providers/proxy: Add a default maxResponseBodySize to Traefik Middleware

[wiiaam]

Details

In response to CVE-2026-26998, Traefik added a maxResponseBodySize configuration option and is recommending this be set, otherwise a warning will show in the traefik logs.

https://doc.traefik.io/traefik/reference/routing-configuration/http/middlewares/forwardauth/#maxresponsebodysize

Added a default maxResponseBodySize of 4MB to the traefik middleware proxy outpost component. Also fixed an issue where the reconciler would throw an error when trying to run a json patch on a non openapi object.

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make docs)

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	8ee3d42
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/69c24c1c7eb98e0008fd4553
😎 Deploy Preview	https://deploy-preview-21111--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	8ee3d42
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/69c24c1c8bf58200083ae0d7
😎 Deploy Preview	https://deploy-preview-21111--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[BeryJu]

LGTM

@wiiaam have you checked what happens if someone were to run this but hadn't upgraded their CRDs in their cluster?

[codecov]

Codecov Report

❌ Patch coverage is 20.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.76%. Comparing base (1236b23) to head (b5d48c9).
⚠️ Report is 49 commits behind head on main.

Files with missing lines	Patch %	Lines
authentik/outposts/controllers/k8s/base.py	0.00%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #21111      +/-   ##
==========================================
- Coverage   92.78%   92.76%   -0.03%     
==========================================
  Files        1000     1000              
  Lines       56592    56564      -28     
  Branches      425      425              
==========================================
- Hits        52511    52471      -40     
- Misses       4081     4093      +12     

Flag	Coverage Δ
conformance	37.40% <20.00%> (+<0.01%)	⬆️
e2e	42.89% <20.00%> (+0.01%)	⬆️
integration	22.18% <20.00%> (-0.04%)	⬇️
rust	0.23% <ø> (ø)
unit	91.70% <20.00%> (+0.01%)	⬆️
unit-migrate	91.80% <20.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[wiiaam]

The API server will just prune the field. The only situation where this would cause an error is if field_validation was set to Strict when calling create_namespaced_custom_object, currently this will revert to the Warn default

https://github.com/kubernetes-client/python/blob/master/kubernetes/docs/CustomObjectsApi.md#create_namespaced_custom_object

I'm happy to do a follow up PR to catch these warnings (for all k8s objects) and show it in the task status?

[BeryJu]

The API server will just prune the field. The only situation where this would cause an error is if field_validation was set to Strict when calling create_namespaced_custom_object, currently this will revert to the Warn default

https://github.com/kubernetes-client/python/blob/master/kubernetes/docs/CustomObjectsApi.md#create_namespaced_custom_object

I'm happy to do a follow up PR to catch these warnings (for all k8s objects) and show it in the task status?

Fair enough, yeah that would be nice to add if you have resources for that

[authentik-automation]

🍒 Cherry-pick to version-2026.2 created: #21140