@ruaruababa/vibe-kit 1.0.0

package/skills/mtls-configuration/SKILL.md

@@ -0,0 +1,359 @@
+---
+name: mtls-configuration
+description: Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication.
+---
+
+# mTLS Configuration
+
+Comprehensive guide to implementing mutual TLS for zero-trust service mesh communication.
+
+## Do not use this skill when
+
+- The task is unrelated to mtls configuration
+- You need a different domain or tool outside this scope
+
+## Instructions
+
+- Clarify goals, constraints, and required inputs.
+- Apply relevant best practices and validate outcomes.
+- Provide actionable steps and verification.
+- If detailed examples are required, open `resources/implementation-playbook.md`.
+
+## Use this skill when
+
+- Implementing zero-trust networking
+- Securing service-to-service communication
+- Certificate rotation and management
+- Debugging TLS handshake issues
+- Compliance requirements (PCI-DSS, HIPAA)
+- Multi-cluster secure communication
+
+## Core Concepts
+
+### 1. mTLS Flow
+
+```
+┌─────────┐                              ┌─────────┐
+│ Service │                              │ Service │
+│    A    │                              │    B    │
+└────┬────┘                              └────┬────┘
+     │                                        │
+┌────┴────┐      TLS Handshake          ┌────┴────┐
+│  Proxy  │◄───────────────────────────►│  Proxy  │
+│(Sidecar)│  1. ClientHello             │(Sidecar)│
+│         │  2. ServerHello + Cert      │         │
+│         │  3. Client Cert             │         │
+│         │  4. Verify Both Certs       │         │
+│         │  5. Encrypted Channel       │         │
+└─────────┘                              └─────────┘
+```
+
+### 2. Certificate Hierarchy
+
+```
+Root CA (Self-signed, long-lived)
+    │
+    ├── Intermediate CA (Cluster-level)
+    │       │
+    │       ├── Workload Cert (Service A)
+    │       └── Workload Cert (Service B)
+    │
+    └── Intermediate CA (Multi-cluster)
+            │
+            └── Cross-cluster certs
+```
+
+## Templates
+
+### Template 1: Istio mTLS (Strict Mode)
+
+```yaml
+# Enable strict mTLS mesh-wide
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: default
+  namespace: istio-system
+spec:
+  mtls:
+    mode: STRICT
+---
+# Namespace-level override (permissive for migration)
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: default
+  namespace: legacy-namespace
+spec:
+  mtls:
+    mode: PERMISSIVE
+---
+# Workload-specific policy
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: payment-service
+  namespace: production
+spec:
+  selector:
+    matchLabels:
+      app: payment-service
+  mtls:
+    mode: STRICT
+  portLevelMtls:
+    8080:
+      mode: STRICT
+    9090:
+      mode: DISABLE  # Metrics port, no mTLS
+```
+
+### Template 2: Istio Destination Rule for mTLS
+
+```yaml
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: default
+  namespace: istio-system
+spec:
+  host: "*.local"
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+---
+# TLS to external service
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: external-api
+spec:
+  host: api.external.com
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+      caCertificates: /etc/certs/external-ca.pem
+---
+# Mutual TLS to external service
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: partner-api
+spec:
+  host: api.partner.com
+  trafficPolicy:
+    tls:
+      mode: MUTUAL
+      clientCertificate: /etc/certs/client.pem
+      privateKey: /etc/certs/client-key.pem
+      caCertificates: /etc/certs/partner-ca.pem
+```
+
+### Template 3: Cert-Manager with Istio
+
+```yaml
+# Install cert-manager issuer for Istio
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: istio-ca
+spec:
+  ca:
+    secretName: istio-ca-secret
+---
+# Create Istio CA secret
+apiVersion: v1
+kind: Secret
+metadata:
+  name: istio-ca-secret
+  namespace: cert-manager
+type: kubernetes.io/tls
+data:
+  tls.crt: <base64-encoded-ca-cert>
+  tls.key: <base64-encoded-ca-key>
+---
+# Certificate for workload
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: my-service-cert
+  namespace: my-namespace
+spec:
+  secretName: my-service-tls
+  duration: 24h
+  renewBefore: 8h
+  issuerRef:
+    name: istio-ca
+    kind: ClusterIssuer
+  commonName: my-service.my-namespace.svc.cluster.local
+  dnsNames:
+    - my-service
+    - my-service.my-namespace
+    - my-service.my-namespace.svc
+    - my-service.my-namespace.svc.cluster.local
+  usages:
+    - server auth
+    - client auth
+```
+
+### Template 4: SPIFFE/SPIRE Integration
+
+```yaml
+# SPIRE Server configuration
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: spire-server
+  namespace: spire
+data:
+  server.conf: |
+    server {
+      bind_address = "0.0.0.0"
+      bind_port = "8081"
