home / skills / doanchienthangdev / omgkit / service-mesh

service-mesh skill

safe

/plugin/skills/microservices/service-mesh

This skill guides you in implementing a service mesh with Istio and Linkerd, improving traffic control, security, and observability.

npx playbooks add skill doanchienthangdev/omgkit --skill service-mesh

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

4.1 KB

---
name: service-mesh
description: Advanced service mesh implementation with Istio, Linkerd, traffic management, mTLS, and observability.
---

# Service Mesh

Advanced service mesh implementation with Istio, Linkerd, traffic management, mTLS, and observability.

## Overview

Service mesh provides infrastructure-level features for service-to-service communication including traffic management, security, and observability without changing application code.

## Key Concepts

### Traffic Management
- **Virtual Services**: Route traffic based on rules
- **Destination Rules**: Configure load balancing, connection pools
- **Gateways**: Manage ingress/egress traffic
- **Service Entries**: Add external services to mesh

### Security
- **mTLS**: Mutual TLS between services
- **Authorization Policies**: Fine-grained access control
- **Peer Authentication**: Identity verification
- **Request Authentication**: JWT validation

### Observability
- **Distributed Tracing**: Automatic trace propagation
- **Metrics**: Automatic metric collection
- **Access Logging**: Request/response logging
- **Service Graph**: Visualization of dependencies

## Istio Patterns

### Traffic Routing
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews-route
spec:
  hosts:
    - reviews
  http:
    - match:
        - headers:
            end-user:
              exact: jason
      route:
        - destination:
            host: reviews
            subset: v2
    - route:
        - destination:
            host: reviews
            subset: v1
```

### Canary Deployment
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
    - my-service
  http:
    - route:
        - destination:
            host: my-service
            subset: v1
          weight: 90
        - destination:
            host: my-service
            subset: v2
          weight: 10
```

### Circuit Breaker
```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: my-service
spec:
  host: my-service
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        h2UpgradePolicy: UPGRADE
        http1MaxPendingRequests: 100
        http2MaxRequests: 1000
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
```

### mTLS Configuration
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

## Linkerd Patterns

### Service Profile
```yaml
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: my-service.default.svc.cluster.local
spec:
  routes:
    - name: GET /api/users
      condition:
        method: GET
        pathRegex: /api/users
      responseClasses:
        - condition:
            status:
              min: 500
              max: 599
          isFailure: true
```

### Traffic Split
```yaml
apiVersion: split.smi-spec.io/v1alpha1
kind: TrafficSplit
metadata:
  name: my-service-split
spec:
  service: my-service
  backends:
    - service: my-service-v1
      weight: 900m
    - service: my-service-v2
      weight: 100m
```

## Best Practices

1. **Start with Observability**: Enable tracing before traffic management
2. **Gradual mTLS Rollout**: Use permissive mode first
3. **Circuit Breaker Tuning**: Start conservative, adjust based on data
4. **Avoid Mesh Complexity**: Don't over-engineer routing rules
5. **Resource Limits**: Set appropriate proxy resource limits

## Anti-Patterns

- Putting business logic in routing rules
- Ignoring sidecar resource consumption
- Not monitoring mesh control plane
- Over-complicating traffic policies
- Skipping gradual rollout of mesh features

## When to Use

- Multiple services needing consistent traffic management
- Zero-trust security requirements
- Need for advanced observability without code changes
- Complex deployment strategies (canary, blue-green)

## When NOT to Use

- Simple applications with few services
- When latency is extremely critical (adds ~1ms)
- Teams without Kubernetes expertise
- Tight resource constraints

Overview

This skill delivers an advanced service mesh implementation using Istio and Linkerd to provide traffic management, mutual TLS security, and observability across microservices. It packages common patterns for routing, canary releases, circuit breaking, and telemetry so teams can apply proven configurations quickly. The goal is consistent service-to-service behavior without modifying application code.

How this skill works

The skill installs and configures data plane proxies and control plane components, then applies declarative resources such as VirtualServices, DestinationRules, PeerAuthentications, ServiceProfiles, and TrafficSplits. It configures mTLS, authorization, and telemetry hooks to capture traces, metrics, and access logs automatically. Traffic rules and policies are applied incrementally so you can validate behavior with canaries and progressive rollouts.

When to use it

When many microservices need consistent traffic management and resiliency policies
When you require zero-trust communication with automated mTLS and identity verification
When you want distributed tracing, metrics, and access logging without changing application code
When implementing canary, blue/green, or staged deployments
When you need circuit breakers and connection pool tuning to protect services

Best practices

Enable observability first (tracing + metrics) before changing traffic rules
Roll out mTLS gradually using permissive mode, then enforce strict mode after validation
Start circuit breaker thresholds conservatively and tune with real traffic data
Keep routing rules simple; avoid embedding business logic in mesh configuration
Set resource limits on sidecars and control plane components to prevent resource exhaustion

Example use cases

Route 10% of traffic to a new version for a canary deployment using weighted VirtualService or TrafficSplit
Apply strict mTLS across namespaces after testing in permissive mode to meet compliance
Protect a critical service with a DestinationRule circuit breaker to eject unhealthy endpoints
Create ServiceProfiles and SMI TrafficSplits for fine-grained observability and controlled traffic migration
Use gateways and service entries to manage secure ingress to external APIs while tracing requests end-to-end

FAQ

Will a service mesh require code changes?

No. The mesh provides networking, security, and observability at the infrastructure layer; application code usually does not need changes.

Does a mesh add latency?

Yes, sidecar proxies add small overhead (typically ~1ms), so evaluate latency-sensitive paths before full rollout.