Insight Point (Helm Chart)

Deploy an Insight Point to a Kubernetes cluster.

The Kubernetes integration requires an Insight Point running within the cluster to discover RBAC entities. When adding the integration, you will specify the cluster details and the Insight Point to use. Veza provides a helm chart to simplify the process of deploying and managing the Insight Point.

Configuration Options

The Insight Point Helm chart accepts the following configuration parameters via --set flags. Typically only key is required.

Parameter

Description

Default

Example

key

Insight Point Registration key for connecting to Veza

""

--set key=abc123

addr

Address for Veza API connection, overriding the one provided by the key

""

--set addr=customer.vezacloud.com

skipVerify

Disable TLS certificate validation

false

--set skipVerify=true

authority

Overrides the request authority for certificate validation

""

--set authority=veza.example.com

key is your unique Insight Point registration key, generated in the Veza UI.
- Create a key in Veza: Integrations > Insight Points > Create
- Store this value securely as it cannot be recovered if lost
skipVerify (TLS_INSECURE_SKIP_VERIFY) should only be set to true to disable certificate validation for testing/troubleshooting.

Configuring Proxy CA Certificates

When using an HTTPS inspection proxy:

Set to addrto your proxy's address if different from the Veza endpoint. This value overrides the default request authority.
Ensure your proxy can connect to your Veza deployment.
authority specifies the domain name to use for TLS certificate validation and is only required when addr points to a proxy instead of directly to Veza. Must be a specific domain (wildcards not supported).

To trust an HTTPS proxy, you will need to modify the Helm chart to add a volume for the proxy's CA certificate, mount it into the container, and configure the certificate path:

spec:
  template:
    spec:
      volumes:
        - name: proxy-ca-certs
          secret:
            secretName: proxy-ca-cert
      containers:
        - name: {{ .Chart.Name }}
          volumeMounts:
            - name: proxy-ca-certs
              mountPath: /etc/ssl/certs/proxy
              readOnly: true

Requirements

A Kubernetes Helm chart is a package format used to define, install, and upgrade applications in Kubernetes. Helm is often referred to as a package manager for Kubernetes. To install the chart, you will need:

System Resources: Ensure your Kubernetes cluster has sufficient resources to meet the Insight Point system requirements (minimum: 2 CPU cores, 4 GB RAM per Insight Point pod).
Insight Point Key: You will need to generate a secret key for the Insight Point. To create one, go to Veza Integrations > Insight Point > Create.
Insight Point Version: Note the most recent Insight Point version (e.g. 2024.8.12-9) from Veza's OCI repository.
Access to the Kubernetes Cluster: Ensure you have the necessary permissions and access credentials to interact with the target Kubernetes cluster.
Helm Installed: Ensure Helm version 3.8 or greater is installed on your local machine. You can install Helm by following the official documentation: Helm Installation.
Your organization security policies must allow chart installation from the VEZA ECR public.ecr.aws/veza

Install Insight Point (Helm Chart)

Customize Values and Install the Insight Point:
Use the helm install command to install the Insight Point into the Kubernetes cluster. Replace <NAME>, <VERSION>, <KEY>, and key with your specific values:
```
helm install <NAME> oci://public.ecr.aws/veza/helm-chart/insight-point --version <VERSION> --namespace <NAMESPACE> --create-namespace  --set key=<KEY>
```
- --namespace <NAMESPACE>: required if installing the Insight Point into a different namespace than the default.
- --create-namespace: required if the namespace does not exist yet.
- --set enableSecrets=true: optional field, required to enable Kubernetes Secrets extraction. Secrets will not be extracted by default.
An Veza Insight Point Key must be provided. To do this, you can specify the value with the --set key=<registration-key> option when installing the chart.
Example:
```
helm install veza-insight-point oci://public.ecr.aws/veza/helm-chart/insight-point --version 2024.1.29-1 --namespace veza --create-namespace --set enableSecrets=true --set key=key
```
Verify Installation:
Verify the status of the installation by running:
```
helm list -n <NAMESPACE>
```
This command will return a list of Helm releases, including the Insight Point you just installed. Ensure the STATUS is "DEPLOYED."
Get Insight Point Logs:
If the Insight Point fails to initialize or can't connect to Veza, you can get more details by reviewing the container logs. You can retrieve this using the terminal:
```
kubectl logs -l app=<veza-insight-point> -n <NAMESPACE>
```
Upgrade and Maintain:
Over time, you may need to upgrade the Insight Point to newer versions or adjust its configuration. Use the helm upgrade command to make these changes.
Example:
```
helm upgrade <veza-insight-point> oci://public.ecr.aws/veza/helm-chart/insight-point --version <VERSION> --namespace <NAMESPACE>
```
Uninstall the Insight Point:
If you need to uninstall the Insight Point, you can do so using the helm uninstall command:
```
helm uninstall <veza-insight-point> --namespace <NAMESPACE>
```

PreviousDeploy with Azure Container Instances NextSecrets Vaults

Last updated 2 months ago

Was this helpful?