+      trust_domain = "example.org"
+      data_dir = "/run/spire/data"
+      log_level = "INFO"
+      ca_ttl = "168h"
+      default_x509_svid_ttl = "1h"
+    }
+
+    plugins {
+      DataStore "sql" {
+        plugin_data {
+          database_type = "sqlite3"
+          connection_string = "/run/spire/data/datastore.sqlite3"
+        }
+      }
+
+      NodeAttestor "k8s_psat" {
+        plugin_data {
+          clusters = {
+            "demo-cluster" = {
+              service_account_allow_list = ["spire:spire-agent"]
+            }
+          }
+        }
+      }
+
+      KeyManager "memory" {
+        plugin_data {}
+      }
+
+      UpstreamAuthority "disk" {
+        plugin_data {
+          key_file_path = "/run/spire/secrets/bootstrap.key"
+          cert_file_path = "/run/spire/secrets/bootstrap.crt"
+        }
+      }
+    }
+---
+# SPIRE Agent DaemonSet (abbreviated)
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: spire-agent
+  namespace: spire
+spec:
+  selector:
+    matchLabels:
+      app: spire-agent
+  template:
+    spec:
+      containers:
+        - name: spire-agent
+          image: ghcr.io/spiffe/spire-agent:1.8.0
+          volumeMounts:
+            - name: spire-agent-socket
+              mountPath: /run/spire/sockets
+      volumes:
+        - name: spire-agent-socket
+          hostPath:
+            path: /run/spire/sockets
+            type: DirectoryOrCreate
+```
+
+### Template 5: Linkerd mTLS (Automatic)
+
+```yaml
+# Linkerd enables mTLS automatically
+# Verify with:
+# linkerd viz edges deployment -n my-namespace
+
+# For external services without mTLS
+apiVersion: policy.linkerd.io/v1beta1
+kind: Server
+metadata:
+  name: external-api
+  namespace: my-namespace
+spec:
+  podSelector:
+    matchLabels:
+      app: my-app
+  port: external-api
+  proxyProtocol: HTTP/1  # or TLS for passthrough
+---
+# Skip TLS for specific port
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-service
+  annotations:
+    config.linkerd.io/skip-outbound-ports: "3306"  # MySQL
+```
+
+## Certificate Rotation
+
+```bash
+# Istio - Check certificate expiry
+istioctl proxy-config secret deploy/my-app -o json | \
+  jq '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | \
+  tr -d '"' | base64 -d | openssl x509 -text -noout
+
+# Force certificate rotation
+kubectl rollout restart deployment/my-app
+
+# Check Linkerd identity
+linkerd identity -n my-namespace
+```
+
+## Debugging mTLS Issues
+
+```bash
+# Istio - Check if mTLS is enabled
+istioctl authn tls-check my-service.my-namespace.svc.cluster.local
+
+# Verify peer authentication
+kubectl get peerauthentication --all-namespaces
+
+# Check destination rules
+kubectl get destinationrule --all-namespaces
+
+# Debug TLS handshake
+istioctl proxy-config log deploy/my-app --level debug
+kubectl logs deploy/my-app -c istio-proxy | grep -i tls
+
+# Linkerd - Check mTLS status
+linkerd viz edges deployment -n my-namespace
+linkerd viz tap deploy/my-app --to deploy/my-backend
+```
+
+## Best Practices
+
+### Do's
+- **Start with PERMISSIVE** - Migrate gradually to STRICT
+- **Monitor certificate expiry** - Set up alerts
+- **Use short-lived certs** - 24h or less for workloads
+- **Rotate CA periodically** - Plan for CA rotation
+- **Log TLS errors** - For debugging and audit
+
+### Don'ts
+- **Don't disable mTLS** - For convenience in production
+- **Don't ignore cert expiry** - Automate rotation
+- **Don't use self-signed certs** - Use proper CA hierarchy
+- **Don't skip verification** - Verify the full chain
+
+## Resources
+
+- [Istio Security](https://istio.io/latest/docs/concepts/security/)
+- [SPIFFE/SPIRE](https://spiffe.io/)
+- [cert-manager](https://cert-manager.io/)
+- [Zero Trust Architecture (NIST)](https://www.nist.gov/publications/zero-trust-architecture)

package/skills/multi-cloud-architecture/SKILL.md

@@ -0,0 +1,189 @@
+---
+name: multi-cloud-architecture
+description: Design multi-cloud architectures using a decision framework to select and integrate services across AWS, Azure, and GCP. Use when building multi-cloud systems, avoiding vendor lock-in, or leveraging best-of-breed services from multiple providers.
+---
+
+# Multi-Cloud Architecture
+
+Decision framework and patterns for architecting applications across AWS, Azure, and GCP.
+
+## Do not use this skill when
+
+- The task is unrelated to multi-cloud architecture
+- You need a different domain or tool outside this scope
+
+## Instructions
+
+- Clarify goals, constraints, and required inputs.
+- Apply relevant best practices and validate outcomes.
+- Provide actionable steps and verification.
+- If detailed examples are required, open `resources/implementation-playbook.md`.
+
+## Purpose
+
+Design cloud-agnostic architectures and make informed decisions about service selection across cloud providers.
