@sylix/coworker 2.0.11 → 2.0.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/slash/config.d.ts.map +1 -1
- package/dist/commands/slash/config.js +22 -4
- package/dist/commands/slash/config.js.map +1 -1
- package/dist/core/CoWorkerAgent.d.ts.map +1 -1
- package/dist/core/CoWorkerAgent.js +6 -3
- package/dist/core/CoWorkerAgent.js.map +1 -1
- package/dist/skills/defaults/accessibility/screen-reader-testing.md +545 -0
- package/dist/skills/defaults/accessibility/wcag-audit-patterns.md +555 -0
- package/dist/skills/defaults/ai-ml/rag.md +276 -0
- package/dist/skills/defaults/backend-development/api-design-principles.md +528 -0
- package/dist/skills/defaults/backend-development/api-design.md +285 -0
- package/dist/skills/defaults/backend-development/architecture-patterns.md +494 -0
- package/dist/skills/defaults/backend-development/async-python.md +237 -0
- package/dist/skills/defaults/backend-development/auth-implementation-patterns.md +638 -0
- package/dist/skills/defaults/backend-development/bazel-build-optimization.md +387 -0
- package/dist/skills/defaults/backend-development/billing-automation/SKILL.md +566 -0
- package/dist/skills/defaults/backend-development/code-review-excellence.md +538 -0
- package/dist/skills/defaults/backend-development/cqrs-implementation.md +554 -0
- package/dist/skills/defaults/backend-development/database-design.md +305 -0
- package/dist/skills/defaults/backend-development/debugging-strategies.md +536 -0
- package/dist/skills/defaults/backend-development/e2e-testing-patterns.md +544 -0
- package/dist/skills/defaults/backend-development/error-handling-patterns.md +641 -0
- package/dist/skills/defaults/backend-development/fastapi-templates.md +559 -0
- package/dist/skills/defaults/backend-development/fastapi.md +309 -0
- package/dist/skills/defaults/backend-development/git-advanced-workflows.md +405 -0
- package/dist/skills/defaults/backend-development/microservices-patterns.md +595 -0
- package/dist/skills/defaults/backend-development/microservices.md +284 -0
- package/dist/skills/defaults/backend-development/monorepo-management.md +623 -0
- package/dist/skills/defaults/backend-development/nodejs-backend-patterns.md +1048 -0
- package/dist/skills/defaults/backend-development/nx-workspace-patterns.md +457 -0
- package/dist/skills/defaults/backend-development/paypal-integration/SKILL.md +478 -0
- package/dist/skills/defaults/backend-development/pci-compliance/SKILL.md +480 -0
- package/dist/skills/defaults/backend-development/python-anti-patterns.md +349 -0
- package/dist/skills/defaults/backend-development/python-background-jobs.md +364 -0
- package/dist/skills/defaults/backend-development/python-code-style.md +360 -0
- package/dist/skills/defaults/backend-development/python-configuration.md +368 -0
- package/dist/skills/defaults/backend-development/python-design-patterns.md +296 -0
- package/dist/skills/defaults/backend-development/python-error-handling.md +323 -0
- package/dist/skills/defaults/backend-development/python-packaging.md +887 -0
- package/dist/skills/defaults/backend-development/python-performance-optimization.md +874 -0
- package/dist/skills/defaults/backend-development/python-project-structure.md +252 -0
- package/dist/skills/defaults/backend-development/python-resilience.md +376 -0
- package/dist/skills/defaults/backend-development/python-resource-management.md +421 -0
- package/dist/skills/defaults/backend-development/python-type-safety.md +428 -0
- package/dist/skills/defaults/backend-development/sql-optimization-patterns.md +509 -0
- package/dist/skills/defaults/backend-development/stripe-integration/SKILL.md +522 -0
- package/dist/skills/defaults/backend-development/turborepo-caching.md +376 -0
- package/dist/skills/defaults/blockchain/defi-protocol-templates.md +430 -0
- package/dist/skills/defaults/blockchain/nft-standards.md +364 -0
- package/dist/skills/defaults/blockchain/solidity-security.md +514 -0
- package/dist/skills/defaults/blockchain/web3-testing.md +360 -0
- package/dist/skills/defaults/business/competitive-landscape/SKILL.md +527 -0
- package/dist/skills/defaults/business/market-sizing-analysis/SKILL.md +451 -0
