support HTTPCORSFilter

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

Author: zhaohuabing

internal/gatewayapi/filters.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"regexp"
 	"strings"
+	"time"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
@@ -59,6 +60,8 @@ type HTTPFilterIR struct {
 
 	Mirrors []*ir.MirrorPolicy
 
+	CORS *ir.CORS
+
 	ExtensionRefs []*ir.UnstructuredRef
 }
 
@@ -98,6 +101,8 @@ func (t *Translator) ProcessHTTPFilters(parentRef *RouteParentContext,
 			t.processResponseHeaderModifierFilter(filter.ResponseHeaderModifier, httpFiltersContext)
 		case gwapiv1.HTTPRouteFilterRequestMirror:
 			err = t.processRequestMirrorFilter(i, filter.RequestMirror, httpFiltersContext, resources)
+		case gwapiv1.HTTPRouteFilterCORS:
+			t.processCORSFilter(filter.CORS, httpFiltersContext)
 		case gwapiv1.HTTPRouteFilterExtensionRef:
 			t.processExtensionRefHTTPFilter(filter.ExtensionRef, httpFiltersContext, resources)
 		default:
@@ -891,6 +896,54 @@ func (t *Translator) processRequestMirrorFilter(
 	return nil
 }
 
+func (t *Translator) processCORSFilter(
+	corsFilter *gwapiv1.HTTPCORSFilter,
+	filterContext *HTTPFiltersContext,
+) {
+	// Make sure the config actually exists
+	if corsFilter == nil {
+		return
+	}
+
+	var allowOrigins []*ir.StringMatch
+	for _, origin := range corsFilter.AllowOrigins {
+		if containsWildcard(string(origin)) {
+			regexStr := wildcard2regex(string(origin))
+			allowOrigins = append(allowOrigins, &ir.StringMatch{
+				SafeRegex: &regexStr,
+			})
+		} else {
+			allowOrigins = append(allowOrigins, &ir.StringMatch{
+				Exact: (*string)(&origin),
+			})
+		}
+	}
+
+	var allowMethods []string
+	for _, method := range corsFilter.AllowMethods {
+		allowMethods = append(allowMethods, string(method))
+	}
+
+	var allowHeaders []string
+	for _, header := range corsFilter.AllowHeaders {
+		allowHeaders = append(allowHeaders, string(header))
+	}
+
+	var exposeHeaders []string
+	for _, header := range corsFilter.ExposeHeaders {
+		exposeHeaders = append(exposeHeaders, string(header))
+	}
+
+	filterContext.CORS = &ir.CORS{
+		AllowOrigins:     allowOrigins,
+		AllowMethods:     allowMethods,
+		AllowHeaders:     allowHeaders,
+		ExposeHeaders:    exposeHeaders,
+		MaxAge:           ptr.To(metav1.Duration{Duration: time.Duration(corsFilter.MaxAge) * time.Second}),
+		AllowCredentials: bool(corsFilter.AllowCredentials),
+	}
+}
+
 func (t *Translator) processUnresolvedHTTPFilter(errMsg string, filterContext *HTTPFiltersContext) {
 	routeStatus := GetRouteStatus(filterContext.Route)
 	status.SetRouteStatusCondition(routeStatus,

internal/gatewayapi/helpers.go

@@ -175,7 +175,8 @@ func ValidateHTTPRouteFilter(filter *gwapiv1.HTTPRouteFilter, extGKs ...schema.G
 		filter.Type == gwapiv1.HTTPRouteFilterURLRewrite ||
 		filter.Type == gwapiv1.HTTPRouteFilterRequestRedirect ||
 		filter.Type == gwapiv1.HTTPRouteFilterRequestHeaderModifier ||
-		filter.Type == gwapiv1.HTTPRouteFilterResponseHeaderModifier:
+		filter.Type == gwapiv1.HTTPRouteFilterResponseHeaderModifier ||
+		filter.Type == gwapiv1.HTTPRouteFilterCORS:
 		return nil
 	case filter.Type == gwapiv1.HTTPRouteFilterExtensionRef:
 		switch {

