diff --git a/_topic_map.yml b/_topic_map.yml index cf4f029ce9..702515a1e6 100644 --- a/_topic_map.yml +++ b/_topic_map.yml @@ -245,6 +245,9 @@ Topics: - Name: Syncing LDAP groups File: ldap-syncing Distros: openshift-enterprise,openshift-origin +- Name: Allowing JavaScript-based access to the API server from additional hosts + File: allowing-javascript-access-api-server + Distros: openshift-enterprise,openshift-origin --- Name: Networking Dir: networking @@ -420,7 +423,7 @@ Topics: File: using-images-overview - Name: Configuring Jenkins images File: images-other-jenkins - - Name: Jenkins agent + - Name: Jenkins agent File: images-other-jenkins-agent --- Name: Applications diff --git a/authentication/allowing-javascript-access-api-server.adoc b/authentication/allowing-javascript-access-api-server.adoc new file mode 100644 index 0000000000..b53c0c5639 --- /dev/null +++ b/authentication/allowing-javascript-access-api-server.adoc @@ -0,0 +1,8 @@ +[id="allowing-javascript-based-access-api-server"] += Allowing JavaScript-based access to the API server from additional hosts +include::modules/common-attributes.adoc[] +:context: auth-allowed-origins + +toc::[] + +include::modules/auth-allowing-javascript-access-api-server.adoc[leveloffset=+1] diff --git a/modules/auth-allowing-javascript-access-api-server.adoc b/modules/auth-allowing-javascript-access-api-server.adoc new file mode 100644 index 0000000000..62c39780a3 --- /dev/null +++ b/modules/auth-allowing-javascript-access-api-server.adoc 
@@ -0,0 +1,61 @@
+// Module included in the following assemblies:
+//
+// * authentication/configuring-corsallowedorigins.adoc
+
+[id="auth-allowing-javascript-access-api-server_{context}"]
+= Allowing JavaScript-based access to the API server from additional hosts
+
+The default {product-title} configuration only allows the OpenShift web console to send requests to the API server.
+
+If you need to access the API server or OAuth server from a JavaScript
+application using a different host name, you can configure additional host names
+to allow.
+
+.Prerequisites
+
+* Access to the cluster as a user with the `cluster-admin` role.
+
+.Procedure
+
+. Edit the API servers resource:
++
+----
+$ oc edit apiserver.config.openshift.io cluster
+----
++
+. Add the `additionalCORSAllowedOrigins` field under the `spec` section and
+specify one or more additional host names:
++
+[source,yaml]
+----
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+ annotations:
+ release.openshift.io/create-only: "true"
+ creationTimestamp: "2019-07-11T17:35:37Z"
+ generation: 1
+ name: cluster
+ resourceVersion: "907"
+ selfLink: /apis/config.openshift.io/v1/apiservers/cluster
+ uid: 4b45a8dd-a402-11e9-91ec-0219944e0696
+spec:
+ additionalCORSAllowedOrigins:
+ - (?i)//my\.subdomain\.domain\.com(:|\z) <1>
+----
+<1> The host name is specified as a link:https://github.com/google/re2/wiki/Syntax[Golang regular expression] that matches
+against CORS headers from HTTP requests against the API server and OAuth server.
++
+[NOTE]
+====
+This example uses the following syntax:
+
+* The `(?i)` makes it case-insensitive.
+* The `//` pins to the beginning of the domain and matches the double slash
+following `http:` or `https:`.
+* The `\.` escapes dots in the domain name.
+* The `(:|\z)` matches the end of the domain name `(\z)` or a port separator
+`(:)`.
+====
+
+. Save the file to apply the changes.
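Review bot: The example pattern under `additionalCORSAllowedOrigins` leaves the scheme open: as the NOTE itself says, `//` matches after both `http:` and `https:`, so a plain-HTTP origin on that host is also allowed to make cross-origin requests to the API server and OAuth server. If only TLS-served origins are intended, the example could anchor the scheme, `- (?i)^https://my\.subdomain\.domain\.com(:|\z) <1>`. The NOTE would also benefit from one sentence stating that dropping the leading `//` (or `^`), dropping the trailing `(:|\z)`, or leaving dots unescaped makes the pattern match hosts other than the one named. Separately, the module's header comment lists `authentication/configuring-corsallowedorigins.adoc`, while the assembly added in this commit is `authentication/allowing-javascript-access-api-server.adoc`; the comment should name the file that actually includes the module.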