Kubernetes Ingress: CORS annotations and controller differences

NGINX Ingress often uses snippet annotations; validate upgrade notes because security policies may block custom snippets.

Traefik middleware can centralize CORS for many routes—keep allowlists in Git and sync via CI.

Wildcard certificates do not imply wildcard CORS; still enumerate trusted browser origins explicitly.

Test preflight through the same hostname users hit, including www vs apex differences.