Under 5 minutes, from zero to connected

Connect your infrastructure
to Veirox.

Veirox Connect is a tiny, signed, egress-only connector that pairs any Linux host, Kubernetes cluster, or edge device with your Veirox workspace over mTLS.

Cosign-signed releases
SBOM + SLSA provenance
Egress-only, no inbound

Pick your platform

One enrollment token works for any target. The connector dials out to Veirox — nothing new to expose.

Linux VM (systemd)

For Ubuntu, Debian, RHEL, Alma, Rocky, Amazon Linux, Fedora, SUSE. Any modern Linux with systemd and glibc ≥ 2.31.

Prereq
systemd + curl + sudo
Footprint
~20 MB binary, ~50 MB RAM
Privileges
Runs as veirox-connector user
1

Mint an enrollment token

Open the Veirox console → Connectors → Mint enrollment token. The token is shown once and is one-time.

Open Console →
2

Run the installer

# On the target host, as root:
curl -fsSL https://veirox.com/install.sh | sudo bash -s -- \
  --token veirox_enr_... \
  --backend https://connect.veirox.com

The installer verifies its own signature against a pinned cosign key, drops the binary at /usr/local/bin/veirox-connector, installs a systemd unit, and starts it. Nothing left for you to wire up.

3

Verify

sudo systemctl is-active veirox-connector
sudo journalctl -u veirox-connector -n 30 --no-pager

Expect active (running) and a log line tunnel_broker_registered connector_id=.... The connector should appear in the Veirox UI within 30 seconds.

Full guide: docs/connect/INSTALL-systemd.md — covers corporate CA bundles, HTTPS proxies, offline installs, uninstall.

Kubernetes (Helm)

One Helm chart, three RBAC presets, multi-cloud. Pick your cluster type:

Google Kubernetes Engine — Standard or Autopilot

CONTEXT="gke_<project>_<region>_<cluster>"

kubectl --context="$CONTEXT" create namespace veirox
kubectl --context="$CONTEXT" -n veirox create secret generic veirox-connector-token \
  --from-literal=token=veirox_enr_...

helm install veirox-connector \
  oci://ghcr.io/veirox-cloud/charts/veirox-connector \
  --kube-context="$CONTEXT" \
  --namespace veirox \
  --set backendUrl=https://connect.veirox.com \
  --set rbacPreset=readOnly

Full guide (Workload Identity, Cloud NAT, Autopilot PSA, Gatekeeper): INSTALL-helm-gke.md

Amazon EKS

aws eks update-kubeconfig --name <cluster> --region <region>

kubectl create namespace veirox
kubectl -n veirox create secret generic veirox-connector-token \
  --from-literal=token=veirox_enr_...

helm install veirox-connector \
  oci://ghcr.io/veirox-cloud/charts/veirox-connector \
  --namespace veirox \
  --set backendUrl=https://connect.veirox.com \
  --set rbacPreset=readOnly

Full guide (IRSA, Security Groups for Pods, private API endpoint, Fargate): INSTALL-helm-eks.md

Azure AKS

az aks get-credentials -g <rg> -n <cluster>

kubectl create namespace veirox
kubectl -n veirox create secret generic veirox-connector-token \
  --from-literal=token=veirox_enr_...

helm install veirox-connector \
  oci://ghcr.io/veirox-cloud/charts/veirox-connector \
  --namespace veirox \
  --set backendUrl=https://connect.veirox.com \
  --set rbacPreset=readOnly

Full guide (Workload Identity, ACR pull, Azure Policy exemptions): INSTALL-helm-aks.md

Self-managed (kubeadm, RKE2, k3s, OpenShift)

kubectl create namespace veirox
kubectl -n veirox create secret generic veirox-connector-token \
  --from-literal=token=veirox_enr_...

# If behind a TLS-inspecting proxy, also:
kubectl -n veirox create secret generic veirox-corp-ca \
  --from-file=ca.pem=/path/to/corp-ca.pem

helm install veirox-connector \
  oci://ghcr.io/veirox-cloud/charts/veirox-connector \
  --namespace veirox \
  --set backendUrl=https://veirox.customer.com \
  --set rbacPreset=readOnly \
  --set extraCaBundle.enabled=true

Full guide (private registry mirror, MITM CA, PSA, NetworkPolicy CIDR pinning, OpenShift SCC): INSTALL-helm-onprem.md

RBAC presets
  • readOnly — cluster-wide get/list/watch. Safe default.
  • nsAdmin — full verbs, scoped to the release namespace only.
  • clusterAdmin — cluster-admin. Reviewed per-connector policy is your last line of defence.

