The Kubernetes integration requires an Insight Point running within the cluster to discover RBAC entities. When adding the integration, you will specify the cluster details and the Insight Point to use. Veza provides a helm chart to simplify the process of deploying and managing the Insight Point.

Configuration Options

The Insight Point Helm chart accepts the following configuration parameters via --set flags. Typically only key is required.

• key is your unique Insight Point registration key, generated in the Veza UI.

  • Create a key in Veza: Integrations > Insight Points > Create

  • Store this value securely as it cannot be recovered if lost

• skipVerify (TLS_INSECURE_SKIP_VERIFY) should only be set to true to disable certificate validation for testing/troubleshooting.

Configuring Proxy CA Certificates

When using an HTTPS inspection proxy:

• Set to addrto your proxy's address if different from the Veza endpoint. This value overrides the default request authority.

• Ensure your proxy can connect to your Veza deployment.

• authority specifies the domain name to use for TLS certificate validation and is only required when addr points to a proxy instead of directly to Veza. Must be a specific domain (wildcards not supported).

To trust an HTTPS proxy, you will need to modify the Helm chart to add a volume for the proxy's CA certificate, mount it into the container, and configure the certificate path:

spec:
  template:
    spec:
      volumes:
        - name: proxy-ca-certs
          secret:
            secretName: proxy-ca-cert
      containers:
        - name: {{ .Chart.Name }}
          volumeMounts:
            - name: proxy-ca-certs
              mountPath: /etc/ssl/certs/proxy
              readOnly: true

Requirements

A Kubernetes Helm chart is a package format used to define, install, and upgrade applications in Kubernetes. Helm is often referred to as a package manager for Kubernetes. To install the chart, you will need:

• System Resources: Ensure your Kubernetes cluster has sufficient resources to meet the Insight Point system requirements (minimum: 2 CPU cores, 4 GB RAM per Insight Point pod).

• Insight Point Key: You will need to generate a secret key for the Insight Point. To create one, go to Veza Integrations > Insight Point > Create.

• Insight Point Version: Note the most recent Insight Point version (e.g. 2024.8.12-9) from Veza's OCI repository.

• Access to the Kubernetes Cluster: Ensure you have the necessary permissions and access credentials to interact with the target Kubernetes cluster.

• Helm Installed: Ensure Helm version 3.8 or greater is installed on your local machine. You can install Helm by following the official documentation: Helm Installation.

• Your organization security policies must allow chart installation from the VEZA ECR public.ecr.aws/veza

Install Insight Point (Helm Chart)

1. Customize Values and Install the Insight Point:

   Use the helm install command to install the Insight Point into the Kubernetes cluster. Replace <NAME>, <VERSION>, <KEY>, and key with your specific values:

   Copy

   helm install <NAME> oci://public.ecr.aws/veza/helm-chart/insight-point --version <VERSION> --namespace <NAMESPACE> --create-namespace  --set key=<KEY>

   • --namespace <NAMESPACE>: required if installing the Insight Point into a different namespace than the default.

   • --create-namespace: required if the namespace does not exist yet.

   • --set enableSecrets=true: optional field, required to enable Kubernetes Secrets extraction. Secrets will not be extracted by default.

   An Veza Insight Point Key must be provided. To do this, you can specify the value with the --set key=<registration-key> option when installing the chart.

   Example:

   Copy

   helm install veza-insight-point oci://public.ecr.aws/veza/helm-chart/insight-point --version 2024.1.29-1 --namespace veza --create-namespace --set enableSecrets=true --set key=key

2. Verify Installation:

   Verify the status of the installation by running:

   Copy

   helm list -n <NAMESPACE>

   This command will return a list of Helm releases, including the Insight Point you just installed. Ensure the STATUS is "DEPLOYED."

3. Get Insight Point Logs:

   If the Insight Point fails to initialize or can't connect to Veza, you can get more details by reviewing the container logs. You can retrieve this using the terminal:

   Copy

   kubectl logs -l app=<veza-insight-point> -n <NAMESPACE>

4. Upgrade and Maintain:

   Over time, you may need to upgrade the Insight Point to newer versions or adjust its configuration. Use the helm upgrade command to make these changes.

   Example:

   Copy

   helm upgrade <veza-insight-point> oci://public.ecr.aws/veza/helm-chart/insight-point --version <VERSION> --namespace <NAMESPACE>

5. Uninstall the Insight Point:

   If you need to uninstall the Insight Point, you can do so using the helm uninstall command:

   Copy

   helm uninstall <veza-insight-point> --namespace <NAMESPACE>

What is a Veza Insight Point?

An Insight Point is a lightweight connector running in your environment to enable the secure gathering of authorization metadata for resources that Veza cannot access directly. An Insight Point is typically deployed as a Docker container or VM OVA.

Typically, you will want an Insight Point to enable secure discovery of services (such as Active Directory, Oracle Database, or SQL Server) that require connectivity from within your corporate network. The Insight Point will run within your network to query the internal-only data sources for authorization metadata and push that information to Veza securely.

When do I need an Insight Point?

Deploying an Insight Point for Veza is usually not required, but might be necessary:

• When the resources to discover are not exposed publicly.

• To discover databases and other services that do not have cloud-native APIs.

• If your organization prohibits 3rd-party programmatic access to cloud service providers.

• To discover on-premise Active Directory and SQL Server.

Installation Options

• Veza provides an installation script to install an Insight Point for common Linux distributions.

• The Insight Point is also available as an OVA image suitable for Oracle Virtualbox or VMWare VSphere. This option can be preferable to Docker for Windows-based environments.

• For AWS environments, see Deploy with AWS EC2 for instructions to start an Insight Point on AWS EC2.

After deploying the Insight Point, you can specify it when configuring an integration. Veza will use the Insight Point for secure collection and transmission of entity metadata.

System Requirements

Before deploying an Insight Point, ensure your environment meets the following minimum requirements:

Note: These are minimum requirements for typical deployments. For large data sources, see Known Issues for additional resource recommendations. If you experience performance issues or timeouts during data collection, consider increasing CPU and memory allocation. Contact Veza support for guidance on resource scaling for your specific environment.

Generating an Insight Point key

Log in to Veza with an administrator account, and create a registration key by browsing to Integrations > Insight Points:

1. Click Create

2. Enter a Name

3. Click Generate Key

4. Copy the key for use when running the docker image

Save the Insight Point key in a secure location. If lost, there is no way to recover it.

Known Issues

Large Data Source Extractions

When connecting to very large data sources—such as Active Directory domains with 100,000+ users or databases with extensive metadata—Insight Points may experience instability during data extraction. In this case, standard minimum resources may be insufficient, leading to performance issues or service interruptions.

If the Insight Point becomes unresponsive during extraction jobs, requires manual restart to resume operation, or extraction jobs timeout before completing, these symptoms typically indicate that the Insight Point is struggling with resource constraints when processing data.

To address these issues, consider increasing resource allocation significantly beyond the minimum requirements. For Active Directory environments with 300,000+ entities, use a minimum of 8 GB RAM, 2 CPU cores, and 40 GB storage. Monitor the Insight Point container logs for memory exhaustion or resource-related errors that can help identify the root cause of stability issues.

• Ensure the network connection between the Insight Point and target systems is stable throughout long-running extraction processes. Network interruptions can cause extraction failures that require restarting the entire process.

• For organizations with 9 or more Active Directory domains, consider deploying multiple Insight Points to distribute processing load across instances.

• For particularly large environments, contact Veza support for specific resource sizing recommendations and potential optimizations tailored to your deployment.

Troubleshooting

• Insufficient Resources: Ensure the Insight Point meets the system requirements. The instance must have at least 2 CPU cores and 4 GB RAM allocated.

Refer to specific deployment guides for troubleshooting steps.

• Install Script

Checking connectivity

The Insight Point automatically checks for connectivity on container start. This includes steps to resolve the DNS and verify TCP and HTTP communication. If there are connection problems, the container logs will indicate if a connection was refused, a host could not be found, or there is another issue.

Monitoring Insight Point availability

The Veza platform emits an Insight Point Unavailable event after the Insight Point is unavailable for several minutes. To reduce the number of times this event triggers, the task manager will not re-emit the event for 24h hours. An administrator can configure event subscriptions to get email notifications when connectivity issues impact Veza data collection.

Note: If the Insight Point task manager service is restarted, the event can be emitted sooner than the 24-hour window.

