Boundary cluster/worker TLS config with public certs?

Using public certs for the API listener works great.

I’m a little confused by this configuration in the reference implementation: controller.hcl.tpl in the hashicorp/boundary-reference-architecture repository on GitHub.

When I tried using these here, the worker could never establish a session.

[ERROR] worker: error making status request to controller: error="rpc error: code = Unavailable desc

Reading through the documentation, it appears that the TLS between controller and worker isn’t based on public PKI at all.

Is this a mistake in the reference implementation, or am I otherwise doing something wrong?

I think it’s a mistake in the reference implementation. However, the code should be ignoring any TLS parameters given. Can you confirm that everything is working fine when those TLS parameters are not included, but fail specifically when that one thing is changed?

@malnick can you update the reference implementation?

Can you confirm that everything is working fine when those TLS parameters are not included, but fail specifically when that one thing is changed?

Yes. Worker works fine without key/cert being set but fails if they are set and pointing to valid publicly-issued certs.

API controller works as expected either way: a host-generated cert or a publicly issued one both work as expected (warning/none, respectively).
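To make the split described in this thread concrete, here is an added example of the relevant controller.hcl stanzas (this is not the reference implementation's controller.hcl.tpl): the publicly issued certificate is set only on the api listener, the cluster listener carries no tls_cert_file/tls_key_file, and the worker-auth KMS is what actually authenticates workers. Paths, addresses and the key value are placeholders, and the rest of controller.hcl (controller block, database, root KMS) is omitted.

```hcl
# Added illustration, not the reference implementation's file.
# Paths, addresses and key material are placeholders.

# API listener: the only place a publicly issued certificate belongs.
listener "tcp" {
  address       = "0.0.0.0:9200"
  purpose       = "api"
  tls_disable   = false
  tls_cert_file = "/etc/boundary/api-fullchain.pem" # placeholder path
  tls_key_file  = "/etc/boundary/api-privkey.pem"   # placeholder path
}

# Cluster listener (controller <-> worker): no tls_* settings here.
# This channel is protected by Boundary's worker-auth KMS below,
# not by the public certificate.
listener "tcp" {
  address = "0.0.0.0:9201"
  purpose = "cluster"
}

# Misconfiguration reported in the thread (kept commented out): the
# public cert/key applied to the cluster listener, after which the
# worker could not establish a session.
# listener "tcp" {
#   address       = "0.0.0.0:9201"
#   purpose       = "cluster"
#   tls_cert_file = "/etc/boundary/api-fullchain.pem"
#   tls_key_file  = "/etc/boundary/api-privkey.pem"
# }

# Worker authentication key; the same key must be configured on
# every worker's kms "aead" { purpose = "worker-auth" } stanza.
kms "aead" {
  purpose   = "worker-auth"
  aead_type = "aes-gcm"
  key       = "PLACEHOLDER_BASE64_32_BYTE_KEY" # placeholder, generate your own
  key_id    = "global_worker-auth"
}
```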