solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy
https://docs.solo.io/
Apache License 2.0

Gloo CORS support is broken #8719

Open suyuee opened 1 year ago

suyuee commented 1 year ago

Gloo Edge Product

Open Source

Gloo Edge Version

v 1.15.1

Kubernetes Version

v 1.27.3

Describe the bug

The CORS policy in virtual host options does not add CORS headers like "Access-Control-Allow-Methods" to the response. Would appreciate any help.

Sample response (notice no cors headers)

curl -i $(glooctl proxy url)/d0 -XOPTIONS
HTTP/1.1 204 No Content
content-length: 10
content-type: text/plain
date: Tue, 26 Sep 2023 18:47:40 GMT
server: envoy

Expected Behavior

When setting a CORS policy in a virtual service, there should be headers like allowed methods/origins/headers attached to the request's response (OPTIONS or other), but there aren't.

Steps to reproduce the bug

  1. Install Gloo with Helm
  2. Apply these simple manifests: https://gist.github.com/suyuee/3f6bce4af74b5dcdf121c7ce3fb63c49
  3. curl -i $(glooctl proxy url)/ -XOPTIONS or curl -i $(glooctl proxy url)/d0
  4. Notice no CORS headers returned

Additional Environment Detail

I have tried both on EKS and minikube.

Additional Context

No response
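
A check for the reproduction above, as an added example that is not part of the original issue or the Gloo project: browsers mark a CORS preflight with `Origin` and `Access-Control-Request-Method` request headers, which the bare `-XOPTIONS` call in the report does not send. The origin `https://app.example.com`, the function names and the second sample response are assumptions constructed for illustration.

```bash
# Added example, not from the issue. Origin/method defaults are assumptions.

# Send a browser-style CORS preflight: OPTIONS plus the Origin and
# Access-Control-Request-Method request headers.
preflight() {  # usage: preflight URL [ORIGIN] [METHOD]
  curl -si -X OPTIONS "$1" \
    -H "Origin: ${2:-https://app.example.com}" \
    -H "Access-Control-Request-Method: ${3:-GET}"
}

# Print the lowercased names of CORS response headers, one per line,
# from a raw HTTP response on stdin (header block only, body is skipped).
cors_headers() {
  tr -d '\r' | awk -F': *' '
    NR > 1 && $0 == "" { exit }
    tolower($1) ~ /^access-control-/ { print tolower($1) }'
}

# Succeed only if the response on stdin has Access-Control-Allow-Origin.
has_cors() { cors_headers | grep -qx 'access-control-allow-origin'; }

# Response copied from the issue: bare OPTIONS, no Origin header was sent.
ISSUE_RESPONSE='HTTP/1.1 204 No Content
content-length: 10
content-type: text/plain
date: Tue, 26 Sep 2023 18:47:40 GMT
server: envoy
'

# Constructed sample of a preflight answer that does carry CORS headers.
# The line after the blank line is body text and must not be counted.
SAMPLE_WITH_CORS='HTTP/1.1 200 OK
access-control-allow-origin: https://app.example.com
access-control-allow-methods: GET,POST
server: envoy

access-control-allow-headers: this-line-is-body-not-a-header
'

# Live use against the gateway from the issue (needs glooctl and a cluster):
#   preflight "$(glooctl proxy url)/d0" | has_cors && echo present || echo missing
```

Comparing the output of `preflight` with the bare `curl -i ... -XOPTIONS` from the report shows whether the missing headers depend on the request carrying an `Origin`.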

suyuee commented 1 year ago

If someone can confirm this is indeed an issue, I can try to put up a fix.

phillycheeze commented 2 weeks ago

This is also broken for us when using the directResponseAction config. I'm guessing that it bypasses setting the CORS headers in that scenario.

Actually for us it might be the method Matcher config as outlined in the issue here: https://github.com/solo-io/gloo/issues/3774

Unfortunately CORS support just seems really broken in Gloo and no config so far works (as outlined in the issue above, 404 responses don't send CORS headers back).