- package/dist/skills/defaults/business/startup-financial-modeling/SKILL.md +494 -0
- package/dist/skills/defaults/business/startup-metrics-framework/SKILL.md +564 -0
- package/dist/skills/defaults/business/team-composition-analysis.md +437 -0
- package/dist/skills/defaults/compliance/employment-contract-templates/SKILL.md +527 -0
- package/dist/skills/defaults/compliance/gdpr-data-handling/SKILL.md +630 -0
- package/dist/skills/defaults/data-engineering/airflow-dag-patterns.md +436 -0
- package/dist/skills/defaults/data-engineering/airflow.md +519 -0
- package/dist/skills/defaults/data-engineering/data-quality.md +583 -0
- package/dist/skills/defaults/data-engineering/dbt-transformation-patterns.md +482 -0
- package/dist/skills/defaults/data-engineering/dbt.md +556 -0
- package/dist/skills/defaults/data-engineering/ml-pipeline-workflow/SKILL.md +247 -0
- package/dist/skills/defaults/data-engineering/spark-optimization.md +348 -0
- package/dist/skills/defaults/data-engineering/spark.md +411 -0
- package/dist/skills/defaults/database/postgresql.md +202 -0
- package/dist/skills/defaults/debugging/systematic-debugging.md +249 -0
- package/dist/skills/defaults/devops/architecture-decision-records.md +448 -0
- package/dist/skills/defaults/devops/changelog-automation.md +580 -0
- package/dist/skills/defaults/devops/cicd.md +314 -0
- package/dist/skills/defaults/devops/cloud.md +263 -0
- package/dist/skills/defaults/devops/code-review-excellence.md +299 -0
- package/dist/skills/defaults/devops/cost-optimization.md +295 -0
- package/dist/skills/defaults/devops/deployment-pipeline-design.md +356 -0
- package/dist/skills/defaults/devops/docker.md +281 -0
- package/dist/skills/defaults/devops/git-workflows.md +205 -0
- package/dist/skills/defaults/devops/github-actions.md +311 -0
- package/dist/skills/defaults/devops/gitlab-ci-patterns.md +266 -0
- package/dist/skills/defaults/devops/hybrid-cloud-networking.md +241 -0
- package/dist/skills/defaults/devops/istio-traffic-management.md +327 -0
- package/dist/skills/defaults/devops/kubernetes.md +339 -0
- package/dist/skills/defaults/devops/linkerd-patterns.md +311 -0
- package/dist/skills/defaults/devops/multi-cloud-architecture.md +181 -0
- package/dist/skills/defaults/devops/observability.md +243 -0
- package/dist/skills/defaults/devops/openapi-spec-generation.md +1024 -0
- package/dist/skills/defaults/devops/postmortem-writing.md +396 -0
- package/dist/skills/defaults/devops/prometheus-configuration.md +265 -0
- package/dist/skills/defaults/devops/secrets-management.md +341 -0
- package/dist/skills/defaults/devops/service-mesh-observability.md +385 -0
- package/dist/skills/defaults/devops/terraform-module-library.md +244 -0
- package/dist/skills/defaults/finance/backtesting-frameworks/SKILL.md +663 -0
- package/dist/skills/defaults/finance/risk-metrics-calculation/SKILL.md +557 -0
- package/dist/skills/defaults/frontend/accessibility-compliance.md +420 -0
- package/dist/skills/defaults/frontend/design-system-patterns.md +337 -0
- package/dist/skills/defaults/frontend/interaction-design.md +327 -0
- package/dist/skills/defaults/frontend/javascript.md +311 -0
- package/dist/skills/defaults/frontend/modern-javascript-patterns.md +927 -0
- package/dist/skills/defaults/frontend/react-native-design.md +440 -0
- package/dist/skills/defaults/frontend/react.md +345 -0
- package/dist/skills/defaults/frontend/responsive-design.md +472 -0
- package/dist/skills/defaults/frontend/tailwind-design-system.md +337 -0
- package/dist/skills/defaults/frontend/typescript-advanced-types.md +724 -0
- package/dist/skills/defaults/frontend/typescript.md +334 -0
- package/dist/skills/defaults/frontend/visual-design-foundations.md +326 -0
- package/dist/skills/defaults/frontend/web-component-design.md +279 -0
- package/dist/skills/defaults/game-development/godot-gdscript-patterns.md +188 -0
- package/dist/skills/defaults/game-development/unity-ecs-patterns.md +594 -0
- package/dist/skills/defaults/kubernetes/gitops-workflow.md +285 -0
- package/dist/skills/defaults/kubernetes/gitops.md +280 -0
- package/dist/skills/defaults/kubernetes/helm-chart-scaffolding.md +553 -0
- package/dist/skills/defaults/kubernetes/helm.md +343 -0