+
+## Use this skill when
+
+- Design multi-cloud strategies
+- Migrate between cloud providers
+- Select cloud services for specific workloads
+- Implement cloud-agnostic architectures
+- Optimize costs across providers
+
+## Cloud Service Comparison
+
+### Compute Services
+
+| AWS | Azure | GCP | Use Case |
+|-----|-------|-----|----------|
+| EC2 | Virtual Machines | Compute Engine | IaaS VMs |
+| ECS | Container Instances | Cloud Run | Containers |
+| EKS | AKS | GKE | Kubernetes |
+| Lambda | Functions | Cloud Functions | Serverless |
+| Fargate | Container Apps | Cloud Run | Managed containers |
+
+### Storage Services
+
+| AWS | Azure | GCP | Use Case |
+|-----|-------|-----|----------|
+| S3 | Blob Storage | Cloud Storage | Object storage |
+| EBS | Managed Disks | Persistent Disk | Block storage |
+| EFS | Azure Files | Filestore | File storage |
+| Glacier | Archive Storage | Archive Storage | Cold storage |
+
+### Database Services
+
+| AWS | Azure | GCP | Use Case |
+|-----|-------|-----|----------|
+| RDS | SQL Database | Cloud SQL | Managed SQL |
+| DynamoDB | Cosmos DB | Firestore | NoSQL |
+| Aurora | PostgreSQL/MySQL | Cloud Spanner | Distributed SQL |
+| ElastiCache | Cache for Redis | Memorystore | Caching |
+
+**Reference:** See `references/service-comparison.md` for complete comparison
+
+## Multi-Cloud Patterns
+
+### Pattern 1: Single Provider with DR
+
+- Primary workload in one cloud
+- Disaster recovery in another
+- Database replication across clouds
+- Automated failover
+
+### Pattern 2: Best-of-Breed
+
+- Use best service from each provider
+- AI/ML on GCP
+- Enterprise apps on Azure
+- General compute on AWS
+
+### Pattern 3: Geographic Distribution
+
+- Serve users from nearest cloud region
+- Data sovereignty compliance
+- Global load balancing
+- Regional failover
+
+### Pattern 4: Cloud-Agnostic Abstraction
+
+- Kubernetes for compute
+- PostgreSQL for database
+- S3-compatible storage (MinIO)
+- Open source tools
+
+## Cloud-Agnostic Architecture
+
+### Use Cloud-Native Alternatives
+
+- **Compute:** Kubernetes (EKS/AKS/GKE)
+- **Database:** PostgreSQL/MySQL (RDS/SQL Database/Cloud SQL)
+- **Message Queue:** Apache Kafka (MSK/Event Hubs/Confluent)
+- **Cache:** Redis (ElastiCache/Azure Cache/Memorystore)
+- **Object Storage:** S3-compatible API
+- **Monitoring:** Prometheus/Grafana
+- **Service Mesh:** Istio/Linkerd
+
+### Abstraction Layers
+
+```
+Application Layer
+    ↓
+Infrastructure Abstraction (Terraform)
+    ↓
+Cloud Provider APIs
+    ↓
+AWS / Azure / GCP
+```
+
+## Cost Comparison
+
+### Compute Pricing Factors
+
+- **AWS:** On-demand, Reserved, Spot, Savings Plans
+- **Azure:** Pay-as-you-go, Reserved, Spot
+- **GCP:** On-demand, Committed use, Preemptible
+
+### Cost Optimization Strategies
+
+1. Use reserved/committed capacity (30-70% savings)
+2. Leverage spot/preemptible instances
+3. Right-size resources
+4. Use serverless for variable workloads
+5. Optimize data transfer costs
+6. Implement lifecycle policies
+7. Use cost allocation tags
+8. Monitor with cloud cost tools
+
+**Reference:** See `references/multi-cloud-patterns.md`
+
+## Migration Strategy
+
+### Phase 1: Assessment
+- Inventory current infrastructure
+- Identify dependencies
+- Assess cloud compatibility
+- Estimate costs
+
+### Phase 2: Pilot
+- Select pilot workload
+- Implement in target cloud
+- Test thoroughly
+- Document learnings
+
+### Phase 3: Migration
+- Migrate workloads incrementally
+- Maintain dual-run period
+- Monitor performance
+- Validate functionality
+
+### Phase 4: Optimization
+- Right-size resources
+- Implement cloud-native services
+- Optimize costs
+- Enhance security
+
+## Best Practices
+
+1. **Use infrastructure as code** (Terraform/OpenTofu)
+2. **Implement CI/CD pipelines** for deployments
+3. **Design for failure** across clouds
+4. **Use managed services** when possible
+5. **Implement comprehensive monitoring**
+6. **Automate cost optimization**
+7. **Follow security best practices**
+8. **Document cloud-specific configurations**
+9. **Test disaster recovery** procedures
+10. **Train teams** on multiple clouds
+
+## Reference Files
+
+- `references/service-comparison.md` - Complete service comparison
+- `references/multi-cloud-patterns.md` - Architecture patterns
+
+## Related Skills
+
+- `terraform-module-library` - For IaC implementation
+- `cost-optimization` - For cost management
+- `hybrid-cloud-networking` - For connectivity