kubernetes-sigs / gateway-api

Repository for the next iteration of composite service (e.g. Ingress) and load balancing APIs.
https://gateway-api.sigs.k8s.io
Apache License 2.0
1.86k stars 484 forks source link

GEP: Add support for CORS #1767

Open arkodg opened 1 year ago

arkodg commented 1 year ago

What would you like to be added: The ability to configure CORS policies on a HTTPRoute

Why this is needed: CORS is needed to relax specific restrictions of SOP associated with requests sent from a web browser.

To learn more visit https://enable-cors.org/index.html

How some common data plane implementations that do this today

Here is an example of existing high level APIs

Relates to https://github.com/envoyproxy/gateway/issues/567

Xunzhuo commented 1 year ago

/assign

youngnick commented 1 year ago

I think that this one could either be done with a Policy or with fields. A Policy design should probably wait for #1565 to merge, but a review of implementations and what CORS configuration they support, and what's common between them (like I did for #1744) should allow us to have a better design here.

Xunzhuo commented 1 year ago

Yes, this needs more infros before getting it started, I am going to resolve other assigned high priority issues first.

youngnick commented 1 year ago

I think for this one, we need to talk about how to do it first, before we start, which will need probably a small GEP. @Xunzhuo, I'm going to unassign this for now, as it's reasonably large, and you've got a lot on your plate.

arkodg commented 1 year ago

related https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#enable-cors

shaneutt commented 1 year ago

We've marked this one as v1.0.0 and placed it on the road to ga as something to do next. For this to actually make it in GA however, we probably need an owner/champion for it to start driving it forward and starting a GEP fairly soon. Is anyone up for that task?

/help

k8s-ci-robot commented 1 year ago

@shaneutt: This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to [this](https://github.com/kubernetes-sigs/gateway-api/issues/1767): >We've marked this one as `v1.0.0` and placed it on [the road to ga](https://github.com/orgs/kubernetes-sigs/projects/30) as something to do next. For this to actually make it in GA however, we probably need an owner/champion for it to start driving it forward and starting a GEP _fairly soon_. Is anyone up for that task? > >/help Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
ckopparthi commented 1 year ago

@youngnick Do we have any roadmap for this feature. When will this be available.

shaneutt commented 1 year ago

@youngnick Do we have any roadmap for this feature. When will this be available.

As per the previous message we are still in need of someone from the community to champion this issue and bring it forward, until then we have no roadmap or timeline for it. We did mark it as wanted for v1.0.0 but it's not considered a release-blocker so if nobody drives it forward very soon it will likely be pushed to post-GA.

zhaohuabing commented 1 year ago

Just added CORS to the SecurityPolicy in Envoy Gateway. I can try to come up with an initial GEP from what we have learned from Envoy Gateway. @youngnick @shaneutt

tao12345666333 commented 1 year ago

CORS is a common requirement, as we have implemented in the Kubernetes Ingress-NGINX project. However, I believe that Policy Attachment could be a more flexible and practical option for certain scenarios.

lianglli commented 8 months ago

It would be great if HTTPRouteFilter had a field (E.g., HTTPRouteFilterCORS) to set CORS config (i.e., enable_cors, cors_allow_origin, cors_allow_methods, cors_allow_headers, cors_max_age, cors_allow_credentials and cors_expose_headers).

Then, if a HTTPRoute has the HTTPRouteFilterCORS, the gateway will :

lianglli commented 8 months ago

We've marked this one as v1.0.0 and placed it on the road to ga as something to do next. For this to actually make it in GA however, we probably need an owner/champion for it to start driving it forward and starting a GEP fairly soon. Is anyone up for that task?

/help

@shaneutt It is a common feature for HTTP gateway. If this requires a GEP, I would be like to start working on it.

lianglli commented 8 months ago

/assign @lianglli

lianglli commented 8 months ago

The CORS was discussed at Kubecon last week. @mikemorris @arkodg I will start a GEP for CORS that focuses on background and past implementations first.

k8s-triage-robot commented 5 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

TJKkking commented 4 months ago

/remove-lifecycle stale

shaneutt commented 4 months ago

Hi @TJKkking! We noticed you changed the lifecycle on this, are you by chance interested in working on this?

youngnick commented 3 months ago

Earlier on this issue I suggested that it would require work on the how to do this, which is true but misleading.

CORS is a reasonably complex feature that may be different between data paths (that is the proxies that actually pass the traffic).

So the next steps for this GEP (which can proceed at any time and is not affected by the Gateway API release cycle) are:

Lastly, whoever does take this on should not feel obligated to push this feature all the way to Experimental or beyond! It's totally fine to come in and do the initial background and Introduction for the GEP and then move on to something else. Of course, if you're passionate about the feature and want to push it forward, that's how features make it into Standard eventually!

Marking as good-first-issue with this todo list.

/good-first-issue

k8s-ci-robot commented 3 months ago

@youngnick: This request has been marked as suitable for new contributors.

Guidelines

Please ensure that the issue body includes answers to the following questions:

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-good-first-issue command.

In response to [this](https://github.com/kubernetes-sigs/gateway-api/issues/1767): >Earlier on this issue I suggested that it would require work on the _how_ to do this, which is true but misleading. > >CORS is a reasonably complex feature that may be different between data paths (that is the proxies that actually pass the traffic). > >So the next steps for this GEP (which can proceed at _any time_ and is not affected by the Gateway API release cycle) are: > >* Someone requests to have the work assigned to them on this issue (I've removed the current assignee because there have been no updates for some time). >* That person generates a new PR to the `geps/` directory in the repo. This PR must do a few things: > * copy the template in the `gep-696` directory to a new `gep-1767` directory > * update all references to GEP-696 to GEP-1767, in both the Markdown and YAML files in there > * Mark this new GEP as the `Provisional` state, both in the Markdown and the YAML files > * Fill out the title (`CORS Support`), TLDR, Goals, Non-Goals and Introduction sections of the GEP _only_. Other sections can be left as they are in the template or filled out with "To be completed later" or similar. > * The most important part of this update is the Introduction. This section should explain what CORS is and why people want to be able to configure it, and, even more importantly, explain what each relevant data plane (proxy) does to configure CORS today. See [GEP-1742](https://gateway-api.sigs.k8s.io/geps/gep-1742/) for a similar example, although this CORS GEP should also include checking if any Gateway API implementations support CORS already, and how they configure it (I believe that Envoy Gateway and Istio already do, but I'm not sure). > > The purpose of this initial Provisional update is to ensure that everyone talking about CORS in Gateway API has the same understanding of the current state of the art around configuring and using CORS in both Gateway API implementations and their underlying data plane proxies. This will mean that, at a future date, we can look at doing the further work to push this GEP to Implementable and Experimental (which _will_ be subject to the usual planning cycle and freeze periods). Up until the Provisional state is finished, though, all updates to this GEP document will _not_ be covered by Gateway API change freezes. > >Marking as good-first-issue with this todo list. > >/good-first-issue > Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.
youngnick commented 3 months ago

/remove-lifecycle stale

lianglli commented 3 months ago

/assign @lianglli

Sorry for the late update. I will create a GEP asap.