quarkus: CORS broken?

Describe the bug

I’m not sure how far this goes back, but I started noticing it in Quarkus 3.1.x and it still exists in 3.2.x. There seems to be something broken with CORS.

Expected behavior

I would expect since rest-fights has

quarkus.http.cors=true
quarkus.http.cors.origins=*

in it’s application.properties that all requests would pass CORS, but that doesn’t seem to be the case.

Actual behavior

In the Quarkus superheroes app if I deploy all the apps in the same namespace everything is fine, but if I move the UI app out to another namespace or to a different cluster, the Angular app can no longer communicate with the rest-fights app.

@holly-cummins and I originally thought it was something we/she did when we moved the UI image from Node.js to Quarkus Quinoa, but I’ve heard reports of others seeing similar issues.

The UI gets a 500 error back from rest-fights with this:

ui-super-heroes-supes.apps.cluster-rpfcn.rpfcn.sandbox1370.opentlc.com/:1  Access to XMLHttpRequest at 'http://rest-fights-supes.apps.cluster-rpfcn.rpfcn.sandbox1370.opentlc.com/api/fights/randomfighters' from origin 'http://ui-super-heroes-supes.apps.cluster-rpfcn.rpfcn.sandbox1370.opentlc.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

(That cluster with those URLs are long gone - I just saved the error from the last time I saw it)

the rest-fights app has this config in it’s application.properties:

quarkus.http.cors=true
quarkus.http.cors.origins=*

How to Reproduce?

Deploy the Quarkus Superheroes somewhere where the UI app is on a different host than the rest-fights app and configure the UI URL accordingly.

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

3.1.x, but not sure if this existed in previous versions.

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response