From 27c8d6055524c63d720bc8d637795f427419bcea Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Fri, 6 Feb 2026 20:26:21 +0000
Subject: [PATCH] Forward authentik response headers through ingress

Add auth-response-headers annotation to pass user identity headers
(username, uid, email, name, groups) from authentik to backend services.
---
 modules/kubernetes/ingress_factory/main.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf
index 6a871afd..d367fc8a 100644
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@@ -99,6 +99,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
       "nginx.ingress.kubernetes.io/auth-url" : var.protected ? "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx" : null
       "nginx.ingress.kubernetes.io/auth-signin" : var.protected ? "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri" : null
       "nginx.ingress.kubernetes.io/auth-snippet" : var.protected ? "proxy_set_header X-Forwarded-Host $http_host;" : null
+      "nginx.ingress.kubernetes.io/auth-response-headers" : var.protected ? "X-authentik-username,X-authentik-uid,X-authentik-email,X-authentik-name,X-authentik-groups" : null
 
       "nginx.ingress.kubernetes.io/proxy-body-size" : var.max_body_size
       "nginx.ingress.kubernetes.io/use-proxy-protocol" : var.use_proxy_protocol