feat: CORS so browsers can fetch shell config cross-origin

Apps run on different hostnames (crm.gosec.internal, chronos.gosec.internal, …) so the browser fetch from <AppShell> to shell-api.gosec.internal is cross-origin and was being blocked. Add Fiber's cors middleware. Allowlist: any *.gosec.internal or *.gosec.cloud origin (override via CORS_ORIGINS env if a tighter list is needed). Allow Authorization + Content-Type + If-None-Match on the request side; expose ETag on the response side. Methods limited to GET + OPTIONS. Image: v0.1.4 Verified: curl -X OPTIONS https://shell-api.gosec.internal/api/v1/shell/gsc-crm -H "Origin: https://crm.gosec.internal" → 204 with access-control-allow-origin: https://crm.gosec.internal Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 13:24:16 +02:00
parent 7fb24e0452
commit bd62fcb599
3 changed files with 27 additions and 1 deletions
--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
@@ -18,7 +18,7 @@ spec:
    spec:
      containers:
        - name: api
-          image: registry.gosec.internal/gsc-shell-api:v0.1.3
+          image: registry.gosec.internal/gsc-shell-api:v0.1.4
          imagePullPolicy: IfNotPresent
          ports:
            - name: http