diff --git a/api/v1alpha1/cors_types.go b/api/v1alpha1/cors_types.go
index 34a415f903b..2831a372d6d 100644
--- a/api/v1alpha1/cors_types.go
+++ b/api/v1alpha1/cors_types.go
@@ -21,4 +21,7 @@ type CORS struct {
 ExposeHeaders []string `json:"exposeHeaders,omitempty" yaml:"exposeHeaders,omitempty"`
 // MaxAge defines how long the results of a preflight request can be cached.
 MaxAge *metav1.Duration `json:"maxAge,omitempty" yaml:"maxAge,omitempty"`
+ // AllowCredentials indicates whether a request can include user credentials
+ // like cookies, authentication headers, or TLS client certificates.
+ AllowCredentials *bool `json:"allowCredentials,omitempty" yaml:"allowCredentials,omitempty"`
 }
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 2654e070a27..78360fa1282 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -181,6 +181,11 @@ func (in *CORS) DeepCopyInto(out *CORS) {
 *out = new(v1.Duration)
 **out = **in
 }
+ if in.AllowCredentials != nil {
+ in, out := &in.AllowCredentials, &out.AllowCredentials
+ *out = new(bool)
+ **out = **in
+ }
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CORS.
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 944672a9a99..7c75d345b08 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
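Review bot: The new AllowCredentials comment describes the flag but not its interaction with AllowOrigins, which is where the risk sits: once allowCredentials is true, every origin that AllowOrigins matches can send credentialed cross-origin requests, so a broad or catch-all origin list exposes authenticated endpoints to any site that matches. I would extend the field comment with `// Only enable this together with an AllowOrigins list of trusted origins; combined with a wildcard or catch-all origin pattern it lets any matching site send credentialed requests.` Nothing in this diff rejects that combination; if the AllowOrigins type can express a catch-all match (not visible here), a kubebuilder validation on this type or a check in buildCORS (internal/gatewayapi/securitypolicy.go, later in this commit) would be the place to fail it. The CRD yaml and extension_types.md hunks carry the same text and appear to be generated from this comment, so they would pick the wording up on regeneration.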
@@ -101,6 +101,11 @@ spec:
 description: CORS defines the configuration for Cross-Origin Resource Sharing (CORS).
 properties:
+ allowCredentials:
+ description: AllowCredentials indicates whether a request can
+ include user credentials like cookies, authentication headers,
+ or TLS client certificates.
+ type: boolean
 allowHeaders:
 description: AllowHeaders defines the headers that are allowed to be sent with requests.
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index 70dad753ef4..edd06f6c4e5 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -413,11 +413,12 @@ func (t *Translator) buildCORS(cors *egv1a1.CORS) (*ir.CORS, error) {
 }

 return &ir.CORS{
- AllowOrigins: allowOrigins,
- AllowMethods: cors.AllowMethods,
- AllowHeaders: cors.AllowHeaders,
- ExposeHeaders: cors.ExposeHeaders,
- MaxAge: cors.MaxAge,
+ AllowOrigins: allowOrigins,
+ AllowMethods: cors.AllowMethods,
+ AllowHeaders: cors.AllowHeaders,
+ ExposeHeaders: cors.ExposeHeaders,
+ MaxAge: cors.MaxAge,
+ AllowCredentials: cors.AllowCredentials != nil && *cors.AllowCredentials,
 }, nil
 }

diff --git a/internal/ir/xds.go b/internal/ir/xds.go
index de252ca6140..b485fdc637a 100644
--- a/internal/ir/xds.go
+++ b/internal/ir/xds.go
@@ -328,6 +328,8 @@ type CORS struct {
 ExposeHeaders []string `json:"exposeHeaders,omitempty" yaml:"exposeHeaders,omitempty"`
 // MaxAge defines how long the results of a preflight request can be cached.
 MaxAge *metav1.Duration `json:"maxAge,omitempty" yaml:"maxAge,omitempty"`
+ // AllowCredentials indicates whether a request can include user credentials.
+ AllowCredentials bool `json:"allowCredentials,omitempty" yaml:"allowCredentials,omitempty"`
 }

 // JWT defines the schema for authenticating HTTP requests using
diff --git a/internal/xds/translator/cors.go b/internal/xds/translator/cors.go
index 50ead8f3d2e..a7fe606d03e 100644
--- a/internal/xds/translator/cors.go
+++ b/internal/xds/translator/cors.go
@@ -140,6 +140,7 @@ func (*cors) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
 if irRoute.CORS.MaxAge != nil {
 maxAge = strconv.Itoa(int(irRoute.CORS.MaxAge.Seconds()))
 }
+ allowCredentials = &wrappers.BoolValue{Value: irRoute.CORS.AllowCredentials}
 routeCfgProto := &corsv3.CorsPolicy{
 AllowOriginStringMatch: allowOrigins,
diff --git a/internal/xds/translator/testdata/in/xds-ir/cors.yaml b/internal/xds/translator/testdata/in/xds-ir/cors.yaml
index 6887b75f9c3..d7af9c71192 100644
--- a/internal/xds/translator/testdata/in/xds-ir/cors.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/cors.yaml
@@ -32,4 +32,5 @@ http:
 exposeHeaders:
 - "x-header-3"
 - "x-header-4"
+ allowCredentials: true
 maxAge: 1000s
diff --git a/internal/xds/translator/testdata/out/xds-ir/cors.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/cors.routes.yaml
index 681285a8d7e..fc0fdea378e 100755
--- a/internal/xds/translator/testdata/out/xds-ir/cors.routes.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/cors.routes.yaml
@@ -13,6 +13,7 @@
 typedPerFilterConfig:
 envoy.filters.http.cors:
 '@type': type.googleapis.com/envoy.extensions.filters.http.cors.v3.CorsPolicy
+ allowCredentials: true
 allowHeaders: x-header-1, x-header-2
 allowMethods: GET, POST
 allowOriginStringMatch:
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 62789bcf949..dc11cd57a0c 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
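Review bot: The new assignment wraps the flag unconditionally, so every CorsPolicy now carries an explicit allow_credentials BoolValue even when irRoute.CORS.AllowCredentials is false; the filter's default is false so the behaviour should be equivalent, but if the intent is to leave routes that do not opt in emitting the same config as before, guard it with `if irRoute.CORS.AllowCredentials {` `allowCredentials = &wrappers.BoolValue{Value: true}` `}`. The declaration of allowCredentials and the point where it is wired into routeCfgProto both lie outside the hunk, as does the rest of patchRoute, so that wiring cannot be checked here; the cors.routes.yaml fixture does show allowCredentials: true reaching the output for the opted-in route. Whether a route without the field still produces unchanged output depends on fixtures not visible in this diff, so a second route in cors.yaml without allowCredentials would be worth adding if none exists.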
@@ -123,6 +123,7 @@ _Appears in:_
 | `allowHeaders` _string array_ | AllowHeaders defines the headers that are allowed to be sent with requests. |
 | `exposeHeaders` _string array_ | ExposeHeaders defines the headers that can be exposed in the responses. |
 | `maxAge` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | MaxAge defines how long the results of a preflight request can be cached. |
+| `allowCredentials` _boolean_ | AllowCredentials indicates whether a request can include user credentials like cookies, authentication headers, or TLS client certificates. |


 #### ClaimToHeader