- package/dist/skills/defaults/kubernetes/k8s-manifest-generator.md +501 -0
- package/dist/skills/defaults/kubernetes/k8s-security-policies.md +342 -0
- package/dist/skills/defaults/kubernetes/manifests.md +330 -0
- package/dist/skills/defaults/kubernetes/security.md +337 -0
- package/dist/skills/defaults/llm-application/embedding-strategies.md +608 -0
- package/dist/skills/defaults/llm-application/hybrid-search-implementation.md +570 -0
- package/dist/skills/defaults/llm-application/hybrid-search.md +570 -0
- package/dist/skills/defaults/llm-application/langchain-architecture.md +666 -0
- package/dist/skills/defaults/llm-application/langchain.md +259 -0
- package/dist/skills/defaults/llm-application/llm-evaluation.md +695 -0
- package/dist/skills/defaults/llm-application/prompt-engineering-patterns.md +449 -0
- package/dist/skills/defaults/llm-application/prompt-engineering.md +219 -0
- package/dist/skills/defaults/llm-application/rag-implementation.md +434 -0
- package/dist/skills/defaults/llm-application/similarity-search-patterns.md +560 -0
- package/dist/skills/defaults/llm-application/similarity-search.md +560 -0
- package/dist/skills/defaults/llm-application/vector-index-tuning.md +523 -0
- package/dist/skills/defaults/mobile/mobile-android-design.md +440 -0
- package/dist/skills/defaults/mobile/mobile-ios-design.md +266 -0
- package/dist/skills/defaults/monitoring/distributed-tracing.md +436 -0
- package/dist/skills/defaults/monitoring/grafana-dashboards.md +370 -0
- package/dist/skills/defaults/monitoring/prometheus-configuration.md +379 -0
- package/dist/skills/defaults/monitoring/slo-implementation.md +323 -0
- package/dist/skills/defaults/refactoring/code-refactoring.md +349 -0
- package/dist/skills/defaults/security/anti-reversing-techniques/SKILL.md +559 -0
- package/dist/skills/defaults/security/auditor.md +168 -0
- package/dist/skills/defaults/security/binary-analysis-patterns/SKILL.md +438 -0
- package/dist/skills/defaults/security/memory-forensics/SKILL.md +483 -0
- package/dist/skills/defaults/security/mtls-configuration.md +349 -0
- package/dist/skills/defaults/security/protocol-reverse-engineering/SKILL.md +520 -0
- package/dist/skills/defaults/security/sast-configuration.md +182 -0
- package/dist/skills/defaults/security/security.md +313 -0
- package/dist/skills/defaults/security/stride-analysis.md +273 -0
- package/dist/skills/defaults/security/threat-mitigation-mapping.md +290 -0
- package/dist/skills/defaults/systems/bash-defensive-patterns/SKILL.md +539 -0
- package/dist/skills/defaults/systems/bats-testing-patterns/SKILL.md +631 -0
- package/dist/skills/defaults/systems/go-concurrency-patterns.md +657 -0
- package/dist/skills/defaults/systems/memory-safety-patterns.md +605 -0
- package/dist/skills/defaults/systems/rust-async-patterns.md +519 -0
- package/dist/skills/defaults/systems/shellcheck-configuration/SKILL.md +456 -0
- package/dist/skills/defaults/team-collaboration/multi-reviewer-patterns.md +126 -0
- package/dist/skills/defaults/team-collaboration/parallel-feature-development.md +151 -0
- package/dist/skills/defaults/testing/javascript-testing-patterns.md +1021 -0
- package/dist/skills/defaults/testing/python-testing-patterns.md +351 -0
- package/dist/skills/defaults/testing/testing.md +332 -0
- package/dist/skills/defaults/workflows/context-driven-development.md +384 -0
- package/dist/skills/defaults/workflows/track-management.md +592 -0
- package/dist/skills/defaults/workflows/workflow-patterns.md +622 -0
- package/dist/skills/index.d.ts +11 -0
- package/dist/skills/index.d.ts.map +1 -0
- package/dist/skills/index.js +129 -0
- package/dist/skills/index.js.map +1 -0
- package/dist/utils/character.js +4 -4
- package/dist/utils/character.js.map +1 -1
- package/dist/utils/inputbar.d.ts.map +1 -1
- package/dist/utils/inputbar.js +7 -0
- package/dist/utils/inputbar.js.map +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1,349 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: mtls-configuration
|
|
3
|
+
description: Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# mTLS Configuration
|
|
7
|
+
|
|
8
|
+
Comprehensive guide to implementing mutual TLS for zero-trust service mesh communication.
