I’m following the “HCP Boundary Vault Credential Brokering Quickstart” tutorial but implementing it locally using Docker Compose. My setup includes several containers: one for Vault, one for Boundary, another for the database, one for the Boundary worker, and another for initialization scripts for each service.
I’ve successfully connected Boundary and Vault using KMS and created a transit in Vault. Here are my configurations:
Boundary Configuration:
disable_mlock = true

controller {
  name = "demo-controller"
  description = "A default controller created for demonstration"
  database {
    url = "postgresql://postgres:secret@database-service:5432/northwind?sslmode=disable"
  }
  public_cluster_addr = "boundary-server:9202"
}

listener "tcp" {
  address = "0.0.0.0:9200"
  purpose = "api"
  tls_disable = true
}

listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "cluster"
  tls_disable = true
}

# A "proxy" listener is what workers use; a controller needs only "api" and "cluster".
listener "tcp" {
  address = "0.0.0.0:9201"
  purpose = "proxy"
  tls_disable = true
}

# Note: "vault" is not a Boundary server config stanza. Vault credential stores are
# created through the CLI/API (boundary credential-stores create vault ...), not here.
vault {
  address = …
  token = "s.oLa7Cf6m2L9RhCYmL61aiSRY"
}

# Transit KMS: address and token can also be supplied via VAULT_ADDR / VAULT_TOKEN,
# which avoids hard-coding the same Vault token in every stanza.
kms "transit" {
  purpose = "root"
  address = …
  token = "s.oLa7Cf6m2L9RhCYmL61aiSRY"
  mount_path = "transit"
  key_name = "boundary-root"
}

kms "transit" {
  purpose = "recovery"
  address = …
  token = "s.oLa7Cf6m2L9RhCYmL61aiSRY"
  mount_path = "transit"
  key_name = "boundary-recovery"
}
Vault Configuration:
storage "file" {
  path = "/vault/data"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = true
}

ui = true
api_addr = …
Worker Configuration:
disable_mlock = true

# Note: "proxy" is not a Boundary worker config stanza. Targets and their host
# addresses are defined through the CLI/API; the worker learns them per session.
proxy {
  target = "database-service:5432"
}

worker {
  name = "worker-1" # Unique worker name
  # Address the client running `boundary connect` uses to reach this worker's
  # proxy listener; it must be resolvable and reachable from that client.
  public_addr = "boundary-worker:9203"
  initial_upstreams = ["boundary-server:9202"]
  tags {
    type = ["worker1", "upstream"]
  }
}

listener "tcp" {
  address = "0.0.0.0:9203"
  purpose = "proxy"
  tls_disable = true
}

# Only controllers listen with purpose "cluster"; a worker needs just the proxy listener.
listener "tcp" {
  address = "0.0.0.0:9204"
  purpose = "cluster"
  tls_disable = true
}

# Note: "vault" is not a Boundary server config stanza (see the controller config).
vault {
  address = …
  token = "s.oLa7Cf6m2L9RhCYmL61aiSRY"
}

# Transit KMS: address and token can also be supplied via VAULT_ADDR / VAULT_TOKEN.
kms "transit" {
  purpose = "worker-auth"
  address = …
  token = "s.oLa7Cf6m2L9RhCYmL61aiSRY"
  mount_path = "transit"
  key_name = "boundary-worker-auth"
}

log_level = "info"
This is how I am running the worker:
update-rc.d boundary-worker defaults
service boundary-worker start
boundary-worker:
#!/bin/sh
# /etc/init.d/boundary-worker: run the Boundary worker as a background service.
BOUNDARY_BIN=/usr/bin/boundary
CONFIG_FILE=/server/boundary-worker.hcl
PID_FILE=/var/run/boundary-worker.pid

start() {
    echo "Starting Boundary Worker..."
    # Record the PID so stop/status act on this process only, instead of
    # killing every process whose command line matches "boundary server".
    "$BOUNDARY_BIN" server -config "$CONFIG_FILE" &
    echo $! > "$PID_FILE"
}

stop() {
    echo "Stopping Boundary Worker..."
    if [ -f "$PID_FILE" ]; then
        kill "$(cat "$PID_FILE")" 2>/dev/null
        rm -f "$PID_FILE"
    fi
}

running() {
    [ -f "$PID_FILE" ] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        if running; then
            echo "Boundary Worker is running"
        else
            echo "Boundary Worker is stopped"
        fi
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
        ;;
esac
exit 0
Problem:
I successfully connected Vault to the database service, generating time-limited credentials. However, when trying to connect to the database through a Boundary target and host, I encounter the following error:
boundary connect postgres -target-id ttcp_jfs1FSR8KJ -username postgres
psql: error: connection to server at "127.0.0.1", port 40221 failed: server closed the connection unexpectedly
This probably means the server terminated abnormally before or while processing the request.
I expected Boundary to connect to database-service on port 5432 according to the target configuration, but it tries to connect to 127.0.0.1 on a random port.
Proxy Listening Information:
Address: 127.0.0.1
Connection Limit: 0
Expiration: Mon, 29 Jul 2024 06:44:00 UTC
Port: 37715
Protocol: tcp
Session ID: s_cmdGH4VYlo
Request for Help:
Has anyone faced this issue and found a solution? How can I ensure Boundary connects correctly to database-service on port 5432 instead of 127.0.0.1 on a random port? Any advice or suggestions would be greatly appreciated.
Note: Unable to access to Postgres Using Boundary CLI - #7 by omkensey
I was guided by this post to see if I could solve it with the solution proposed there, but I already had the setting at -1 to accept multiple connections.
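An added example, not code from the original post and not Boundary's own implementation, illustrating what the 127.0.0.1 listener in the Proxy Listening Information block is. `boundary connect` always binds a listener on 127.0.0.1 with an ephemeral port and relays each accepted connection through the worker to the target; the client never dials database-service:5432 itself, the worker does. The script below reproduces that shape offline: an in-process echo server stands in for the worker-plus-target (an assumption made so it runs without Boundary), and a second function demonstrates that when the upstream cannot be reached the local connection is simply dropped, which is what psql reports as "server closed the connection unexpectedly". All ports are chosen by the OS.

```python
"""Model of the client-side listener created by `boundary connect`.

Added example (not Boundary's code). The echo server is a constructed stand-in
for the worker and the database target; ports are ephemeral.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_upstream():
    """Constructed stand-in for the target behind the worker: echoes input.

    Returns (host, port, stop); stop() closes the listening socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        _pump(conn, conn)
        conn.close()

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    host, port = srv.getsockname()
    return host, port, srv.close


def start_local_listener(upstream_host, upstream_port, bind_host="127.0.0.1"):
    """Open the client-side listener the way `boundary connect` does.

    Binds an ephemeral port on bind_host and returns (address, port, stop).
    Each accepted connection is relayed to the upstream in both directions.
    """
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lst.bind((bind_host, 0))
    lst.listen(5)

    def relay(client):
        try:
            upstream = socket.create_connection((upstream_host, upstream_port), timeout=2)
        except OSError:
            # Upstream unreachable: like the worker failing to reach the target,
            # the client connection is closed without any reply.
            client.close()
            return
        upstream.settimeout(None)
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)
        client.close()
        upstream.close()

    def loop():
        while True:
            try:
                client, _ = lst.accept()
            except OSError:
                return
            threading.Thread(target=relay, args=(client,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    addr, port = lst.getsockname()
    return addr, port, lst.close


def roundtrip(port, payload, host="127.0.0.1"):
    """Connect to the local listener as psql would; return whatever comes back."""
    chunks = []
    with socket.create_connection((host, port), timeout=2) as s:
        try:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except OSError:
            # Reset or timeout: the relay dropped us, nothing was answered.
            pass
    return b"".join(chunks)


if __name__ == "__main__":
    up_host, up_port, stop_up = serve_upstream()
    addr, port, stop_local = start_local_listener(up_host, up_port)
    print(f"Address: {addr}  Port: {port}  (upstream on {up_port})")
    print(roundtrip(port, b"SELECT 1;"))
    stop_local()
    stop_up()
```

The local address and random port are therefore expected. In a Docker Compose layout the two connections that must actually succeed are the client reaching the worker at its `public_addr` (here `boundary-worker:9203`, which the host running psql has to resolve) and the worker reaching `database-service:5432`; a failure on either side surfaces on the client only as the dropped 127.0.0.1 connection shown above.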