feat: enhance error handling for app-proxy with CORS support in internal router configmap

charts/gitops-runtime/README.md

@@ -187,6 +187,7 @@ sealed-secrets:
 | app-proxy.config.argoWorkflowsInsecure | string | `"true"` |  |
 | app-proxy.config.argoWorkflowsUrl | string | `nil` | Workflows server url. Determined by chart logic. Do not change unless you are certain you need to |
 | app-proxy.config.clusterChunkSize | int | `50` | define cluster list size per request to report the cluster state to platform, e.g. if you have 90 clusters and set clusterChunkSize: 40, it means cron job will report cluster state to platform in 3 iterations (40,40,10) - reduce this value if you have a lot of clusters and the cron job is failing with payload too large error - use 0 to sync all clusters at once |
+| app-proxy.config.cors | string | `"https://g.codefresh.io"` | Cors settings for app-proxy. This is the list of allowed domains for platform. |
 | app-proxy.config.env | string | `"production"` |  |
 | app-proxy.config.logLevel | string | `"info"` | Log Level |
 | app-proxy.config.skipGitPermissionValidation | string | `"false"` | Skit git permissions validation |

charts/gitops-runtime/templates/_components/internal-router/_configmap.yaml

@@ -27,9 +27,31 @@ data:
         proxy_set_header Connection "upgrade";
         chunked_transfer_encoding off;
 
+        error_page 502 = @app_proxy_init_error;
+
         proxy_pass {{ index (get .Values.routing "app-proxy") "internalUrl" }};
       }
 
+      location @app_proxy_init_error {
+        internal;
+
+        if ($request_method = OPTIONS) {
+          add_header 'Access-Control-Allow-Origin' "{{ index .Values "app-proxy" "config" "cors" }}" always;
+          add_header 'Access-Control-Allow-Methods' 'GET,HEAD,PUT,PATCH,POST,DELETE' always;
+          add_header 'Access-Control-Allow-Headers' 'content-type,x-access-token' always;
+          add_header 'Access-Control-Allow-Credentials' 'true' always;
+          add_header 'Content-Length' 0;
+          return 204;
+        }
+
+        add_header 'Access-Control-Allow-Origin' "{{ index .Values "app-proxy" "config" "cors" }}" always;
+        add_header 'Access-Control-Allow-Methods' 'GET,HEAD,PUT,PATCH,POST,DELETE' always;
+        add_header 'Access-Control-Allow-Headers' 'content-type,x-access-token' always;
+        add_header 'Access-Control-Allow-Credentials' 'true' always;
+        return 502;
+
+      }
+
       {{- if .Values.routing.workflows.enabled }}
       location /workflows/ {
         # sse

charts/gitops-runtime/templates/internal-router/config.yaml

@@ -1,5 +1,6 @@
 {{- $internalRouterContext := deepCopy . }}
 {{- $_ := set $internalRouterContext "Values" (deepCopy (get .Values "internal-router")) }}
+{{- $_ := set $internalRouterContext.Values "app-proxy" (deepCopy (get .Values "app-proxy")) }}
 {{- $_ := set $internalRouterContext.Values "global" (deepCopy (get .Values "global")) }}
 {{/*
 Set workflows routing

charts/gitops-runtime/values.yaml

@@ -591,6 +591,8 @@ app-proxy:
     # - reduce this value if you have a lot of clusters and the cron job is failing with payload too large error
     # - use 0 to sync all clusters at once
     clusterChunkSize: 50
+    # -- Cors settings for app-proxy. This is the list of allowed domains for platform.
+    cors: "https://g.codefresh.io"
 
   env: {}