Hashicorp Boundary
```yaml
version: "3.8"
services:
  db:
    image: postgres
    container_name: db
    restart: always
    # ports:
    #   - 5432:5432
    environment:
      - POSTGRES_DB=boundary
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=V88nRb9rTaVZ7gUcUNM5
    network_mode: "host"
    volumes:
      - ./db-data:/var/lib/postgresql/data
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -U postgres" ]
      interval: 3s
      timeout: 20s
      retries: 15
  db-init:
    image: hashicorp/boundary
    container_name: db-init
    command:
      [
        "database",
        "init",
        "-config",
        "/boundary/boundary.hcl"
      ]
    volumes:
      - "./boundary-data/:/boundary:ro,z"
    environment:
      - BOUNDARY_POSTGRES_URL=postgresql://postgres:V88nRb9rTaVZ7gUcUNM5@172.12.27.7/boundary?sslmode=disable
    cap_add:
      - IPC_LOCK
    network_mode: "host"
    depends_on:
      db:
        condition: service_healthy
  boundary:
    image: hashicorp/boundary
    restart: always
    container_name: boundary
    command: [ "server", "-config", "/boundary/boundary.hcl" ]
    volumes:
      - "./boundary-data/:/boundary/"
    # ports:
    #   - "9200:9200"
    #   - "9201:9201"
    #   - "9202:9202"
    #   - "5000:5000"
    environment:
      - BOUNDARY_POSTGRES_URL=postgresql://postgres:V88nRb9rTaVZ7gUcUNM5@172.12.27.7/boundary?sslmode=disable
      - HOSTNAME=boundary
    cap_add:
      - IPC_LOCK
    network_mode: "host"
    depends_on:
      db-init:
        condition: service_completed_successfully
    healthcheck:
      test: [ "CMD", "wget", "-O-", "http://172.12.27.7:9200" ]
      interval: 3s
      timeout: 20s
      retries: 15
```
1- Change the password.
2- Run `docker-compose up -d`.
3- After the first `docker-compose up -d`, comment out the whole `db-init` service so the database is not initialised again on later runs.

In Boundary, clients need to be able to connect to both the API listener (9200) and the worker (9201) in order to proxy to targets.
```hcl
disable_mlock = true

controller {
  name = "docker-controller"
  description = "Docker-Controller"
  database {
    url = "env://BOUNDARY_POSTGRES_URL"
  }
}

worker {
  name = "docker-worker"
  description = "Docker-Worker"
  # controllers = [
  #   "192.168.111.11"
  # ]
  public_addr = "192.168.111.11" # address which clients connect to (if behind NAT)
}

listener "tcp" {
  address = "172.12.27.7" # real address of the server (docker host, not the container)
  purpose = "api"
  tls_disable = true
}

listener "tcp" {
  address = "172.12.27.7"
  purpose = "cluster"
  tls_disable = true
}

listener "tcp" {
  address = "172.12.27.7"
  purpose = "proxy"
  tls_disable = true
}

// You can generate the keys by
// `python3 kyegen.py`
// Ref: https://www.boundaryproject.io/docs/configuration/kms/aead
kms "aead" {
  purpose = "root"
  aead_type = "aes-gcm"
  key = "IVDvkRcDLv7xS4rlQaJfTHGPw63LYkz9Ouj5471Am6M="
  key_id = "global_root"
}

kms "aead" {
  purpose = "worker-auth"
  aead_type = "aes-gcm"
  key = "p5vSHEYcGWyVIxnNPOP3EUf+HnI8YkhGsfqJ3PBOpHo="
  key_id = "global_worker-auth"
}

kms "aead" {
  purpose = "recovery"
  aead_type = "aes-gcm"
  key = "U3CQB6sOfW33zZIpcrAF4ZwZsbLpVe+X1M7kZag9DIs="
  key_id = "global_recovery"
}
```
```python
import base64
import os


def generate_encryption_key(name):
    # 32 random bytes from the OS CSPRNG = one AES-256 key for an aes-gcm "aead" kms stanza
    key = os.urandom(32)
    encoded_key = base64.b64encode(key).decode("utf-8")
    print("Base 64 encoded encryption key for {}: {}".format(name, encoded_key))


# one distinct key per kms purpose (root, worker-auth, recovery)
keys = ["global", "worker", "recovery"]
for key in keys:
    generate_encryption_key(key)
```
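An added check, not part of the gist, that parses the `kms "aead"` stanzas out of a boundary.hcl like the one above, verifies that the root, worker-auth and recovery purposes are all present with distinct 32-byte AES-256 keys in valid base64, and renders fresh stanzas in the same layout (`parse_kms_blocks`, `check_kms_keys` and `generate_kms_hcl` are names chosen for this example):

```python
import base64
import re
import secrets
# The three KMS purposes a combined controller+worker config needs (as in the gist's boundary.hcl).
REQUIRED_PURPOSES = ("root", "worker-auth", "recovery")
AES256_KEY_BYTES = 32  # 32 random bytes, base64-encoded, as the gist's keygen produces
KMS_BLOCK_RE = re.compile(r'kms\s+"aead"\s*\{(?P<body>.*?)\}', re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')  # loose match for flat stanzas, not a full HCL parser

def parse_kms_blocks(hcl_text):
    """Return {purpose: {attr: value}} for every kms "aead" stanza in the text."""
    blocks = {}
    for match in KMS_BLOCK_RE.finditer(hcl_text):
        attrs = dict(ATTR_RE.findall(match.group("body")))
        if "purpose" in attrs:
            blocks[attrs["purpose"]] = attrs
    return blocks

def check_kms_keys(hcl_text):
    """Return findings (empty list = structurally sound). Checks shape only: it cannot
    tell whether a key was copied from a published example and still needs regenerating."""
    findings = []
    blocks = parse_kms_blocks(hcl_text)
    for purpose in REQUIRED_PURPOSES:
        if purpose not in blocks:
            findings.append(f"missing kms stanza for purpose {purpose!r}")
    seen = {}  # raw key bytes -> purpose that first used them
    for purpose, attrs in blocks.items():
        if attrs.get("aead_type") != "aes-gcm":
            findings.append(f"{purpose}: aead_type {attrs.get('aead_type')!r}, expected 'aes-gcm'")
        try:
            raw = base64.b64decode(attrs.get("key", ""), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(f"{purpose}: key is not valid base64")
            continue
        if len(raw) != AES256_KEY_BYTES:
            findings.append(f"{purpose}: key is {len(raw)} bytes, expected {AES256_KEY_BYTES}")
        if raw in seen:
            findings.append(f"{purpose}: key reused from purpose {seen[raw]!r}")
        seen.setdefault(raw, purpose)
    return findings

def generate_kms_hcl():
    """Render three kms "aead" stanzas with fresh, distinct 32-byte keys in the gist's layout."""
    stanzas = []
    for purpose in REQUIRED_PURPOSES:
        key = base64.b64encode(secrets.token_bytes(AES256_KEY_BYTES)).decode("ascii")
        stanzas.append(f'kms "aead" {{\n  purpose = "{purpose}"\n  aead_type = "aes-gcm"\n  key = "{key}"\n  key_id = "global_{purpose}"\n}}')
    return "\n\n".join(stanzas)
```

Running `check_kms_keys` over a config file only flags shape problems; the three keys published in this gist pass it and still have to be replaced with freshly generated ones before use.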