Docker Compose

For dev laptops, bastion VMs, or single-host installs. No systemd required.

1

Download the compose file

curl -fsSL https://www.veirox.com/install/docker-compose.yml -o docker-compose.yml
curl -fsSL https://www.veirox.com/install/.env.example -o .env
2

Edit .env

VEIROX_BACKEND_URL=https://connect.veirox.com
VEIROX_ENROLLMENT_TOKEN=veirox_enr_...
VEIROX_CONNECTOR_TAG=0.3.0
3

Bring it up

docker compose up -d
docker compose logs -f veirox-connector --tail=30

Airgapped install

For hosts that can reach the Veirox backend once (to enroll) but can't download the installer. Ship a signed tarball out-of-band.

Note: Veirox Connect requires outbound 443 to the backend at runtime — the reverse-WebSocket architecture needs a live connection. If your environment has zero outbound at any time, the tunnel connector is the wrong fit; use the MCP-server connector model.

# 1. On a host with internet, download the signed tarball + its cosign signature:
VER=0.3.0
curl -fsSLO https://github.com/veirox-cloud/veirox-dist/releases/download/v${VER}/veirox-connector_${VER}_linux_x86_64.tar.gz
curl -fsSLO https://github.com/veirox-cloud/veirox-dist/releases/download/v${VER}/veirox-connector_${VER}_linux_x86_64.tar.gz.sig
curl -fsSLO https://github.com/veirox-cloud/veirox-dist/releases/download/v${VER}/veirox-connector_${VER}_linux_x86_64.tar.gz.pem

# 2. Ship the three files out-of-band (signed USB, S3, internal artifact store).

# 3. On the airgapped host — verify, extract, install:
cosign verify-blob \
  --certificate veirox-connector_${VER}_linux_x86_64.tar.gz.pem \
  --signature   veirox-connector_${VER}_linux_x86_64.tar.gz.sig \
  --certificate-identity-regexp '^https://github.com/veirox-cloud/veirox-connector/.github/workflows/release.yml@refs/tags/v.+' \
  --certificate-oidc-issuer    'https://token.actions.githubusercontent.com' \
  veirox-connector_${VER}_linux_x86_64.tar.gz

tar -xz -C /tmp -f veirox-connector_${VER}_linux_x86_64.tar.gz
install -m 0755 /tmp/veirox-connector /usr/local/bin/veirox-connector

# 4. Enroll + run (your airgapped host still needs a one-time outbound HTTPS to enroll):
mkdir -p /etc/veirox-connector
VEIROX_BACKEND_URL=https://connect.veirox.customer.com \
  /usr/local/bin/veirox-connector enroll --token veirox_enr_...

Cosign keyless signatures are bound to the GitHub Actions workflow that produced them — you can verify provenance offline without trusting our infrastructure.

Edge device

For Raspberry Pi, industrial gateways, BusyBox-only hosts. No systemd, no glibc required — the binary is fully statically linked against musl.

# 1. Pick the right arch and download the musl-static binary:
ARCH=$(uname -m | sed 's/amd64/x86_64/; s/arm64/aarch64/')
VER=0.3.0

curl -fsSL https://github.com/veirox-cloud/veirox-dist/releases/download/v${VER}/veirox-connector_${VER}_linux_${ARCH}.tar.gz \
  | tar -xz -C /tmp
install -m 0755 /tmp/veirox-connector /usr/local/bin/veirox-connector

# 2. Enroll once (writes credential to /etc/veirox-connector/):
mkdir -p /etc/veirox-connector
VEIROX_BACKEND_URL=https://connect.veirox.com \
  /usr/local/bin/veirox-connector enroll --token veirox_enr_...

# 3. Run under your supervisor (runit/openrc/s6 example below):
nohup env VEIROX_BACKEND_URL=https://connect.veirox.com \
  /usr/local/bin/veirox-connector run \
  > /var/log/veirox-connector.log 2>&1 &

Use a supervision tool like runit, openrc, or s6-overlay for production edge deployments.

Verify before you trust

Every release is signed with cosign keyless, logged in the Rekor transparency log, and ships with an SPDX SBOM + SLSA provenance attestation.

# Verify the image before pulling
cosign verify ghcr.io/veirox-cloud/veirox-connector:0.3.0-k8s \
  --certificate-identity-regexp "^https://github.com/veirox-cloud/veirox-connector/.github/workflows/release.yml@" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
Identity
release.yml on our GitHub repo
Transparency log
Full walkthrough

Stuck?

Every install path has a detailed guide. If something still doesn't work, open an issue on GitHub or reach out in-app.