|
|
9
|
+
|
|
10
|
+
## When to Use This Skill
|
|
11
|
+
|
|
12
|
+
- Implementing zero-trust networking
|
|
13
|
+
- Securing service-to-service communication
|
|
14
|
+
- Certificate rotation and management
|
|
15
|
+
- Debugging TLS handshake issues
|
|
16
|
+
- Compliance requirements (PCI-DSS, HIPAA)
|
|
17
|
+
- Multi-cluster secure communication
|
|
18
|
+
|
|
19
|
+
## Core Concepts
|
|
20
|
+
|
|
21
|
+
### 1. mTLS Flow
|
|
22
|
+
|
|
23
|
+
```
|
|
24
|
+
┌─────────┐ ┌─────────┐
|
|
25
|
+
│ Service │ │ Service │
|
|
26
|
+
│ A │ │ B │
|
|
27
|
+
└────┬────┘ └────┬────┘
|
|
28
|
+
│ │
|
|
29
|
+
┌────┴────┐ TLS Handshake ┌────┴────┐
|
|
30
|
+
│ Proxy │◄───────────────────────────►│ Proxy │
|
|
31
|
+
│(Sidecar)│ 1. ClientHello │(Sidecar)│
|
|
32
|
+
│ │ 2. ServerHello + Cert │ │
|
|
33
|
+
│ │ 3. Client Cert │ │
|
|
34
|
+
│ │ 4. Verify Both Certs │ │
|
|
35
|
+
│ │ 5. Encrypted Channel │ │
|
|
36
|
+
└─────────┘ └─────────┘
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
### 2. Certificate Hierarchy
|
|
40
|
+
|
|
41
|
+
```
|
|
42
|
+
Root CA (Self-signed, long-lived)
|
|
43
|
+
│
|
|
44
|
+
├── Intermediate CA (Cluster-level)
|
|
45
|
+
│ │
|
|
46
|
+
│ ├── Workload Cert (Service A)
|
|
47
|
+
│ └── Workload Cert (Service B)
|
|
48
|
+
│
|
|
49
|
+
└── Intermediate CA (Multi-cluster)
|
|
50
|
+
│
|
|
51
|
+
└── Cross-cluster certs
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
## Templates
|
|
55
|
+
|
|
56
|
+
### Template 1: Istio mTLS (Strict Mode)
|
|
57
|
+
|
|
58
|
+
```yaml
|
|
59
|
+
# Enable strict mTLS mesh-wide
|
|
60
|
+
apiVersion: security.istio.io/v1beta1
|
|
61
|
+
kind: PeerAuthentication
|
|
62
|
+
metadata:
|
|
63
|
+
name: default
|
|
64
|
+
namespace: istio-system
|
|
65
|
+
spec:
|
|
66
|
+
mtls:
|
|
67
|
+
mode: STRICT
|
|
68
|
+
---
|
|
69
|
+
# Namespace-level override (permissive for migration)
|
|
70
|
+
apiVersion: security.istio.io/v1beta1
|
|
71
|
+
kind: PeerAuthentication
|
|
72
|
+
metadata:
|
|
73
|
+
name: default
|
|
74
|
+
namespace: legacy-namespace
|
|
75
|
+
spec:
|
|
76
|
+
mtls:
|
|
77
|
+
mode: PERMISSIVE
|
|
78
|
+
---
|
|
79
|
+
# Workload-specific policy
|
|
80
|
+
apiVersion: security.istio.io/v1beta1
|
|
81
|
+
kind: PeerAuthentication
|
|
82
|
+
metadata:
|
|
83
|
+
name: payment-service
|
|
84
|
+
namespace: production
|
|
85
|
+
spec:
|
|
86
|
+
selector:
|
|
87
|
+
matchLabels:
|
|
88
|
+
app: payment-service
|
|
89
|
+
mtls:
|
|
90
|
+
mode: STRICT
|
|
91
|
+
portLevelMtls:
|
|
92
|
+
8080:
|
|
93
|
+
mode: STRICT
|
|
94
|
+
9090:
|
|
95
|
+
mode: DISABLE # Metrics port, no mTLS
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
### Template 2: Istio Destination Rule for mTLS
|
