[jira] [Commented] (FLINK-27900) Decouple the advertisedAddress and rest.bind-address

Thu, 16 Mar 2023 02:10:04 -0700 


    [ 
https://issues.apache.org/jira/browse/FLINK-27900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17701048#comment-17701048
 ] 

Yu Wang commented on FLINK-27900:
---------------------------------

[~Wencong Liu] Thanks for the reply.

But I have some different view about the advertisedAddress. By checking some 
other open source products, I think the advertise listener(host) is able to 
change. Just to list two of what I know, 
Kafka([https://kafka.apache.org/documentation/#brokerconfigs_advertised.listeners])
 and Pulsar 
([https://pulsar.apache.org/docs/2.11.x/concepts-multiple-advertised-listeners/#advertised-listeners])

And for the aspect of *RedirectingSslHandler.* If we need to put Flink service 
in the internal network and expose the service by a proxy, as the advertised 
address must be same as bind-address, the redirecting handler will always 
return the address that cannot be accessed from the external.

> Decouple the advertisedAddress and rest.bind-address
> ----------------------------------------------------
>
>                 Key: FLINK-27900
>                 URL: https://issues.apache.org/jira/browse/FLINK-27900
>             Project: Flink
>          Issue Type: Improvement
>          Components: Runtime / REST
>    Affects Versions: 1.10.3, 1.12.0, 1.11.6, 1.13.6, 1.14.4
>         Environment: Flink 1.13, 1.12, 1.11, 1.10 with ssl
> Deploy Flink in Kubernetes pod with a nginx sidecar for auth
>            Reporter: Yu Wang
>            Priority: Minor
>
> Currently the Flink Rest api does not have authentication, according to the 
> doc 
> [https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/security/security-ssl/#external--rest-connectivity]
>  # We set up the Flink cluster in k8s
>  # We set up a nginx sidecar to enable auth for Flink Rest api.
>  # We set *rest.bind-address* to localhost to hide the original Flink address 
> and port
>  # We enabled the ssl for the Flink Rest api
> It works fine wen the client tried to call the Flink Rest api with *https* 
> scheme.
> But if the client using *http* scheme, the *RedirectingSslHandler* will try 
> to redirect the address to the advertised url. According to 
> {*}RestServerEndpoint{*}, Flink will use the value of *rest.bind-address* as 
> the {*}advertisedAddress{*}. So the client will be redirected to *127.0.0.1* 
> and failed to connect the url.
> So we hope the advertisedAddress can be decoupled with rest.bind-addres, to 
> provide more flexibility to the Flink deployment.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to