This is my alloy Ingress. Added middleware to intercept the requests to alloy and redirect them for authentication.
ingress:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.middlewares: alloy-oauth-forwardauth@kubernetescrd,alloy-oauth-errors@kubernetescrd
labels: {}
path: /
faroPort: 12345
pathType: Prefix
hosts:
- alloy.example.local
Middlewares
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oauth-forwardauth
namespace: alloy
spec:
forwardAuth:
address: "http://oauth2-proxy.alloy.svc.cluster.local/oauth2/auth"
trustForwardHeader: true
authRequestHeaders:
- Authorization
authResponseHeaders:
- X-Auth-Request-User
- X-Auth-Request-Email
- X-Auth-Request-Preferred-Username
- X-Auth-Request-Access-Token
- Authorization
- Set-Cookie
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oauth-errors
namespace: alloy
spec:
errors:
status:
- "401-403"
service:
name: oauth2-proxy
namespace: alloy
port: http
passHostHeader: false
# query: "/oauth2/sign_in?rd=https://{host}{path}{query}"
query: "/oauth2/sign_in?rd={url}"
oauth proxy service config
configuration:
existingSecret: "oauth2-proxy-secret"
configFile: |
upstreams = ["static://200"]
scope = "openid email profile offline_access"
cookie_domains = ".example.local"
cookie_name = "_oauth2_proxy"
whitelist_domains = [".example.local"]
http_address="0.0.0.0:4180"
skip_auth_strip_headers = false
auth_logging = true
extraArgs:
- --provider=oidc
- --oidc-issuer-url=https://authentik.example.local/application/o/oauth2-proxy/
- --redirect-url=https://oauth-proxy.example.local/oauth2/callback
- --cookie-secure=false
- --email-domain=*
- --pass-access-token=true
- --set-authorization-header=true
- --skip-provider-button=true
- --reverse-proxy=true
- --provider-ca-file=/etc/ssl/certs/tls.crt
- --set-xauthrequest=true
- --show-debug-on-error=true
- --provider-display-name=Authentik
- --pass-authorization-header=true
- --code-challenge-method=S256
- --pass-user-headers=true
# JWT validation
- --skip-jwt-bearer-tokens=true
- --oidc-audience-claim=aud
- --insecure-oidc-allow-unverified-email=true
- --insecure-oidc-skip-issuer-verification=false
- --oidc-extra-audience=xxx
# - --whitelist-domain=.example.local
# Logging & Debugging
- --request-logging=true
- --standard-logging=true
- --logging-local-time=true
# Optional: JWKS URL if discovery fails
- --oidc-jwks-url=https://authentik.example.local/application/o/oauth2-proxy/jwks/
nodeSelector:
"kubernetes.io/os": linux
redis:
enabled: false
extraVolumes:
- name: oauth2-tls-cert
secret:
secretName: tls-cert
extraVolumeMounts:
- mountPath: /etc/ssl/certs
name: oauth2-tls-cert
readOnly: true
ingress:
enabled: true
pathType: ImplementationSpecific
ingressClassName: traefik
hostname: oauth-proxy.example.local
path: /
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
When I open https://alloy.example.com on browser it doesn’t redirect me to login page instead gives 401 Unauthorized.
Logs
10.244.240.159 - de5d1aca-c22c-42e8-a7a6-864130a4d2a3 - - [2025/09/16 16:42:39] alloy.example.local GET - "/oauth2/auth" HTTP/1.1 "Go-http-client/1.1" 401 13 0.000
Any thoughts why the auth-errors middleware is not redirecting to /sign_in page.