|
99
|
+
|
|
100
|
+
```yaml
|
|
101
|
+
apiVersion: networking.istio.io/v1beta1
|
|
102
|
+
kind: DestinationRule
|
|
103
|
+
metadata:
|
|
104
|
+
name: default
|
|
105
|
+
namespace: istio-system
|
|
106
|
+
spec:
|
|
107
|
+
host: "*.local"
|
|
108
|
+
trafficPolicy:
|
|
109
|
+
tls:
|
|
110
|
+
mode: ISTIO_MUTUAL
|
|
111
|
+
---
|
|
112
|
+
# TLS to external service
|
|
113
|
+
apiVersion: networking.istio.io/v1beta1
|
|
114
|
+
kind: DestinationRule
|
|
115
|
+
metadata:
|
|
116
|
+
name: external-api
|
|
117
|
+
spec:
|
|
118
|
+
host: api.external.com
|
|
119
|
+
trafficPolicy:
|
|
120
|
+
tls:
|
|
121
|
+
mode: SIMPLE
|
|
122
|
+
caCertificates: /etc/certs/external-ca.pem
|
|
123
|
+
---
|
|
124
|
+
# Mutual TLS to external service
|
|
125
|
+
apiVersion: networking.istio.io/v1beta1
|
|
126
|
+
kind: DestinationRule
|
|
127
|
+
metadata:
|
|
128
|
+
name: partner-api
|
|
129
|
+
spec:
|
|
130
|
+
host: api.partner.com
|
|
131
|
+
trafficPolicy:
|
|
132
|
+
tls:
|
|
133
|
+
mode: MUTUAL
|
|
134
|
+
clientCertificate: /etc/certs/client.pem
|
|
135
|
+
privateKey: /etc/certs/client-key.pem
|
|
136
|
+
caCertificates: /etc/certs/partner-ca.pem
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
### Template 3: Cert-Manager with Istio
|
|
140
|
+
|
|
141
|
+
```yaml
|
|
142
|
+
# Install cert-manager issuer for Istio
|
|
143
|
+
apiVersion: cert-manager.io/v1
|
|
144
|
+
kind: ClusterIssuer
|
|
145
|
+
metadata:
|
|
146
|
+
name: istio-ca
|
|
147
|
+
spec:
|
|
148
|
+
ca:
|
|
149
|
+
secretName: istio-ca-secret
|
|
150
|
+
---
|
|
151
|
+
# Create Istio CA secret
|
|
152
|
+
apiVersion: v1
|
|
153
|
+
kind: Secret
|
|
154
|
+
metadata:
|
|
155
|
+
name: istio-ca-secret
|
|
156
|
+
namespace: cert-manager
|
|
157
|
+
type: kubernetes.io/tls
|
|
158
|
+
data:
|
|
159
|
+
tls.crt: <base64-encoded-ca-cert>
|
|
160
|
+
tls.key: <base64-encoded-ca-key>
|
|
161
|
+
---
|
|
162
|
+
# Certificate for workload
|
|
163
|
+
apiVersion: cert-manager.io/v1
|
|
164
|
+
kind: Certificate
|
|
165
|
+
metadata:
|
|
166
|
+
name: my-service-cert
|
|
167
|
+
namespace: my-namespace
|
|
168
|
+
spec:
|
|
169
|
+
secretName: my-service-tls
|
|
170
|
+
duration: 24h
|
|
171
|
+
renewBefore: 8h
|
|
172
|
+
issuerRef:
|
|
173
|
+
name: istio-ca
|
|
174
|
+
kind: ClusterIssuer
|
|
175
|
+
commonName: my-service.my-namespace.svc.cluster.local
|
|
176
|
+
dnsNames:
|
|
177
|
+
- my-service
|
|
178
|
+
- my-service.my-namespace
|
|
179
|
+
- my-service.my-namespace.svc
|
|
180
|
+
- my-service.my-namespace.svc.cluster.local
|
|
181
|
+
usages:
|
|
182
|
+
- server auth
|
|
183
|
+
- client auth
|
|
184
|
+
```
|
|
185
|
+
|
|
186
|
+
### Template 4: SPIFFE/SPIRE Integration
|
