[Cherry pick] "Add the support of bypassing JWT authn for CORS requests" to release 1.1#2165
Conversation
googlebot
added
the
cla: yes
|
/cc @procyclinsur |
|
@lei-tang: GitHub didn't allow me to request PR reviews from the following users: procyclinsur. Note that only istio members and repo collaborators can review this PR, and authors cannot review their own PRs. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Can we get someone to restart the checks? It seems like there wasn't vms available to perform them so they failed? |
* Add the support of bypassing JWT authn for CORS requests * Bail out earlier for CORS preflight requests * Use OPTIONS constant value from Envoy * Remove changing to lowercase
lei-tang
force-pushed
the
cherry-pick-cors-bypass-to-release-1.1
branch
from
8ba3ec7 to
485fd6f
Compare
|
I rebased the PR to latest release 1.1 and git pushed the PR to restart the presubmit checks. |
|
The PR has passed all presubmit tests and is waiting for approvals from the reviewers. |
|
@lizan ? |
|
@procyclinsur @lei-tang I need to push back more on 1.1.x PRs. At this point attention should really shift to master and then 1.2. So what are the implications of not merging this? |
@duderino Thank you for the response 😄! It makes sense to concentrate on 1.2, and from a business standpoint (for me) it may not be completely necessary to have this merged into the 1.1 branch if 1.2 will be coming within the next month, and will contain these commits? The technical implications of not merging this commit are that Istio will continue to deny all traffic to cross-site jwt authenticated paths due to the preflight CORS request failing. CORS requests by specification do not/should not contain authentication credentials. Therefore the request is rejected before it even starts. Also, I have been searching for documents describing policy for the Test and Release SIG, and have found nothing regarding release schedule. Does Istio currently have a fixed release schedule? |
|
@fpesce could you give this a security review? It is in master and probably in 1.2 |
|
Not a CORS expert. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: fpesce, lei-tang If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
/approve |
7 participants
What this PR does / why we need it: this PR is for the issue https://github.com/istio/proxy/issues/2160. The two PRs related to "Add the support of bypassing JWT authn for CORS requests" are in the master branch but not in the release 1.1 branch. This PR cherry-picks the two PRs from master branch to release 1.1 branch.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #2160Special notes for your reviewer:
Release note: