diff --git a/namespaces/monitoring/namespace.yaml b/namespaces/monitoring/namespace.yaml
new file mode 100644
index 0000000..15c3aae
--- /dev/null
+++ b/namespaces/monitoring/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ homelab-access: "true"
+ name: monitoring
diff --git a/namespaces/monitoring/uptime-kuma/extra/middleware-auth.yaml b/namespaces/monitoring/uptime-kuma/extra/middleware-auth.yaml
new file mode 100644
index 0000000..db0baf1
--- /dev/null
+++ b/namespaces/monitoring/uptime-kuma/extra/middleware-auth.yaml
@@ -0,0 +1,25 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: authentik-forward-auth
+ namespace: monitoring # adjust as needed
+spec:
+ forwardAuth:
+ address: http://ak-outpost-authentik-embedded-outpost.auth.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-Authentik-Username
+ - X-Authentik-Groups
+ - X-Authentik-Email
+ authRequestHeaders:
+ - Accept
+ - Cookie
+ - Host
+ - X-Forwarded-For
+ - X-Forwarded-Host
+ - X-Forwarded-Proto
+ - X-Forwarded-Uri
+ - X-Forwarded-Port
+ - X-Forwarded-Method
+ # Add these to handle redirect
+ authResponseHeadersRegex: "X-.*"
diff --git a/namespaces/monitoring/uptime-kuma/kustomization.yaml b/namespaces/monitoring/uptime-kuma/kustomization.yaml
new file mode 100644
index 0000000..7ecceef
--- /dev/null
+++ b/namespaces/monitoring/uptime-kuma/kustomization.yaml
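Review bot: In middleware-auth.yaml, `authResponseHeadersRegex: "X-.*"` copies every auth-response header whose name contains `X-` onto the upstream request, which is far wider than the three identity headers listed under `authResponseHeaders` and makes that list redundant. Traefik matches this regex partially unless it is anchored, so either drop the line or narrow it to the authentik prefix, e.g. `authResponseHeadersRegex: "^X-Authentik-"` (confirm the header-name casing Traefik matches against). The comment `# Add these to handle redirect` does not describe what the option does and should say which headers are meant to reach the backend. Separately, `trustForwardHeader: true` passes client-supplied `X-Forwarded-*` values through to the outpost, so it is only sound if the entrypoint in front already restricts those headers to trusted proxies; a comment naming where that is enforced would help.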
@@ -0,0 +1,92 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+ - |-
+ apiVersion: builtin
+ kind: NamespaceTransformer
+ metadata:
+ name: notImportantHere
+ namespace: monitoring
+ unsetOnly: true
+
+namePrefix: uptime-kuma-
+resources:
+ - ../../../kustomize/deployment/
+ - extra/middleware-auth.yaml
+
+replacements:
+ - source:
+ kind: Service
+ name: svc
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ fieldPaths:
+ - spec.rules.0.backendRefs.0.name
+ - source:
+ kind: Deployment
+ name: app
+ fieldPath: metadata.labels.[app.kubernetes.io/appName]
+ targets:
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "-"
+ index: 0
+ fieldPaths:
+ - spec.managedSecretReference.secretName
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "/"
+ index: 2
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+ - select:
+ kind: Service
+ fieldPaths:
+ - spec.ports.0.name
+ - spec.ports.0.targetPort
+ - source:
+ kind: Deployment
+ name: app
+ fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+ targets:
+ - select:
+ kind: InfisicalSecret
+ fieldPaths:
+ - spec.managedSecretReference.secretNamespace
+ - source:
+ kind: Deployment
+ name: app
+ fieldPath: metadata.labels.[app.kubernetes.io/routePrefix]
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ delimiter: "."
+ index: 0
+ fieldPaths:
+ - spec.hostnames.0
+
+patches:
+ - path: patches/deployment.yaml
+ target:
+ kind: Deployment
+ name: app
+ - path: patches/httproute.yaml
+ target:
+ kind: HTTPRoute
+
+labels:
+ - includeSelectors: true
+ pairs:
+ app.kubernetes.io/appName: uptime-kuma
+ - pairs:
+ app.kubernetes.io/appNamespace: monitoring
+ - pairs:
+ app.kubernetes.io/routePrefix: status
diff --git a/namespaces/monitoring/uptime-kuma/patches/deployment.yaml b/namespaces/monitoring/uptime-kuma/patches/deployment.yaml
new file mode 100644
index 0000000..15dd903
--- /dev/null
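Review bot: `namePrefix: uptime-kuma-` will presumably rename the Middleware pulled in from `extra/middleware-auth.yaml` to `uptime-kuma-authentik-forward-auth`, but nothing in this kustomization rewrites the `extensionRef` name in `patches/httproute.yaml`, which still reads `authentik-forward-auth`. The first replacement copies the Service name into `spec.rules.0.backendRefs.0.name` by hand, which suggests kustomize is not fixing up HTTPRoute references on its own here. The filter reference needs the same treatment: a replacement with a `kind: Middleware` source targeting `spec.rules.0.filters.0.extensionRef.name`, unless the base (not visible in this diff) supplies a nameReference configuration. Check the rendered output, and confirm that the route fails closed rather than serving the backend unauthenticated when the middleware cannot be resolved.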
+++ b/namespaces/monitoring/uptime-kuma/patches/deployment.yaml
@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: app
+spec:
+ template:
+ spec:
+ containers:
+ - name: uptime-kuma
+ image: louislam/uptime-kuma:1
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 3001
+ name: uptime-kuma
+ livenessProbe:
+ tcpSocket:
+ port: uptime-kuma
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ scheme: HTTP
+ path: /
+ port: uptime-kuma
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ volumeMounts:
+ - name: data
+ mountPath: /app/data
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: uptime-kuma-pvc
diff --git a/namespaces/monitoring/uptime-kuma/patches/httproute.yaml b/namespaces/monitoring/uptime-kuma/patches/httproute.yaml
new file mode 100644
index 0000000..9b51de4
--- /dev/null
+++ b/namespaces/monitoring/uptime-kuma/patches/httproute.yaml
@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http
+spec:
+ rules:
+ - backendRefs:
+ - port: 80
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: authentik-forward-auth
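Review bot: In patches/deployment.yaml, `image: louislam/uptime-kuma:1` is a floating major tag, and with `imagePullPolicy: IfNotPresent` each node keeps whatever build it first pulled, so the running version is neither reproducible nor reliably updated when a fix ships. Pin the image to a specific release and digest, in the form `image: louislam/uptime-kuma:<version>@sha256:<digest>` (placeholders), and let the update tooling bump it. The patch also sets no `securityContext` or `resources` on the container; if the base deployment, which this diff does not show, does not provide them, they belong here.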