Hashicorp Boundary Multi-hop worker KMS configuration clarification

Hi Team, I am trying to setup boundary worker in the below way in different network zones:
ingress worker —> dmz egress worker ----> egress worker ------> Actual target

I am referring here how to specify KMS-led authorization & authentication flow for these above workers:

  • ingress worker hcl file have two KMS blocks: one is worker-auth with same key and purpose as controller has. and second kms block: downstream-worker-auth with its new key.
  • dmz egress worker hcl file have one kms block which is downstream-worker-auth same as ingress worker downstream-worker-auth
  • last egress worker hcl file have kms block: which is same as dmz egress worker or should have different kms block

I ma very confused with these multi-hop worker KMS setup. i have followed the hashicorp provided link for KMS authroization & authenitcation flow:

It is not very clear to me where to configure (controller or which worker) where they say about " For Multi-Hop workers, It is also possible to specify a kms block with the downstream-worker-auth purpose. If specified, this will be a separate KMS that can be used for authenticating new downstream nodes. Blocks with this purpose can be specified multiple times. This allows a single upstream node to authenticate with one key to its own upstream (via the worker-auth purpose) and then serve as an authenticating upstream to nodes across various networks, each with their own separate KMS system or key:"

Please help me to understand step by step.