feat: add cors configuration support (#60)

.github/workflows/kubeconform.yaml

@@ -0,0 +1,17 @@
+name: Kubeconform Check
+
+on:
+  pull_request:
+    branches:
+      - main
+jobs:
+  kubeconform:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: azure/[email protected]
+      - run: helm plugin install https://github.com/jtyr/kubeconform-helm
+      - run: helm kubeconform --verbose --summary charts/platform

.github/workflows/lint.yaml

@@ -2,8 +2,6 @@ name: Helm Lint
 
 on:
 
-  workflow_dispatch:
-
   pull_request:
     branches:
       - main

charts/platform/README.md

@@ -305,6 +305,13 @@ realms:
 | server.auth.policy.csv | string | `nil` |  |
 | server.auth.policy.default | string | `nil` |  |
 | server.auth.policy.map | string | `nil` |  |
+| server.cors.allowcredentials | bool | `true` | Allow credentials |
+| server.cors.allowedheaders | list | `["Accept","Authorization","Content-Type","X-CSRF-Token","X-Request-ID"]` | The allowed request headers |
+| server.cors.allowedmethods | list | `["GET","POST","PUT","DELETE","OPTIONS"]` | The allowed request methods |
+| server.cors.allowedorigins | list | `[]` | The allowed origins |
+| server.cors.enabled | bool | `false` | Enable CORS (default: false) |
+| server.cors.exposedheaders | list | `["Link"]` | List of response headers that browsers are allowed to access |
+| server.cors.maxage | int | `3600` | The max age |
 | server.cryptoProvider.standard.keys | list | `[{"alg":"rsa:2048","cert":"/etc/platform/kas/kas-cert.pem","kid":"r1","private":"/etc/platform/kas/kas-private.pem"},{"alg":"ec:secp256r1","cert":"/etc/platform/kas/kas-ec-cert.pem","kid":"e1","private":"/etc/platform/kas/kas-ec-private.pem"}]` | List of key pairs to load into the platform. (Currently only leveraged by KAS) |
 | server.disableHealthChecks | bool | `false` | Disable Kubernetes Health Checks. (Useful for debugging) |
 | server.grpc.reflectionEnabled | bool | `true` | Enables grpc reflection (https://github.com/grpc/grpc/blob/master/doc/server-reflection.md) |

charts/platform/templates/config.yaml

@@ -21,6 +21,18 @@ data:
         {{- .Values.services.authorization | toYaml | nindent 8 }}
     server:
       port: {{ .Values.server.port | quote }}
+      cors:
+        enabled: {{ .Values.server.cors.enabled | quote }}
+        allowedorigins:
+          {{- toYaml .Values.server.cors.allowedorigins | nindent 10 }}
+        allowedmethods:
+          {{- toYaml .Values.server.cors.allowedmethods | nindent 10 }}
+        allowedheaders:
+          {{- toYaml .Values.server.cors.allowedheaders | nindent 10 }}
+        exposedheaders:
+          {{- toYaml .Values.server.cors.exposedheaders | nindent 10 }}
+        maxage: {{ .Values.server.cors.maxage | quote }}
+        allowcredentials: {{ .Values.server.cors.allowcredentials | quote }}
       grpc:
         reflectionEnabled: {{ .Values.server.grpc.reflectionEnabled | quote }} # Default is false
       tls:

charts/platform/values.yaml

@@ -157,6 +157,33 @@ db:
 server:
   # -- The server port
   port: 9000
+  cors:
+    # -- Enable CORS (default: false)
+    enabled: false
+    # -- The allowed origins
+    allowedorigins: []
+      # - "*"
+    # -- The allowed request methods
+    allowedmethods: 
+      - "GET"
+      - "POST"
+      - "PUT"
+      - "DELETE"
+      - "OPTIONS"
+    # -- The allowed request headers
+    allowedheaders:
+      - "Accept"
+      - "Authorization"
+      - "Content-Type"
+      - "X-CSRF-Token"
+      - "X-Request-ID"
+    # -- List of response headers that browsers are allowed to access
+    exposedheaders:
+      - Link
+    # -- The max age
+    maxage: 3600
+    # -- Allow credentials
+    allowcredentials: true
   grpc:
     # -- Enables grpc reflection (https://github.com/grpc/grpc/blob/master/doc/server-reflection.md)
     reflectionEnabled: true