Boundary
Worker stanza
The worker
stanza configures Boundary worker-specific parameters.
All workers within Boundary use certificates and encryption keys to identify themselves and protect data in transit. However, there are three different ways to register them so that registration of workers can fit into any workflow; controller-led, worker-led, and via external KMS.
The differences in how they are configured are in the sub-pages linked at the bottom of this page.
Workers registered via the worker-led or controller-led methods must be registered in the system via an API call, and require storage on disk to store the current set of credentials. Workers registering via an external KMS auto-register after successful authentication, making them an easy mechanism to use for automatic scaling. This also means they are not required to store credentials locally; each time they connect the KMS is used to reauthenticate them.
Prior to version 0.15 of Boundary, there were two different types of workers, PKI & KMS workers.
If you are using pre-0.15 workers, with pre-0.15 upstreams please be sure to switch the documentation
version to 0.13.x
- 0.14.x
for correct information.
Common worker parameters
Regardless of registration mechanism, the following fields are supported.
worker {
public_addr = "5.1.23.198"
# Local storage path required if session recording is enabled
recording_storage_path = "tmp/boundary/"
# Mutually exclusive with hcp_boundary_cluster_id
initial_upstreams = [
"10.0.0.1",
"10.0.0.2",
]
tags {
type = ["prod", "webservers"]
region = ["us-east-1"]
}
# HCP Boundary only
# hcp_boundary_cluster_id = "....."
}
public_addr
- Specifies the public host or IP address (and optionally port) at which the worker can be reached by clients for proxying. This defaults to the address of the listener marked forproxy
purpose. This is especially useful for cloud environments that do not bind a publicly accessible IP to a NIC on the host directly, such as an Amazon EIP.This value can reference any of the following:
- a direct address string
- a file on disk (file://) from which an address will be read
- an env var (env://) from which the address will be read
initial_upstreams
- A list of hosts/IP addresses and optionally ports for reaching the boundary cluster. The port will default to:9201
if not specified. This value can be a direct access string array with the addresses, or it can refer to a file on disk (file://
) from which the addresses will be read, or an env var (env://
) from which the addresses will be read. When using env or file, their contents must formatted as a JSON array:["127.0.0.1", "192.168.0.1", "10.0.0.1"]
HCP Boundary workers require the
hcp_boundary_cluster_id
parameter instead ofinitial upstreams
. If you configure an HCP worker withinitial_upstreams
, the worker configuration fails.hcp_boundary_cluster_id
- A string required to configure workers using worker-led or controller-led registration to connect to your HCP Boundary cluster rather than specifyinginitial_upstreams
. This parameter is currently only valid for workers using the worker-led or controller-led registration method and for workers directly connected to HCP Boundary.recording_storage_path
- A path to the local storage for recorded sessions. Session recordings are stored in the local storage while they are in progress. When the session is complete, Boundary moves the local session recording to remote storage and deletes the local copy.tags
- A map of key-value pairs where values are an array of strings. Most commonly used for filtering targets a worker can proxy via worker tags. OnSIGHUP
, the tags set here will be re-parsed and new values used. It can also be a string referring to a file on disk (file://
) or an env var (env://
).
Signals
The SIGHUP
signal causes a worker to reload its configuration file to pick up any updates for the initial_upstreams
and tags
values.
Any other updated values are ignored.
The SIGTERM
and SIGINT
signals initiate a graceful shutdown on a worker. The worker waits for any sessions to drain
before shutting down. Workers in a graceful shutdown state do not receive any new work, including session proxying, from the control plane.
Multi-hop worker capabilities
Enterprise
This feature requires HCP Boundary or Boundary Enterprise
Multi-hop capabilities, including multi-hop sessions and Vault private access, is when a session or Vault credential request goes through more than one worker. To enable this, two or more workers must be connected to each other in some configuration. There are no limits on the amount of workers allowed in a multi-hop session configuration.
It helps to think of “upstream” and “downstream” nodes in the context of multi-hop. If you view controllers as the “top” node of a multi-hop chain, any worker connected to a node is "downstream" of that node; the node that any particular worker connects to (whether another worker or a controller) is the "upstream" of that node. For example, in the diagram below, Worker 2’s upstream is Worker 1, and its downstream is Worker 3.
You can deploy multi-hop workers in scenarios where inbound network traffic is not allowed. A worker in a private network can send outbound communication to its upstream worker, and create a reverse proxy to establish a session.
You can configure target worker filters with multi-hop workers to allow for fine-grained control on which workers handle ingress and egress for session traffic to a target. Ingress worker filters determine which workers you connect with to initiate a session, and egress worker filters determine which workers are used to access targets.
Multi-hop worker requirements
When you configure multi-hop sessions, there is an "ingress" worker, an "egress" worker, and any number of intermediary workers. Ingress, egress, and intermediary workers have the following requirements.
Ingress worker requirements
To proxy target connections, ingress workers require outbound access to the Boundary control plane and inbound access from clients.
Intermediary worker requirements
Intermediary workers require outbound access to an upstream worker. The upstream worker may be an ingress worker or another intermediary worker. Intermediary workers also require inbound access from a downstream worker. The downstream worker may be an egress worker or another intermediary worker.
Egress worker requirements
To proxy target connections, egress workers require outbound access to an upstream worker and outbound access to the destination host or service.
Complete configuration example
listener "tcp" {
purpose = "proxy"
tls_disable = true
address = "127.0.0.1"
}
worker {
# Path for worker storage, assuming worker-led or controller-led registration. Must be unique across workers
auth_storage_path="/boundary/demo-worker-1"
# Local storage path required if session recording is enabled
recording_storage_path = "tmp/boundary/"
# Workers typically need to reach upstreams on :9201
initial_upstreams = [
"10.0.0.1",
"10.0.0.2",
"10.0.0.3",
]
public_addr = "myhost.mycompany.com"
tags {
type = ["prod", "webservers"]
region = ["us-east-1"]
}
}
# The following KMS config is an example only
# Use a production KMS such as AWS KMS for production installs
kms "aead" {
purpose = "worker-auth-storage"
aead_type = "aes-gcm"
key = "X+IJMVT6OnsrIR6G/9OTcJSX+lM9FSPN"
key_id = "worker-auth-storage"
}
Tutorials
Refer to the Self-Managed Worker Registration with HCP Boundary tutorial to learn how to register and manage Workers.
Refer to the Manage Multi-Hop Sessions with HCP Boundary tutorial to learn how to configure a multi-hop session.