From b0a986807bce38e25f21d6850cc3d0f77f637aae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20J=C3=B6rg?= <moritz.jorg@oceanbox.io>
Date: Sat, 14 Mar 2026 17:34:06 +0100
Subject: [PATCH] fix(dex): Fix for options

---
 values/dex/values/values.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/values/dex/values/values.yaml b/values/dex/values/values.yaml
index eff7af7c..684b12da 100644
--- a/values/dex/values/values.yaml
+++ b/values/dex/values/values.yaml
@@ -160,9 +160,11 @@ ingress:
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
     nginx.ingress.kubernetes.io/backend-protocol: HTTP
     # CORS: allow browser-based OIDC flows (e.g. token introspection, JWKS fetch)
+    # cors-allow-credentials=true causes nginx-ingress to reflect $http_origin instead of "*"
+    # (browsers reject Access-Control-Allow-Origin: * when credentials are present)
     # TODO: migrate to Gateway API HTTPRoute with ResponseHeaderModifier filter when cilium gateway supports it cluster-wide
     nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
+    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
     nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, OPTIONS"
     nginx.ingress.kubernetes.io/cors-allow-headers: "Authorization, Content-Type"
   hosts: