Veirox Connect is a tiny, signed, egress-only connector that pairs any Linux host, Kubernetes cluster, or edge device with your Veirox workspace over mTLS.
One enrollment token works for any target. The connector dials out to Veirox — nothing new to expose.
For Ubuntu, Debian, RHEL, Alma, Rocky, Amazon Linux, Fedora, SUSE. Any modern Linux with systemd and glibc ≥ 2.31.
veirox-connector user
Open the Veirox console → Connectors → Mint enrollment token. The token is shown once and is one-time.

    # On the target host, as root:
    curl -fsSL https://veirox.com/install.sh | sudo bash -s -- \
      --token veirox_enr_... \
      --backend https://veirox.com
The installer verifies its own signature against a pinned cosign key, drops the binary at /usr/local/bin/veirox-connector, installs a systemd unit, and starts it. Nothing left for you to wire up.
    sudo systemctl is-active veirox-connector
    sudo journalctl -u veirox-connector -n 30 --no-pager
Expect active (running) and a log line tunnel_broker_registered connector_id=.... The connector should appear in the Veirox UI within 30 seconds.
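The check above can be scripted so an install job fails when the connector never registers. This is an added example, not part of the Veirox installer; it assumes connector_id=<value> is a whitespace-delimited field on the tunnel_broker_registered line, and the function names and sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Veirox code). Assumption: the registration line carries
# connector_id=<value> as a whitespace-delimited key=value field.

# Constructed sample journal output, not real connector logs.
SAMPLE_LOG='2024-01-01T00:00:00Z INFO connector_starting version=0.2.0
2024-01-01T00:00:02Z INFO tunnel_broker_registered connector_id=c-demo-0001
2024-01-01T00:00:12Z INFO heartbeat_ok'

# Read log text on stdin and print the connector_id of the most recent
# tunnel_broker_registered line. Exit status 1 if there is none.
extract_connector_id() {
  awk '
    /tunnel_broker_registered/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^connector_id=/) id = substr($i, 14)
    }
    END { if (id == "") exit 1; print id }
  '
}

# Poll until the unit is active AND has logged a registration, or time out.
# $1 = unit name, $2 = timeout in seconds (30 is an assumed default).
# Note: -n 200 can also match a registration from an earlier run of the unit.
wait_for_registration() {
  unit="${1:-veirox-connector}"
  timeout="${2:-30}"
  deadline=$(( $(date +%s) + timeout ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if systemctl is-active --quiet "$unit" &&
       id=$(journalctl -u "$unit" -n 200 --no-pager -o cat | extract_connector_id)
    then
      printf '%s\n' "$id"
      return 0
    fi
    sleep 2
  done
  echo "no tunnel_broker_registered line from $unit within ${timeout}s" >&2
  return 1
}
```

Source the file and run wait_for_registration as root after the installer finishes; a non-zero exit means the unit is not active or has not registered.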
Full guide: docs/connect/INSTALL-systemd.md — covers corporate CA bundles, HTTPS proxies, offline installs, uninstall.
One Helm chart, three RBAC presets, multi-cloud. Pick your cluster type:
    CONTEXT="gke_<project>_<region>_<cluster>"
    kubectl --context="$CONTEXT" create namespace veirox
    kubectl --context="$CONTEXT" -n veirox create secret generic veirox-connector-token \
      --from-literal=token=veirox_enr_...
    helm install veirox-connector \
      oci://ghcr.io/msrashed2018/charts/veirox-connector \
      --kube-context="$CONTEXT" \
      --namespace veirox \
      --set backendUrl=https://veirox.com \
      --set rbacPreset=readOnly
Full guide (Workload Identity, Cloud NAT, Autopilot PSA, Gatekeeper): INSTALL-helm-gke.md
    aws eks update-kubeconfig --name <cluster> --region <region>
    kubectl create namespace veirox
    kubectl -n veirox create secret generic veirox-connector-token \
      --from-literal=token=veirox_enr_...
    helm install veirox-connector \
      oci://ghcr.io/msrashed2018/charts/veirox-connector \
      --namespace veirox \
      --set backendUrl=https://veirox.com \
      --set rbacPreset=readOnly
Full guide (IRSA, Security Groups for Pods, private API endpoint, Fargate): INSTALL-helm-eks.md
    az aks get-credentials -g <rg> -n <cluster>
    kubectl create namespace veirox
    kubectl -n veirox create secret generic veirox-connector-token \
      --from-literal=token=veirox_enr_...
    helm install veirox-connector \
      oci://ghcr.io/msrashed2018/charts/veirox-connector \
      --namespace veirox \
      --set backendUrl=https://veirox.com \
      --set rbacPreset=readOnly
Full guide (Workload Identity, ACR pull, Azure Policy exemptions): INSTALL-helm-aks.md
    kubectl create namespace veirox
    kubectl -n veirox create secret generic veirox-connector-token \
      --from-literal=token=veirox_enr_...

    # If behind a TLS-inspecting proxy, also:
    kubectl -n veirox create secret generic veirox-corp-ca \
      --from-file=ca.pem=/path/to/corp-ca.pem

    helm install veirox-connector \
      oci://ghcr.io/msrashed2018/charts/veirox-connector \
      --namespace veirox \
      --set backendUrl=https://veirox.customer.com \
      --set rbacPreset=readOnly \
      --set extraCaBundle.enabled=true
Full guide (private registry mirror, MITM CA, PSA, NetworkPolicy CIDR pinning, OpenShift SCC): INSTALL-helm-onprem.md
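The --from-literal=token=... form in the commands above puts the enrollment token into shell history and the kubectl process arguments. This added example (not from the Veirox docs) reads the token with echo off and hands it to kubectl over stdin; it assumes the chart reads key token from the secret veirox-connector-token, as those commands imply, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Veirox code). Assumptions: secret name and key match the
# page's commands; tokens start with the veirox_enr_ prefix shown there.

# Clean a pasted token read from stdin: drop CR/LF and surrounding blanks,
# then require the veirox_enr_ prefix and no embedded spaces.
# Prints the token with no trailing newline; returns 1 on bad input.
normalize_token() {
  tok=$(tr -d '\r\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
  case "$tok" in
    *" "*)         echo "token contains a space" >&2; return 1 ;;
    veirox_enr_?*) printf '%s' "$tok" ;;
    *)             echo "input is not an enrollment token" >&2; return 1 ;;
  esac
}

# Prompt for the token with terminal echo off and create the secret from
# stdin, so the value never appears in history or in `ps` output.
# $1 = namespace (default veirox); remaining args go to kubectl,
# e.g. --context="$CONTEXT".
create_token_secret() {
  ns="${1:-veirox}"
  if [ $# -gt 0 ]; then shift; fi
  printf 'Enrollment token (input hidden): ' >&2
  stty -echo 2>/dev/null || true
  IFS= read -r raw || true
  stty echo 2>/dev/null || true
  printf '\n' >&2
  # Validate first: a failed check must not create an empty secret.
  clean=$(printf '%s' "$raw" | normalize_token) || return 1
  # printf is a shell builtin, so the token is not passed as a process argument.
  printf '%s' "$clean" |
    kubectl "$@" -n "$ns" create secret generic veirox-connector-token \
      --from-file=token=/dev/stdin
  rc=$?
  unset raw clean
  return "$rc"
}
```

Stripping the trailing newline matters because --from-file stores the input byte for byte, unlike --from-literal.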
get/list/watch. Safe default.

For dev laptops, bastion VMs, or single-host installs. No systemd required.

    curl -fsSL https://veirox.com/install/docker-compose.yml -o docker-compose.yml
    curl -fsSL https://veirox.com/install/.env.example -o .env

.env

    VEIROX_BACKEND_URL=https://veirox.com
    VEIROX_ENROLLMENT_TOKEN=veirox_enr_...
    VEIROX_CONNECTOR_TAG=0.2.0-minimal

    docker compose up -d
    docker compose logs -f veirox-connector --tail=30
Full guide: docs/connect/INSTALL-compose.md
For hosts that can reach the Veirox backend once (to enroll) but can't download the installer. Ship a signed tarball out-of-band.
Note: Veirox Connect requires outbound 443 to the backend at runtime — the reverse-WebSocket architecture needs a live connection. If your environment has zero outbound at any time, the tunnel connector is the wrong fit; use the MCP-server connector model.
    # On a release host:
    make connector-offline-bundle
    # → agent/dist/bin/veirox-connector-0.2.0-x86_64.tar.gz

    # Ship tarball out-of-band (signed USB, S3, etc.)

    # Then on the airgapped host:
    sudo env \
      VEIROX_BACKEND_URL=https://veirox.customer.com \
      VEIROX_ENROLLMENT_TOKEN=veirox_enr_... \
      bash <(tar -xzOf /tmp/veirox-connector-0.2.0-x86_64.tar.gz \
        veirox-connector-0.2.0-x86_64/install-offline.sh) \
      /tmp/veirox-connector-0.2.0-x86_64.tar.gz
The tarball is self-verifying: install-offline.sh pins a cosign public key and refuses to proceed if the signed manifest doesn't match.
Full guide: docs/connect/INSTALL-airgap.md
For Raspberry Pi, industrial gateways, BusyBox-only hosts. No systemd, no glibc required — the binary is fully statically linked against musl.
    # Pick the right arch:
    ARCH=$(uname -m | sed 's/amd64/x86_64/; s/arm64/aarch64/')
    curl -fsSL https://veirox.com/install/edge/veirox-connector-${ARCH} \
      -o /usr/local/bin/veirox-connector
    chmod +x /usr/local/bin/veirox-connector
    nohup /usr/local/bin/veirox-connector run \
      --backend https://veirox.com \
      --token veirox_enr_... \
      > /var/log/veirox-connector.log 2>&1 &
Use a supervision tool like runit, openrc, or s6-overlay for production edge deployments.
Full guide: docs/connect/INSTALL-edge.md
Every release is signed with cosign keyless, logged in the Rekor transparency log, and ships with an SPDX SBOM + SLSA provenance attestation.
    # Verify the image before pulling
    cosign verify docker.io/msrashed/veirox-connector:0.2.0-k8s \
      --certificate-identity-regexp "^https://github.com/veirox-cloud/veirox-cli/.github/workflows/release.yml@" \
      --certificate-oidc-issuer https://token.actions.githubusercontent.com
Every install path has a detailed guide. If something still doesn't work, open an issue on GitHub or reach out in-app.