GEP: Add support for CORS

[arkodg]

What would you like to be added: The ability to configure CORS policies on a HTTPRoute

Why this is needed: CORS is needed to relax specific restrictions of SOP associated with requests sent from a web browser.

To learn more visit https://enable-cors.org/index.html

How some common data plane implementations that do this today

• Envoy - https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/cors_filter
• NGINX - https://enable-cors.org/server_nginx.html
• Many more in - https://enable-cors.org/server.html

Here is an example of existing high level APIs

• Contour - https://projectcontour.io/docs/v1.21.1/config/cors/
• Istio - https://istio.io/latest/docs/reference/config/networking/virtual-service/#CorsPolicy
• Envoy Gateway - https://gateway.envoyproxy.io/latest/user/cors/
• Ingress NGINX - https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#enable-cors

Relates to https://github.com/envoyproxy/gateway/issues/567

[Xunzhuo]

/assign

[youngnick]

I think that this one could either be done with a Policy or with fields. A Policy design should probably wait for #1565 to merge, but a review of implementations and what CORS configuration they support, and what's common between them (like I did for #1744) should allow us to have a better design here.

[Xunzhuo]

Yes, this needs more infros before getting it started, I am going to resolve other assigned high priority issues first.

[youngnick]

I think for this one, we need to talk about how to do it first, before we start, which will need probably a small GEP. @Xunzhuo, I'm going to unassign this for now, as it's reasonably large, and you've got a lot on your plate.

[arkodg]

related https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#enable-cors

[shaneutt]

We've marked this one as v1.0.0 and placed it on the road to ga as something to do next. For this to actually make it in GA however, we probably need an owner/champion for it to start driving it forward and starting a GEP fairly soon. Is anyone up for that task?

/help

[k8s-ci-robot]

@shaneutt: This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to [this](https://github.com/kubernetes-sigs/gateway-api/issues/1767): >We've marked this one as `v1.0.0` and placed it on [the road to ga](https://github.com/orgs/kubernetes-sigs/projects/30) as something to do next. For this to actually make it in GA however, we probably need an owner/champion for it to start driving it forward and starting a GEP _fairly soon_. Is anyone up for that task? > >/help Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[ckopparthi]

@youngnick Do we have any roadmap for this feature. When will this be available.

[shaneutt]

@youngnick Do we have any roadmap for this feature. When will this be available.

As per the previous message we are still in need of someone from the community to champion this issue and bring it forward, until then we have no roadmap or timeline for it. We did mark it as wanted for v1.0.0 but it's not considered a release-blocker so if nobody drives it forward very soon it will likely be pushed to post-GA.

[zhaohuabing]

Just added CORS to the SecurityPolicy in Envoy Gateway. I can try to come up with an initial GEP from what we have learned from Envoy Gateway. @youngnick @shaneutt

[tao12345666333]

CORS is a common requirement, as we have implemented in the Kubernetes Ingress-NGINX project. However, I believe that Policy Attachment could be a more flexible and practical option for certain scenarios.

[lianglli]

It would be great if HTTPRouteFilter had a field (E.g., HTTPRouteFilterCORS) to set CORS config (i.e., enable_cors, cors_allow_origin, cors_allow_methods, cors_allow_headers, cors_max_age, cors_allow_credentials and cors_expose_headers).

Then, if a HTTPRoute has the HTTPRouteFilterCORS, the gateway will :

• return HTTP 204 with specific CORS headers to the client for HTTP OPTION based on the HTTPRouteFilterCORS;
• add/set specific CORS headers to the response based on the HTTPRouteFilterCORS.

[lianglli]

We've marked this one as v1.0.0 and placed it on the road to ga as something to do next. For this to actually make it in GA however, we probably need an owner/champion for it to start driving it forward and starting a GEP fairly soon. Is anyone up for that task?

/help

@shaneutt It is a common feature for HTTP gateway. If this requires a GEP, I would be like to start working on it.

[lianglli]

/assign @lianglli

[lianglli]

The CORS was discussed at Kubecon last week. @mikemorris @arkodg I will start a GEP for CORS that focuses on background and past implementations first.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale