I'm sorry if this is a very ignorant question but is it possible for Ambassador to truly handle CORS headers and pre-flight OPTION responses?
The docs (https://www.getambassador.io/reference/cors) seem kind of ambiguous to me, if there are just hooks to prevent requests, or if it can truly respond on behalf of the services.
Here's my situation: I've got Ambassador in front of all the http requests to some microservices. For [reasons] we now need a separate domain to make requests into the same Ambassador.
I have an AuthService configured, and according to the docs "When you use external authorization, each incoming request is authenticated before routing to its destination, including pre-flight OPTIONS requests." Which makes perfect sense, and that's what I'm seeing. My AuthService is configured to allow things correctly and that seems to be working. The AuthService responds with the appropriate headers, but Ambassador seems to just ignore that and only cares if the AuthService responds with a 200 or not. (Which seems totally reasonable.)
I have this annotated on my ambassador module:
getambassador.io/config: |
---
apiVersion: ambassador/v1
kind: Module
name: ambassador
config:
service_port: 8080
cors:
origins: [my domain here]
credentials: trueAnd that doesn't seem to do what I'd expect, which is handle the CORS headers and pre-flight... instead it forwards it on to the service to handle all the CORS stuff.
Turns out, by specifying headers: "Content-Type" in the cors configuration, things just started to work. Apparently that's not as optional as I thought.
So this is now my module:
getambassador.io/config: |
---
apiVersion: ambassador/v1
kind: Module
name: ambassador
config:
service_port: 8080
cors:
origins: [my domain here]
headers: "Content-Type"
credentials: true