diff --git a/infra/controllers/authentik/middlewares.yaml b/infra/controllers/authentik/middlewares.yaml
new file mode 100644
index 0000000..1326b32
--- /dev/null
+++ b/infra/controllers/authentik/middlewares.yaml
@@ -0,0 +1,22 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: authentik
+ namespace: authentik-system
+spec:
+ forwardAuth:
+ # This address should point to the cluster endpoint provided by the kubernetes service, not the Ingress.
+ address: http://authentik/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
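Review bot: `trustForwardHeader: true` makes the forwardAuth request to the outpost reuse whatever `X-Forwarded-*` values are already on the incoming request, so authentik's view of the original host, scheme and client address is only as trustworthy as the entry point's forwarded-header handling. If any entry point sets `forwardedHeaders.insecure` or a broad `forwardedHeaders.trustedIPs`, those values are client-controlled. I would either drop the line (the default is false) or keep it with a comment such as `# Safe only while entry points restrict forwardedHeaders.trustedIPs to the fronting load balancer`. Separately, `http://authentik/...` is a bare service name that presumably resolves only if Traefik itself runs in `authentik-system`; `address: http://authentik.authentik-system.svc/outpost.goauthentik.io/auth/traefik` would not depend on that. The `X-authentik-*` identity headers are authoritative only on routes that attach this middleware, so backends that read them should not be reachable by any other path.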