fantoccini VS vouch-proxy

You can run the binary yourself. I'm using the following code with https://github.com/jonhoo/fantoccini, but I suspect it would work with thirtyfour too (thirtyfour builds on top of fantoccini):

Look at how much easier the code is to read (and how much less error-prone it is) with the diff though!

You'll need a web driver to parse and execute the client-side JS scripts. I would recommend fantoccini for a web driver API.

https://github.com/jonhoo/fantoccini is inspired by Puppeteer.

Look into vouch proxy

Vouch proxy is designed for this usage: https://github.com/vouch/vouch-proxy I don't think there are any nice UIs to configure it though so you'll need to be familiar with running it yourself.

Not sure this is a "best practice", but it lets me keep control of the Ingress resources inside their YAML configs. I've also layered Vouch Proxy into the ingress configurations to require SSO/MFA auth to access the resources behind the Ingress. Cloudflare has the ability to do this, but I found it cumbersome to keep track of the configs outside the K8s cluster.

I've used vouch proxy for my own stuff previously, before more recently moving to Cloudflare Access. vouch can be slightly janky at times to get working right, but once set up, it's been solid.

For example: nginx -> Vouch proxy -> KeyCloak -> Jellyfin

While this works, we were hoping to make access a bit easier with say an OpenID Connect SSO and reverse-proxy solution. I've seen Vouch Proxy, https://github.com/vouch/vouch-proxy which is really just SSO on top of nginx, but I'm wondering if there's a simpler way to do this.

You seem to be quite knowledgeable and a minimal provider with just the bare minimum would suffice for you. Have a look at Vouch Proxy, it does one thing and it does it well.