From bf4a612a2bc74d54f70d77430111191289aa914e Mon Sep 17 00:00:00 2001 From: Louis Ruch Date: Tue, 18 Nov 2025 14:39:42 -0800 Subject: [PATCH 1/3] Update Boundary Worker docs with ssh_known_hosts_path --- content/boundary/v0.21.x/content/docs/workers/index.mdx | 2 +- .../workers/common-worker-parameters.mdx | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/content/boundary/v0.21.x/content/docs/workers/index.mdx b/content/boundary/v0.21.x/content/docs/workers/index.mdx index 41bac5d425..213bcf687f 100644 --- a/content/boundary/v0.21.x/content/docs/workers/index.mdx +++ b/content/boundary/v0.21.x/content/docs/workers/index.mdx @@ -30,7 +30,7 @@ If you are using pre-0.15 workers with pre-0.15 upstream configurations, please ## Signals -The `SIGHUP` signal causes a worker to reload its configuration file to pick up any updates for the `initial_upstreams` and `tags` values. +The `SIGHUP` signal causes a worker to reload its configuration file to pick up any updates for the `initial_upstreams`, `tags` and `ssh_known_hosts_path` values. Boundary ignores other updated values. The `SIGTERM` and `SIGINT` signals initiate a graceful shutdown on a worker. The worker waits for any sessions to drain diff --git a/content/boundary/v0.21.x/content/partials/configuration-reference/workers/common-worker-parameters.mdx b/content/boundary/v0.21.x/content/partials/configuration-reference/workers/common-worker-parameters.mdx index f22e681f80..c41065a097 100644 --- a/content/boundary/v0.21.x/content/partials/configuration-reference/workers/common-worker-parameters.mdx +++ b/content/boundary/v0.21.x/content/partials/configuration-reference/workers/common-worker-parameters.mdx 
@@ -55,6 +55,11 @@ worker { `initial_upstreams`. This parameter is valid only for workers using the worker-led or controller-led registration method and for workers directly connected to HCP Boundary. +- `ssh_known_hosts_path` - Specifies the path of the `known_hosts` file to be used by the worker for + SSH host key verification of an SSH target. The path must already exist. If not provided the + worker will skip host key verification. On `SIGHUP`, the `known_hosts` file is re-parsed and new values used. + SSH targets and SSH credential injection are Enterprise-only features. + - `recording_storage_path` - A path to the local storage for recorded sessions. Boundary stores session recordings in the local storage while they are in progress. When the session is complete, Boundary moves the local session recording to remote storage and deletes the local copy. From 41d7f238dd61b20013867d6f076f73ff858d410e Mon Sep 17 00:00:00 2001 From: Louis Ruch Date: Wed, 19 Nov 2025 10:33:49 -0800 Subject: [PATCH 2/3] Update content/boundary/v0.21.x/content/docs/workers/index.mdx Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com> --- content/boundary/v0.21.x/content/docs/workers/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/boundary/v0.21.x/content/docs/workers/index.mdx b/content/boundary/v0.21.x/content/docs/workers/index.mdx index 213bcf687f..6fa080d16b 100644 --- a/content/boundary/v0.21.x/content/docs/workers/index.mdx +++ b/content/boundary/v0.21.x/content/docs/workers/index.mdx 
@@ -30,7 +30,7 @@ If you are using pre-0.15 workers with pre-0.15 upstream configurations, please ## Signals -The `SIGHUP` signal causes a worker to reload its configuration file to pick up any updates for the `initial_upstreams`, `tags` and `ssh_known_hosts_path` values. +The `SIGHUP` signal causes a worker to reload its configuration file to pick up any updates for the `initial_upstreams`, `tags`, and `ssh_known_hosts_path` values. Boundary ignores other updated values. The `SIGTERM` and `SIGINT` signals initiate a graceful shutdown on a worker. The worker waits for any sessions to drain From 67be540a1f9690a49b15a092a474f441b051a18c Mon Sep 17 00:00:00 2001 From: Louis Ruch Date: Wed, 19 Nov 2025 10:34:29 -0800 Subject: [PATCH 3/3] Update content/boundary/v0.21.x/content/partials/configuration-reference/workers/common-worker-parameters.mdx Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com> --- .../workers/common-worker-parameters.mdx | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/content/boundary/v0.21.x/content/partials/configuration-reference/workers/common-worker-parameters.mdx b/content/boundary/v0.21.x/content/partials/configuration-reference/workers/common-worker-parameters.mdx index c41065a097..226973b365 100644 --- a/content/boundary/v0.21.x/content/partials/configuration-reference/workers/common-worker-parameters.mdx +++ b/content/boundary/v0.21.x/content/partials/configuration-reference/workers/common-worker-parameters.mdx 
@@ -55,9 +55,8 @@ worker { `initial_upstreams`. This parameter is valid only for workers using the worker-led or controller-led registration method and for workers directly connected to HCP Boundary. -- `ssh_known_hosts_path` - Specifies the path of the `known_hosts` file to be used by the worker for - SSH host key verification of an SSH target. The path must already exist. If not provided the - worker will skip host key verification. On `SIGHUP`, the `known_hosts` file is re-parsed and new values used. +- `ssh_known_hosts_path` - Specifies the path of the `known_hosts` file that the worker uses to verify an SSH target's SSH host key. The path must already exist. If you do not provide a path, the + worker skips host key verification. On `SIGHUP`, the `known_hosts` file is reparsed and the new values are used. SSH targets and SSH credential injection are Enterprise-only features. - `recording_storage_path` - A path to the local storage for recorded sessions.
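Review bot: In the `## Signals` hunk of PATCH 1/3 (index.mdx), adding `ssh_known_hosts_path` to the list beside `initial_upstreams` and `tags` says the configured path value is reloaded on `SIGHUP`, while the parameter entry in common-worker-parameters.mdx only says the `known_hosts` file is re-parsed. Please state which is meant, or that both are. If the value itself is reloaded, the page should also say what happens when the parameter is removed from the configuration and the worker then receives `SIGHUP`, because the parameter entry says a worker without a path skips host key verification.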
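Review bot: In the `ssh_known_hosts_path` entry added by PATCH 1/3 (common-worker-parameters.mdx), "If not provided the worker will skip host key verification" describes a default with verification off, and it sits mid-paragraph where it is easy to miss. Suggest giving it its own sentence or callout and recommending that the parameter be set on workers that serve SSH targets. The entry also does not say what the worker does when a target's host key is absent from the file or does not match an entry; one sentence on that would complete it.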
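Review bot: In the reworded `ssh_known_hosts_path` entry of PATCH 3/3, "The path must already exist" still does not say what happens when it does not. Does the worker refuse to start, and on `SIGHUP` does a missing or unparseable file keep the previously loaded keys or fall back to skipping verification? Please document both cases. Minor wording: "an SSH target's SSH host key" repeats "SSH" and could read "an SSH target's host key", and the first line of the entry is now much longer than the wrapped lines that follow it.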