Yu Wang created FLINK-27900:
-------------------------------
Summary: Decouple the advertisedAddress and rest.bind-address
Key: FLINK-27900
URL: https://issues.apache.org/jira/browse/FLINK-27900
Project: Flink
Issue Type: Improvement
Components: Runtime / REST
Affects Versions: 1.14.4, 1.13.6, 1.11.6, 1.12.0, 1.10.3
Environment: Flink 1.13, 1.12, 1.11, 1.10
Deploy Flink in Kubernetes pod with a nginx sidecar for auth
Reporter: Yu Wang
Currently the Flink Rest api does not have authentication, according to the doc
[https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/security/security-ssl/#external--rest-connectivity]
# We set up the Flink cluster in k8s
# We set up a nginx sidecar to enable auth for Flink Rest api.
# We set *rest.bind-address* to localhost to hide the original Flink address
and port
# We enable the ssl for the Flink Rest api
It works fine wen the client tried to call the Flink Rest api with *https*
scheme.
But if the client using *http* scheme, the *RedirectingSslHandler* will try to
redirect the address to the advertised url. According to the code of
{*}RestServerEndpoint{*}, Flink will use the value of *rest.bind-address* as
the {*}advertisedAddress{*}. So the client will be redirect to *127.0.0.1* and
failed to connect the url.
So we hope the advertisedAddress can be decoupled with rest.bind-addres, to
provide more flexibility to the Flink deployment.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
