Istio 1.5 CORS not working - Response to preflight request doesn't pass access control check

2024-03-03

When a JWT policy is configured on the istio-ingressgateway target, CORS preflight requests do not work.

Gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: api-gateway
  namespace: foo
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "api.example.com"
      tls:
        httpsRedirect: true # sends 301 redirects for http requests
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        privateKey: /etc/istio/ingressgateway-certs/tls.key
      hosts:
        - "api.example.com"

VirtualService

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: backend-vs
  namespace: foo
spec:
  hosts:
    - "api.example.com"
  gateways:
    - api-gateway
  http:
    - match:
        - uri:
            prefix: /api/v1/info
      route:
        - destination:
            host: backend.foo.svc.cluster.local
      corsPolicy:
        allowOrigin:
          - "https://app.example.com"
        allowMethods:
          - POST
          - GET
          - PUT
          - DELETE
          - PATCH
          - OPTIONS
        allowHeaders:
          - authorization
          - content-type
          - accept
          - origin
          - user-agent
        allowCredentials: true
        maxAge: 300s

Security

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
  namespace: foo
spec:
  selector:
    matchLabels:
      app: backend
  jwtRules:
    - issuer: "http://keycloak.foo/auth/realms/example"
      jwksUri: "http://keycloak.foo/auth/realms/example/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt-example
  namespace: foo
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["http://keycloak.foo/auth/realms/example/http://keycloak.foo/auth/realms/example"]
      when:
        - key: request.auth.claims[groups]
          values: ["group1"]

When I test the web application in Firefox it works fine, but in other browsers (such as Opera, Chrome, Safari) it fails with the following error:

Access to XMLHttpRequest at 'https://api.example.com/api/v1/info' from origin 'https://app.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

What makes me wonder even more is that it works fine in Firefox but fails in the other browsers.

NOTE: to verify that the CORS policy in Istio is correct, what I did was disable this policy in Istio and test in Firefox to see what happened; the result was that the CORS problem did indeed appear, but when I re-enabled it and ran it again in Firefox, the CORS requests through Istio worked fine.


After testing step by step and looking at what caused the error, I found that the problem appeared when I created a Keycloak gateway (keycloak.example.com) running on the same service ports (backend.example.com), which uses the default of 443 for https and 80 for http.

What I did was expose Keycloak on another port of the gateway (the ingress gateway). With the above, and the Angular application, I no longer have the CORS problem.
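As an added example that is not part of the original question or of Istio, the following Python replays the access-control check a browser applies to a preflight response: once against the headers the corsPolicy of the VirtualService above would emit (a constructed sample), and once against a response that carries none, which reproduces the "No 'Access-Control-Allow-Origin' header is present" failure quoted in the question. The `check_preflight` helper and the sample header values are assumptions of this example, not Istio output.

```python
# Added example, not from the original question or from Istio: replay the
# access-control check a browser applies to a preflight response, so the
# "doesn't pass access control check" error can be reproduced offline.
SAFE_METHODS = {"GET", "HEAD", "POST"}  # never need listing in Allow-Methods


def _csv(value):
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def check_preflight(origin, method, req_headers, resp_headers, credentials=True):
    """Return the reasons a preflight response fails the CORS check ([] = pass).

    Mirrors the Fetch specification: header names match case-insensitively,
    '*' never satisfies a credentialed request, and 'authorization' is never
    covered by a wildcard (so a JWT-bearing call needs it listed explicitly).
    """
    h = {k.lower(): v for k, v in resp_headers.items()}
    problems = []
    acao = h.get("access-control-allow-origin")
    if acao is None:
        problems.append("No 'Access-Control-Allow-Origin' header is present")
    elif acao != origin and not (acao == "*" and not credentials):
        problems.append(f"origin {origin} is not allowed by '{acao}'")
    if credentials and h.get("access-control-allow-credentials", "").lower() != "true":
        problems.append("credentialed request but Access-Control-Allow-Credentials is not 'true'")
    methods = _csv(h.get("access-control-allow-methods", ""))
    wild_methods = "*" in methods and not credentials
    if method.upper() not in SAFE_METHODS and method.lower() not in methods and not wild_methods:
        problems.append(f"method {method} is not in Access-Control-Allow-Methods")
    allowed = _csv(h.get("access-control-allow-headers", ""))
    wild_headers = "*" in allowed and not credentials
    for name in req_headers:
        if name.lower() not in allowed and not (wild_headers and name.lower() != "authorization"):
            problems.append(f"header {name} is not in Access-Control-Allow-Headers")
    return problems


# Constructed sample: headers the corsPolicy of the VirtualService above would emit.
GOOD_PREFLIGHT = {
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Access-Control-Allow-Methods": "POST,GET,PUT,DELETE,PATCH,OPTIONS",
    "Access-Control-Allow-Headers": "authorization,content-type,accept,origin,user-agent",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Max-Age": "300",
}
# Constructed sample: a preflight answered by a route that carries no corsPolicy.
BAD_PREFLIGHT = {"Content-Type": "text/plain", "Content-Length": "0"}
```

Running `check_preflight("https://app.example.com", "GET", ["authorization", "content-type"], hdrs)` against each sample returns an empty list for the first and the browser's complaint for the second, which is a quick way to compare what the ingress gateway actually returned for an OPTIONS request with what the policy should have produced.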
