From dfbf7027bc73b8d03188d8d8e4d3db7dc61e231b Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 20 Dec 2021 22:24:42 +0100
Subject: [PATCH] providers/proxy: add traefik.ingress.kubernetes.io/router.tls
 annotation for ingress

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/providers/proxy/controllers/k8s/ingress.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/authentik/providers/proxy/controllers/k8s/ingress.py b/authentik/providers/proxy/controllers/k8s/ingress.py
index 5ed990013..2815f2a9d 100644
--- a/authentik/providers/proxy/controllers/k8s/ingress.py
+++ b/authentik/providers/proxy/controllers/k8s/ingress.py
@@ -89,8 +89,11 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
             # goes to the same pod
             "nginx.ingress.kubernetes.io/affinity": "cookie",
             "traefik.ingress.kubernetes.io/affinity": "true",
+            # Buffer sizes for large headers with JWTs
             "nginx.ingress.kubernetes.io/proxy-buffers-number": "4",
             "nginx.ingress.kubernetes.io/proxy-buffer-size": "16k",
+            # Ensure ingress can receive TLS traffic
+            "traefik.ingress.kubernetes.io/router.tls": "true",
         }
         annotations.update(self.controller.outpost.config.kubernetes_ingress_annotations)
         return annotations