What's the right way to use multi-tenancy with Forward Auth across multiple Kubernetes clusters?

[duckfullstop]

My primary Authentik instance is running on a cloud-based cluster (let's call it cluster1.org). This instance provides all the auth services for stuff under the cluster1.org domain, and has a number of outposts deployed with the local Kubernetes Outpost Integration. This all works absolutely perfectly - the cluster's Træfik instance has a middleware configured to point to the embedded outpost (at http://ak-outpost-authentik-embedded-outpost.identity.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik), and redirection works fine, with end users going to id.cluster1.org to authenticate and being redirected back to the application (with the appropriate headers being injected to the app via forwardauth).

However, I also have an on-premises cluster (let's call it cluster2.org). The users of cluster2 have their own tenancy with custom branding, etcetera. This works absolutely fine when using OAuth / SAML / etcetera.

What I can't for the life of me figure out is how to implement forwardauth on cluster2.org. I have tried the following:

• Deploy Proxy outpost with forwardauth Provider on cluster2, point DNS for id.cluster2.org at cluster2, authentik_host set to id.cluster2.org
  • This throws 404 errors
• Same as above, but with authentik_host set to id.cluster1.org
  • This breaks tenancy
• Proxy outpost on cluster2, point DNS for id.cluster2.org at cluster1's core / embedded outpost, authentik_host set to id.cluster2.org
  • This throws "no app for hostname" errors, unless I set the embedded outpost to receive cluster2's proxy application definition, in which case auth works but I get dropped at id.cluster2.org without a redirect
• Same as above, but proxy outpost on cluster1
  • This throws 404 errors

What am I missing here? The documentation isn't particularly helpful for this setup - quite happy to write some docs if someone can enlighten me on the right way to do this!

TL;DR: Multiple tenants, multiple K8s clusters, multiple forward-auth proxies. What's the right DNS / ingress / proxy deployment configuration?

[LaRenard]

I have a similar scenario with multiple docker hosts and domains (e.g. example.com and example.co.uk).

Deployments:

• Authentik Server and Worker on Docker1 with Traefik and a .com domain
• Proxy Outpost on Docker2 with Traefik and .co.uk domain

Config:

• Domain level forward auth providers, one for each domain
• Applications for each domain
• Each domain applied to its local outpost (one embedded and the other deployed manually).

Docker1/.com works fine and domain level forward auth is working
Docker2/.co.uk in any of the configs I've tried results in an endless loading page, a 404 or a redirect to the Authentik apps page.

Traefik on Docker1 uses the following rule for access:

 traefik.http.routers.authentik.rule: Host(`auth.example.com`) || HostRegexp(`{subdomain:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?}.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)

Both Traefik middlewares are setup the same way for forward auth with the address being:

traefik.http.middlewares.authentik.forwardauth.address: "http://<container name>:9000/outpost.goauthentik.io/auth/traefik"

Can anyone confirm this concept is possible?