|
187
|
+
|
|
188
|
+
```yaml
|
|
189
|
+
# SPIRE Server configuration
|
|
190
|
+
apiVersion: v1
|
|
191
|
+
kind: ConfigMap
|
|
192
|
+
metadata:
|
|
193
|
+
name: spire-server
|
|
194
|
+
namespace: spire
|
|
195
|
+
data:
|
|
196
|
+
server.conf: |
|
|
197
|
+
server {
|
|
198
|
+
bind_address = "0.0.0.0"
|
|
199
|
+
bind_port = "8081"
|
|
200
|
+
trust_domain = "example.org"
|
|
201
|
+
data_dir = "/run/spire/data"
|
|
202
|
+
log_level = "INFO"
|
|
203
|
+
ca_ttl = "168h"
|
|
204
|
+
default_x509_svid_ttl = "1h"
|
|
205
|
+
}
|
|
206
|
+
|
|
207
|
+
plugins {
|
|
208
|
+
DataStore "sql" {
|
|
209
|
+
plugin_data {
|
|
210
|
+
database_type = "sqlite3"
|
|
211
|
+
connection_string = "/run/spire/data/datastore.sqlite3"
|
|
212
|
+
}
|
|
213
|
+
}
|
|
214
|
+
|
|
215
|
+
NodeAttestor "k8s_psat" {
|
|
216
|
+
plugin_data {
|
|
217
|
+
clusters = {
|
|
218
|
+
"demo-cluster" = {
|
|
219
|
+
service_account_allow_list = ["spire:spire-agent"]
|
|
220
|
+
}
|
|
221
|
+
}
|
|
222
|
+
}
|
|
223
|
+
}
|
|
224
|
+
|
|
225
|
+
KeyManager "memory" {
|
|
226
|
+
plugin_data {}
|
|
227
|
+
}
|
|
228
|
+
|
|
229
|
+
UpstreamAuthority "disk" {
|
|
230
|
+
plugin_data {
|
|
231
|
+
key_file_path = "/run/spire/secrets/bootstrap.key"
|
|
232
|
+
cert_file_path = "/run/spire/secrets/bootstrap.crt"
|
|
233
|
+
}
|
|
234
|
+
}
|
|
235
|
+
}
|
|
236
|
+
---
|
|
237
|
+
# SPIRE Agent DaemonSet (abbreviated)
|
|
238
|
+
apiVersion: apps/v1
|
|
239
|
+
kind: DaemonSet
|
|
240
|
+
metadata:
|
|
241
|
+
name: spire-agent
|
|
242
|
+
namespace: spire
|
|
243
|
+
spec:
|
|
244
|
+
selector:
|
|
245
|
+
matchLabels:
|
|
246
|
+
app: spire-agent
|
|
247
|
+
template:
|
|
248
|
+
spec:
|
|
249
|
+
containers:
|
|
250
|
+
- name: spire-agent
|
|
251
|
+
image: ghcr.io/spiffe/spire-agent:1.8.0
|
|
252
|
+
volumeMounts:
|
|
253
|
+
- name: spire-agent-socket
|
|
254
|
+
mountPath: /run/spire/sockets
|
|
255
|
+
volumes:
|
|
256
|
+
- name: spire-agent-socket
|
|
257
|
+
hostPath:
|
|
258
|
+
path: /run/spire/sockets
|
|
259
|
+
type: DirectoryOrCreate
|
|
260
|
+
```
|
|
261
|
+
|
|
262
|
+
### Template 5: Linkerd mTLS (Automatic)
|
|
263
|
+
|
|
264
|
+
```yaml
|
|
265
|
+
# Linkerd enables mTLS automatically
|
|
266
|
+
# Verify with:
|
|
267
|
+
# linkerd viz edges deployment -n my-namespace
|
|
268
|
+
|
|
269
|
+
# For external services without mTLS
|
|
270
|
+
apiVersion: policy.linkerd.io/v1beta1
|
|
271
|
+
kind: Server
|
|
272
|
+
metadata:
|
|
273
|
+
name: external-api
|
|
274
|
+
namespace: my-namespace
|
|
275
|
+
spec:
|
|
276
|
+
podSelector:
|
|
277
|
+
matchLabels:
|
|
278
|
+
app: my-app
|
|
279
|
+
port: external-api
|
|
280
|
+
proxyProtocol: HTTP/1 # or TLS for passthrough
