Set up a ConfigHub worker. Default: a server worker (cub worker create --is-server-worker) — no process to run, and all that OCI / ConfigHub Targets need. Run an external worker (cub worker run / install) only to host custom worker functions. Phrases: set up a worker, do I need to run a worker, add custom functions. Not for creating Targets (use target-bind).
76
—
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Get a ConfigHub worker in place so Targets can function. In the common case there is nothing to run.
Confirm verbs and flags with cub <verb> --help before composing.
OCI and ConfigHub Targets are served by server workers — bridges hosted inside the ConfigHub server. You do not run a process to create or use them. A worker entity is still required (a Target references one), but for delivery it's a one-line --is-server-worker create.
You only run an external worker to host custom worker functions — your own function implementations that aren't built into the server.
So pick the path:
| Goal | Path |
|---|---|
| Publish Units to OCI for Argo/Flux, or apply ConfigHub-native config | Server worker (below) — no process |
| Provide custom worker functions of your own | External worker (below) — runs a process |
target-bind (Targets reference a worker but are a separate step).cub-apply.cub auth status succeeds — it contacts the server's /me endpoint to confirm the token is still valid (not just local login state). If it fails, ask the user to run cub auth login (an interactive browser sign-in an agent cannot complete).kubectl config current-context points at the intended cluster (if installing in-cluster), or you have a host to run cub worker run on.cub worker create --space <space> --allow-exists --is-server-worker server-worker--allow-exists makes it idempotent. Place it in any Space (default is a common home); reference cross-Space as <space>/server-worker.--use-user-identity if the worker should operate as the requesting user (required for some ConfigHub-provider operations).--change-desc — workers aren't versioned configuration data.That's it. Hand off to target-bind to create an OCI or ConfigHub Target against <space>/server-worker.
Run an external worker when you need it to host custom worker functions. Create the entity, then run or install it, then confirm it advertises its functions.
cub worker create --space <space> <worker-slug> # the entity (no --is-server-worker)Run locally (simplest for development):
cub worker run --space <space> <worker-slug> # see `cub worker run --help` for type/function flagsInstall into a cluster (cub worker install generates the manifest — Deployment, ServiceAccount, RBAC, credential Secret — it does not apply it):
# Direct install (bootstrap):
cub worker install <worker-slug> --space <space> --namespace confighub --export --include-secret | kubectl apply -f -
# Or store the manifest as a ConfigHub-managed Unit and apply it via cub-apply:
cub worker install <worker-slug> --space <space> --namespace confighub --export > /tmp/worker-manifest.yaml
cub unit create --space <space> <worker-slug>-manifest /tmp/worker-manifest.yaml -o mutations \
--change-desc "Store worker manifest as a ConfigHub-managed Unit.
User prompt: <verbatim>
Clarifications: <condensed>"The credential Secret is redacted by default; use --include-secret only when you genuinely need it inlined, and keep credentials in an external SecretStore rather than Unit data (see references/yaml-patterns.md). Image defaults to the pinned ghcr.io/confighubai/confighub-worker release.
Verify it's healthy and advertising the expected custom functions:
cub worker get --space <space> <worker-slug> # condition: Ready
cub worker status --space <space> <worker-slug> # recent heartbeat
cub worker list-function --space <space> <worker-slug> # custom functions presentPod-level fallback for an in-cluster worker that won't start: kubectl -n confighub describe pod <worker-pod> + cub worker logs --space <space> <worker-slug>.
cub worker create (incl. --is-server-worker), cub worker install/upgrade/update, cub unit create/update for the managed-manifest variant.cub worker get/list/logs/status/list-function, cub worker get-envs/get-secret, kubectl get/describe/logs on the worker namespace.kubectl apply/edit/delete against worker resources except the documented direct-install pipe; otherwise flow through a Unit.kubectl config current-context disagrees with the intended cluster — reconcile first.CrashLoopBackOff) — collect kubectl describe pod + cub worker logs, surface the error, stop.cub worker get --space <space> server-worker shows it exists; that's all a delivery Target needs.cub worker status (recent heartbeat) + cub worker list-function (custom functions present).cub worker get --space <space> <worker-slug> --web — worker details in the GUI.cub unit get --space <space> <worker-slug>-manifest --web — for the managed-manifest variant.cub worker create --help, cub worker run --help, cub worker install --help — authoritative flags.https://docs.confighub.com/markdown/guide/workers.md.references/cub-cli.md — CLI conventions.references/yaml-patterns.md — Secret handling in Units.target-bind (create the OCI / ConfigHub Target against the worker), cub-apply (apply/publish).82d0282
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.