我的书签
添加书签
移除书签worker Stanza
The worker stanza configures Boundary worker-specific parameters.
worker {name = "example-worker"description = "An example worker"public_addr = "5.1.23.198"}
worker { name = "example-worker" description = "An example worker" public_addr = "5.1.23.198"}
name - Specifies a unique name of this worker within the Boundary cluster. This value can be a direct name string, can refer to a file on disk (file://) from which an name will be read; or an env var (env://) from which the name will be read.
description - Specifies a friendly description of this worker.
public_addr - Specifies the public host or IP address (and optionally port) at which the worker can be reached by clients for proxying. This defaults to the address of the listener marked for
proxypurpose. This is especially useful for cloud environments that do not bind a publicly accessible IP to a NIC on the host directly, such as an Amazon EIP.controllers - A list of hosts/IP addresses and optionally ports for reaching controllers. The port will default to :9201 if not specified.
tags - A map of key-value pairs where values are an array of strings. Most commonly used for filtering targets a worker can proxy via worker tags. On
SIGHUP, the tags set here will be re-parsed and new values used..
KMS Configuration
Workers require a KMS block designated for worker-auth. This is the KMS configuration for authentication between the workers and controllers and must be present. Example (not safe for production!):
kms "aead" {purpose = "worker-auth"aead_type = "aes-gcm"key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="key_id = "global_worker-auth"}
kms "aead" { purpose = "worker-auth" aead_type = "aes-gcm" key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ=" key_id = "global_worker-auth"}
This configuration must be the same for the worker-auth configuration for the controller if you’re running the controller and worker as separate servers.
And optionally, a KMS stanza for configuration encryption purpose:
# Configuration encryption block: decrypts sensitive values in the# configuration file. See `boundary config [encrypt|decrypt] -h`.kms "aead" {purpose = "config"`aead_type = "aes-gcm"key = "7xtkEoS5EXPbgynwd+dDLHopaCqK8cq0Rpep4eooaTs="}
# Configuration encryption block: decrypts sensitive values in the# configuration file. See `boundary config [encrypt|decrypt] -h`.kms "aead" { purpose = "config"` aead_type = "aes-gcm" key = "7xtkEoS5EXPbgynwd+dDLHopaCqK8cq0Rpep4eooaTs="}
Boundary supports many kinds of KMS integrations. For a complete guide to all available KMS types, see our KMS documentation.
Complete Configuration Example
listener "tcp" {purpose = "proxy"tls_disable = trueaddress = "127.0.0.1"}worker {# Name attr must be unique across workersname = "demo-worker-1"description = "A default worker created demonstration"# Workers must be able to reach controllers on :9201controllers = ["10.0.0.1","10.0.0.2","10.0.0.3",]public_addr = "myhost.mycompany.com"tags {type = ["prod", "webservers"]region = ["us-east-1"]}}# must be same key as used on controller configkms "aead" {purpose = "worker-auth"aead_type = "aes-gcm"key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="key_id = "global_worker-auth"}
listener "tcp" { purpose = "proxy" tls_disable = true address = "127.0.0.1"}worker { # Name attr must be unique across workers name = "demo-worker-1" description = "A default worker created demonstration"# Workers must be able to reach controllers on :9201 controllers = [ "10.0.0.1", "10.0.0.2", "10.0.0.3", ]public_addr = "myhost.mycompany.com"tags { type = ["prod", "webservers"] region = ["us-east-1"] }}# must be same key as used on controller configkms "aead" { purpose = "worker-auth" aead_type = "aes-gcm" key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ=" key_id = "global_worker-auth"}
