feat: add CORS to SecurityPolicy (#2065)

* Add CORS to SecurityPolicy

Signed-off-by: huabing zhao <[email protected]>

* follow golang name convention: change Cors to CORS

Signed-off-by: huabing zhao <[email protected]>

* add TODO to refactor string match types

Signed-off-by: huabing zhao <[email protected]>

* fix test

Signed-off-by: huabing zhao <[email protected]>

* fix test

Signed-off-by: huabing zhao <[email protected]>

* address comment

Signed-off-by: huabing zhao <[email protected]>

* address comment

Signed-off-by: huabing zhao <[email protected]>

* fix test

Signed-off-by: huabing zhao <[email protected]>

* set min length for AllowOrigins and AllowMethods

Signed-off-by: huabing zhao <[email protected]>

* fix test

Signed-off-by: huabing zhao <[email protected]>

* fix generate

Signed-off-by: huabing zhao <[email protected]>

---------

Signed-off-by: huabing zhao <[email protected]>

api/v1alpha1/envoyproxy_metric_types.go

@@ -60,7 +60,7 @@ type ProxyPrometheusProvider struct {
 }
 
 // Match defines the stats match configuration.
-type Match struct {
+type Match struct { // TODO: zhaohuabing this type should be renamed to StatsMatch
 	// MatcherType defines the stats matcher type
 	//
 	// +kubebuilder:validation:Enum=RegularExpression;Prefix;Suffix
@@ -70,7 +70,7 @@ type Match struct {
 
 type MatcherType string
 
-const (
+const ( // TODO: zhaohuabing the const types should be prefixed with StatsMatch
 	Prefix            MatcherType = "Prefix"
 	RegularExpression MatcherType = "RegularExpression"
 	Suffix            MatcherType = "Suffix"

api/v1alpha1/ratelimitfilter_types.go

@@ -130,7 +130,7 @@ type SourceMatch struct {
 }
 
 // HeaderMatch defines the match attributes within the HTTP Headers of the request.
-type HeaderMatch struct {
+type HeaderMatch struct { // TODO: zhaohuabing this type could be replaced with a general purpose StringMatch type.
 	// Type specifies how to match against the value of the header.
 	//
 	// +optional

api/v1alpha1/securitypolicy_types.go

@@ -41,8 +41,67 @@ type SecurityPolicySpec struct {
 	// for this Policy to have effect and be applied to the Gateway.
 	// TargetRef
 	TargetRef gwapiv1a2.PolicyTargetReferenceWithSectionName `json:"targetRef"`
+
+	// CORS defines the configuration for Cross-Origin Resource Sharing (CORS).
+	CORS *CORS `json:"cors,omitempty"`
+}
+
+// CORS defines the configuration for Cross-Origin Resource Sharing (CORS).
+type CORS struct {
+	// AllowOrigins defines the origins that are allowed to make requests.
+	// +kubebuilder:validation:MinItems=1
+	AllowOrigins []StringMatch `json:"allowOrigins,omitempty" yaml:"allowOrigins,omitempty"`
+	// AllowMethods defines the methods that are allowed to make requests.
+	// +kubebuilder:validation:MinItems=1
+	AllowMethods []string `json:"allowMethods,omitempty" yaml:"allowMethods,omitempty"`
+	// AllowHeaders defines the headers that are allowed to be sent with requests.
+	AllowHeaders []string `json:"allowHeaders,omitempty" yaml:"allowHeaders,omitempty"`
+	// ExposeHeaders defines the headers that can be exposed in the responses.
+	ExposeHeaders []string `json:"exposeHeaders,omitempty" yaml:"exposeHeaders,omitempty"`
+	// MaxAge defines how long the results of a preflight request can be cached.
+	MaxAge *metav1.Duration `json:"maxAge,omitempty" yaml:"maxAge,omitempty"`
+}
+
+// StringMatch defines how to match any strings.
+// This is a general purpose match condition that can be used by other EG APIs
+// that need to match against a string.
+type StringMatch struct {
+	// Type specifies how to match against a string.
+	//
+	// +optional
+	// +kubebuilder:default=Exact
+	Type *MatchType `json:"type,omitempty"`
+
+	// Value specifies the string value that the match must have.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=1024
+	Value string `json:"value"`
 }
 
+// MatchType specifies the semantics of how a string value should be compared.
+// Valid MatchType values are "Exact", "Prefix", "Suffix", "RegularExpression".
+//
+// +kubebuilder:validation:Enum=Exact;Prefix;Suffix;RegularExpression
+type MatchType string
+
+const (
+	// MatchExact :the input string must match exactly the match value.
+	MatchExact MatchType = "Exact"
+
+	// MatchPrefix :the input string must start with the match value.
+	MatchPrefix MatchType = "Prefix"
+
+	// MatchSuffix :the input string must end with the match value.
+	MatchSuffix MatchType = "Suffix"
+
+	// MatchRegularExpression :The input string must match the regular expression
+	// specified in the match value.
+	// The regex string must adhere to the syntax documented in
+	// https://github.com/google/re2/wiki/Syntax.
+	MatchRegularExpression MatchType = "RegularExpression"
+)
+
 // SecurityPolicyStatus defines the state of SecurityPolicy
 type SecurityPolicyStatus struct {
 	// Conditions describe the current conditions of the SecurityPolicy.

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -42,6 +42,62 @@ spec:
           spec:
             description: Spec defines the desired state of SecurityPolicy.
             properties:
+              cors:
+                description: CORS defines the configuration for Cross-Origin Resource
+                  Sharing (CORS).
+                properties:
+                  allowHeaders:
+                    description: AllowHeaders defines the headers that are allowed
+                      to be sent with requests.
+                    items:
+                      type: string
+                    type: array
+                  allowMethods:
+                    description: AllowMethods defines the methods that are allowed
+                      to make requests.
+                    items:
+                      type: string
+                    minItems: 1
+                    type: array
+                  allowOrigins:
+                    description: AllowOrigins defines the origins that are allowed
+                      to make requests.
+                    items:
+                      description: StringMatch defines how to match any strings. This
+                        is a general purpose match condition that can be used by other
+                        EG APIs that need to match against a string.
+                      properties:
+                        type:
+                          default: Exact
+                          description: Type specifies how to match against a string.
+                          enum:
+                          - Exact
+                          - Prefix
+                          - Suffix
+                          - RegularExpression
+                          type: string
+                        value:
+                          description: Value specifies the string value that the match
+                            must have.
+                          maxLength: 1024
+                          minLength: 1
+                          type: string
+                      required:
+                      - value
+                      type: object
+                    minItems: 1
+                    type: array
+                  exposeHeaders:
+                    description: ExposeHeaders defines the headers that can be exposed
+                      in the responses.
+                    items:
+                      type: string
+                    type: array
+                  maxAge:
+                    description: MaxAge defines how long the results of a preflight
+                      request can be cached.
+                    type: string
+                type: object
               targetRef:
                 description: TargetRef is the name of the Gateway resource this policy
                   is being attached to. This Policy and the TargetRef MUST be in the