internal/gatewayapi/route.go

@@ -504,6 +504,9 @@ func applyHTTPFiltersContextToIRRoute(httpFiltersContext *HTTPFiltersContext, ir
 	if httpFiltersContext.Mirrors != nil {
 		irRoute.Mirrors = httpFiltersContext.Mirrors
 	}
+	if httpFiltersContext.CORS != nil {
+		irRoute.CORS = httpFiltersContext.CORS
+	}
 
 	if len(httpFiltersContext.ExtensionRefs) > 0 {
 		irRoute.ExtensionRefs = httpFiltersContext.ExtensionRefs
@@ -779,28 +782,9 @@ func (t *Translator) processHTTPRouteParentRefListener(route RouteContext, route
 				// Remove dots from the hostname before appending it to the IR Route name
 				// since dots are special chars used in stats tag extraction in Envoy
 				underscoredHost := strings.ReplaceAll(host, ".", "_")
-				hostRoute := &ir.HTTPRoute{
-					Name:                  fmt.Sprintf("%s/%s", routeRoute.Name, underscoredHost),
-					Metadata:              routeRoute.Metadata,
-					Hostname:              host,
-					PathMatch:             routeRoute.PathMatch,
-					HeaderMatches:         routeRoute.HeaderMatches,
-					QueryParamMatches:     routeRoute.QueryParamMatches,
-					AddRequestHeaders:     routeRoute.AddRequestHeaders,
-					RemoveRequestHeaders:  routeRoute.RemoveRequestHeaders,
-					AddResponseHeaders:    routeRoute.AddResponseHeaders,
-					RemoveResponseHeaders: routeRoute.RemoveResponseHeaders,
-					Destination:           routeRoute.Destination,
-					Redirect:              routeRoute.Redirect,
-					DirectResponse:        routeRoute.DirectResponse,
-					URLRewrite:            routeRoute.URLRewrite,
-					Mirrors:               routeRoute.Mirrors,
-					ExtensionRefs:         routeRoute.ExtensionRefs,
-					IsHTTP2:               routeRoute.IsHTTP2,
-					SessionPersistence:    routeRoute.SessionPersistence,
-					Timeout:               routeRoute.Timeout,
-					Retry:                 routeRoute.Retry,
-				}
+				hostRoute := routeRoute.DeepCopy()
+				hostRoute.Name = fmt.Sprintf("%s/%s", routeRoute.Name, underscoredHost)
+				hostRoute.Hostname = host
 				perHostRoutes = append(perHostRoutes, hostRoute)
 			}
 		}

internal/gatewayapi/securitypolicy.go

@@ -600,7 +600,7 @@ func (t *Translator) buildCORS(cors *egv1a1.CORS) *ir.CORS {
 	var allowOrigins []*ir.StringMatch
 
 	for _, origin := range cors.AllowOrigins {
-		if isWildcard(string(origin)) {
+		if containsWildcard(string(origin)) {
 			regexStr := wildcard2regex(string(origin))
 			allowOrigins = append(allowOrigins, &ir.StringMatch{
 				SafeRegex: &regexStr,
@@ -622,7 +622,7 @@ func (t *Translator) buildCORS(cors *egv1a1.CORS) *ir.CORS {
 	}
 }
 
-func isWildcard(s string) bool {
+func containsWildcard(s string) bool {
 	return strings.ContainsAny(s, "*")
 }
 

internal/gatewayapi/testdata/httproute-with-cors-filter.in.yaml

@@ -0,0 +1,84 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    namespace: envoy-gateway
+    name: gateway-1
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      hostname: "*.envoyproxy.io"
+      allowedRoutes:
+        namespaces:
+          from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-cors-exact
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/foo"
+      backendRefs:
+      - name: service-1
+        port: 8080
+      filters:
+      - type: CORS
+        cors:
+          allowOrigins:
+          - "https://gateway.envoyproxy.io"
+          allowMethods:
+          - GET
+          - POST
+          - PUT
+          - DELETE
+          allowHeaders:
+          - header1
+          - header2
+          exposeHeaders:
+          - header3
+          - header4
+          allowCredentials: true
+          maxAge: 1000
+
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-cors-wildcard
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/bar"
+      backendRefs:
+      - name: service-1
+        port: 8080
+      filters:
+      - type: CORS
+        cors:
+          allowOrigins:
+          - "https://*.envoyproxy.io"
+          allowMethods:
+          - "*"
+          - POST
+          - PUT
+          - DELETE