Yu Wang created FLINK-27900: ------------------------------- Summary: Decouple the advertisedAddress and rest.bind-address Key: FLINK-27900 URL: https://issues.apache.org/jira/browse/FLINK-27900 Project: Flink Issue Type: Improvement Components: Runtime / REST Affects Versions: 1.14.4, 1.13.6, 1.11.6, 1.12.0, 1.10.3 Environment: Flink 1.13, 1.12, 1.11, 1.10
Deploy Flink in Kubernetes pod with a nginx sidecar for auth Reporter: Yu Wang Currently the Flink Rest api does not have authentication, according to the doc [https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/security/security-ssl/#external--rest-connectivity] # We set up the Flink cluster in k8s # We set up a nginx sidecar to enable auth for Flink Rest api. # We set *rest.bind-address* to localhost to hide the original Flink address and port # We enable the ssl for the Flink Rest api It works fine wen the client tried to call the Flink Rest api with *https* scheme. But if the client using *http* scheme, the *RedirectingSslHandler* will try to redirect the address to the advertised url. According to the code of {*}RestServerEndpoint{*}, Flink will use the value of *rest.bind-address* as the {*}advertisedAddress{*}. So the client will be redirect to *127.0.0.1* and failed to connect the url. So we hope the advertisedAddress can be decoupled with rest.bind-addres, to provide more flexibility to the Flink deployment. -- This message was sent by Atlassian Jira (v8.20.7#820007)