CORS on Kubernetes Ingress Nginx

Painless CORS header configuration in Kubernetes

Posted by Craig Johnston on Monday, May 28, 2018
SHARE

Using ingress-nginx on Kubernetes makes adding CORS headers painless. Kubernetes ingress-nginx uses annotations as a quick way to allow you to specify the automatic generation of an extensive list of common nginx configuration options.

Example ingress configuration enabling CORS:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: api
  namespace: fuse
  labels:
    app: api
  annotations:
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://admin.example.com"
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
spec:
  rules:
  - host: api.example.com
    http:
      paths:
      - backend:
          serviceName: api-example
          servicePort: 80
        path: /api
  tls:
  - hosts:
    - api.example.com
    secretName: example-tls

You can check the nginx configuration file generated by Kubernetes ingress-nginx on any of the ingress controller pods.

If you set up the standard Kubernetes ingress-nginx on your cluster, you should have one or more controller pods running in the ingress-nginx namespace.

kubectl get pods -n ingress-nginx

NAME                                      READY     STATUS    RESTARTS   AGE
default-http-backend-5c6d95c48-xvs55      1/1       Running   0          26d
nginx-ingress-controller-f5676dc7-5ks6q   1/1       Running   0          26d
nginx-ingress-controller-f5676dc7-cjl6l   1/1       Running   0          26d
nginx-ingress-controller-f5676dc7-kthxn   1/1       Running   0          26d
nginx-ingress-controller-f5676dc7-rvhbv   1/1       Running   0          26d

Pick a controller and cat the nginx configuration:

# pipe the config to less or your favorite text reader
kubectl exec -n ingress-nginx \
    nginx-ingress-controller-f5676dc7-kthxn \
    cat /etc/nginx/nginx.conf | less

You can see that ingress-nginx created some header directives for nginx:

...
more_set_headers 'Access-Control-Allow-Credentials: true';
...

About CORS

CORS, or Cross-origin resource sharing consists of a few HTTP response headers intended to let a web browser know if it’s ok to POST data to a specific endpoint. Before a web browser lets Javascript issue a POST to a URL, then performs a “preflight” request. A preflight request is merely a request to the server with the same URL using the method OPTIONS rather than POST. The web browser checks the HTTP headers for CORS related headers to determine if POSTing data on behalf of the user is ok.

Resources

If you found this article useful, you may want to check out all my articles on Kubernetes, used to build on the Production Hobby Cluster. PHC an excellent environment for developing and testing cloud-native microservices like txToken. While using Minikube or similar environments for testing and developing cloud-native microservices, I find it a much better experience to use a more true-to-production cluster like PHC.

If in a few days you find yourself setting up a Production Hobby Cluster in Japan or Germany on Linode, and another two in Australia and France on vultr, then you may have just joined the PHC (Performance Hobby Clusters) club. Some people tinker late at night on their truck, we benchmark and test the resilience of node failures on our overseas, budget kubernetes clusters. It’s all about going big, on the cheap.

k8s performance hobby clusters


SHARE
FOLLOW