playbooks

home / skills / dexploarer / hyper-forge / service-mesh-integrator

service-mesh-integrator skill

/.claude/skills/service-mesh-integrator

This skill configures enterprise service mesh for Istio, Linkerd, or Consul, enabling secure mTLS, traffic routing, canaries, and observability.

npx playbooks add skill dexploarer/hyper-forge --skill service-mesh-integrator

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
3.3 KB
---
name: service-mesh-integrator
description: Configure service mesh solutions including Istio, Linkerd, and Consul for traffic management, security, and observability in microservices. Activates for service mesh setup, mTLS, traffic routing, and mesh configuration.
allowed-tools: [Read, Write, Edit, Bash, Grep, Glob]
---

# Service Mesh Integrator

Configure enterprise service mesh for secure, observable microservices communication.

## When to Use

- Setting up Istio, Linkerd, or Consul service mesh
- Implementing mTLS between services
- Configuring traffic routing and load balancing
- Setting up canary deployments
- Implementing circuit breakers and retries
- Configuring observability (metrics, tracing, logging)

## Istio Configuration

```yaml
# Install Istio
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-control-plane
spec:
  profile: production
  components:
    pilot:
      k8s:
        resources:
          requests:
            cpu: 500m
            memory: 2Gi
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          replicas: 3

---
# Virtual Service for traffic routing
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: user-service
spec:
  hosts:
    - user-service
  http:
    - match:
        - headers:
            version:
              exact: v2
      route:
        - destination:
            host: user-service
            subset: v2
          weight: 100
    - route:
        - destination:
            host: user-service
            subset: v1
          weight: 90
        - destination:
            host: user-service
            subset: v2
          weight: 10

---
# Destination Rule
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: user-service
spec:
  host: user-service
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 50
        http2MaxRequests: 100
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
      trafficPolicy:
        loadBalancer:
          simple: ROUND_ROBIN
```

## mTLS Configuration

```yaml
# Enable mTLS globally
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT

---
# Authorization policy
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: user-service-authz
spec:
  selector:
    matchLabels:
      app: user-service
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/default/sa/order-service
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/v1/users/*"]
```

## Best Practices

- ✅ Enable mTLS for all service-to-service communication
- ✅ Use traffic splitting for canary deployments
- ✅ Configure circuit breakers and retries
- ✅ Implement rate limiting per service
- ✅ Use observability features (tracing, metrics)
- ✅ Regular security policy audits

## Related Skills

- `microservices-orchestrator`
- `distributed-tracing-setup`
- `sla-monitor-generator`

Overview

This skill configures and integrates service mesh solutions (Istio, Linkerd, Consul) to secure, route, and observe microservice traffic. It provides practical manifests and configuration patterns for mTLS, traffic routing, load balancing, and observability. Use it to implement production-ready mesh features like canaries, circuit breakers, and authorization policies.

How this skill works

The skill generates and validates mesh configuration: control plane installs, VirtualService/DestinationRule equivalents, PeerAuthentication/AuthorizationPolicy for mTLS and access control, and traffic-splitting rules for canary releases. It inspects service labels, namespaces, and existing policies to recommend least-privilege mTLS and routing rules, and outputs YAML snippets ready for kubectl/apply. It can also suggest observability hooks (metrics, tracing) and resilience settings (retries, outlier detection).

When to use it

  • Bootstrapping a service mesh (Istio, Linkerd, or Consul) in a Kubernetes cluster
  • Enforcing mTLS and service-to-service encryption across namespaces
  • Creating traffic routing for canary, A/B testing, and weighted rollouts
  • Applying circuit breakers, retry policies, and outlier detection for resilience
  • Configuring observability: metrics, tracing, and centralized logging

Best practices

  • Enable mTLS globally with namespace-aware PeerAuthentication and verify service accounts before strict mode
  • Use traffic-splitting for gradual rollouts and keep health checks enabled for canaries
  • Define DestinationRule-level connectionPool and outlierDetection to protect backends
  • Limit AuthorizationPolicy scope using selectors and principals, follow least privilege
  • Instrument services for tracing and export metrics to a central backend (Prometheus/Jaeger)

Example use cases

  • Install Istio control plane with production profile and scale ingress gateways for high traffic
  • Create a VirtualService to route 10% of traffic to v2 for a canary deployment and adjust weights dynamically
  • Apply strict mTLS and an AuthorizationPolicy allowing only specific service accounts to call user APIs
  • Configure destination-level connection pools and outlier detection to reduce cascading failures
  • Add tracing headers and metrics annotations to services for end-to-end observability

FAQ

Which mesh should I choose: Istio, Linkerd, or Consul?

Choose based on operational needs: Istio for advanced traffic control and policy, Linkerd for lightweight, performance-focused meshes, and Consul if you need multi-cluster service discovery and platform-agnostic features.

How do I roll back a canary if issues appear?

Shift weights back to the stable subset in the VirtualService (or equivalent) and revert any cluster-level policy changes; automate rollback with monitoring alerts and CI/CD hooks.