To authenticate with Boundary, you can use the following command:

boundary authenticate password -login-name=jeff -password=foofoofoo -auth-method-id=ampw_5Aiqy1zvF5

Upon successful authentication, you will receive details such as:

  • Account ID: apw_nDkJsApfym
  • Auth Method ID: ampw_5Aiqy1zvF5
  • Expiration Time: Wed, 10 Mar 2021 14:49:42 JST
  • Token: at_p0itAjmn67_s12TzikoWGGZfA4vtNy17Za2jqYPhntRZgSt6fV1daQYReBR5Vmz52jFa5mZdy6kDmmkRerGngNK2RBpyUeuzcGoBTF7YiUohcmyRdngWdRbdT
  • User ID: u_mPihJkaNsc

However, connecting to a target instance with the following command can fail:

boundary connect ssh -target-id ttcp_bNARIi1qIZ

with an error message similar to:

Error dialing the worker: failed to WebSocket dial: failed to send handshake request: Get "https://boundary.dev.mydomain.cloud:9202/v1/proxy": dial tcp 10.0.16.28:9202: connect: operation timed out
kex_exchange_identification: read: Connection reset by peer

To resolve this issue, consider checking the following:

  1. Ensure that the Boundary controller and worker are correctly configured and running.
  2. Verify network connectivity between the client and the worker.
  3. Check firewall settings that might be blocking the connection.
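
The three checks above can be narrowed down from the client side. The following is an added example, not part of the original page and not Boundary's own code: it parses the error shown above, probes the dialed address over TCP, and maps the result onto the checklist. The helper names `parse_dial_error`, `probe` and `diagnose` are hypothetical.

```python
import ipaddress
import re
import socket

# Error text copied from the page above.
SAMPLE_ERROR = (
    'Error dialing the worker: failed to WebSocket dial: failed to send handshake '
    'request: Get "https://boundary.dev.mydomain.cloud:9202/v1/proxy": '
    'dial tcp 10.0.16.28:9202: connect: operation timed out'
)

def parse_dial_error(text):
    """Return the advertised worker host and the IP/port the client really dialed."""
    url = re.search(r'Get "https?://([^/:"]+)', text)
    dial = re.search(r'dial tcp (\d{1,3}(?:\.\d{1,3}){3}):(\d+)', text)
    if not (url and dial):
        return None
    return {"host": url.group(1), "ip": dial.group(1), "port": int(dial.group(2))}

def probe(ip, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"

def diagnose(info, result):
    """Map a probe result onto the numbered checklist above."""
    target = f'{info["ip"]}:{info["port"]}'
    if result == "open":
        return f"{target} accepts TCP; look at the worker itself (check 1)"
    if result == "refused":
        return f"{target} is reachable but nothing listens there (check 1)"
    hint = f"no answer from {target}; packets are dropped or unroutable (checks 2 and 3)"
    if ipaddress.ip_address(info["ip"]).is_private:
        hint += f'; {info["host"]} resolves to a private address, so the client must be on that network'
    return hint

if __name__ == "__main__":
    info = parse_dial_error(SAMPLE_ERROR)
    print(info)
    print(diagnose(info, "timeout"))  # the outcome reported on the page
    print(diagnose(info, probe(info["ip"], info["port"])))  # live probe from this client
```

Run it on the machine where `boundary connect` fails; a different result from inside the cluster points at the network path rather than the worker.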

Configuration Files

Here is an example of a controller.hcl configuration:

disable_mlock = true

controller {
    name = "kubernetes-controller"
    description = "A controller for a Kubernetes demo!"
    database {
        url = "env://BOUNDARY_PG_URL"
    }
    public_cluster_addr = "boundary.boundary.svc.cluster.local:9201"
}

listener "tcp" {
    address = "0.0.0.0"
    purpose = "api"
    tls_disable = true
}

listener "tcp" {
    address = "0.0.0.0"
    purpose = "cluster"
    tls_disable = true
}

kms "aead" {
    purpose = "root"
    aead_type = "aes-gcm"
    key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
    key_id = "global_root"
}

kms "aead" {
    purpose = "worker-auth"
    aead_type = "aes-gcm"
    key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
    key_id = "global_worker-auth"
}

kms "aead" {
    purpose = "recovery"
    aead_type = "aes-gcm"
    key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
    key_id = "global_recovery"
}

And here is an example of a worker.hcl configuration:

disable_mlock = true

worker {
    # Ensure the name is unique among workers
    name = "kubernetes-boundary-worker"
    description = "Boundary worker running in Kubernetes"
    controllers = ["boundary.boundary.svc.cluster.local:9201"]
    # Address given to clients for proxying; the error above shows the client dialing it on port 9202
    public_addr = "boundary.dev.mydomain.cloud"
}

listener "tcp" {
    address = "0.0.0.0"
    purpose = "proxy"
    tls_disable = true
}

kms "aead" {
    purpose = "root"
    aead_type = "aes-gcm"
    key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
    key_id = "global_root"
}

kms "aead" {
    purpose = "worker-auth"
    aead_type = "aes-gcm"
    key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
    key_id = "global_worker-auth"
}

kms "aead" {
    purpose = "recovery"
    aead_type = "aes-gcm"
    key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
    key_id = "global_recovery"
}

Additional Context

This setup runs on Kubernetes with Istio, and the worker and controller run as separate containers within a single deployment. If further details are required, please do not hesitate to ask.