authentik/website/docs/providers/proxy/_nginx_ingress.md

Create a new ingress for the outpost

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
    name: authentik-outpost
spec:
    rules:
        - host: app.company
          http:
              paths: /outpost.goauthentik.io
              pathType: Prefix
              backend:
                  # Or, to use an external Outpost, create an ExternalName service and reference that here.
                  # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
                  service:
                      name: ak-outpost-example-outpost
                      port:
                          number: 9000
```

This ingress handles authentication requests, and the sign-in flow.

Add these annotations to the ingress you want to protect

:::warning
This configuration requires that you enable [`allow-snippet-annotations`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#allow-snippet-annotations), for example by setting `controller.allowSnippetAnnotations` to `true` in your helm values for the ingress-nginx installation.
:::

```yaml
metadata:
    annotations:
        # This should be the in-cluster DNS name for the authentik outpost service
        # as when the external URL is specified here, nginx will overwrite some crucial headers
        nginx.ingress.kubernetes.io/auth-url: |-
            http://ak-outpost-example.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
        # If you're using domain-level auth, use the authentication URL instead of the application URL
        nginx.ingress.kubernetes.io/auth-signin: |-
            https://app.company/outpost.goauthentik.io/start?rd=$escaped_request_uri
        nginx.ingress.kubernetes.io/auth-response-headers: |-
            Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
        nginx.ingress.kubernetes.io/auth-snippet: |
            proxy_set_header X-Forwarded-Host $http_host;
```
website/docs: add nginx-proxy-manager Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-11-12 21:57:19 +00:00			`Create a new ingress for the outpost`

			```yaml
website/docs: Change Kubernetes ingress apiVersion out of beta (#4099) * Change Kubernetes ingress apiVersion out of beta * fix lint Co-authored-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-11-28 15:42:59 +00:00			`apiVersion: networking.k8s.io/v1`
website/docs: add nginx-proxy-manager Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-11-12 21:57:19 +00:00			`kind: Ingress`
			`metadata:`
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			`name: authentik-outpost`
website/docs: add nginx-proxy-manager Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-11-12 21:57:19 +00:00			`spec:`
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			`rules:`
			`- host: app.company`
			`http:`
website/docs: Change Kubernetes ingress apiVersion out of beta (#4099) * Change Kubernetes ingress apiVersion out of beta * fix lint Co-authored-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-11-28 15:42:59 +00:00			`paths: /outpost.goauthentik.io`
			`pathType: Prefix`
			`backend:`
			`# Or, to use an external Outpost, create an ExternalName service and reference that here.`
			`# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname`
			`service:`
			`name: ak-outpost-example-outpost`
			`port:`
			`number: 9000`
website/docs: add nginx-proxy-manager Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-11-12 21:57:19 +00:00			```

			`This ingress handles authentication requests, and the sign-in flow.`

			`Add these annotations to the ingress you want to protect`

website/docs: add notice for nginx ingress configuration requirement (#7027) * website/docs: add notice for nginx ingress configuration requirement https://github.com/goauthentik/infrastructure/pull/574 Signed-off-by: Jens Langhammer <jens@goauthentik.io> * Update website/docs/providers/proxy/_nginx_ingress.md Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Jens L. <jens@beryju.org> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens L. <jens@beryju.org> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> 2023-10-02 14:04:26 +00:00			`:::warning`
			This configuration requires that you enable [`allow-snippet-annotations`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#allow-snippet-annotations), for example by setting `controller.allowSnippetAnnotations` to `true` in your helm values for the ingress-nginx installation.
			`:::`

website/docs: add nginx-proxy-manager Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-11-12 21:57:19 +00:00			```yaml
			`metadata:`
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			`annotations:`
website/docs: add notice to use in-cluster service for nginx forward auth Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-06-30 19:33:47 +00:00			`# This should be the in-cluster DNS name for the authentik outpost service`
			`# as when the external URL is specified here, nginx will overwrite some crucial headers`
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			`nginx.ingress.kubernetes.io/auth-url: \|-`
website/docs: add notice to use in-cluster service for nginx forward auth Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-06-30 19:33:47 +00:00			`http://ak-outpost-example.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx`
website: format docs with prettier (#2833) * run prettier Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add scim to comparison Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-05-09 19:22:41 +00:00			`# If you're using domain-level auth, use the authentication URL instead of the application URL`
			`nginx.ingress.kubernetes.io/auth-signin: \|-`
			`https://app.company/outpost.goauthentik.io/start?rd=$escaped_request_uri`
			`nginx.ingress.kubernetes.io/auth-response-headers: \|-`
			`Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid`
			`nginx.ingress.kubernetes.io/auth-snippet: \|`
			`proxy_set_header X-Forwarded-Host $http_host;`
website/docs: add nginx-proxy-manager Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-11-12 21:57:19 +00:00			```