You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@flink.apache.org by "Yu Wang (Jira)" <ji...@apache.org> on 2022/06/06 06:54:00 UTC

[jira] [Created] (FLINK-27900) Decouple the advertisedAddress and rest.bind-address

Yu Wang created FLINK-27900:
-------------------------------

             Summary: Decouple the advertisedAddress and rest.bind-address
                 Key: FLINK-27900
                 URL: https://issues.apache.org/jira/browse/FLINK-27900
             Project: Flink
          Issue Type: Improvement
          Components: Runtime / REST
    Affects Versions: 1.14.4, 1.13.6, 1.11.6, 1.12.0, 1.10.3
         Environment: Flink 1.13, 1.12, 1.11, 1.10

Deploy Flink in Kubernetes pod with a nginx sidecar for auth
            Reporter: Yu Wang


Currently the Flink Rest api does not have authentication, according to the doc [https://nightlies.apache.org/flink/flink-docs-release-1.15/docs/deployment/security/security-ssl/#external--rest-connectivity]
 # We set up the Flink cluster in k8s
 # We set up a nginx sidecar to enable auth for Flink Rest api.
 # We set *rest.bind-address* to localhost to hide the original Flink address and port
 # We enable the ssl for the Flink Rest api

It works fine wen the client tried to call the Flink Rest api with *https* scheme.

But if the client using *http* scheme, the *RedirectingSslHandler* will try to redirect the address to the advertised url. According to the code of {*}RestServerEndpoint{*}, Flink will use the value of *rest.bind-address* as the {*}advertisedAddress{*}. So the client will be redirect to *127.0.0.1* and failed to connect the url.

So we hope the advertisedAddress can be decoupled with rest.bind-addres, to provide more flexibility to the Flink deployment.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)