worker Stanza

The worker stanza configures Boundary worker-specific parameters. Boundary supports two different types of workers, differentiated by their means of authentication to Boundary:

PKI Workers use certificates issued by Boundary to authenticate with controllers
KMS Workers use a shared KMS to authenticate with controllers

Different worker types have different configuration requirements, but share the common worker parameters listed below.

Common Worker Parameters

The following fields are supported for all worker types:

worker {
  public_addr = "5.1.23.198"

  initial_upstreams = [
    "10.0.0.1",
    "10.0.0.2",
  ]

  tags {
    type   = ["prod", "webservers"]
    region = ["us-east-1"]
  }
}

public_addr - Specifies the public host or IP address (and optionally port) at which the worker can be reached by clients for proxying. This defaults to the address of the listener marked for proxy purpose. This is especially useful for cloud environments that do not bind a publicly accessible IP to a NIC on the host directly, such as an Amazon EIP.
This value can reference any of the following:
- a direct address string
- a file on disk (file://) from which an address will be read
- an env var (env://) from which the address will be read
initial_upstreams - A list of hosts/IP addresses and optionally ports for reaching the boundary cluster. The port will default to :9201 if not specified. This value can be a direct access string array with the addresses, or it can refer to a file on disk (file://) from which the addresses will be read, or an env var (env://) from which the addresses will be read. When using env or file, their contents must formatted as a JSON array: ["127.0.0.1", "192.168.0.1", "10.0.0.1"]
tags - A map of key-value pairs where values are an array of strings. Most commonly used for filtering targets a worker can proxy via worker tags. On SIGHUP, the tags set here will be re-parsed and new values used. It can also be a string referring to a file on disk (file://) or an env var (env://).