Install Self-Managed Workers
HCP Boundary allows organizations to register and manage their own PKI workers. You can deploy these self-managed workers in private networks, and they can communicate with an upstream HCP Boundary cluster.
For a step-by-step example of configuring a self-managed worker instance, refer to the self-managed workers tutorial.
To install and configure a self-managed worker, complete the procedures below.
Download the Boundary Enterprise binary
Navigate to the Boundary releases page and download the latest Boundary Enterprise binary for your operating system.
For Linux there are multiple versions of the binary available, based on distro and architecture. Select the correct package to download the zip to your local machine. Then, extract the
boundary
binary.Alternatively, refer to the examples below for installing the latest version of the
boundary-enterprise
package using a package manager.After downloading the binary, ensure the
boundary
version matches the HCP Boundary control plane's version in order to benefit from the latest HCP Boundary features.Use the following command to verify the version:
Create the self-managed worker configuration file
Next, create a self-managed worker configuration file. Refer to the complete configuration example to view all valid configuration options.
Create a new file to store the worker configuration.
Open the
pki-worker.hcl
file with a text editor, such as Vi. Paste the following configuration information into thepki-worker.hcl
file:pki-worker.hcl1 2 3 4 5 6 7 8 9 101112131415
Update the configuration fields in the
pki-worker.hcl
file as necessary. You can specify the following configuration fields for self-managed workers:The
hcp_boundary_cluster_id
field accepts a Boundary cluster ID and is used by the worker when it initially connects to HCP Boundary. You configure this field externally to theworker
stanza.The cluster ID is the UUID in the HCP Boundary cluster URL. For example, the cluster ID is
c3a7a20a-f663-40f3-a8e3-1b2f69b36254
, if your cluster URL is:https://c3a7a20a-f663-40f3-a8e3-1b2f69b36254.boundary.hashicorp.cloud
The
listener
stanza in the example above sets theaddress
port to0.0.0.0:9202
. This port should already be configured by the AWS security group for this instance to accept inbound TCP connections. If you want to use a custom listener port, you can specify it in this field.The
public_addr
field should match the public IP or DNS name of your self-managed worker instance. In the unlikely event that you deploy the Boundary client and worker on the same local machine, you should omit thepublic_addr
attribute.For an example of the Boundary client and worker being deployed on the same local machine, refer to the Configure the PKI Worker section of the self-managed worker tutorial.
The
auth_storage_path
is a local path where the worker stores its PKI credentials. You should not share storage between workers. This field should match the full path to the/worker/
directory, such as:/home/ubuntu/worker
The
initial_upstreams
value indicates the address or addresses a worker uses when initially connecting to Boundary. You can useinitial_upstreams
in theworker
stanza as an alternative to thehcp_boundary_cluster_id
.For most use cases, the
hcp_boundary_cluster_id
is sufficient for ensuring that connectivity is always available, even if the HCP-managed upstream workers change. You should only configure aninitial_upstreams
value if you want to connect to another self-managed worker. Make sure to usehcp_boundary_cluster_id
to connect PKI workers to HCP Boundary.The example above uses the
auth_storage_path
and thehcp_boundary_cluster_id
values. If you want to configureinitial_upstreams
instead, you should omit thehcp_boundary_cluster_id
.
Save the
pki-worker.hcl
file.
Start the self-managed worker
Once the configuration file is created, you can start the worker server. Use the
following command to start the server. You must provide the full path to the
worker configuration file, for example /home/pki-worker.hcl
.
Note the Worker Auth Registration Request:
value on line 12. You can also
locate this value in the auth_request_token
file. You must provide this value
when you Register a new worker with
HCP.
Enter the following command to start the worker:
1 2 3 4 5 6 7 8 9 101112131415161718
The worker starts and outputs its authorization token as Worker Auth
Registration Request
.
It is also saved to a file, auth_request_token
,
defined by the auth_storage_path
in the worker configuration file.
After you install and start the self-managed worker, you must register it with HCP in your environment's admin console.