diff --git a/CHANGES.rst b/CHANGES.rst index 5d29183e..cca1df18 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -10,6 +10,8 @@ Unreleased * Bump ``sql_exporter`` to ``0.16.0`` +* Set CORS annotations in ``grand-central`` ingress. + 2.42.0 (2024-10-02) ------------------- diff --git a/crate/operator/grand_central.py b/crate/operator/grand_central.py index 9a3ee0ef..f01292b0 100644 --- a/crate/operator/grand_central.py +++ b/crate/operator/grand_central.py @@ -307,7 +307,12 @@ def get_grand_central_ingress( name: str, labels: LabelType, hostname: str, + spec: kopf.Spec, ) -> V1Ingress: + allow_origin = ( + spec["cluster"].get("settings", {}).get("http.cors.allow-origin") + or "$http_origin" + ) return V1Ingress( metadata=V1ObjectMeta( name=f"{GRAND_CENTRAL_RESOURCE_PREFIX}-{name}", @@ -325,17 +330,22 @@ def get_grand_central_ingress( more_set_headers "X-XSS-Protection: 1;mode=block" "X-Frame-Options: DENY" "X-Content-Type-Options: nosniff" - "Access-Control-Allow-Origin: $http_origin" - "Access-Control-Allow-Headers: Content-Type,Authorization" - "Access-Control-Allow-Credentials: true" - "Access-Control-Max-Age: 7200" - "Access-Control-Allow-Methods: GET,POST,PUT,PATCH,OPTIONS,DELETE" "Referrer-Policy: strict-origin-when-cross-origin" ; """ # noqa ), "nginx.ingress.kubernetes.io/proxy-buffer-size": "64k", "nginx.ingress.kubernetes.io/ssl-redirect": "true", + "nginx.ingress.kubernetes.io/enable-cors": "true", + "nginx.ingress.kubernetes.io/cors-allow-credentials": "true", + "nginx.ingress.kubernetes.io/cors-allow-origin": allow_origin, + "nginx.ingress.kubernetes.io/cors-allow-methods": ( + "GET,POST,PUT,PATCH,OPTIONS,DELETE" + ), + "nginx.ingress.kubernetes.io/cors-allow-headers": ( + "Content-Type,Authorization" + ), + "nginx.ingress.kubernetes.io/cors-max-age": "7200", }, ), spec=V1IngressSpec( 
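Review bot: The `or "$http_origin"` fallback in `get_grand_central_ingress` keeps the reflect-any-origin default, and the next hunk of this file pairs it with `cors-allow-credentials: "true"`. A cluster without `http.cors.allow-origin` would therefore answer credentialed cross-origin requests for whatever origin the browser sends. The removed `more_set_headers` lines already behaved this way, but this change is the natural place to tighten it. Either fall back to an explicit allow-list from operator configuration, or read `allow_origin = spec["cluster"].get("settings", {}).get("http.cors.allow-origin")` and add the `cors-*` annotations only when it is set. The function body continues outside the hunk.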
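Review bot: `cors-allow-origin` receives `allow_origin` verbatim, with no check that the value is in a form the ingress controller accepts. As far as I know, ingress-nginx documents this annotation as `*` or a comma-separated list of `scheme://host[:port]` origins. The `$http_origin` default, and any CrateDB-style value taken from the cluster settings (possibly a `/regex/` pattern; confirm), may therefore be skipped or replaced by the controller's own default, depending on its version. Validate the value before building the ingress and log when it is rejected, with a comment above the annotation such as `# must be "*" or a comma-separated list of origins`. A configured `*` together with `cors-allow-credentials: "true"` deserves an explicit decision rather than a silent pass-through.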
@@ -427,7 +437,9 @@ async def create_grand_central_backend( logger, continue_on_conflict=True, namespace=namespace, - body=get_grand_central_ingress(owner_references, name, labels, hostname), + body=get_grand_central_ingress( + owner_references, name, labels, hostname, spec + ), ) diff --git a/tests/test_create_grand_central.py b/tests/test_create_grand_central.py index b738b2ab..701cc343 100644 --- a/tests/test_create_grand_central.py +++ b/tests/test_create_grand_central.py @@ -168,6 +168,32 @@ async def test_create_grand_central(faker, namespace, kopf_runner, api_client): ingress.metadata.annotations["external-dns.alpha.kubernetes.io/hostname"] == "my-crate-cluster.gc.aks1.eastus.azure.cratedb-dev.net" ) + assert ( + ingress.metadata.annotations[ + "nginx.ingress.kubernetes.io/cors-allow-credentials" + ] + == "true" + ) + assert ( + ingress.metadata.annotations["nginx.ingress.kubernetes.io/enable-cors"] + == "true" + ) + assert ( + ingress.metadata.annotations["nginx.ingress.kubernetes.io/cors-allow-origin"] + == "$http_origin" + ) + assert ( + ingress.metadata.annotations["nginx.ingress.kubernetes.io/cors-allow-methods"] + == "GET,POST,PUT,PATCH,OPTIONS,DELETE" + ) + assert ( + ingress.metadata.annotations["nginx.ingress.kubernetes.io/cors-allow-headers"] + == "Content-Type,Authorization" + ) + assert ( + ingress.metadata.annotations["nginx.ingress.kubernetes.io/cors-max-age"] + == "7200" + ) await assert_wait_for( True,
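Review bot: The new assertions in `test_create_grand_central` cover only the fallback path, so nothing checks that a cluster with `http.cors.allow-origin` set gets that value in the `cors-allow-origin` annotation. Add a second case (or parametrize) that puts the setting into `spec.cluster.settings` and asserts the annotation equals it. Add another for an empty-string setting, which the `or` fallback treats as unset. Asserting `== "$http_origin"` also pins the reflect-any-origin default as expected behaviour, so this is the assertion to revisit if that default is tightened. The test function begins and continues outside the hunk.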