Enable CORS settings on OTLP HTTP endpoint

[pmuls99]

Which problem is this PR solving?

• Resolves [Feature]: Support CORS headers on OTEL HTTP endpoint #4459

Short description of the changes

• Added a new package corscfg to handle the CORS requests on OTLP HTTP Endpoint and Zipkin

[pmuls99]

@yurishkuro , had to close the previous PR, had signed off commits that were not authored by me. I will make the updates on this PR. Sorry for the inconvinience.

[yurishkuro]

That's fine, but please refer to comments on the old PR

[codecov]

Codecov Report

Patch coverage: 100.00% and project coverage change: +0.02 🎉

Comparison is base (587fb74) 97.03% compared to head (1e1994a) 97.05%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4586      +/-   ##
==========================================
+ Coverage   97.03%   97.05%   +0.02%     
==========================================
  Files         301      302       +1     
  Lines       17839    17853      +14     
==========================================
+ Hits        17310    17328      +18     
+ Misses        424      421       -3     
+ Partials      105      104       -1     

Flag	Coverage Δ
unittests	97.05% <100.00%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
cmd/collector/app/collector.go	87.90% <100.00%> (-0.10%)	⬇️
cmd/collector/app/flags/flags.go	100.00% <100.00%> (ø)
cmd/collector/app/handler/otlp_receiver.go	100.00% <100.00%> (ø)
cmd/collector/app/server/zipkin.go	92.30% <100.00%> (-0.42%)	⬇️
pkg/config/corscfg/flags.go	100.00% <100.00%> (ø)

... and 2 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[pmuls99]

@yurishkuro , have added tests and since you had pointed out about the backward compatibility with Zipkin endpoint, fixed that.

[yurishkuro]

please run make fmt

[yurishkuro]

I think this can be done once in corscfg/flags when parsing from Viper

[pmuls99]

Done!

[yurishkuro]

Suggested change

	flags.String(c.Prefix+corsAllowedHeaders, "content-type", "Allowed headers for the HTTP port , default content-type")
	flags.String(c.Prefix+corsAllowedHeaders, "content-type", "Comma-separated CORS allowed headers. Cf. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers")

[yurishkuro]

Use Viperize, e.g.

jaeger/cmd/query/app/flags_test.go

Line 35 in 587fb74

v, command := config.Viperize(AddFlags)

[yurishkuro]

almost done. Please make sure all commits are signed, see CONTRIBUTING

[pmuls99]

Even after signing off previous commits, the DCO check doesnt seem to pass. i.e if I signoff the previous commit, it creates a new commit hash and the previous commit stays on the branch. Is there an alternate strategy you have for this @yurishkuro ?

[yurishkuro]

See CONTRIBUTING_GUIDELINES.md for how to deal with unsigned commits

[pmuls99]

Done, @yurishkuro should I change the default value of Allowed origins to nil ? Previously with Zipkin endpoint , * was the default value , so I had set that. But as you said, that doesnt seem right.

[yurishkuro]

Yes, I would change the default to "". However, I question if we should check for both fields being empty before adding the CORS handler in the first place - if user didn't configure it, maybe they don't need CORS.

[pmuls99]

Yes, we could do that. I checked the implementation of CORS in the confighttp.ServerSettings, they also seem to use cors.New to configure cors. This sets the default value for Origins being All, and Headers being the sensible ones. Should we prompt the user in the usage string regarding the same ?

[yurishkuro]

can you elaborate or point to code?

[pmuls99]

If we absoutely dont want any CORS, we can do that. But if we set the value to "" in the cors flags default string, then here are the default values for them https://github.com/rs/cors/blob/e90f167479505c4dbe1161306c3c977f162c1442/cors.go#L136

[yurishkuro]

what about OTEL receiver? If it's CORS struct is empty, does it still install a CORS handler, with said defaults?

I am ok with going with blank defaults (which for Oorigins seems equivalent to current * in Zipkin handler, based on the code pointer you provided).

[pmuls99]

It doesnt. It does allow default value for Allowed headers if Allowed origins is specified. Else it does not install CORS handler at all.
We can have it similar like Zipkin endpoint as you said.

[yurishkuro]

Let's just go with blank defaults and not over-complicate the logic. Sounds like doing so will be backwards compatible with both Zipkin and OTEL endpoints.

[pmuls99]

Alright!

[yurishkuro]

Thanks!

[vikashpisces]

@pmuls99 While scrolling issues tab for CORS solution, I came across this PR.

I have been strruggling in configuring/ disabling cors for OTEL's http receiver endpoint on port 4318. I'm getting below error on latest all-in-one build:

Access to XMLHttpRequest at 'http://localhost:4318/v1/traces' from origin 'https://localhost:5173' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I did try configuring over yaml, env and cli option for the flag: --collector.otlp.http.cors.allowed-origins

While the same port 4318 is working fine for sending otel traces from nodejs backend service, however same fails from browser application on the same endpoint http://localhost:4318/v1/traces.

Any help or direction what is going wrong or anything that I'm missing in configuring it.

Thanks in Advance.

[pmuls99]

@vikashpisces , is your nodejs backend hosted somewhere and not running on the local host?

[vikashpisces]

@pmuls99 Never mind, I was only passing allowed_origins and it did'nt work. I had to add allowed_headers as well and it worked, not sure why. Ideally Access-Control-Allow-Origin header should have been added without allowed_headers being not there.

[yurishkuro]

@vikashpisces please post the full command that worked for you so that it's easier for people to reuse when someone comes across this

[blm768]

This worked for me:

jaeger-all-in-one \
  --collector.otlp.http.cors.allowed-origins https://my.origin \
  --collector.otlp.http.cors.allowed-headers '*' \
  --collector.otlp.http.tls.enabled \
  --collector.otlp.http.tls.cert jaeger.crt \
  --collector.otlp.http.tls.key jaeger.key

This didn't.

jaeger-all-in-one \
  --collector.otlp.http.cors.allowed-origins https://my.origin \
  --collector.otlp.http.tls.enabled \
  --collector.otlp.http.tls.cert jaeger.crt \
  --collector.otlp.http.tls.key jaeger.key

The TLS stuff is probably only necessary for setups like mine that have the root page served over HTTPS.