|
|
281
|
+
---
|
|
282
|
+
# Skip TLS for specific port
|
|
283
|
+
apiVersion: v1
|
|
284
|
+
kind: Service
|
|
285
|
+
metadata:
|
|
286
|
+
name: my-service
|
|
287
|
+
annotations:
|
|
288
|
+
config.linkerd.io/skip-outbound-ports: "3306" # MySQL
|
|
289
|
+
```
|
|
290
|
+
|
|
291
|
+
## Certificate Rotation
|
|
292
|
+
|
|
293
|
+
```bash
|
|
294
|
+
# Istio - Check certificate expiry
|
|
295
|
+
istioctl proxy-config secret deploy/my-app -o json | \
|
|
296
|
+
jq '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | \
|
|
297
|
+
tr -d '"' | base64 -d | openssl x509 -text -noout
|
|
298
|
+
|
|
299
|
+
# Force certificate rotation
|
|
300
|
+
kubectl rollout restart deployment/my-app
|
|
301
|
+
|
|
302
|
+
# Check Linkerd identity
|
|
303
|
+
linkerd identity -n my-namespace
|
|
304
|
+
```
|
|
305
|
+
|
|
306
|
+
## Debugging mTLS Issues
|
|
307
|
+
|
|
308
|
+
```bash
|
|
309
|
+
# Istio - Check if mTLS is enabled
|
|
310
|
+
istioctl authn tls-check my-service.my-namespace.svc.cluster.local
|
|
311
|
+
|
|
312
|
+
# Verify peer authentication
|
|
313
|
+
kubectl get peerauthentication --all-namespaces
|
|
314
|
+
|
|
315
|
+
# Check destination rules
|
|
316
|
+
kubectl get destinationrule --all-namespaces
|
|
317
|
+
|
|
318
|
+
# Debug TLS handshake
|
|
319
|
+
istioctl proxy-config log deploy/my-app --level debug
|
|
320
|
+
kubectl logs deploy/my-app -c istio-proxy | grep -i tls
|
|
321
|
+
|
|
322
|
+
# Linkerd - Check mTLS status
|
|
323
|
+
linkerd viz edges deployment -n my-namespace
|
|
324
|
+
linkerd viz tap deploy/my-app --to deploy/my-backend
|
|
325
|
+
```
|
|
326
|
+
|
|
327
|
+
## Best Practices
|
|
328
|
+
|
|
329
|
+
### Do's
|
|
330
|
+
|
|
331
|
+
- **Start with PERMISSIVE** - Migrate gradually to STRICT
|
|
332
|
+
- **Monitor certificate expiry** - Set up alerts
|
|
333
|
+
- **Use short-lived certs** - 24h or less for workloads
|
|
334
|
+
- **Rotate CA periodically** - Plan for CA rotation
|
|
335
|
+
- **Log TLS errors** - For debugging and audit
|
|
336
|
+
|
|
337
|
+
### Don'ts
|
|
338
|
+
|
|
339
|
+
- **Don't disable mTLS** - For convenience in production
|
|
340
|
+
- **Don't ignore cert expiry** - Automate rotation
|
|
341
|
+
- **Don't use self-signed certs** - Use proper CA hierarchy
|
|
342
|
+
- **Don't skip verification** - Verify the full chain
|
|
343
|
+
|
|
344
|
+
## Resources
|
|
345
|
+
|
|
346
|
+
- [Istio Security](https://istio.io/latest/docs/concepts/security/)
|
|
347
|
+
- [SPIFFE/SPIRE](https://spiffe.io/)
|
|
348
|
+
- [cert-manager](https://cert-manager.io/)
|
|
349
|
+
- [Zero Trust Architecture (NIST)](https://www.nist.gov/publications/zero-trust-architecture)
|