@sylix/coworker 2.0.11 → 2.0.14

package/dist/skills/defaults/devops/istio-traffic-management.md

@@ -0,0 +1,327 @@
+---
+name: istio-traffic-management
+description: Configure Istio traffic management including routing, load balancing, circuit breakers, and canary deployments. Use when implementing service mesh traffic policies, progressive delivery, or resilience patterns.
+---
+
+# Istio Traffic Management
+
+Comprehensive guide to Istio traffic management for production service mesh deployments.
+
+## When to Use This Skill
+
+- Configuring service-to-service routing
+- Implementing canary or blue-green deployments
+- Setting up circuit breakers and retries
+- Load balancing configuration
+- Traffic mirroring for testing
+- Fault injection for chaos engineering
+
+## Core Concepts
+
+### 1. Traffic Management Resources
+
+| Resource            | Purpose                       | Scope         |
+| ------------------- | ----------------------------- | ------------- |
+| **VirtualService**  | Route traffic to destinations | Host-based    |
+| **DestinationRule** | Define policies after routing | Service-based |
+| **Gateway**         | Configure ingress/egress      | Cluster edge  |
+| **ServiceEntry**    | Add external services         | Mesh-wide     |
+
+### 2. Traffic Flow
+
+```
+Client → Gateway → VirtualService → DestinationRule → Service
+                    (routing)        (policies)        (pods)
+```
+
+## Templates
+
+### Template 1: Basic Routing
+
+```yaml
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: reviews-route
+  namespace: bookinfo
+spec:
+  hosts:
+    - reviews
+  http:
+    - match:
+        - headers:
+            end-user:
+              exact: jason
+      route:
+        - destination:
+            host: reviews
+            subset: v2
+    - route:
+        - destination:
+            host: reviews
+            subset: v1
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: reviews-destination
+  namespace: bookinfo
+spec:
+  host: reviews
+  subsets:
+    - name: v1
+      labels:
+        version: v1
+    - name: v2
+      labels:
+        version: v2
+    - name: v3
+      labels:
+        version: v3
+```
+
+### Template 2: Canary Deployment
+
+```yaml
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: my-service-canary
+spec:
+  hosts:
+    - my-service
+  http:
+    - route:
+        - destination:
+            host: my-service
+            subset: stable
+          weight: 90
+        - destination:
+            host: my-service
+            subset: canary
+          weight: 10
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: my-service-dr
+spec:
+  host: my-service
+  trafficPolicy:
+    connectionPool:
+      tcp:
+        maxConnections: 100
+      http:
+        h2UpgradePolicy: UPGRADE
+        http1MaxPendingRequests: 100
+        http2MaxRequests: 1000
+  subsets:
+    - name: stable
+      labels:
+        version: stable
+    - name: canary
+      labels:
+        version: canary
+```
+
+### Template 3: Circuit Breaker
+
+```yaml
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: circuit-breaker
+spec:
+  host: my-service
+  trafficPolicy:
+    connectionPool:
+      tcp:
+        maxConnections: 100
+      http:
+        http1MaxPendingRequests: 100
+        http2MaxRequests: 1000
+        maxRequestsPerConnection: 10
+        maxRetries: 3
+    outlierDetection:
+      consecutive5xxErrors: 5
+      interval: 30s
+      baseEjectionTime: 30s
+      maxEjectionPercent: 50
+      minHealthPercent: 30
+```
+
+### Template 4: Retry and Timeout
+
+```yaml
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: ratings-retry
+spec:
+  hosts:
+    - ratings
+  http:
+    - route:
+        - destination:
+            host: ratings
+      timeout: 10s
