Merged
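--- a/apis/projectcontour/v1/httpproxy.go
+++ b/apis/projectcontour/v1/httpproxy.go
@@ -207,6 +207,9 @@ type VirtualHost struct {
 //
 // +optional
 Authorization *AuthorizationServer `json:"authorization,omitempty"`
+// Specifies the cross-origin policy to apply to the VirtualHost.
+// +optional
+CORSPolicy *CORSPolicy `json:"corsPolicy,omitempty"`
 }
 
 // TLS describes tls properties. The SNI names that will be matched on
@@ -241,6 +244,37 @@ type TLS struct {
 EnableFallbackCertificate bool `json:"enableFallbackCertificate,omitempty"`
 }
 
+// CORSHeaderValue specifies the value of the string headers returned by a cross-domain request.
+// +kubebuilder:validation:Pattern="^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$"
+type CORSHeaderValue string
+
+// CORSPolicy allows setting the CORS policy
+type CORSPolicy struct {
+// Specifies whether the resource allows credentials.
+// +optional
+AllowCredentials bool `json:"allowCredentials,omitempty"`
+// AllowOrigin specifies the origins that will be allowed to do CORS requests. "*" means
+// allow any origin.
+// +kubebuilder:validation:Required
+AllowOrigin []string `json:"allowOrigin"`
+// AllowMethods specifies the content for the *access-control-allow-methods* header.
+// +kubebuilder:validation:Required
+AllowMethods []CORSHeaderValue `json:"allowMethods"`
+// AllowHeaders specifies the content for the *access-control-allow-headers* header.
+// +optional
+AllowHeaders []CORSHeaderValue `json:"allowHeaders,omitempty"`
+// ExposeHeaders Specifies the content for the *access-control-expose-headers* header.
+// +optional
+ExposeHeaders []CORSHeaderValue `json:"exposeHeaders,omitempty"`
+// MaxAge indicates for how long the results of a preflight request can be cached.
+// MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration).
+// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+// Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS
+// check for all cross-origin requests.
+// +optional
+MaxAge string `json:"maxAge,omitempty"`
+}
+
 // Route contains the set of routes for a virtual host.
 type Route struct {
 // Conditions are a set of rules that are applied to a Route.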
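Review bot: `AllowOrigin` is a plain `[]string` with no validation marker, while the three header lists use the pattern-checked `CORSHeaderValue`, and nothing in the new `CORSPolicy` type stops `allowCredentials: true` from being combined with an origin of `"*"`. If the proxy echoes the request's Origin when the wildcard matches (not visible in this section), that pairing would allow credentialed cross-origin requests from any site, so it should be rejected when the HTTPProxy is processed and documented on the field, e.g. `// AllowCredentials must not be set to true when AllowOrigin contains "*".`. The `Required` markers also admit empty lists; `// +kubebuilder:validation:MinItems=1` on `AllowOrigin` and `AllowMethods` would close that. `MaxAge` is likewise an unvalidated string in this type, so the "only positive values" rule in its comment has to be enforced wherever the duration is parsed.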
40 changes: 40 additions & 0 deletions apis/projectcontour/v1/zz_generated.deepcopy.go


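--- a/examples/contour/01-crds.yaml
+++ b/examples/contour/01-crds.yaml
@@ -864,6 +864,45 @@ spec:
 required:
 - extensionRef
 type: object
+corsPolicy:
+description: Specifies the cross-origin policy to apply to the VirtualHost.
+properties:
+allowCredentials:
+description: Specifies whether the resource allows credentials.
+type: boolean
+allowHeaders:
+description: AllowHeaders specifies the content for the *access-control-allow-headers* header.
+items:
+description: CORSHeaderValue specifies the value of the string headers returned by a cross-domain request.
+pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
+type: string
+type: array
+allowMethods:
+description: AllowMethods specifies the content for the *access-control-allow-methods* header.
+items:
+description: CORSHeaderValue specifies the value of the string headers returned by a cross-domain request.
+pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
+type: string
+type: array
+allowOrigin:
+description: AllowOrigin specifies the origins that will be allowed to do CORS requests. "*" means allow any origin.
+items:
+type: string
+type: array
+exposeHeaders:
+description: ExposeHeaders Specifies the content for the *access-control-expose-headers* header.
+items:
+description: CORSHeaderValue specifies the value of the string headers returned by a cross-domain request.
+pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
+type: string
+type: array
+maxAge:
+description: MaxAge indicates for how long the results of a preflight request can be cached. MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS check for all cross-origin requests.
+type: string
+required:
+- allowMethods
+- allowOrigin
+type: object
 fqdn:
 description: The fully qualified domain name of the root of the ingress tree all leaves of the DAG rooted at this object relate to the fqdn.
 type: string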
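--- a/examples/render/contour.yaml
+++ b/examples/render/contour.yaml
@@ -982,6 +982,45 @@ spec:
 required:
 - extensionRef
 type: object
+corsPolicy:
+description: Specifies the cross-origin policy to apply to the VirtualHost.
+properties:
+allowCredentials:
+description: Specifies whether the resource allows credentials.
+type: boolean
+allowHeaders:
+description: AllowHeaders specifies the content for the *access-control-allow-headers* header.
+items:
+description: CORSHeaderValue specifies the value of the string headers returned by a cross-domain request.
+pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
+type: string
+type: array
+allowMethods:
+description: AllowMethods specifies the content for the *access-control-allow-methods* header.
+items:
+description: CORSHeaderValue specifies the value of the string headers returned by a cross-domain request.
+pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
+type: string
+type: array
+allowOrigin:
+description: AllowOrigin specifies the origins that will be allowed to do CORS requests. "*" means allow any origin.
+items:
+type: string
+type: array
+exposeHeaders:
+description: ExposeHeaders Specifies the content for the *access-control-expose-headers* header.
+items:
+description: CORSHeaderValue specifies the value of the string headers returned by a cross-domain request.
+pattern: ^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$
+type: string
+type: array
+maxAge:
+description: MaxAge indicates for how long the results of a preflight request can be cached. MaxAge durations are expressed in the Go [Duration format](https://godoc.org/time#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Only positive values are allowed while 0 disables the cache requiring a preflight OPTIONS check for all cross-origin requests.
+type: string
+required:
+- allowMethods
+- allowOrigin
+type: object
 fqdn:
 description: The fully qualified domain name of the root of the ingress tree all leaves of the DAG rooted at this object relate to the fqdn.
 type: string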
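--- a/internal/contour/v2/route.go
+++ b/internal/contour/v2/route.go
@@ -156,8 +156,14 @@ func (v *routeVisitor) onVirtualHost(vh *dag.VirtualHost) {
 if len(routes) > 0 {
 sortRoutes(routes)
 
-v.routes[ENVOY_HTTP_LISTENER].VirtualHosts = append(v.routes[ENVOY_HTTP_LISTENER].VirtualHosts,
-envoyv2.VirtualHost(vh.Name, routes...))
+var evh *envoy_api_v2_route.VirtualHost
+if cp := envoyv2.CORSPolicy(vh.CORSPolicy); cp != nil {
+evh = envoyv2.CORSVirtualHost(vh.Name, cp, routes...)
+} else {
+evh = envoyv2.VirtualHost(vh.Name, routes...)
+}
+
+v.routes[ENVOY_HTTP_LISTENER].VirtualHosts = append(v.routes[ENVOY_HTTP_LISTENER].VirtualHosts, evh)
 }
 }
 
@@ -211,8 +217,14 @@ func (v *routeVisitor) onSecureVirtualHost(svh *dag.SecureVirtualHost) {
 v.routes[name] = envoyv2.RouteConfiguration(name)
 }
 
-v.routes[name].VirtualHosts = append(v.routes[name].VirtualHosts,
-envoyv2.VirtualHost(svh.VirtualHost.Name, routes...))
+var evh *envoy_api_v2_route.VirtualHost
+if cp := envoyv2.CORSPolicy(svh.CORSPolicy); cp != nil {
+evh = envoyv2.CORSVirtualHost(svh.VirtualHost.Name, cp, routes...)
+} else {
+evh = envoyv2.VirtualHost(svh.VirtualHost.Name, routes...)
+}
+
+v.routes[name].VirtualHosts = append(v.routes[name].VirtualHosts, evh)
 
 // A fallback route configuration contains routes for all the vhosts that have the fallback certificate enabled.
 // When a request is received, the default TLS filterchain will accept the connection,
@@ -223,8 +235,14 @@ func (v *routeVisitor) onSecureVirtualHost(svh *dag.SecureVirtualHost) {
 v.routes[ENVOY_FALLBACK_ROUTECONFIG] = envoyv2.RouteConfiguration(ENVOY_FALLBACK_ROUTECONFIG)
 }
 
-v.routes[ENVOY_FALLBACK_ROUTECONFIG].VirtualHosts = append(v.routes[ENVOY_FALLBACK_ROUTECONFIG].VirtualHosts,
-envoyv2.VirtualHost(svh.Name, routes...))
+var fvh *envoy_api_v2_route.VirtualHost
+if cp := envoyv2.CORSPolicy(svh.CORSPolicy); cp != nil {
+fvh = envoyv2.CORSVirtualHost(svh.Name, cp, routes...)
+} else {
+fvh = envoyv2.VirtualHost(svh.Name, routes...)
+}
+
+v.routes[ENVOY_FALLBACK_ROUTECONFIG].VirtualHosts = append(v.routes[ENVOY_FALLBACK_ROUTECONFIG].VirtualHosts, fvh)
 }
 }
 }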
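Review bot: The same five-line `if cp := envoyv2.CORSPolicy(...); cp != nil { ... } else { ... }` selection is written out at all three append sites (the HTTP listener in onVirtualHost, and the per-vhost and fallback route configurations in onSecureVirtualHost), and the second function converts `svh.CORSPolicy` twice. If `envoyv2.CORSVirtualHost` treated a nil policy as "no CORS" (its body is not on this page, so this is a suggestion for that helper), each site would reduce to `evh := envoyv2.CORSVirtualHost(vh.Name, envoyv2.CORSPolicy(vh.CORSPolicy), routes...)`, and one listener could not drift from the others when the policy handling changes. Since the cross-origin policy is a security control, a short comment such as `// The CORS policy must be identical on the insecure, secure and fallback virtual hosts.` at the first site would record that the three copies are meant to stay in step. Both functions begin and end outside the hunks shown.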