marcogschmidt
commented
3 years ago Adding some context and initial thoughts. We currently set CORS configuration on the Gloo Edge VirtualService that is generated for an Environment only if any of the API product versions included in that Environment are published in one or more Portal resources. This is done in order for the "Try it out" feature in the interactive docs for those APIs to work in portal applications (as the requests sent from there are cross-origin). Specifically, we set the following CORS configuration:
# The domains of the relevant portals (each with both http and https schemes)
allowOrigin: []
# Regular expressions for the domains of the relevant portals
# that contain DNS wildcards (each with both http and https schemes)
allowOriginRegex: []
allowCredentials: true
allowHeaders:
- api-key
- AuthorizationAlthough we allow users to set a wide array of options on the generated VirtualService, we currently do not allow setting custom CORS policies in not to conflict with these automatically added ones (see docs here). I think the best solution would be to relax this constraint and allow users to provide their custom CORS config using the existing options fields.
If we go with approach, to not break the current behavior (where we automatically set the CORS config to have the "try it out" feature work), Gloo Portal could merge the CORS configuration above into the user-defined one. If it turns out that users do not want the automatic behavior, we could easily add a flag to disable it in the future.
To give a concrete example, this is what the configuration might look like:
apiVersion: portal.gloo.solo.io/v1beta1
kind: APIProduct
metadata:
name: test
namespace: gloo-portal
spec:
versions:
- name: v1
apis: [ ] # omitted for brevity
gatewayConfig:
route:
inlineRoute:
backends: [ ] # omitted for brevity
options:
# Custom CORS config for this whole API product version
# Currently this would result in an error.
cors:
allowHeaders:
- foo
allowOrigin:
- custom.app.com
---
apiVersion: portal.gloo.solo.io/v1beta1
kind: Environment
metadata:
name: test-environment
namespace: gloo-portal
spec:
domains:
- api.com
apiProducts:
- namespaces:
- "*"
gatewayConfig:
# New flag to disable the automatic setting of CORS based on portals for this env
disableAutoCors: false
---
apiVersion: portal.gloo.solo.io/v1beta1
kind: Portal
metadata:
name: test
namespace: gloo-portal
spec:
domains:
- portal.com
publishedEnvironments:
- name: test-environment
namespace: gloo-portalThe above would result in the following CORS config on the generated VirtualService/RouteTable:
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
name: test-environment
namespace: gloo-portal
spec:
virtualHost:
domains:
- api.com
routes:
- delegateAction:
selector:
labels: [ ] # omitted, selects table below
matchers:
- prefix: /
options:
# No more CORS options here
cors: { }
---
apiVersion: gateway.solo.io/v1
kind: RouteTable
metadata:
name: test.v1
namespace: gloo-portal
spec:
routes:
- matchers:
- prefix: '/'
options:
# Result of merging the custom + autogenerated CORS config
cors:
allowOrigin:
- http://portal.com
- https://portal.com
- custom.app.com
allowCredentials: true
allowHeaders:
- api-key
- Authorization
- foo
routeAction: {} # omitted
Is your feature request related to a problem? Please describe. The VirtualService generated by Gloo Portal includes a CORS configuration but:
content-typeisn't part of theallowHeadersallowOrigincan't be customizedDescribe the solution you'd like We need to either provide a way for the user to provide its own CORS configuration or at least some entries they want to add to the
allowHeadersandallowOriginarrays.