Expose Istio

In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller. TLS termination will happen at the ALB in front of NGINX.


  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and use ingress-nginx instead of arrikto as the base overlay:

    #- ../arrikto
    - ../ingress-nginx


    TLS termination takes place on the ALB with an ACM certificate, and thus you will create a plain HTTP ingress.

  3. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the trusted-front-proxies.yaml resource:

    #- ../arrikto
    - ../ingress-nginx
    # Trusted front proxies in front of Istio IngressGateway. This is needed in
    # order to handle XFF-related headers correctly. If running Istio IngressGateway
    # behind a trusted proxy (e.g., ALB, NGINX, etc.), include this YAML and set
    # the `xff_trusted_hops` value to the number of trusted proxies in front of the
    # Gateway.
    - trusted-front-proxies.yaml
  4. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml and set xff_num_trusted_hops to 2:

    # Number of trusted proxies in front of the Gateway.
    xff_num_trusted_hops: 2


    The ALB acts as an L7 edge proxy, so you have two proxies in front of Istio: ALB and NGINX.

  5. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable only the ingress-host patch by uncommenting the corresponding snippet, including the toplevel patches directive. The final result will look like this:

    patches:
    - path: patches/ingress-host.yaml
      target:
        kind: Ingress
        name: istio-ingress
    #- path: patches/ingress-tls.yaml
    #- path: patches/certificate.yaml


    There may be cases where you have more than one patches directive in your kustomization, including (but not limited to) the case where you have followed the Patch All Images for Your Deployment document. In such cases, you need to merge the two patches: sections before you save the file, so that you end up with a single patches: section containing a single list of patches. To do so:

    1. Delete the extra patches line so that only one remains.

    2. Cut and paste the rest of the lines under the remaining patches directive. The final result will look like this:

      patches:
      - path: patches/ingress-host.yaml
        target:
          kind: Ingress
          name: istio-ingress
      # Generated by rok-image-patch
      - target:
          kind: ConfigMap
          name: istio-sidecar-injector
        path: patches/image-patch-istio-sidecar-injector.yaml
    3. Ensure that you have only one toplevel patches directive:

      root@rok-tools:~/ops/deployments# grep ^patches: rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml | wc -l
  6. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml and set value to the FQDN of your Load Balancer:

    - op: replace
      path: /spec/rules/0/host
      value: arrikto-cluster.apps.example.com  # <-- Update this line with your SUBDOMAIN
  7. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"
  8. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy
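
Why the hop count in step 4 must match the number of proxies, as an added example that is not part of the original guide or of Istio's code: a simplified Python model of right-to-left X-Forwarded-For selection. It assumes each proxy appends its peer's address and that the gateway takes the Nth entry from the right; all addresses and function names are constructed for illustration.

```python
import ipaddress


def trusted_client_address(xff_header, peer_address, num_trusted_hops):
    """Pick the client address that a trusted-hop count implies.

    Assumption: the gateway takes the Nth entry from the right of
    X-Forwarded-For (N = num_trusted_hops) and falls back to the direct
    peer when N is 0 or the header holds fewer than N entries.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if num_trusted_hops <= 0 or len(hops) < num_trusted_hops:
        return peer_address
    candidate = hops[-num_trusted_hops]
    ipaddress.ip_address(candidate)  # raises ValueError on a malformed entry
    return candidate


def forward(xff_header, peer_address):
    """Model one proxy hop: append the address of whoever connected to it."""
    return f"{xff_header}, {peer_address}" if xff_header else peer_address


# Constructed sample addresses (documentation ranges and private space).
CLIENT = "203.0.113.7"     # real client, as seen by the ALB
FORGED = "198.51.100.99"   # value a client placed in its own XFF header
ALB = "10.0.1.20"          # ALB, as seen by NGINX
NGINX = "10.0.2.30"        # NGINX, the gateway's direct peer


def header_at_gateway(client_supplied_xff):
    """XFF as the Istio IngressGateway sees it after ALB and NGINX."""
    after_alb = forward(client_supplied_xff, CLIENT)  # ALB appends the client
    return forward(after_alb, ALB)                    # NGINX appends the ALB


def resolve(client_supplied_xff, num_trusted_hops):
    """Client address the gateway would use for a given hop count."""
    header = header_at_gateway(client_supplied_xff)
    return trusted_client_address(header, NGINX, num_trusted_hops)


if __name__ == "__main__":
    for hops in (1, 2, 3):
        print(hops, resolve("", hops), resolve(FORGED, hops))
```

With 2 hops the model resolves the real client whether or not the request carried its own X-Forwarded-For. With 3 it accepts the client-supplied entry, and with 1 every request appears to come from the ALB.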


  1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match your SUBDOMAIN. Wait until the ADDRESS field shows the hostname of your Load Balancer:

    root@rok-tools:~/ops/deployments# kubectl -n istio-system get ingress
    NAME            HOSTS                              ADDRESS                                                                 PORTS   AGE
    istio-ingress   arrikto-cluster.apps.example.com   e53a524a-ingressnginx-ingr-8872-592794601.us-east-1.elb.amazonaws.com   80      1m
  2. Open your browser, and go to the Rok UI at


    Replace <YOUR_SUBDOMAIN> with your sub-domain. For example:



You have successfully configured Istio and exposed Rok to the outside world.

What’s Next

Optionally, you can integrate Rok and Arrikto EKF with external platforms or projects.