To enable email alerts when an Insight Point is unavailable:

1. Use the Veza navigation menu to open Administration > Event Subscriptions

2. Click Create Subscription

3. On the Details tab, enter a descriptive name to communicate the alert purpose.

4. On the Conditions tab:

   • Set Event Type to "Insight Point Unavailable"

   • Set Severity to "Error"

   • Set Category to "Integrations"

5. On the Action → Send Alert tab, select or create an email Veza Action

6. Click Create to save the subscription

Changing an Insight Point

When modifying the Insight Point associated with an integration — for example, if the registration key is lost — you will need to re-enter the credentials and secrets for that integration configuration.

• Follow the instructions to start another Insight Point with a new deployment key

• On the Integrations page, edit the integration configuration to re-enter the credentials for each affected integration.

Ports and connectivity

The Insight Point will communicate out from the container VM to the Veza Tenant and targeted systems. Your implementation must enable traffic to and from the host on the required ports.

Also, the host must be able to communicate out to the ECR repository hosting the insight point image.

• The Insight Point must be able to communicate with https://<your-org>.vezacloud.com on outbound port 443. Ensure that firewalls allow outbound traffic to the Veza tenant domain.

• For Active Directory and SQL Server: The Insight Point must be allowed to communicate with Active Directory Domain Controllers on port 636, and SQL Servers on port 1433.

• For AWS RDS and Trino: To discover AWS RDS or Trino instances, you will need to add the Insight Point egress IP to the Security Groups Inbound rules. Do this for each of the instances to discover.

To add an entry for AWS RDS:

1. Log in to the AWS account containing the resources to discover, and go to RDS > Databases

2. Click the DB identifier and go to Connectivity & security > Security > VPC security groups

3. Click Inbound rules > Edit inbound rules to set the IP address entry

4. Click Add rule > Type (MySQL, Aurora or PostgreSQL) > Source (Custom)

5. Enter the Insight Point egress IP

6. Optionally enter a description and click Save rules

To add an entry for Trino:

1. Log in to the AWS account containing the resources to discover, and go to EC2 > Security Groups

2. Click the Security Group associated with your Trino instances and go to 'Inbound rules' > 'Edit inbound rules' to set the IP address entry

3. Click 'Add rule' > Type (Custom TCP) > Port Range (8080 or your custom port) > Source (Custom) > enter the Insight Point egress IP

4. Optionally enter a description, and save the rules

Veza recommends deploying an Insight Point within Microsoft Azure for a secure connection to PostgreSQL for Azure Database resources. This document includes instructions to run an Insight Point with an Azure Container Instance.

Step 1: Create a Container Instance resource

Log in to your Azure Tenant and go to Container Instances. Create a new resource:

Step 2: Configure the container specifications

In the creation wizard, configure the container to meet the Insight Point system requirements:

1. Size: Ensure the container instance has at least 2 CPU cores and 4 GB memory allocated

2. Image Source: Select Other registry and add the path to Insight Point image: public.ecr.aws/veza/insight_point:latest

Step 3: Assign an appropriate virtual network

Add the Insight Point to the virtual network. Choose Private and enter the virtual network assigned to other resources the Insight Point will connect to:

Step 4: Configure the Registration Key

In the advanced settings, configure the Insight Point registration key:

1. Navigate to the Advanced tab.

2. In the Environment Variables section, add the Insight Point provisioning key to the DP_REGISTER_KEY variable.

3. To generate a new registration key, visit the Integrations -> Insight Point page in the Veza console.

Confirm your settings by clicking Review + create, then deploy the container by selecting Create.

Step 5: Update the Azure integration to use the Insight Point

Finally, update the integration configuration in Veza so that the connection is made using the new Insight Point, instead of the Veza SaaS platform:

1. Log in to Veza, go to the Integrations page, and find the Azure integration on the list of providers.

2. Click Edit to open the configuration.

3. Change the Insight Point from (default) to the one you created.

4. Save the integration.

You can run an on the virtual machine service of your choice with a Veza-provided OVA image. The file includes a full Linux environment within a single file that can run on VMWare vSphere, Oracle Virtualbox, or another VM manager.

Compatibility

• The virtual appliance supports VMware vSphere 6.5+, and as Oracle VM Virtualbox 6.0+.

• The virtual appliance runs Alpine Linux.

