npm - @sylix/coworker - Versions diffs - 2.0.11 → 2.0.14 - Mend

@sylix/coworker 2.0.11 → 2.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/dist/skills/defaults/kubernetes/k8s-manifest-generator.md ADDED Viewed

@@ -0,0 +1,501 @@
+---
+name: k8s-manifest-generator
+description: Create production-ready Kubernetes manifests for Deployments, Services, ConfigMaps, and Secrets following best practices and security standards. Use when generating Kubernetes YAML manifests, creating K8s resources, or implementing production-grade Kubernetes configurations.
+---
+# Kubernetes Manifest Generator
+Step-by-step guidance for creating production-ready Kubernetes manifests including Deployments, Services, ConfigMaps, Secrets, and PersistentVolumeClaims.
+## Purpose
+This skill provides comprehensive guidance for generating well-structured, secure, and production-ready Kubernetes manifests following cloud-native best practices and Kubernetes conventions.
+## When to Use This Skill
+Use this skill when you need to:
+- Create new Kubernetes Deployment manifests
+- Define Service resources for network connectivity
+- Generate ConfigMap and Secret resources for configuration management
+- Create PersistentVolumeClaim manifests for stateful workloads
+- Follow Kubernetes best practices and naming conventions
+- Implement resource limits, health checks, and security contexts
+- Design manifests for multi-environment deployments
+## Step-by-Step Workflow
+### 1. Gather Requirements
+**Understand the workload:**
+- Application type (stateless/stateful)
+- Container image and version
+- Environment variables and configuration needs
+- Storage requirements
+- Network exposure requirements (internal/external)
+- Resource requirements (CPU, memory)
+- Scaling requirements
+- Health check endpoints
+**Questions to ask:**
+- What is the application name and purpose?
+- What container image and tag will be used?
+- Does the application need persistent storage?
+- What ports does the application expose?
+- Are there any secrets or configuration files needed?
+- What are the CPU and memory requirements?
+- Does the application need to be exposed externally?
+### 2. Create Deployment Manifest
+**Follow this structure:**
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: <app-name>
+  namespace: <namespace>
+  labels:
+    app: <app-name>
+    version: <version>
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: <app-name>
+  template:
+    metadata:
+      labels:
+        app: <app-name>
+        version: <version>
+    spec:
+      containers:
+        - name: <container-name>
+          image: <image>:<tag>
+          ports:
+            - containerPort: <port>
+              name: http
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "250m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 30
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 5
+          env:
+            - name: ENV_VAR
+              value: "value"
+          envFrom:
+            - configMapRef:
+                name: <app-name>-config
+            - secretRef:
+                name: <app-name>-secret
+```
+**Best practices to apply:**
+- Always set resource requests and limits
+- Implement both liveness and readiness probes
+- Use specific image tags (never `:latest`)
+- Apply security context for non-root users
+- Use labels for organization and selection
+- Set appropriate replica count based on availability needs
+### 3. Create Service Manifest
+**Choose the appropriate Service type:**
+**ClusterIP (internal only):**
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: <app-name>
+  namespace: <namespace>
+  labels:
+    app: <app-name>
+spec:
+  type: ClusterIP
+  selector:
+    app: <app-name>
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+      protocol: TCP
+```
+**LoadBalancer (external access):**
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: <app-name>
+  namespace: <namespace>
+  labels:
+    app: <app-name>
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+spec:
+  type: LoadBalancer
+  selector:
+    app: <app-name>
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+      protocol: TCP
+```
+### 4. Create ConfigMap
+**For application configuration:**
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: <app-name>-config
+  namespace: <namespace>
+data:
+  APP_MODE: production
+  LOG_LEVEL: info
+  DATABASE_HOST: db.example.com
+  # For config files
+  app.properties: |
+    server.port=8080
+    server.host=0.0.0.0
+    logging.level=INFO
+```
+**Best practices:**
+- Use ConfigMaps for non-sensitive data only
+- Organize related configuration together
+- Use meaningful names for keys
+- Consider using one ConfigMap per component
+- Version ConfigMaps when making changes
+### 5. Create Secret
+**For sensitive data:**
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: <app-name>-secret
+  namespace: <namespace>
+type: Opaque
+stringData:
+  DATABASE_PASSWORD: "changeme"
+  API_KEY: "secret-api-key"
+  # For certificate files
+  tls.crt: |
+    -----BEGIN CERTIFICATE-----
+    ...
+    -----END CERTIFICATE-----
+  tls.key: |
+    -----BEGIN PRIVATE KEY-----
+    ...