+      retries:
+        attempts: 3
+        perTryTimeout: 3s
+        retryOn: connect-failure,refused-stream,unavailable,cancelled,retriable-4xx,503
+        retryRemoteLocalities: true
+```
+
+### Template 5: Traffic Mirroring
+
+```yaml
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: mirror-traffic
+spec:
+  hosts:
+    - my-service
+  http:
+    - route:
+        - destination:
+            host: my-service
+            subset: v1
+      mirror:
+        host: my-service
+        subset: v2
+      mirrorPercentage:
+        value: 100.0
+```
+
+### Template 6: Fault Injection
+
+```yaml
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: fault-injection
+spec:
+  hosts:
+    - ratings
+  http:
+    - fault:
+        delay:
+          percentage:
+            value: 10
+          fixedDelay: 5s
+        abort:
+          percentage:
+            value: 5
+          httpStatus: 503
+      route:
+        - destination:
+            host: ratings
+```
+
+### Template 7: Ingress Gateway
+
+```yaml
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: my-gateway
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+    - port:
+        number: 443
+        name: https
+        protocol: HTTPS
+      tls:
+        mode: SIMPLE
+        credentialName: my-tls-secret
+      hosts:
+        - "*.example.com"
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: my-vs
+spec:
+  hosts:
+    - "api.example.com"
+  gateways:
+    - my-gateway
+  http:
+    - match:
+        - uri:
+            prefix: /api/v1
+      route:
+        - destination:
+            host: api-service
+            port:
+              number: 8080
+```
+
+## Load Balancing Strategies
+
+```yaml
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: load-balancing
+spec:
+  host: my-service
+  trafficPolicy:
+    loadBalancer:
+      simple: ROUND_ROBIN # or LEAST_CONN, RANDOM, PASSTHROUGH
+---
+# Consistent hashing for sticky sessions
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: sticky-sessions
+spec:
+  host: my-service
+  trafficPolicy:
+    loadBalancer:
+      consistentHash:
+        httpHeaderName: x-user-id
+        # or: httpCookie, useSourceIp, httpQueryParameterName
+```
+
+## Best Practices
+
+### Do's
+
+- **Start simple** - Add complexity incrementally
+- **Use subsets** - Version your services clearly
+- **Set timeouts** - Always configure reasonable timeouts
+- **Enable retries** - But with backoff and limits
+- **Monitor** - Use Kiali and Jaeger for visibility
+
+### Don'ts
+
+- **Don't over-retry** - Can cause cascading failures
+- **Don't ignore outlier detection** - Enable circuit breakers
+- **Don't mirror to production** - Mirror to test environments
+- **Don't skip canary** - Test with small traffic percentage first
+
+## Debugging Commands
+
+```bash
+# Check VirtualService configuration
+istioctl analyze
+
+# View effective routes
+istioctl proxy-config routes deploy/my-app -o json
+
+# Check endpoint discovery
+istioctl proxy-config endpoints deploy/my-app
+
+# Debug traffic
+istioctl proxy-config log deploy/my-app --level debug
+```
+
+## Resources
+
+- [Istio Traffic Management](https://istio.io/latest/docs/concepts/traffic-management/)
+- [Virtual Service Reference](https://istio.io/latest/docs/reference/config/networking/virtual-service/)
+- [Destination Rule Reference](https://istio.io/latest/docs/reference/config/networking/destination-rule/)

package/dist/skills/defaults/devops/kubernetes.md

@@ -0,0 +1,339 @@
+---
+name: kubernetes
+description: Expert Kubernetes architecture for cloud-native infrastructure, GitOps workflows, and enterprise container orchestration.
+---
+
+# Kubernetes Operations — CoWorker Edition
+
+Build and manage production Kubernetes clusters with confidence.
