Regression: Cors Origin Comma Separated Lists Don't Work

[w-h37]

Summary

The cors mapping resource no longer supports comma separated lists, only YAML array lists. This change came about with the AES update from 1.9 to 1.10. The following configurations written will show in detail what is and is not allowed regarding configurations with lists:

(Example of comma separated list, as seen in origins. This is not supported)

---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: cors
spec:
  prefix: /cors/
  service: quote
    origins: http://foo.example,http://bar.example
    methods: POST, GET, OPTIONS
    headers: Content-Type
    credentials: true
    exposed_headers: X-Custom-Header
    max_age: "86400"

(Example of YAML array separated list, as seen in origins. This is supported)

---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: cors
spec:
  prefix: /cors/
  service: quote
    origins: 
    - http://foo.example
    - http://bar.example
    methods: POST, GET, OPTIONS
    headers: Content-Type
    credentials: true
    exposed_headers: X-Custom-Header
    max_age: "86400"

It is worth noting that AMBASSADOR_LEGACY_MODE does allow the use of comma separated lists, and does serve as a workaround to this issue.

Required Feature

Cors mapping resources should include the ability to read lists of origins using a comma to separate objects

Replicator

AES 1.13.8 installed with Helm

1. Deploy the quote service from the AES quickstart guide

2. Create a cors mapping resource:

---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: cors
spec:
  prefix: /cors/
  service: quote
    origins: http://foo.example,http://bar.example
    methods: POST, GET, OPTIONS
    headers: Content-Type
    credentials: true
    exposed_headers: X-Custom-Header
    max_age: "86400"

3. Test the cors mapping using the following command:
   curl -kv https://{AES_LOADBALANCER_EXTERNAL_IP}/cors/ -H "Origin: http://foo.example"
   You should get a fair bit of information printed back, but specifically pay attention to the part listed below, found right above the response from the server:

< x-envoy-upstream-service-time: 0
< server: envoy

In the previous step, had the comma separated list been read correctly, you should have gotten the following response back from the curl statement:

< x-envoy-upstream-service-time: 0
< access-control-allow-origin: http://foo.example
< access-control-credentials: true
< access-control-expose-headers: X-Custom-Header
< server: envoy

If curious about testing, you can either switch to AMBASSADOR_LEGACY_MODE or AES version 1.9, and test this mapping with the curl statements, and get the above output.

Versions:

• Ambassador: 1.13.8
• Kubernetes environment: Kubeception
• Version 1.17

Notes

Nothing additional to report at this time

[efunk]

Resolved in the 1.13.10 GA release.