Deploying the Virtual Appliance

Download the current Insight Point build from

Note: The virtual appliance is preconfigured to meet the with minimum CPU (2 cores), RAM (4 GB), and storage values. Unless instructed otherwise by Veza support, do not adjust the default values.

VMware

From the VMware Host Client Inventory screen, follow these steps to import the virtual appliance:

1. Right-click Host in the VMware Host client inventory and select Create/Register VM

2. In the New Virtual Machine window that appears, on the Select creation type page, select Deploy a virtual machine from an OVF or OVA and click Next

3. On the Select OVF and VMDK files page, provide a unique name for the virtual machine (ex: veza_insight_point)

4. Click the blue pane to begin browsing to the location of the veza_insight_point_v2.ova file on your local system storage

5. Browse to and select the veza_insight_point_v2.ova file, then click Open

6. The file appears in the blue pane in the New Virtual Machine wizard; click Next

7. On the Select storage page, select the storage type (Standard) and choose a datastore for the virtual machine, then click Next

8. On the Deployment options page, select network mappings, disk provisioning, and power-on settings, then click Next

9. On the Ready to complete page, review the virtual machine details and click Finish

Oracle VM Virtualbox

In the Oracle VM VirtualBox Manager, follow these steps to import the virtual appliance:

1. In the File menu, click Import Appliance

2. In the Appliance Import Wizard window that appears, click Choose to select the location of the veza_insight_point_v2.ova file

3. Browse to the location of the veza_insight_point_v2.ova file and click Open

4. Review the Appliance Import Settings displayed in the window and click Import

Generate an Insight Point Registration Key

The Insight Point requires a registration key to authenticate with the Veza platform. To generate an Insight Point registration key, follow these steps:

1. Browse to your Veza Instance and log in as an administrative user.

2. In the left navigation pane, locate Configuration, then click Insight Point in the subpane.

3. Click Generate New Key in the upper-right corner of the main pane.

4. Provide a name for the new Insight Point and set an expiration date and time.

5. Click Generate Key

6. Make note of the key value that is returned; this will be required for configuring the Insight Point below

Configuring the Virtual Appliance

Once the virtual appliance is deployed and powered on, complete the initial configuration from the hypervisor console or using SSH.

Default Credentials

Log in to the virtual appliance with the root account. This account has no password when initially deployed.

Configuration

From the shell prompt, run setup-veza to configure the system. The Message of the Day banner refers to this command when logging in.

After invoking the setup-veza command, follow the prompts:

1. Set the timezone for the virtual machine

   Note: Communication between the Insight Point and the Veza SaaS platform is sensitive to time drift. Ensure that the virtual machine's clock matches the local time.

2. Set an appropriate hostname for the virtual appliance

3. Configure the eth0 interface to use DHCP or static values

4. If using static interface values, configure DNS settings

5. Set a password for the root account

6. Enter the Insight Point Registration Key

   Note: This value is a long base64-encoded string; copy it from the Veza platform and paste the value here

7. The docker daemon will pull the most recent Insight Point image; this might take several seconds to initialize without screen output

8. The command will return to the shell prompt after the Insight Point deploys.

Operation and Troubleshooting

After the Insight Point deploys, verify that it has successfully connected to the Veza platform. Log in to the Veza platform and follow these steps:

1. On the left navigation pane, under Configuration, click Insight Point

2. Verify that a new Insight Point has registered with the platform.

Note: One Insight Point will be named "Veza Insight Point" by default. Ensure at least two are present.

Verifying Container Status

If the newly deployed Insight Point does not appear on the Veza platform, verify the status of the container on the virtual machine:

1. Log into the virtual machine console or use SSH

2. List running Docker processes with the command: docker ps -a --filter="name=veza-insight-point"

3. Examine the output

The Insight Point's container ID should include a Status column showing Running.

Accessing Insight Point Logs

If the Insight Point does not appear to be running, or if requested by Veza support, follow these steps to access the Insight Point logs:

1. Log into the virtual machine console or use SSH

2. Run the following command to output the Insight Point logs: docker logs veza-insight-point

3. The logs are in JSON format and can be output to a file or copied from the terminal for debugging

Operation and Troubleshooting

After the Insight Point deploys, verify that it has successfully connected to the Veza platform. Log in to the Veza platform and follow these steps:

1. On the left navigation pane, under Configuration, click Insight Point

2. Verify that a new Insight Point has registered with the platform.

Note: One Insight Point will exist by default, named "Veza Insight Point".

