Deploying an Insight Point using the install script

Generic instructions for running an Insight Point as a Docker container on Debian / Ubuntu / Amazon Linux / RedHat Linux.

Veza maintains a script you can use to quickly install and run an Insight Point with Docker. Follow these steps to set up your environment, run the latest install script, and manage the deployment.

The Insight Point installation script includes automatic features to reduce manual configuration steps:

  • Proxy Inheritance: HTTP proxy settings from the host environment are automatically applied to new installations

  • Certificate Detection: Host certificate bundles are automatically detected and mounted for new installations

  • Enhanced Connectivity Feedback: Improved connectivity testing includes proxy information display and dedicated status scripts

Note: Feature availability may vary by Veza release version. Some automatic features apply to new installations and may require reinstallation for existing Insight Points.

Prerequisites

  • Systemd

  • Docker (or Podman with Docker compatibility)

  • System resources meeting the Insight Point requirements (minimum: 2 CPU cores, 4 GB RAM)

Install Docker

sudo dnf install -y docker
sudo systemctl enable docker
sudo systemctl start docker

Install

Generate an Insight Point key from the Veza Integrations > Insight Point page. Store it as an environment variable before downloading and executing the script:

INSIGHT_POINT_KEY="<key>" bash -c "$(curl -fsSL https://veza-releases.s3.us-east-1.amazonaws.com/insightpoint/install.sh)"

or

export INSIGHT_POINT_KEY="<key>"
bash -c "$(curl -fsSL https://veza-releases.s3.us-east-1.amazonaws.com/insightpoint/install.sh)"
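Added example (not part of Veza's documentation or install script): the same install command split into download, digest check and run, so the script that executes is the one that was reviewed. The pinned digest is a value you record yourself after reading the script, since this page publishes none; the function names are hypothetical, and it is assumed the script behaves the same when run from a file as through bash -c.

```shell
#!/usr/bin/env bash
# Added example, not Veza code. Function names are hypothetical.
INSTALL_URL="https://veza-releases.s3.us-east-1.amazonaws.com/insightpoint/install.sh"

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED: return 0 only if FILE is non-empty and its
# digest equals EXPECTED (case-insensitive); 2 = empty/missing, 1 = mismatch.
verify_script() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 2; }
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ] || { echo "digest mismatch: got $actual" >&2; return 1; }
}

# install_pinned EXPECTED [ACTION]: download to a temp file, verify, then run.
# ACTION is one of the page's arguments (uninstall, remove, reinstall) or empty.
install_pinned() {
  local expected="$1" action="${2:-}" tmp rc
  tmp=$(mktemp) || return 1
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$INSTALL_URL" &&
    verify_script "$tmp" "$expected" &&
    bash "$tmp" ${action:+"$action"}
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage (assumption: INSIGHT_POINT_KEY is read from the environment, as in the
# commands above; reading it with -s keeps the key out of shell history):
#   read -rs INSIGHT_POINT_KEY && export INSIGHT_POINT_KEY
#   install_pinned "<sha256 recorded after your review>"
```

The check fails whenever the published script changes, which is the cue to review the new version and record its digest.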

Post-Installation

The Insight Point automatically performs a connectivity test when the container starts. Recent enhancements provide improved feedback:

  • HTTP proxy information is now included in connectivity test output for easier debugging

  • Connectivity test results are available via the status script for streamlined troubleshooting

Viewing Connectivity Results:

# Use the status script (recommended)
/opt/veza-insight-point/bin/status

# Or check recent service logs
journalctl -u veza-insight-point.service -n 50

The connectivity test output includes connection status to your Veza tenant, HTTP proxy information (if configured), certificate bundle configuration status, and any connectivity issues or configuration recommendations.

Remove

Uninstall

Uninstall will remove all components of the Insight Point but will not remove the configuration in /etc/veza-insight-point.

bash -c "$(curl -fsSL https://veza-releases.s3.us-east-1.amazonaws.com/insightpoint/install.sh)" -- uninstall

Remove

Remove will remove all components of the Insight Point and the configuration in /etc/veza-insight-point. The Insight Point Key will be lost (if not backed up).

bash -c "$(curl -fsSL https://veza-releases.s3.us-east-1.amazonaws.com/insightpoint/install.sh)" -- remove

Advanced Configuration

Pull from a different registry

If the Insight Point image must be pulled from a pull-through cache or private registry (where the image is mirrored), you can override the image repository with the IMAGE_REPOSITORY config setting.

Create or edit the configuration in /etc/veza-insight-point/service.env to set the IMAGE_REPOSITORY configuration:

IMAGE_REPOSITORY="registry.example.com/veza/insight-point"

To pull an image version other than the default image tag (latest), configure the override using the IMAGE_TAG option:

IMAGE_TAG="myversion1"

After the changes have been made and saved, restart the Insight Point service:

sudo systemctl restart veza-insight-point

Check that the service has started successfully by running the following command:

systemctl status veza-insight-point

Using a proxy server

Automatic Proxy Detection (Recommended)

For new Insight Point installations, HTTP proxy settings are automatically inherited from the host system's HTTP_PROXY environment variable. This eliminates the need for manual proxy configuration in most environments.

To verify automatic proxy detection is working:

  1. Ensure the host system has HTTP_PROXY set in the environment

  2. Run the installation script

  3. Check the connectivity test output for proxy information

Manual Proxy Configuration

If you need to use a different proxy configuration or disable automatic detection, you can manually configure proxy settings.

To disable automatic proxy inheritance, create or edit /etc/veza-insight-point/config.env and add:

# Set to 0 to disable automatic proxy detection, 1 to enable (default for new installations)
HTTP_PROXY_HOST_CONFIG=0

To manually configure proxy settings, add these lines to /etc/veza-insight-point/config.env:

HTTP_PROXY=http://proxy.local:8080
HTTPS_PROXY=http://proxy.local:8080
NO_PROXY=*.domain.local,*.domain2.local

Proxy Information Display

Connectivity tests display current proxy configuration details including:

  • Current proxy configuration being used by the Insight Point

  • Whether proxy settings were inherited from the host or manually configured

  • Any proxy-related connectivity issues

To configure custom certificates, see the Using custom certificates section.

After making configuration changes, restart the Insight Point service:

sudo systemctl restart veza-insight-point

Check that the service has started successfully by running the following command:

systemctl status veza-insight-point

Configuring Insight Point to forward connections to Veza (early access)

An Insight Point can proxy connections to Veza, allowing you to send Open Authorization API (OAA) payloads to a locally accessible server within a VPC instead of directly over the internet.

When a proxy port is enabled in the configuration, applications can push to the Insight Point's internal network address (e.g., http://localhost:8080/api/v1/providers/custom/...), instead of making API calls directly to Veza's cloud service (https://$VEZA_URL/api/v1/providers/custom/...).

Create or edit the configuration file /etc/veza-insight-point/service.env to set the proxy port:

PROXY_PORT=8080

Save the changes. Then, restart the Insight Point service:

sudo systemctl restart veza-insight-point

The proxy server has been supported since Veza release 2025.5.x. For older Insight Points, you will need to reinstall before you can enable a proxy port:

bash -c "$(curl -fsSL https://veza-releases.s3.us-east-1.amazonaws.com/insightpoint/install.sh)" -- reinstall

Using custom certificates

Automatic Certificate Bundle Detection (Recommended)

For new Insight Point installations, the system automatically detects and mounts the host's certificate bundle to the container. This removes the manual certificate configuration step for properly configured hosts, such as those using Zscaler or other enterprise certificate management systems.

The automatic certificate detection locates the host system's certificate bundle and mounts it to the Insight Point container. This works with common enterprise certificate management solutions and eliminates manual certificate configuration in most environments.

Manual Certificate Configuration

If automatic certificate detection doesn't work for your environment or you need to use a specific certificate bundle, you can manually configure certificates.

Create or edit the configuration file /etc/veza-insight-point/service.env to mount custom certificates to the Insight Point container:

CONTAINER_FLAGS="-v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt"

For custom certificate bundle locations, adjust the path accordingly:

CONTAINER_FLAGS="-v /path/to/your/custom-ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt"

After making configuration changes, restart the Insight Point service:

sudo systemctl restart veza-insight-point

Check that the service has started successfully by running the following command:

systemctl status veza-insight-point
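Added example (not Veza code): a read-only lint of the two env files edited in the proxy and certificate sections above, covering file permissions, credentials embedded in a proxy URL, and CONTAINER_FLAGS bind mounts whose host path is missing or is not a PEM file. The function names and finding labels are hypothetical, and the checks are an editor's suggestions rather than requirements stated by Veza.

```shell
#!/usr/bin/env bash
# Added example, not Veza code. The files are parsed, never sourced.

# env_get FILE KEY: print the last KEY=value in FILE with surrounding quotes stripped.
env_get() {
  [ -r "$1" ] || return 0
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
    sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# audit_insight_point [DIR]: print one finding per line; return 1 if any were printed.
audit_insight_point() {
  local dir="${1:-/etc/veza-insight-point}" found=0 f v host prev word
  for f in "$dir/service.env" "$dir/config.env"; do
    [ -e "$f" ] || continue
    # This directory also holds the Insight Point key, so keep its files owner-only.
    if [ -n "$(find "$f" -prune \( -perm -004 -o -perm -002 \))" ]; then
      echo "PERM $f is readable or writable by other users"; found=1
    fi
  done
  for v in HTTP_PROXY HTTPS_PROXY; do
    # Connectivity test output includes proxy information, so credentials
    # placed in the URL may end up in terminal output and service logs.
    case $(env_get "$dir/config.env" "$v") in
      *://*:*@*) echo "PROXY $v embeds credentials in the URL"; found=1 ;;
    esac
  done
  # For each "-v host:container" pair the host side must be an existing PEM file.
  # Docker creates a directory for a missing host path, which then replaces the bundle.
  prev=
  for word in $(env_get "$dir/service.env" CONTAINER_FLAGS); do
    if [ "$prev" = "-v" ]; then
      host=${word%%:*}
      if [ ! -f "$host" ]; then
        echo "MOUNT $host is not a regular file"; found=1
      elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$host"; then
        echo "MOUNT $host contains no PEM certificate"; found=1
      fi
    fi
    prev=$word
  done
  return "$found"
}
```

Run `audit_insight_point` with no argument to lint /etc/veza-insight-point before restarting the service.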

Troubleshooting

The Insight Point installation includes a dedicated status script for health checking without requiring log inspection. This script is the recommended first step for troubleshooting.

Run the status script to check Insight Point health:

/opt/veza-insight-point/bin/status

The status script checks:

  • Service Status: Whether the Insight Point service is running

  • Health Endpoint: Whether the service is responding to health checks

  • Connectivity Test: Network connectivity to your Veza tenant

  • Configuration: Current proxy and certificate settings

This script provides immediate feedback on common issues and is ideal for iterative troubleshooting when making configuration changes.

Service Status

Retrieve the status of the Insight Point systemd service:

systemctl status veza-insight-point.service

Connectivity Testing

Connectivity test results are displayed in the terminal. For ongoing troubleshooting, use the status script above or check recent logs for connectivity information.

Logs

For detailed troubleshooting when the status script indicates issues, examine the service logs:

Retrieve the last 500 log lines for the Insight Point service:

journalctl -n 500 -u veza-insight-point.service

Follow logs for the Insight Point service:

journalctl -u veza-insight-point.service -f

Reinstall

Reinstall will remove the currently installed Insight Point service and install it again. All configuration in /etc/veza-insight-point will be preserved.

bash -c "$(curl -fsSL https://veza-releases.s3.us-east-1.amazonaws.com/insightpoint/install.sh)" -- reinstall

Tips & Best Practices

Using the Status Script for Iterative Troubleshooting

When configuring proxy settings or troubleshooting connectivity issues, use the status script to quickly verify changes without examining logs:

# Make configuration changes
sudo systemctl restart veza-insight-point

# Check if the changes resolved the issue
/opt/veza-insight-point/bin/status

This approach is much faster than manually inspecting service logs and provides immediate feedback on whether configuration changes are working.

When Manual Configuration is Still Needed

While automatic features handle most scenarios, manual configuration may be required for:

  • Custom Proxy Settings: When the desired proxy differs from the host's HTTP_PROXY setting

  • Specific Certificate Bundles: When using certificates in non-standard locations

  • Enterprise Environments: Where automatic detection may not work due to security policies

  • Legacy Installations: Older Insight Points may not have all automatic features

Troubleshooting Automatic Features

If automatic proxy or certificate detection isn't working:

  1. Check the connectivity test output for configuration details

  2. Verify the host system's environment variables (echo $HTTP_PROXY)

  3. Use the status script to see current configuration

  4. Fall back to manual configuration if needed