Configuration Options

The Insight Point Helm chart accepts the following configuration parameters via --set flags. Typically only key is required.

Parameter

Description

Default

Example

key

Insight Point Registration key for connecting to Veza

""

--set key=abc123

addr

Address for Veza API connection, overriding the one provided by the key

""

--set addr=customer.vezacloud.com

skipVerify

Disable TLS certificate validation

false

--set skipVerify=true

authority

Overrides the request authority for certificate validation

""

--set authority=veza.example.com

key is your unique Insight Point registration key, generated in the Veza UI.

Create a key in Veza: Integrations > Insight Points > Create
Store this value securely as it cannot be recovered if lost

skipVerify (TLS_INSECURE_SKIP_VERIFY) should only be set to true to disable certificate validation for testing/troubleshooting.

Configuring Proxy CA Certificates

When using an HTTPS inspection proxy:

Set to addrto your proxy's address if different from the Veza endpoint. This value overrides the default request authority.

Ensure your proxy can connect to your Veza deployment.

authority specifies the domain name to use for TLS certificate validation and is only required when addr points to a proxy instead of directly to Veza. Must be a specific domain (wildcards not supported).

To trust an HTTPS proxy, you will need to modify the Helm chart to add a volume for the proxy's CA certificate, mount it into the container, and configure the certificate path:

spec:
  template:
    spec:
      volumes:
        - name: proxy-ca-certs
          secret:
            secretName: proxy-ca-cert
      containers:
        - name: {{ .Chart.Name }}
          volumeMounts:
            - name: proxy-ca-certs
              mountPath: /etc/ssl/certs/proxy
              readOnly: true

Requirements

System Resources: Ensure your Kubernetes cluster has sufficient resources to meet the Insight Point system requirements (minimum: 2 CPU cores, 4 GB RAM per Insight Point pod).

Insight Point Key: You will need to generate a secret key for the Insight Point. To create one, go to Veza Integrations > Insight Point > Create.

Insight Point Version: Note the most recent Insight Point version (e.g. 2024.8.12-9) from Veza's OCI repository.

Access to the Kubernetes Cluster: Ensure you have the necessary permissions and access credentials to interact with the target Kubernetes cluster.

Helm Installed: Ensure Helm version 3.8 or greater is installed on your local machine. You can install Helm by following the official documentation: Helm Installation.

Your organization security policies must allow chart installation from the VEZA ECR public.ecr.aws/veza

Install Insight Point (Helm Chart)

Customize Values and Install the Insight Point:

Use the helm install command to install the Insight Point into the Kubernetes cluster. Replace <NAME>, <VERSION>, <KEY>, and key with your specific values:

helm install <NAME> oci://public.ecr.aws/veza/helm-chart/insight-point --version <VERSION> --namespace <NAMESPACE> --create-namespace  --set key=<KEY>

--namespace <NAMESPACE>: required if installing the Insight Point into a different namespace than the default.
--create-namespace: required if the namespace does not exist yet.
--set enableSecrets=true: optional field, required to enable Kubernetes Secrets extraction. Secrets will not be extracted by default.

An Veza Insight Point Key must be provided. To do this, you can specify the value with the --set key=<registration-key> option when installing the chart.

Example:

helm install veza-insight-point oci://public.ecr.aws/veza/helm-chart/insight-point --version 2024.1.29-1 --namespace veza --create-namespace --set enableSecrets=true --set key=key

Verify Installation:

Verify the status of the installation by running:

helm list -n <NAMESPACE>

This command will return a list of Helm releases, including the Insight Point you just installed. Ensure the STATUS is "DEPLOYED."

Get Insight Point Logs:

If the Insight Point fails to initialize or can't connect to Veza, you can get more details by reviewing the container logs. You can retrieve this using the terminal:

kubectl logs -l app=<veza-insight-point> -n <NAMESPACE>

Upgrade and Maintain:

Over time, you may need to upgrade the Insight Point to newer versions or adjust its configuration. Use the helm upgrade command to make these changes.

Example:

helm upgrade <veza-insight-point> oci://public.ecr.aws/veza/helm-chart/insight-point --version <VERSION> --namespace <NAMESPACE>

Uninstall the Insight Point:

If you need to uninstall the Insight Point, you can do so using the helm uninstall command:

helm uninstall <veza-insight-point> --namespace <NAMESPACE>