fix(dex): CORS for *.oceanbox.io

2026-03-14 17:39:15 +01:00
parent 98dde62710
commit c0cc05f0dd
1 changed files with 5 additions and 3 deletions
@@ -157,10 +157,12 @@ ingress:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
    # CORS: allow browser-based OIDC flows (e.g. token introspection, JWKS fetch)
-    # cors-allow-credentials=true causes nginx-ingress to reflect $http_origin instead of "*"
+    # nginx-ingress treats non-"*" cors-allow-origin values as a regex pattern used in:
-    # (browsers reject Access-Control-Allow-Origin: * when credentials are present)
+    #   if ($http_origin ~* "PATTERN") { add_header 'Access-Control-Allow-Origin' $http_origin; }
-    # TODO: migrate to Gateway API HTTPRoute with ResponseHeaderModifier filter when cilium gateway supports it cluster-wide
+    # This is required because browsers reject Access-Control-Allow-Origin: * with credentialed requests.
    # TODO: migrate to Gateway API HTTPRoute with ResponseHeaderModifier + cors policy filter when cilium gateway supports it cluster-wide
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://.*\\.oceanbox\\.io"
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-headers: "Authorization, Content-Type"