Verifying Container Status

If the newly deployed Insight Point does not appear on the Veza platform, verify the status of the container on the virtual machine:

1. Log into the virtual machine console or use SSH

2. List running Docker processes with the command: docker ps -a

3. Examine the output

The Insight Point's container ID should include a Status column showing Running.

Accessing Insight Point Logs

If the Insight Point does not appear to be in a running state, or if requested by Veza support, follow these steps to access the Insight Point logs:

1. Log into the virtual machine console or use SSH

2. Run the following command: docker ps -a

3. Note the value in the Container ID field

4. Run the following command to output the Insight Point logs: docker logs <container_id>, substituting the actual container ID

5. The logs are in JSON format and can be output to a file or copied from the terminal for debugging

Veza maintains a script you can use to quickly install and run an Insight Point with Docker. Follow these steps to set up your environment, run the latest install script, and manage the deployment.

The Insight Point installation script includes automatic features to reduce manual configuration steps:

• Proxy Inheritance: HTTP proxy settings from the host environment are automatically applied to new installations

• Certificate Detection: Host certificate bundles are automatically detected and mounted for new installations

• Enhanced Connectivity Feedback: Improved connectivity testing includes proxy information display and dedicated status scripts

Note: Feature availability may vary by Veza release version. Some automatic features apply to new installations and may require reinstallation for existing Insight Points.

Prerequisites

• Systemd

• Docker (or Podman with Docker compatibility)

• System resources meeting the (minimum: 2 CPU cores, 4 GB RAM)

Install Docker

Install

Generate an Insight Point key from the Veza Integrations > Insight Point page. Store it as an environment variable before downloading and executing the script:

or

Post-Installation

The Insight Point automatically performs a connectivity test when the container starts. Recent enhancements provide improved feedback:

• HTTP proxy information is now included in connectivity test output for easier debugging

• Connectivity test results are available via the status script for streamlined troubleshooting

Viewing Connectivity Results:

The connectivity test output includes connection status to your Veza tenant, HTTP proxy information (if configured), certificate bundle configuration status, and any connectivity issues or configuration recommendations.

Remove

Uninstall

Uninstall will remove all components of the Insight Point but will not remove the configuration in /etc/veza-insight-point.

Remove

Remove will remove all components of the Insight Point and the configuration in /etc/veza-insight-point. The Insight Point Key will be lost (if not backed up).

Advanced Configuration

Pull from a different registry

The Insight Point image must be pulled from a pull-through cache or private registry (where the image is mirrored). You can override the image repository with the IMAGE_REPOSITORY config setting.

Create or edit the configuration in /etc/veza-insight-point/service.env to set the IMAGE_REPOSITORY configuration:

If pulling some other image version than the default image tag (latest), you need to configure the override using the IMAGE_TAG option:

After the changes have been made and saved, restart the Insight Point service:

Check that the service has started successfully by running the following command:

Using a proxy server

Automatic Proxy Detection (Recommended)

For new Insight Point installations, HTTP proxy settings are automatically inherited from the host system's HTTP_PROXY environment variable. This eliminates the need for manual proxy configuration in most environments.

To verify automatic proxy detection is working:

1. Ensure the host system has HTTP_PROXY set in the environment

2. Run the installation script

3. Check the connectivity test output for proxy information

Manual Proxy Configuration

If you need to use a different proxy configuration or disable automatic detection, you can manually configure proxy settings.

To disable automatic proxy inheritance, create or edit /etc/veza-insight-point/config.env and add:

To manually configure proxy settings, add these lines to /etc/veza-insight-point/config.env:

Proxy Information Display

Connectivity tests display current proxy configuration details including:

• Current proxy configuration being used by the Insight Point

• Whether proxy settings were inherited from the host or manually configured

• Any proxy-related connectivity issues

To configure custom certificates, see the section.

After making configuration changes, restart the Insight Point service:

Check that the service has started successfully by running the following command:

Configuring Insight Point to forward connections to Veza (early access)

An Insight Point can proxy connections to Veza, allowing you to send Open Authorization API (OAA) payloads to a locally accessible server within a VPC instead of directly over the internet.

