feat: add CORS to SecurityPolicy #2065
Changes from 5 commits
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -41,8 +41,74 @@ type SecurityPolicySpec struct { | |
// for this Policy to have effect and be applied to the Gateway. | ||
// TargetRef | ||
TargetRef gwapiv1a2.PolicyTargetReferenceWithSectionName `json:"targetRef"` | ||
|
||
// CORS defines the configuration for Cross-Origin Resource Sharing (CORS). | ||
CORS *CORS `json:"cors,omitempty"` | ||
} | ||
|
||
// CORS defines the configuration for Cross-Origin Resource Sharing (CORS). | ||
type CORS struct { | ||
// AllowOrigins defines the origins that are allowed to make requests. | ||
AllowOrigins []StringMatch `json:"allowOrigins,omitempty" yaml:"allowOrigins,omitempty"` | ||
min length for
I think an empty AllowOrigins could be useful if the backend service allows CORS but we want to explicitly disable it at the Gateway. I remember we discussed this at the ir PR.
not setting
Yes, it's a bit tricky. Maybe we should add some comments on the API.
||
// AllowMethods defines the methods that are allowed to make requests. | ||
AllowMethods []string `json:"allowMethods,omitempty" yaml:"allowMethods,omitempty"` | ||
what happens when
None, just like empty AllowOrigins.
I did some experiments, the CORS filter won't set "Access-Control-Request-Headers" in the preflight response if
cool, so it's opt in, thanks for running the test
||
// AllowHeaders defines the headers that are allowed to be sent with requests. | ||
AllowHeaders []string `json:"allowHeaders,omitempty" yaml:"allowHeaders,omitempty"` | ||
// ExposeHeaders defines the headers that can be exposed in the responses. | ||
ExposeHeaders []string `json:"exposeHeaders,omitempty" yaml:"exposeHeaders,omitempty"` | ||
// MaxAge defines how long the results of a preflight request can be cached. | ||
MaxAge *metav1.Duration `json:"maxAge,omitempty" yaml:"maxAge,omitempty"` | ||
} | ||
|
||
// StringMatch defines how to match any strings. | ||
// This is a general purpose match condition that can be used by other EG APIs | ||
// that need to match against a string. | ||
type StringMatch struct { | ||
// Type specifies how to match against a string. | ||
// | ||
// +optional | ||
// +kubebuilder:default=Exact | ||
Type *MatchType `json:"type,omitempty"` | ||
|
||
// Value specifies the string value that the match must have. | ||
// | ||
// +kubebuilder:validation:MinLength=1 | ||
// +kubebuilder:validation:MaxLength=1024 | ||
Value string `json:"value"` | ||
|
||
// IgnoreCase specifies whether the match should be case insensitive. | ||
// This has no effect for the safe_regex match. | ||
// Defaults to false. | ||
// +optional | ||
IgnoreCase bool `json:"caseSensitive,omitempty"` | ||
zhaohuabing marked this conversation as resolved.
|
||
} | ||
|
||
// MatchType specifies the semantics of how a string value should be compared. | ||
// Valid MatchType values are "Exact", "Prefix", "Suffix", "Contains", "RegularExpression". | ||
// | ||
// +kubebuilder:validation:Enum=Exact;Prefix;Suffix;Contains;RegularExpression | ||
type MatchType string | ||
|
||
const ( | ||
// MatchExact :the input string must match exactly the match value. | ||
MatchExact MatchType = "Exact" | ||
|
||
// MatchPrefix :the input string must start with the match value. | ||
MatchPrefix MatchType = "Prefix" | ||
|
||
// MatchSuffix :the input string must end with the match value. | ||
MatchSuffix MatchType = "Suffix" | ||
|
||
// MatchContains :the input string must contain the match value. | ||
zhaohuabing marked this conversation as resolved.
|
||
MatchContains MatchType = "Contains" | ||
|
||
// MatchRegularExpression :The input string must match the regular expression | ||
// specified in the match value. | ||
// The regex string must adhere to the syntax documented in | ||
// https://github.com/google/re2/wiki/Syntax. | ||
MatchRegularExpression MatchType = "RegularExpression" | ||
) | ||
|
||
// SecurityPolicyStatus defines the state of SecurityPolicy | ||
type SecurityPolicyStatus struct { | ||
// Conditions describe the current conditions of the SecurityPolicy. | ||
|
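Review bot: In `StringMatch`, the `IgnoreCase` field is serialized under the JSON key `caseSensitive`, which names the opposite behaviour, so a manifest that sets `caseSensitive: true` would switch case-insensitive matching on. The tag should match the field, for example `json:"ignoreCase,omitempty"`, so that the documented "Defaults to false" reads the same way in Go and in YAML. The same comment refers to "the safe_regex match", which is not one of the `MatchType` values declared below it; naming `RegularExpression` there would keep the API self-consistent. On `AllowOrigins`, the doc comment does not say what an empty or unset list means, and since origins are matched with `StringMatch`, it would help to document that the `Prefix`, `Suffix` and `Contains` types can admit origins the operator did not intend (a `Suffix` value of `example.com` also matches an origin ending in `notexample.com`), and to recommend `Exact` or an anchored `RegularExpression` for origin allow-lists. Minor: the `CORS` fields carry both `json` and `yaml` tags while the `StringMatch` fields carry only `json`, and the new `CORS *CORS` field on `SecurityPolicySpec` has `omitempty` but no `+optional` marker.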
can you open an issue to track this?
#2067