Using Cross-Origin Resource Sharing (CORS) in Spring Cloud Gateway for Kubernetes allows restricting access to resources to specific domains and offers two configuration approaches:

• Global configuration: apply a configuration to all routes of Gateway
• Per-route configuration: apply specific settings in concrete routes for fine-grained detail configuration

Global Cross-Origin Resource Sharing (CORS) configuration

The Global CORS configuration requires a map of URL patterns to Spring Framework CorsConfiguration.

apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGateway
metadata:
  name: my-gateway
spec:
  api:
    cors:
      allowedOrigins:
        - "https://foo.example.com"
      allowedMethods:
        - "GET"
        - "PUT"
        - "POST"
      allowedHeaders:
        - '*'

These are the parameters that can be configured:

Note To avoid browser calls failing due to duplicated headers (for example, receiving multiple Access-Control-Allow-Origin or multiple Access-Control-Allow-Credentials) because a downstream service is also doing CORS processing, duplicates in these two headers are automatically removed and the one configured in the gateway will always predominate.

Configuring per-route Cross-Origin Resource Sharing (CORS) behavior using metadata

You can define CORS behavior on a specific route using the metadata.cors section, instead of configuring it globally as seen in the previous section.

In this example, the allowedOrigins is set to https://example.com, and the allowedMethods are GET, POST, DELETE.

apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGatewayRouteConfig
metadata:
  name: my-gateway-routes
spec:
  routes:
    - uri: https://httpbingo.org
      predicates:
        - Path=/get/**
      metadata:
        cors:
          allowedOrigins: https://example.com
          allowedMethods: [GET, POST, DELETE]

The following example describes all the parameters you can configure in the metadata.cors section:

apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGatewayRouteConfig
metadata:
  name: my-gateway-routes
spec:
  routes:
    - uri: https://httpbingo.org
      predicates:
        - Path=/get/**
      metadata:
        cors:
          # Allowed origins to make cross-site requests. The special value "*" allows all domains.
          # These values will be combined with the values from allowedOriginPatterns.
          allowedOrigins: https://example.com
          # Alternative to allowedOrigins that supports more flexible origins patterns with "*" anywhere in the hostname in addition to port lists.
          # These values will be combined with the values from allowedOrigins.
          allowedOriginPatterns: https://*.test.com:8080
          # Allowed HTTP methods on cross-site requests. The special value "*" allows all methods.
          # If not set, "GET" and "HEAD" are allowed by default.
          allowedMethods: [GET, PUT, POST]
          # Allowed headers in cross-site requests. The special value "*" allows actual requests to send any header.
          allowedHeaders: X-Custom-Header
          # How long, in seconds, the response from a pre-flight request can be cached by clients.
          maxAge: 300
          # Whether user credentials are supported on cross-site requests. Valid values: `true`, `false`.
          allowCredentials: true
          # HTTP response headers to expose for cross-site requests.
          exposedHeaders: X-Custom-Header