far:

  • Use private browser windows for testing or delete cookies all the time, otherwise unexpected things may happen (CORS issues etc.)
  • What fixed the infinite redirect loop for me was to NOT use the external URL/hostname in the middleware definition, so instead of

use something like

address: https://authentik-service.namespace.svc.cluster.local/

Also check which ports your authentik service is listening on. In my case it is just 80, so I went with http instead of https.
I don't know if this is the best setup; I'm just happy that it is working for the first time now... Also, I don't understand why it is not working correctly with the external URL...
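Putting the two posts together, here is a complete Middleware and IngressRoute pair for the setup discussed in this thread: the OP's routes and response headers, with the ForwardAuth address pointed at the in-cluster service as the reply above found fixed the redirect loop. This is an added example, not code from either poster or from the Traefik or authentik projects. It assumes the authentik server Service is named `authentik` in namespace `authentik` on port 80 (as in the OP's IngressRoute; confirm the real name and port with `kubectl get svc -n authentik`), that the dashboard hostname is `traefik.example.test` (a placeholder), and that the CRD group is `traefik.containo.us/v1alpha1` (use `traefik.io/v1alpha1` on Traefik 2.10+). The `/outpost.goauthentik.io/` path prefix and the `/outpost.goauthentik.io/auth/traefik` endpoint come from authentik's embedded-outpost documentation, not from this thread.

```yaml
# Added example: Traefik ForwardAuth against authentik's embedded outpost.
# Assumed values (not from the thread): hostname traefik.example.test,
# CRD group traefik.containo.us/v1alpha1, Service "authentik" in
# namespace "authentik" exposing port 80.
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authentik
  namespace: traefik
spec:
  forwardAuth:
    # In-cluster address instead of the public hostname (the reply's fix).
    # Plain http because the Service only exposes port 80.
    address: http://authentik.authentik.svc.cluster.local:80/outpost.goauthentik.io/auth/traefik
    trustForwardHeader: true
    # Identity headers the outpost returns; Traefik copies them onto the
    # request that reaches the protected backend.
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    # Outpost callback path on the same host: higher priority and NO auth
    # middleware, so the login flow can complete without being re-challenged.
    - kind: Rule
      match: "Host(`traefik.example.test`) && PathPrefix(`/outpost.goauthentik.io/`)"
      priority: 15
      services:
        - kind: Service
          name: authentik
          namespace: authentik
          port: 80
    # Everything else on the host passes ForwardAuth first, then reaches
    # the dashboard (api@internal).
    - kind: Rule
      match: "Host(`traefik.example.test`)"
      priority: 10
      middlewares:
        - name: authentik
          namespace: traefik
      services:
        - name: api@internal
          kind: TraefikService
```

Two things to verify before applying this. The IngressRoute in namespace `traefik` references a Service in namespace `authentik`, which Traefik's Kubernetes CRD provider rejects unless cross-namespace references are enabled (`--providers.kubernetescrd.allowcrossnamespace=true`, or the equivalent Helm value); if that is off, the outpost route silently fails and the login flow never completes, which looks exactly like the blank page and loop described in the thread. On the authentik side, the Proxy Provider for this application must be in forward auth (single application) mode with its external host set to the dashboard URL, and the application must be assigned to the embedded outpost; otherwise the outpost will keep redirecting because it does not recognise the host.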