When a proxy port is enabled in the configuration, applications can push to the Insight Point's internal network address (e.g., http://localhost:8080/api/v1/providers/custom/...), instead of making API calls directly to Veza's cloud service (https://$VEZA_URL/api/v1/providers/custom/...).

Create or edit the configuration file /etc/veza-insight-point/service.env to set the proxy port:

Save the changes. Then, restart the Insight Point service:

Proxy server is supported since Veza release 2025.5.x. For older Insight Points, you will need to reinstall before you can enable a proxy port:

Using custom certificates

Automatic Certificate Bundle Detection (Recommended)

For new Insight Point installations, the system automatically detects and mounts the host's certificate bundle to the container. This removes the manual certificate configuration step for properly configured hosts, such as those using Zscaler or other enterprise certificate management systems.

The automatic certificate detection locates the host system's certificate bundle and mounts it to the Insight Point container. This works with common enterprise certificate management solutions and eliminates manual certificate configuration in most environments.

Manual Certificate Configuration

If automatic certificate detection doesn't work for your environment or you need to use a specific certificate bundle, you can manually configure certificates.

Create or edit the configuration file /etc/veza-insight-point/service.env to mount custom certificates to the Insight Point container:

For custom certificate bundle locations, adjust the path accordingly:

After making configuration changes, restart the Insight Point service:

Check that the service has started successfully by running the following command:

Troubleshooting

Status Script (Recommended)

The Insight Point installation includes a dedicated status script for health checking without requiring log inspection. This script is the recommended first step for troubleshooting.

Run the status script to check Insight Point health:

The status script checks:

• Service Status: Whether the Insight Point service is running

• Health Endpoint: Whether the service is responding to health checks

• Connectivity Test: Network connectivity to your Veza tenant

• Configuration: Current proxy and certificate settings

This script provides immediate feedback on common issues and is ideal for iterative troubleshooting when making configuration changes.

Service Status

Retrieve the status of the Insight Point systemd service:

Connectivity Testing

Connectivity test results are displayed in the terminal. For ongoing troubleshooting, use the status script above or check recent logs for connectivity information.

Logs

For detailed troubleshooting when the status script indicates issues, examine the service logs:

Retrieve last 500 log lines for the Insight Point service:

Follow logs for the Insight Point service:

Reinstall

Reinstall will remove the currently installed Insight Point service and install it again. All configuration in /etc/veza-insight-point will be preserved.

Tips & Best Practices

Using the Status Script for Iterative Troubleshooting

When configuring proxy settings or troubleshooting connectivity issues, use the status script to quickly verify changes without examining logs:

This approach is much faster than manually inspecting service logs and provides immediate feedback on whether configuration changes are working.

When Manual Configuration is Still Needed

While automatic features handle most scenarios, manual configuration may be required for:

• Custom Proxy Settings: When the desired proxy differs from the host's HTTP_PROXY setting

• Specific Certificate Bundles: When using certificates in non-standard locations

• Enterprise Environments: Where automatic detection may not work due to security policies

• Legacy Installations: Older Insight Points may not have all automatic features

Troubleshooting Automatic Features

If automatic proxy or certificate detection isn't working:

1. Check the connectivity test output for configuration details

2. Verify the host system's environment variables (echo $HTTP_PROXY)

3. Use the status script to see current configuration

4. Fall back to manual configuration if needed

This document provides instructions to start an AWS EC2 virtual machine and run an Insight Point as a Docker image.

Installation

Follow the instructions to launch a new AWS EC2 instance, install prerequisites, and download and run the Insight Point. You can opt to use an existing EC2 instance, provided that the docker version is 19.09 or later.

• Start an EC2 instance

  • Open the AWS EC2 Console

  • Ensure that the region where you want to initialize the instance is selected

  • Click Launch Instance

  • Add a name for the instance ("Veza Insight Point")

  • Choose Amazon Linux 2023 OS image

  • Configure instance size to meet the Insight Point system requirements (minimum: 2 CPU cores, 4 GB RAM)

  • Choose an existing key pair or create a new one

• Install Insight Point

• To discover standalone RDS or Trino databases, ensure that Security Group Inbound Rules allow communication to and from the Insight Point's outbound IP address.