[ https://issues.apache.org/jira/browse/FLINK-27900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Yu Wang updated FLINK-27900:
----------------------------
    Environment:
Flink 1.13, 1.12, 1.11, 1.10 with ssl
Deploy Flink in Kubernetes pod with a nginx sidecar for auth

  was:
Flink 1.13, 1.12, 1.11, 1.10
Deploy Flink in Kubernetes pod with a nginx sidecar for auth

> Decouple the advertisedAddress and rest.bind-address
> ----------------------------------------------------
>
>                 Key: FLINK-27900
>                 URL: https://issues.apache.org/jira/browse/FLINK-27900
>             Project: Flink
>          Issue Type: Improvement
>          Components: Runtime / REST
>   Affects Versions: 1.10.3, 1.12.0, 1.11.6, 1.13.6, 1.14.4
>         Environment: Flink 1.13, 1.12, 1.11, 1.10 with ssl
> Deploy Flink in Kubernetes pod with a nginx sidecar for auth
>            Reporter: Yu Wang
>            Priority: Minor
>
> Currently the Flink REST API does not have authentication, according to the
> doc
> [https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/security/security-ssl/#external--rest-connectivity]
> # We set up the Flink cluster in k8s
> # We set up a nginx sidecar to enable auth for the Flink REST API.
> # We set *rest.bind-address* to localhost to hide the original Flink address
> and port
> # We enabled SSL for the Flink REST API
> It works fine when the client calls the Flink REST API with the *https*
> scheme.
> But if the client uses the *http* scheme, the *RedirectingSslHandler* will try
> to redirect the address to the advertised URL. According to
> *RestServerEndpoint*, Flink will use the value of *rest.bind-address* as
> the *advertisedAddress*. So the client will be redirected to *127.0.0.1*
> and fail to connect to the URL.
> So we hope the advertisedAddress can be decoupled from rest.bind-address, to
> provide more flexibility to the Flink deployment.

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
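
An added example, not part of the original issue or of Flink's code: a smoke check a deployment could run on a response from the proxied endpoint to detect the redirect described above, where the `Location` header points the client at a loopback or wildcard host. The sample responses, host names and port are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample responses (not captured from a real cluster).
SAMPLE_BAD = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://127.0.0.1:8081/jobs/overview\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_GOOD = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://flink.example.internal/jobs/overview\r\n"
    "Content-Length: 0\r\n\r\n"
)


def location_of(raw_response):
    """Return the Location header value of a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def is_pod_local_host(host):
    """True for hosts that only resolve inside the pod: localhost, loopback, wildcard."""
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; its reachability is not judged here
    return ip.is_loopback or ip.is_unspecified


def redirect_leaks_bind_address(raw_response):
    """True if the response redirects the client to a pod-local host."""
    location = location_of(raw_response)
    if location is None:
        return False  # no redirect at all
    # A relative Location has no hostname and is treated as safe.
    return is_pod_local_host(urlsplit(location).hostname)
```
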