»worker Stanza

The worker stanza configures Boundary worker-specific parameters.

worker {
  name = "example-worker"
  description = "An example worker"
  public_addr = "5.1.23.198"
}
  • name - Specifies a unique name of this worker within the Boundary worker cluster.

  • description - Specifies a friendly description of this worker.

  • public_addr - Specifies the public host or IP address (and optionally port) at which the worker can be reached by clients for proxying. This defaults to the address of the listener marked for proxy purpose. This is especially useful for cloud environments that do not bind a publicly accessible IP to a NIC on the host directly, such as an Amazon EIP.

  • controllers - A list of hosts/IP addresses and optionally ports for reaching controllers. The port will default to :9201 if not specified.

  • KMS block designated for worker-auth - This is the KMS configuration for authentication between the workers and controllers and must be present. Example (not safe for production!):

    purpose = "worker-auth"
    aead_type = "aes-gcm"
    key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
    key_id = "global_worker-auth"
}

»Complete Configuration Example

listener "tcp" {
    purpose = "proxy"
    tls_disable = true
}

worker {
  # Name attr must be unique across workers
  name = "demo-worker-1"
  description = "A default worker created demonstration"

  # Workers must be able to reach controllers on :9202
  controllers = [
    "10.0.0.1",
    "10.0.0.2",
    "10.0.0.3",
  ]

  public_addr = "myhost.mycompany.com"
}

# must be same key as used on controller config
kms "aead" {
    purpose = "worker-auth"
    aead_type = "aes-gcm"
    key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
    key_id = "global_worker-auth"
}