I'm trying to enable CORS on a GKE cluster with Anthos Service Mesh 1.8 using the Istio ingress gateway, but CORS header aren't returned correctly.
Here the Service configuration
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
type: ClusterIP
selector:
app: my-service
ports:
- name: http
port: 8080
targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-service
spec:
selector:
matchLabels:
app: my-service
template:
metadata:
labels:
app: my-service
spec:
serviceAccountName: ksa
containers:
- name: my-service
image: <my image>
ports:
- name: http-server
containerPort: 8080
and ingress configuration
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: istio-gateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: istio-ingress
spec:
hosts:
- "*"
gateways:
- istio-gateway
http:
- name: default-public-route
route:
- destination:
host: my-service
corsPolicy:
allowOrigins:
- exact: "*"
allowMethods:
- GET
- POST
- PATCH
- PUT
- DELETE
- OPTIONS
allowCredentials: false
allowHeaders:
- authorization
maxAge: "24h"
I'm also using this online rest client to test the endpoint, and I get different reponses based if i use http prefix or not
with <ingress ip>/mypath I get 403 Forbidden error while with http://<ingress ip>/mypath i get a generic CORS not enabled. If I execute the api from Postman all works correctly but CORS headers are not returned. I also tried to set CORS directly from Flask application but nothing changed.
Any idea on how to solve?
Thanks
This should work, I have just tested it.
In my experience, the Istio CORS options are a rather thin wrapper around generic CORS functionality, so I guess the real problem is not about Istio, but the CORS configuration.
Maybe something is wrong with
allowCredentialsorallowHeaders. Also if you have an IstioAuthorizationPolicy, HTTPOPTIONScalls should probably be allowed for pre-flight requests.