diff --git a/services/vault/ingress.yaml b/services/vault/ingress.yaml
index 5497bc1..26c9b16 100644
--- a/services/vault/ingress.yaml
+++ b/services/vault/ingress.yaml
@@ -1,4 +1,4 @@
-# services/vault/helmrelease.yaml
+# services/vault/ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -9,6 +9,8 @@ metadata:
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.middlewares: vault-vault-login-redirect@kubernetescrd
 traefik.ingress.kubernetes.io/router.tls: "true"
+ traefik.ingress.kubernetes.io/service.serversscheme: https
+ traefik.ingress.kubernetes.io/service.serverstransport: vault-vault-to-https@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
diff --git a/services/zot/ingress.yaml b/services/zot/ingress.yaml
index 7a40679..9180541 100644
--- a/services/zot/ingress.yaml
+++ b/services/zot/ingress.yaml
@@ -8,7 +8,7 @@ metadata:
 cert-manager.io/cluster-issuer: letsencrypt-prod
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
- traefik.ingress.kubernetes.io/router.middlewares: zot-zot-resp-headers@kubernetescrd,zot-zot-forward-auth@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: zot-zot-resp-headers@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
diff --git a/services/zot/middleware.yaml b/services/zot/middleware.yaml
index cc76d5f..166b070 100644
--- a/services/zot/middleware.yaml
+++ b/services/zot/middleware.yaml
@@ -24,20 +24,3 @@ spec:
 - PUT
 - PATCH
 - DELETE
-
----
-
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: zot-forward-auth
- namespace: zot
-spec:
- forwardAuth:
- address: https://auth.bstein.dev/oauth2/auth
- trustForwardHeader: true
- authResponseHeaders:
- - Authorization
- - X-Auth-Request-Email
- - X-Auth-Request-User
- - X-Auth-Request-Groups
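Review bot: The two added `service.*` annotations in services/vault/ingress.yaml sit on the Ingress metadata, but as far as I know Traefik's Kubernetes Ingress provider reads `traefik.ingress.kubernetes.io/service.serversscheme` and `service.serverstransport` from the backing Service object, so here they may be silently ignored and the Traefik-to-Vault hop would keep its default scheme. If that holds for the Traefik version in use, move both lines to the annotations of the vault Service, which this diff does not show. Separately, the `vault-to-https` ServersTransport is not defined in this diff; confirm it verifies Vault's certificate with `serverName` and a pinned CA (`rootCAsSecrets`) rather than `insecureSkipVerify: true`, since this hop carries Vault tokens.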
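Review bot: With `zot-zot-forward-auth@kubernetescrd` dropped from `router.middlewares` in services/zot/ingress.yaml, nothing at the edge authenticates requests to the registry any more; the remaining `zot-zot-resp-headers` middleware appears from its name to only set response headers. The diff does not show zot's own configuration, so it is not visible whether `http.auth` and `accessControl` are enabled there; if they are not, push and delete would be reachable on `websecure` without credentials. Please confirm this in the zot config, in particular that `anonymousPolicy` grants no more than intended, and record it next to the annotation, e.g. `# authn/authz enforced by zot itself (http.auth + accessControl); no edge forwardAuth`. The matching Middleware is deleted in services/zot/middleware.yaml in the last hunk.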