diff --git a/reflector/helmrelease-reflector.yaml b/reflector/helmrelease-reflector.yaml
index d694821..dbe7de3 100644
--- a/reflector/helmrelease-reflector.yaml
+++ b/reflector/helmrelease-reflector.yaml
@@ -20,7 +20,7 @@ spec:
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
- replicaCount: 1
+ replicaCount: 2
 image:
 repository: emberstack/kubernetes-reflector
diff --git a/traefik/helmrelease-traefik.yaml b/traefik/helmrelease-traefik.yaml
index a9b44cb..441f82d 100644
--- a/traefik/helmrelease-traefik.yaml
+++ b/traefik/helmrelease-traefik.yaml
@@ -240,7 +240,7 @@ spec:
 # -- Load Kubernetes IngressRoute provider
 enabled: true
 # -- Allows IngressRoute to reference resources in namespace other than theirs
- allowCrossNamespace: false
+ allowCrossNamespace: true
 # -- Allows to reference ExternalName services in IngressRoute
 allowExternalNameServices: false
 # -- Allows to return 503 when there is no endpoints available
diff --git a/traefik/middleware-traefik-forward-auth.yaml b/traefik/middleware-traefik-forward-auth.yaml
new file mode 100644
index 0000000..716bf5d
--- /dev/null
+++ b/traefik/middleware-traefik-forward-auth.yaml
@@ -0,0 +1,20 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: authentik
+spec:
+ forwardAuth:
+ address: http://authentik.michaelthomson.dev:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
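Review bot: Setting `allowCrossNamespace: true` in the Traefik values hunk removes the namespace boundary for every IngressRoute, not only for the new forward-auth middleware: anyone allowed to create an IngressRoute in any namespace can then reference Middlewares, Services and TLS options that live in other namespaces. If the goal is only to share the `authentik` Middleware (an inference from the third file in this commit), defining that Middleware in each namespace that needs it would let the flag stay `false`. If the flag has to stay on, restrict who may create Traefik CRDs through RBAC and record the reason beside it, e.g. `# required so IngressRoutes can reference the authentik middleware from other namespaces`. The enclosing values block starts and ends outside this hunk.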
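Review bot: The `address` in the new forwardAuth Middleware uses plain `http://` against what looks like a public hostname, so each auth sub-request, including the user's session cookie and the returned `X-authentik-jwt`, travels unencrypted unless that name resolves inside the cluster. Pointing it at the in-cluster Service keeps the traffic local, e.g. `address: http://<authentik-service>.<namespace>.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik` (placeholders); otherwise use an HTTPS listener. `trustForwardHeader: true` passes incoming `X-Forwarded-*` headers through to the outpost, which is only safe when the entrypoints accept forwarded headers from trusted proxies alone, so a comment stating that assumption would help. The manifest also sets no `metadata.namespace`, which decides how IngressRoutes in other namespaces must reference it.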