问题描述

在istio-ingressgateway目标上配置Jwt策略时，Cors预检请求不起作用。

Cors preflight requests do not work when a Jwt Policy is configured on the istio-ingressgateway target.

网关

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: api-gateway
  namespace: foo
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "api.example.com"
      tls:
        httpsRedirect: true # sends 301 redirects for http requests
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        privateKey: /etc/istio/ingressgateway-certs/tls.key
      hosts:
        - "api.example.com"

虚拟服务

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: backend-vs
  namespace: foo
spec:
  hosts:
    - "api.example.com"
  gateways:
    - api-gateway
  http:
    - match:
        - uri:
            prefix: /api/v1/info
      route:
        - destination:
            host: backend.foo.svc.cluster.local
      corsPolicy:
        allowOrigin:
          - "https://app.example.com"
        allowMethods:
          - POST
          - GET
          - PUT
          - DELETE
          - PATCH
          - OPTIONS
        allowHeaders:
          - authorization
          - content-type
          - accept
          - origin
          - user-agent
        allowCredentials: true
        maxAge: 300s

安全性

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
  namespace: foo
spec:
  selector:
    matchLabels:
      app: backend
  jwtRules:
    - issuer: "http://keycloak.foo/auth/realms/example"
      jwksUri: "http://keycloak.foo/auth/realms/example/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt-example
  namespace: foo
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["http://keycloak.foo/auth/realms/example/http://keycloak.foo/auth/realms/example"]
      when:
        - key: request.auth.claims[groups]
          values: ["group1"]

当我测试网络应用程序时在Firefox中运行正常，但在其他浏览器（如歌剧，chrome，safari）中，失败并显示以下错误：

when I test the web application in firefox it works fine, but in other browsers like opera, chrome, safari, it fails with the following error:

在以下位置访问XMLHttpRequest来源'https://app.example.com'的'https://api.example.com/api/v1/info'已被CORS政策阻止：对预检请求的响应未通过访问控制检查：否所请求的资源上存在 Access-Control-Allow-Origin标头。

让我更加体贴的是，在Firefox中它可以工作很好，但是在其他浏览器中失败了

What makes me more thoughtful is because in firefox it works well but in other browsers it fails

注意：：要验证istio中的cors策略正确，我所做的就是在istio并在firefox中进行测试以查看发生了什么，结果是确实出现了cors问题，但是当我在Firefox中重新运行时在istio中重新启用cors时，请求运行正常。

NOTE: To validate that the cors policy was correct in istio, what I did was disable this policy in istio and test in firefox to see what was happening, the result was that a problem with cors did indeed come out, but when I re-enabled the cors in istio when rerunning in firefox the request works fine.

推荐答案

在执行分段测试并查看导致错误的原因之后，我发现d当我创建在同一服务端口（backend.example.com）上运行的keycloak网关（keycloak.example.com）时出现了问题，默认情况下，https为443，http为80。

Good after doing segmented tests and see what was causing the error, I found that the problem appeared when I created the keycloak gateway (keycloak.example.com) that was running on the same service port (backend.example.com) , which by default for https is 443 and for http is 80.

我所做的是将密钥斗篷暴露给网关上的另一个端口（ ingressgateway ）。通过上面的内容和有角度的应用程序，我不再提出cors问题。

What I did was expose keycloak to another port on the gateway (ingressgateway). with the above and the angular application I stop putting problem of the cors.

这篇关于Istio 1.5 Cors无法正常工作-对预检请求的响应未通过访问控制检查的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！