Changing client to use a different Worker port

I am running Boundary in K8s with an Ingress which is only listening on ports 80/443, I think my current issue is that the client is trying to connect using https://boundary.dev.local:9202/v1/proxy . Is it possible to tell the client to use port 443 and my ingress route anything for path /v1/proxy goes to the worker port on the backend?

Hmm. It might be possible, but it’ll depend on a few things.

  • you’ll need to set the public_addr of the worker behind the Ingress to the host and port of the Ingress gateway
  • the gateway needs a rule that directs all traffic on the /v1/proxy path to the same path at the worker
  • you may need to change the Ingress gateway config and not all Ingress gateways may work (the Boundary worker uses WebSockets for proxying so your Ingress needs to support that)

It may also be the case that because of mTLS considerations, you can only have one worker per Ingress per host route (i.e. multiple workers behind a single Ingress gateway would each need a unique host route config on the gateway with the worker configured for a specific route’s host using public_addr). I’m not sure on that; I haven’t tried it myself yet.

  1. I will play with this, not sure how to configure based on docs
  2. I already have this setup
  3. I have already enabled Websockets for this path

Currently I am only running a single instance of boundary (both controller and worker in the same pod). Once I figure out how to get it working I will look into scaling, then I think what you mention about mTLS will be a concern.

public_addr can be set either as a config directive in a boundary server config file, or by using the -worker-public-addr flag or BOUNDARY_DEV_WORKER_PUBLIC_ADDRESS environment variable when executing boundary dev.

Hi @cten
We are trying to achieve the same goal (make Client connect to worker via Ingress ).
Did you successfully configure it ? If yes please share your configuration .

Thank you in advance !

I was able to get this working with this config

worker {
  name        = "kubernetes-worker"
  description = "Boundary worker"
  address     = "localhost"
  initial_upstreams = ["localhost"]
  public_addr = "boundary-worker.infra.local:443"
}

Then setup a separate ingress for that domain, setup as tls passthrough

1 Like