Expose Istio

In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.


  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Compute the FQDN for your Azure Load Balancer:

    root@rok-tools:~/ops/deployments# echo ${AZURELB_DNS_NAME_LABEL?}.${AZURE_DEFAULTS_LOCATION?}.cloudapp.azure.com
    arrikto-cluster.eastus.cloudapp.azure.com
  3. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and use the ingress-nginx-tls resource instead of arrikto:

    resources:
    #- ../arrikto
    - ../ingress-nginx-tls
  4. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the trusted-front-proxies.yaml resource:

    resources:
    #- ../arrikto
    - ../ingress-nginx-tls
    # Trusted front proxies in front of Istio IngressGateway. This is needed in
    # order to handle XFF-related headers correctly. If running Istio IngressGateway
    # behind a trusted proxy (e.g., ALB, NGINX, etc.), include this YAML and set
    # the `xff_trusted_hops` value to the number of trusted proxies in front of the
    # Gateway.
    - trusted-front-proxies.yaml
  5. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the ingress-host.yaml, ingress-tls.yaml and certificate.yaml patches:

    patches:
    - path: patches/ingress-host.yaml
      target:
        kind: Ingress
        name: istio-ingress
    - path: patches/ingress-tls.yaml
    - path: patches/certificate.yaml
  6. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml and set value to the FQDN for your Azure Load Balancer from step 2:

    - op: replace
      path: /spec/rules/0/host
      value: arrikto-cluster.eastus.cloudapp.azure.com
  7. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-tls.yaml and set hosts to the FQDN for your Azure Load Balancer:

    spec:
      tls:
      - hosts:
        - arrikto-cluster.eastus.cloudapp.azure.com
  8. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/certificate.yaml and set both commonName and dnsNames to the FQDN for your Azure Load Balancer:

    spec:
      commonName: arrikto-cluster.eastus.cloudapp.azure.com
      dnsNames:
      - arrikto-cluster.eastus.cloudapp.azure.com
  9. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml and set xff_num_trusted_hops to 1:

    # Number of trusted proxies in front of the Gateway.
    xff_num_trusted_hops: 1
  10. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"
  11. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy
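
Step 9 sets xff_num_trusted_hops to 1 because exactly one trusted proxy, the NGINX Ingress Controller, sits in front of the Istio IngressGateway. The sketch below is an added example, not part of the Arrikto manifests. It models Envoy's documented rule for picking the client address from X-Forwarded-For, assuming the gateway listener uses the remote address, and shows why the value must equal the number of trusted proxies. The function names and all addresses are constructed for illustration.

```python
"""Simplified model of how xff_num_trusted_hops selects the client address.

Assumption: the gateway's Envoy listener uses the remote address
(use_remote_address: true), as an edge proxy does. Addresses are constructed.
"""


def trusted_client_address(xff_header, peer_address, num_trusted_hops):
    """Return the address the gateway would treat as the original client.

    xff_header       -- X-Forwarded-For value as received by the gateway
    peer_address     -- source address of the connection to the gateway
    num_trusted_hops -- value of xff_num_trusted_hops
    """
    if num_trusted_hops < 0:
        raise ValueError("num_trusted_hops must be >= 0")
    entries = [e.strip() for e in xff_header.split(",") if e.strip()]
    # With no trusted hops, or fewer XFF entries than trusted hops, only the
    # directly connected peer can be believed.
    if num_trusted_hops == 0 or len(entries) < num_trusted_hops:
        return peer_address
    # Otherwise take the Nth entry from the right: each trusted proxy wrote
    # one entry, so anything further left came from outside the trust zone.
    return entries[-num_trusted_hops]


def compare_hop_settings(xff_header, peer_address, settings=(0, 1, 2)):
    """Map each candidate xff_num_trusted_hops value to the address it yields."""
    return {n: trusted_client_address(xff_header, peer_address, n)
            for n in settings}


# Constructed request: the client 198.51.100.7 sent its own X-Forwarded-For
# value (203.0.113.99); NGINX (10.0.0.5) appended the address it actually saw.
SAMPLE_XFF = "203.0.113.99, 198.51.100.7"
NGINX_POD = "10.0.0.5"

if __name__ == "__main__":
    for hops, addr in compare_hop_settings(SAMPLE_XFF, NGINX_POD).items():
        print(f"xff_num_trusted_hops={hops}: client address = {addr}")
    # 0 -> the NGINX pod itself, so every request appears to come from the proxy
    # 1 -> the address NGINX observed (the setting from step 9)
    # 2 -> a value the client supplied, which must not be trusted
```

A value lower than the real proxy count hides the client behind the proxy address in logs and policies, while a higher value lets a header the client wrote decide the address that access logs and IP-based rules rely on.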


  1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match your Azure Load Balancer FQDN:

    root@rok-tools:~/ops/deployments# kubectl -n istio-system get ingress
    NAME            HOSTS                                       ADDRESS   PORTS   AGE
    istio-ingress   arrikto-cluster.eastus.cloudapp.azure.com             80      1m
  2. Open your browser, and go to the Rok UI at https://arrikto-cluster.eastus.cloudapp.azure.com/rok/.


You have successfully configured Istio and exposed Rok to the outside world. With this, you have successfully completed the whole installation process.

What’s Next

The next step is to expose your KFServing Models to the outside world.