+    -----END PRIVATE KEY-----
+```
+**Security considerations:**
+- Never commit secrets to Git in plain text
+- Use Sealed Secrets, External Secrets Operator, or Vault
+- Rotate secrets regularly
+- Use RBAC to limit secret access
+- Consider using Secret type: `kubernetes.io/tls` for TLS secrets
+### 6. Create PersistentVolumeClaim (if needed)
+**For stateful applications:**
+```yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: <app-name>-data
+  namespace: <namespace>
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: gp3
+  resources:
+    requests:
+      storage: 10Gi
+```
+**Mount in Deployment:**
+```yaml
+spec:
+  template:
+    spec:
+      containers:
+        - name: app
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/app
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: <app-name>-data
+```
+**Storage considerations:**
+- Choose appropriate StorageClass for performance needs
+- Use ReadWriteOnce for single-pod access
+- Use ReadWriteMany for multi-pod shared storage
+- Consider backup strategies
+- Set appropriate retention policies
+### 7. Apply Security Best Practices
+**Add security context to Deployment:**
+```yaml
+spec:
+  template:
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: app
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+```
+**Security checklist:**
+- [ ] Run as non-root user
+- [ ] Drop all capabilities
+- [ ] Use read-only root filesystem
+- [ ] Disable privilege escalation
+- [ ] Set seccomp profile
+- [ ] Use Pod Security Standards
+### 8. Add Labels and Annotations
+**Standard labels (recommended):**
+```yaml
+metadata:
+  labels:
+    app.kubernetes.io/name: <app-name>
+    app.kubernetes.io/instance: <instance-name>
+    app.kubernetes.io/version: "1.0.0"
+    app.kubernetes.io/component: backend
+    app.kubernetes.io/part-of: <system-name>
+    app.kubernetes.io/managed-by: kubectl
+```
+**Useful annotations:**
+```yaml
+metadata:
+  annotations:
+    description: "Application description"
+    contact: "team@example.com"
+    prometheus.io/scrape: "true"
+    prometheus.io/port: "9090"
+    prometheus.io/path: "/metrics"
+```
+### 9. Organize Multi-Resource Manifests
+**File organization options:**
+**Option 1: Single file with `---` separator**
+```yaml
+# app-name.yaml
+---
+apiVersion: v1
+kind: ConfigMap
+...
+---
+apiVersion: v1
+kind: Secret
+...
+---
+apiVersion: apps/v1
+kind: Deployment
+...
+---
+apiVersion: v1
+kind: Service
+...
+```
+**Option 2: Separate files**
+```
+manifests/
+├── configmap.yaml
+├── secret.yaml
+├── deployment.yaml
+├── service.yaml
+└── pvc.yaml
+```
+**Option 3: Kustomize structure**
+```
+base/
+├── kustomization.yaml
+├── deployment.yaml
+├── service.yaml
+└── configmap.yaml
+overlays/
+├── dev/
+│   └── kustomization.yaml
+└── prod/
+    └── kustomization.yaml
+```
+### 10. Validate and Test
+**Validation steps:**
+```bash
+# Dry-run validation
+kubectl apply -f manifest.yaml --dry-run=client
+# Server-side validation
+kubectl apply -f manifest.yaml --dry-run=server
+# Validate with kubeval
+kubeval manifest.yaml
+# Validate with kube-score
+kube-score score manifest.yaml
+# Check with kube-linter
+kube-linter lint manifest.yaml
+```
+**Testing checklist:**
+- [ ] Manifest passes dry-run validation
+- [ ] All required fields are present
+- [ ] Resource limits are reasonable
+- [ ] Health checks are configured
+- [ ] Security context is set
+- [ ] Labels follow conventions
+- [ ] Namespace exists or is created
+## Common Patterns
+### Pattern 1: Simple Stateless Web Application
+**Use case:** Standard web API or microservice
+**Components needed:**
+- Deployment (3 replicas for HA)
+- ClusterIP Service
+- ConfigMap for configuration
+- Secret for API keys
+- HorizontalPodAutoscaler (optional)
+### Pattern 2: Stateful Database Application
+**Use case:** Database or persistent storage application
+**Components needed:**
+- StatefulSet (not Deployment)
+- Headless Service
+- PersistentVolumeClaim template
+- ConfigMap for DB configuration
+- Secret for credentials
+### Pattern 3: Background Job or Cron
+**Use case:** Scheduled tasks or batch processing
+**Components needed:**
+- CronJob or Job
+- ConfigMap for job parameters
+- Secret for credentials
+- ServiceAccount with RBAC
+### Pattern 4: Multi-Container Pod
+**Use case:** Application with sidecar containers
+**Components needed:**
+- Deployment with multiple containers
+- Shared volumes between containers
+- Init containers for setup
+- Service (if needed)
+## Best Practices Summary
+1. **Always set resource requests and limits** - Prevents resource starvation
+2. **Implement health checks** - Ensures Kubernetes can manage your application
+3. **Use specific image tags** - Avoid unpredictable deployments
+4. **Apply security contexts** - Run as non-root, drop capabilities
+5. **Use ConfigMaps and Secrets** - Separate config from code
+6. **Label everything** - Enables filtering and organization
+7. **Follow naming conventions** - Use standard Kubernetes labels
+8. **Validate before applying** - Use dry-run and validation tools
+9. **Version your manifests** - Keep in Git with version control
+10. **Document with annotations** - Add context for other developers
+## Troubleshooting
+**Pods not starting:**
+- Check image pull errors: `kubectl describe pod <pod-name>`
+- Verify resource availability: `kubectl get nodes`
+- Check events: `kubectl get events --sort-by='.lastTimestamp'`
+**Service not accessible:**
+- Verify selector matches pod labels: `kubectl get endpoints <service-name>`
+- Check service type and port configuration
+- Test from within cluster: `kubectl run debug --rm -it --image=busybox -- sh`
+**ConfigMap/Secret not loading:**
+- Verify names match in Deployment
+- Check namespace
+- Ensure resources exist: `kubectl get configmap,secret`
+## Related Skills
+- `helm-chart-scaffolding` - For templating and packaging
+- `gitops-workflow` - For automated deployments
+- `k8s-security-policies` - For advanced security configurations