+
+## When to Use This Skill
+
+- Setting up new Kubernetes clusters
+- Deploying applications to K8s
+- Configuring GitOps workflows
+- Implementing service mesh
+- Managing cluster security
+
+## Core Concepts
+
+### 1. Pod Design
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: api-pod
+  labels:
+    app: api
+    version: v1
+spec:
+  containers:
+    - name: api
+      image: myapp/api:v1.2.3
+      ports:
+        - containerPort: 8080
+      env:
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: db-credentials
+              key: url
+        - name: LOG_LEVEL
+          value: "info"
+      resources:
+        requests:
+          memory: "256Mi"
+          cpu: "250m"
+        limits:
+          memory: "512Mi"
+          cpu: "500m"
+      livenessProbe:
+        httpGet:
+          path: /health
+          port: 8080
+        initialDelaySeconds: 30
+        periodSeconds: 10
+      readinessProbe:
+        httpGet:
+          path: /ready
+          port: 8080
+        initialDelaySeconds: 5
+        periodSeconds: 5
+```
+
+### 2. Deployment Strategies
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api-deployment
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: api
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels:
+        app: api
+        version: v2
+    spec:
+      containers:
+        - name: api
+          image: myapp/api:v2.0.0
+---
+# Canary deployment with Ingress
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: api-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/canary: "true"
+spec:
+  rules:
+    - host: api.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: api-service-v2
+                port:
+                  number: 80
+```
+
+### 3. Services and Networking
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: api-service
+spec:
+  type: ClusterIP
+  selector:
+    app: api
+  ports:
+    - port: 80
+      targetPort: 8080
+---
+# For external access
+apiVersion: v1
+kind: Service
+metadata:
+  name: api-service-lb
+spec:
+  type: LoadBalancer
+  selector:
+    app: api
+  ports:
+    - port: 80
+      targetPort: 8080
+---
+# Network Policy
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: api-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      app: api
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: frontend
+      ports:
+        - protocol: TCP
+          port: 8080
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: database
+      ports:
+        - protocol: TCP
+          port: 5432
+```
+
+### 4. ConfigMaps and Secrets
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: app-config
+data:
+  DATABASE_HOST: "postgres.default.svc.cluster.local"
+  REDIS_HOST: "redis.default.svc.cluster.local"
+  LOG_LEVEL: "info"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: app-secrets
+type: Opaque
+stringData:
+  DATABASE_PASSWORD: "changeme"
+  API_KEY: "sk-xxx"
+  # Or use base64 for opaque secrets:
+  # echo -n "password" | base64
+```
+
+### 5. Helm Charts
+
+```yaml
+# Chart.yaml
+apiVersion: v2
+name: myapp
+version: 1.0.0
+description: My application
+---
+# values.yaml
+replicaCount: 3
+
+image:
+  repository: myapp/api
+  tag: v1.0.0
+  pullPolicy: IfNotPresent
+
+service:
+  type: ClusterIP
+  port: 80
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 250m
+    memory: 256Mi
+
+ingress:
+  enabled: true
+  annotations:
+    kubernetes.io/ingress.class: nginx
+  hosts:
+    - host: api.example.com
+      paths:
+        - path: /
+          pathType: Prefix
+---
+# deployment.yaml (template)
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "myapp.fullname" . }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "myapp.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "myapp.selectorLabels" . | nindent 8 }}
+    spec:
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          ports:
+            - name: http
+              containerPort: 80
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+```
+
+### 6. GitOps with ArgoCD
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: myapp
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/myorg/myapp-gitops
+    targetRevision: main
+    path: k8s/overlays/production
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: production
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+```
+
+### 7. Resource Management
+
+```yaml
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: compute-quota
+spec:
+  hard:
+    requests.cpu: "4"
+    requests.memory: 8Gi
+    limits.cpu: "8"
+    limits.memory: 16Gi
+    pods: "20"
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: compute-limits
+spec:
+  limits:
+    - max:
+        cpu: "2"
+        memory: 1Gi
+      min:
+        cpu: 100m
+        memory: 128Mi
+      default:
+        cpu: 500m
+        memory: 512Mi
+      defaultRequest:
+        cpu: 200m
+        memory: 256Mi
+      type: Container
+```
+
+## Best Practices
+
+1. **Use Deployments** - Never use bare pods
+2. **Resource limits** - Always set requests and limits
+3. **Liveness/Readiness** - Health checks for reliability
+4. **Secrets management** - Use external secrets operators
+5. **Network policies** - Default deny, allow explicit
+6. **GitOps** - ArgoCD or Flux for deployments
+7. **RBAC** - Least privilege principle
+8. **Monitoring** - Prometheus + Grafana + Loki
+
+## Common Mistakes
+
+- No resource limits (OOMKilled)
+- Missing health probes
+- Running as root
+- No network policies
+- Bare pods in production
+- Hard-coded secrets
+- Not using namespaces