Update authentik documentation for forward auth (single application) (#10010)

**Description**
<!--
Please include a summary of the change and which issue is fixed. Please
also include relevant motivation and context. List any dependencies that
are required for this change.
-->
Updated the documentation for authentik. There are several threads about
this in Discord, but the solution is still hard to find. The [closest one
is
this](https://discord.com/channels/830763548678291466/1101105773850935316),
but I only found it after I got it to work on my system.

The update contains info about using subdomain level authentication, as
well as using basic-auth credentials for services in authentik.

**⚙️ Type of change**

- [ ] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code
- [x] 📄 Documentation Update

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

I tested this locally and from a different network, on multiple devices.

**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [ ] ⚖️ My code follows the style guidelines of this project
- [ ] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [x] 📄 I have made corresponding changes to the documentation
- [ ] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [ ] ⬆️ I increased versions for any altered app according to semantic
versioning

**App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🪞 I have opened a PR on
[truecharts/containers](https://github.com/truecharts/containers) adding
the container to TrueCharts mirror repo.
- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what is this all
about and
the status of this PR with a quick glance._
This commit is contained in:
MaximilianS 2023-07-03 22:13:55 +02:00 committed by GitHub
parent 1f333417ac
commit 93bf3a565e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 23 additions and 0 deletions

@ -26,6 +26,12 @@ All of the defaults are fine to start off, you must choose a password, however `
**Ingress Example**
:::note
Note that the `*.mydomain.com` host config is only needed if you want to use `Forward auth (single application)` in `authentik`.
:::
![Ingress-Auth](img/Ingress-Auth.png)
## Authentik GUI Setup
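Review bot: the added note on the `*.mydomain.com` host does not say which ingress the wildcard goes on or what it implies for certificates. A wildcard host makes that ingress match subdomains of `mydomain.com` that have no more specific ingress of their own, and the certificate has to cover the wildcard too. Suggest naming the ingress in the note, stating the certificate requirement next to it, and saying whether listing only the application hosts that use `Forward auth (single application)` would work as a narrower alternative.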
@ -54,6 +60,14 @@ Default username is `akadmin` and password is whatever you entered in the initia
![New-Provider-2](img/New-Provider-2.png)
- If you want to use subdomain-level access control, select `Forward auth (single application)` and enter the URL you have chosen for your apps' ingress.
- The example uses `https://application.mydomain.com/`, make sure your app is reachable and uses a valid certificate beforehand.
- You can set HTTP-Basic Authentication Attributes under `Authentication settings` for your service here.
- Don't use a `basicAuth` middleware in the apps' ingress settings. Only use this if your app has build in basic auth support.
- Add the attributes in a `authentik` group, then assign any user you want to be able to access the application to this group.
![New-Provider-3](image.png)
- Once done use that new `Provider` you created
![Create-Applications-3](img/Create-Applications-3.png)
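Review bot: in the basic-auth bullets, "Only use this if your app has build in basic auth support" is ambiguous, because it directly follows the sentence about the `basicAuth` middleware and "this" can be read as referring to that middleware rather than to the HTTP-Basic attributes. Suggest rewording to something like "Only set these attributes if your app has built-in basic auth support" and naming the attribute keys that go into the `authentik` group, since these hold the credentials sent to the app and group membership is what grants access to it. Separately, the new image is referenced as `image.png` while every other image in the file lives under `img/` with a descriptive name; move it to `img/New-Provider-3.png` and update the link.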
@ -86,12 +100,19 @@ Once `authentik` is setup and running, you must create a `forwardAuth` inside `T
The main thing about this screen is to use the internal DNS name for simplicity
- I have successfully used an `authentik` instance on a difference host together with `external-service` using this URL:
- `https://authentik-external-service.ix-authentik.svc.cluster.local:9443/outpost.goauthentik.io/auth/traefik`
- Use `heavyscript dns -a` to get the internal DNS name for your `authentik` instance in that case.
- I suggest using the `https` endpoint and port because it is what worked for me.
:::
```
http://authentik-http.ix-authentik.svc.cluster.local:10230/outpost.goauthentik.io/auth/traefik
```
**Double-check the DNS name and port.**
There's also a list of `authResponseHeaders` inside `authentik` listed for use with `Traefik`, so in case you need them here they are.
- `X-authentik-username`
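Review bot: the added bullets recommend the `https` endpoint on port `9443`, but the code block right below still shows `http://authentik-http.ix-authentik.svc.cluster.local:10230/...`, so the page now gives two different answers without saying which applies when. Suggest stating that the `http` URL is for an in-cluster `authentik` and the `https` one for the `external-service` case, and explaining how the certificate for a `*.svc.cluster.local` name is validated, since "it is what worked for me" leaves open whether TLS verification is in effect. Also "difference host" should be "different host", and the closing `:::` has no opening `:::note` visible in this hunk, so check that the admonition is balanced.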
@ -106,6 +127,8 @@ There's also a list of `authResponseHeaders` inside `authentik` listed for use w
- `X-authentik-meta-app`
- `X-authentik-meta-version`
Add the `authorization` header to pass the HTTP-Basic headers from `authentik` to you application.
### Add Traefik forwardAuth to Charts
- Once that is done all you need to add the `middleware` to your Charts under the `Ingress section`, as in my case it's called `auth`.
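Review bot: the new sentence about the `authorization` header does not say where to add it, and it sits after the `authResponseHeaders` list without being part of it. Suggest making it a list item or stating explicitly that it goes into `authResponseHeaders` of the `forwardAuth` middleware, and writing the header as `Authorization`. Since the middleware is then added to charts by name (`auth` in the example), every app using that middleware receives the HTTP-Basic credentials; it is worth recommending a separate `forwardAuth` middleware with this header for the apps that need basic auth. Typo: "to you application" should be "to your application".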
