Ingress Setup for Production Environment#
Most Kubernetes clusters include an in-cluster network that is encapsulated and can typically initiate outbound connections (egress) unless controlled by specific policies. Incoming traffic (ingress) from the external or physical network must typically be routed through a LoadBalancer or NodePort service type.
In bare metal environments, where the cluster network is extended or peered to the top-of-rack switches and is therefore contiguous with the physical network, using an ingress controller or a similar proxy solution is still advisable. With this approach, you manage routing for the services.
Because the NeMo microservices operate at Layer 7 (HTTP-based APIs), implementing a fully HTTP-aware controller—such as an ingress controller or gateway—enables proper routing for building a cohesive system.
The NeMo Microservices Helm Chart comes with default values to route incoming requests appropriately.
You can refer to the ingress object in the values.yaml file for setting up an ingress resource, which you can use with most ingress controllers.
It also provides a virtual service template for cases where you use an Istio Gateway to handle ingress. To use this set ingress.enabled to false and virtualserice.enabled to true.
Domain Names#
Ensure that you define DNS records that will work in your Kubernetes cluster, ideally with TLS certificates.
You need at least three DNS records for the following:
- One for a default host for most of the NeMo microservices. The default path rules for the - defaulthost:- Path (Prefix) - Service - Port Number - /v1/namespaces - nemo-entity-store - 8000 - /v1/projects - nemo-entity-store - 8000 - /v1/datasets - nemo-entity-store - 8000 - /v1/repos - nemo-entity-store - 8000 - /v1/models - nemo-entity-store - 8000 - /v1/customization - nemo-customizer - 8000 - /v1/evaluation - nemo-evaluator - 7331 - /v1/guardrail - nemo-guardrails - 7331 - /v1/deployment - nemo-deployment-management - 8000 
- One for NIM Proxy. The default path rules for - nimProxy:- Path (Prefix) - Service - Port Number - /v1/completions - nemo-nim-proxy - 8000 - /v1/chat - nemo-nim-proxy - 8000 - /v1/models - nemo-nim-proxy - 8000 
- One for NeMo Data Store. The default path rule for - dataStore:- Path (Prefix) - Service - Port Number - / - nemo-data-store - 3000 - For a complete list of the network ports for the NeMo microservices, refer to the Security for NeMo Microservices page. 
For example, assume that you create a domain name called nemo.example.com for the default host, nim.example.com for nimProxy, and datastore.example.com for dataStore.
Create these domain names in your DNS provider. If you use TLS certificates, refer to the documentation from your ingress controller provider about how to correctly configure them in the cluster.
Note
Specify the default host name in the values file only if you already have other ingressed systems in your cluster. Otherwise, it functions as the default destination for requests.
Note
In the current release, the NeMo Entity Store and NIM Proxy services have API endpoints that are both named v1/models. Make sure that you set separate hosts for these services.
The NeMo Entity Store v1/models API endpoint exposes the data representation of uploaded models, such as the model name, version, and other metadata. The models that are discoverable through this API are registered models within the NeMo platform, and not for running inference against directly.
The NIM Proxy v1/models API endpoint is an OpenAI-compatible endpoint. The models discoverable through this endpoint are deployed NIM microservices that are up and running for real-time inference.
In your custom values file for the NeMo Microservices Helm Chart installation, configure the ingress object as follows:
ingress:
  tls: [] #if you have tls configs, enter them here
  hosts:
    default:
      name: nemo.example.com
    nimProxy:
      name: nim.example.com
    dataStore:
      name: datastore.example.com
As long as your ingress controller supports Prefix path types, you might not need to adjust the paths under these hosts. Run helm show values nemo-microservices-helm-chart to view the default ingress object and check if anything doesn’t work.
If any default paths entries need to change in such cases where you overwrite the service names for the NeMo microservices, make sure that you re-enter all the correct paths for the corresponding host in the ingress object.
Annotations#
Use the ingress.annotations value to add any of the annotations you require. Most advanced functionality for ingress controllers is managed via annotations.
Authentication#
The ingress or service mesh layer is the appropriate place to introduce authentication and access control. Such security solutions are implementation-specific. Refer to the documentation from the Kubernetes security solution provider and ingress controller provider you use.