Enable CORS for APIs via CRs
To enable CORS for an API, attach an `APIPolicy` with the `cORSPolicy` configuration. Make sure the `targetRef` property is set to the API for which you want to enable CORS. Refer to the following example `APIPolicy`, which enables CORS for the `sample-api`.
APIPolicy Resource with CORS Configuration
```yaml
apiVersion: dp.wso2.com/v1alpha1
kind: APIPolicy
metadata:
  name: sample-api-policy
spec:
  override:
    cORSPolicy:
      enabled: true
      accessControlAllowCredentials: true
      accessControlAllowOrigins:
        - "*"
      accessControlAllowHeaders:
        - authorization
      accessControlAllowMethods:
        - GET
        - POST
      accessControlExposeHeaders:
        - "*"
  targetRef:
    group: dp.wso2.com
    kind: API
    name: sample-api
```
Configuration Definition
Configuration | Description | Sample Values |
---|---|---|
enabled | Determines whether or not the API Gateway should enable CORS for the API. If the value is set to true, the API Gateway will set the CORS headers in the response. | true, false |
accessControlAllowCredentials | Determines whether or not the response to the request can be exposed to the page. It can be exposed when the header value is true. The header value can be set to true/false by enabling/disabling the Access Control Allow Credentials configuration. | true, false |
accessControlAllowOrigins | Determines whether a resource can be shared with the resource of a given origin. The API Gateway validates the origin request header value against the list of origins defined under the Access Control Allow Origins configuration (this can be All Allow Origins or a specific value like localhost). If the host is in the allowed origin list, it will be set as the Access-Control-Allow-Origin response header in the response. | * (allow all origins), localhost, *.wso2.com |
accessControlAllowHeaders | Determines, as part of the response to a preflight request (a request that checks to see if the CORS protocol is understood), which header field names can be used during the actual request. The Gateway will set the header values defined under Access Control Allow Headers configurations. | authorization, Access-Control-Allow-Origin, Content-type, SOAPAction, apikey, Internal-Key |
accessControlAllowMethods | Determines the method(s) allowed when accessing the resource in response to a preflight request. Required methods can be defined under the Access Control Allow Method configuration. | GET, PUT, POST, DELETE, PATCH, OPTIONS |
accessControlExposeHeaders | Determines the headers that are safe to expose to the API. The Gateway will set the header values defined under Access Control Expose Headers configurations. | *, Cache-Control, Content-Language, Content-Length, Content-Type |
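The sample policy sets `accessControlAllowCredentials: true` together with a `*` origin and a `*` in `accessControlExposeHeaders`; for credentialed requests browsers do not accept a literal `*` origin and read `*` in the header and method lists as a literal name. The check below is an added example, not part of the WSO2 APK documentation or code base, that flags these combinations in an APIPolicy exported as JSON. The finding codes and the `audit_cors` and `pinned_copy` helpers are hypothetical names chosen for illustration, and the embedded policy is constructed from the sample on this page.

```python
import copy
import json

# Constructed input: the page's sample-api-policy in the JSON form that
# `kubectl get apipolicy sample-api-policy -o json` would return.
SAMPLE_POLICY = json.loads("""
{"kind": "APIPolicy", "metadata": {"name": "sample-api-policy"},
 "spec": {"override": {"cORSPolicy": {
     "enabled": true,
     "accessControlAllowCredentials": true,
     "accessControlAllowOrigins": ["*"],
     "accessControlAllowHeaders": ["authorization"],
     "accessControlAllowMethods": ["GET", "POST"],
     "accessControlExposeHeaders": ["*"]}},
   "targetRef": {"group": "dp.wso2.com", "kind": "API", "name": "sample-api"}}}
""")

LIST_FIELDS = ("accessControlAllowHeaders", "accessControlAllowMethods",
               "accessControlExposeHeaders")

def audit_cors(policy):
    """Return (code, detail) findings for every enabled cORSPolicy block."""
    findings = []
    for section, body in policy.get("spec", {}).items():
        cors = body.get("cORSPolicy") if isinstance(body, dict) else None
        if not cors or not cors.get("enabled"):
            continue
        if not cors.get("accessControlAllowCredentials"):
            continue  # the checks below only matter for credentialed requests
        origins = cors.get("accessControlAllowOrigins") or []
        if "*" in origins:
            # Browsers reject a literal "*" for credentialed requests; a gateway
            # that echoes the matched Origin instead trusts every site.
            findings.append(("ANY_ORIGIN_WITH_CREDENTIALS", f"{section}: {origins}"))
        elif any("*" in o for o in origins):
            findings.append(("PATTERN_ORIGIN_WITH_CREDENTIALS", f"{section}: {origins}"))
        for field in LIST_FIELDS:
            if "*" in (cors.get(field) or []):
                # With credentials, "*" here is a literal header/method name.
                findings.append(("LITERAL_WILDCARD", f"{section}.{field}"))
    return findings

def pinned_copy(policy, origins, expose_headers):
    """Return a copy with explicit origins and exposed headers (caller-supplied)."""
    fixed = copy.deepcopy(policy)
    cors = fixed["spec"]["override"]["cORSPolicy"]
    cors["accessControlAllowOrigins"] = list(origins)
    cors["accessControlExposeHeaders"] = list(expose_headers)
    return fixed

if __name__ == "__main__":
    for code, detail in audit_cors(SAMPLE_POLICY):
        print(code, detail)
```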
Create an API using CRs with CORS configurations
Follow the instructions below to add CORS configurations to an API via CRs:
Before you begin
- Install the prerequisites that are required to run WSO2 APK.
- Start WSO2 APK.
Step 1 - Define the CRs
- Create the following Custom Resources (CRs).
  - Resource API CR.
  - Production and/or Sandbox HTTPRoute CR.
  - CR that defines the service for the API backend.

  Note
  - You can find a sample set of CRs in the `<APK-HOME>/samples/` directory.
  - The backend of the sample REST API is https://httpbin.org/
- Define the required CORS configurations in an APIPolicy CR. The following is an example CR.
```yaml
apiVersion: dp.wso2.com/v1alpha1
kind: APIPolicy
metadata:
  name: sample-api-policy
spec:
  override:
    cORSPolicy:
      enabled: true
      accessControlAllowCredentials: true
      accessControlAllowOrigins:
        - "*"
      accessControlAllowHeaders:
        - authorization
      accessControlAllowMethods:
        - GET
        - POST
      accessControlExposeHeaders:
        - "*"
  targetRef:
    group: dp.wso2.com
    kind: API
    name: sample-api
```
Step 2 - Apply the CRs
Apply the CRs to the Kubernetes API server using kubectl.
```bash
# Format
kubectl apply -f <path-to-crs>
# Example
kubectl apply -f samples/
```
Note
- The APIs should be created in the APK deployment namespace.