[BUG] CORS error with SSL enabled

[FelipePavan]

Describe the bug

I'm deploying Flyte Core chart on Microk8s. I'm port-forwarding to be able to access the components locally. I installed without SSL enabled and everything worked. I want to add SSL so I can move to deploying on the cloud but I can't make it work yet, in the moment because of a CORS error.

I generated a self signed certificate to use on both admin and console components.
Trying to make SSL work I added the following configurations on the values files:

Admin values:

    adminServer:
        security:
          secure: true
          ssl:
            certificateFile: "/etc/tls/tls.crt"
            keyFile: "/etc/tls/tls.key"
          useAuth: false
          allowCors: true
          allowedOrigins:
            - 'http://localhost:8088'
            - 'https://localhost:8088'
          allowedHeaders:
            - "Content-Type"
            - "flyte-authorization"

Console configmap:

    console:
      BASE_URL: /console
      CONFIG_DIR: /etc/flyte/config
      ADMIN_API_URL: https://localhost:8089
      ADMIN_API_USE_SSL: https
      CERTIFICATE_PATH: /etc/tls # doesn't change anything

I also edited the console deployment manually to mount the key and certificate because I didn't find another way to do it. I mounted the files on /scripts/certificate after finding in the console application code where it looks for it. The CERTIFICATE_PATH variable above doesn't affect the behavior.

Now I'm able to access the console on https://localhost:8088 and the admin API on https://localhost:8089 (both insecure). But the console gets a CORS error when doing requests to the admin API:

Access to XMLHttpRequest at 'https://locahost:8089/api/v1/projects' from origin 'https://localhost:8088' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Given the admin configuration for CORS, why would I still get a CORS error?

These are the headers on the response:

content-length: 388
content-type: application/octet-stream
date: Tue, 01 Oct 2024 13:24:28 GMT
grpc-metadata-content-type: application/grpc
grpc-metadata-trailer: Grpc-Status
grpc-metadata-trailer: Grpc-Message

grpc-metadata-trailer: Grpc-Status-Details-Bin

I'm not experienced with web applications, so a noob question: should be an Access-Control-Allow-Origin header in the response headers?

Suppose I resolve this CORS error, can the console make https requests without verifying the admin API certificate? How do I configure it to skip certificate verification?

Expected behavior

Enable SSL with self signed certificated

Additional context to reproduce

No response

Screenshots

No response

Are you sure this issue hasn't been raised already?

• Yes

Have you read the Code of Conduct?

• Yes

[welcome]

Thank you for opening your first issue here! 🛠

[eapolinario]

@FelipePavan , thanks for the report, especially the part about the missing CORS headers, that lead me directly to #5855.

[eapolinario]

@FelipePavan , Flyte 1.13.3 is out and contains this fix. Can you give it a try?