CtrlK
BlogDocsLog inGet started
Tessl Logo

configuring-service-meshes

Configure this skill configures service meshes like istio and linkerd for microservices. it generates production-ready configurations, implements best practices, and ensures a security-first approach. use this skill when the user asks to "configure service ... Use when appropriate context detected. Trigger with relevant phrases based on skill purpose.

45

Quality

33%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/devops/service-mesh-configurator/skills/configuring-service-meshes/SKILL.md
SKILL.md
Quality
Evals
Security

Configuring Service Meshes

Overview

Configure service meshes (Istio, Linkerd, Consul Connect) for Kubernetes microservices architectures. Generate mTLS configurations, traffic management rules (routing, splitting, mirroring), observability integrations (distributed tracing, metrics), and resilience patterns (retries, circuit breakers, timeouts).

Prerequisites

  • Kubernetes cluster accessible via kubectl with admin permissions
  • Service mesh CLI installed: istioctl, linkerd, or consul
  • Helm 3+ for service mesh installation charts
  • Understanding of microservice communication patterns and dependencies
  • Observability backend available (Jaeger, Zipkin, or Prometheus/Grafana) for tracing and metrics

Instructions

  1. Select the service mesh based on requirements: Istio for full-featured L7 control, Linkerd for lightweight simplicity, Consul Connect for multi-platform
  2. Install the control plane: istioctl install --set profile=production or linkerd install | kubectl apply -f -
  3. Enable sidecar injection for target namespaces: label namespaces with istio-injection=enabled or linkerd.io/inject=enabled
  4. Configure mTLS: set PeerAuthentication to STRICT mode for zero-trust inter-service communication
  5. Define traffic management rules: VirtualService for routing, DestinationRule for load balancing and circuit breaking
  6. Set up traffic splitting for canary deployments: route a percentage of traffic to the new version
  7. Configure retry policies and timeouts to improve resilience against transient failures
  8. Integrate observability: connect to Jaeger/Zipkin for distributed tracing, Prometheus for metrics, and Kiali for visualization
  9. Validate the mesh: verify sidecar injection, mTLS status, and traffic routing with istioctl analyze or linkerd check

Output

  • Service mesh installation manifests or Helm values
  • PeerAuthentication and AuthorizationPolicy manifests for mTLS and RBAC
  • VirtualService and DestinationRule manifests for traffic management
  • ServiceEntry manifests for external service access
  • Observability integration configuration (Jaeger, Prometheus, Kiali)

Error Handling

ErrorCauseSolution
sidecar not injectedNamespace not labeled for injection or pod has annotation to skipAdd istio-injection=enabled label to namespace; check pod annotations
mTLS handshake failedMismatched TLS settings between services or missing certificatesSet PeerAuthentication to PERMISSIVE temporarily; check istioctl proxy-status
503 Service UnavailableCircuit breaker tripped or upstream connection pool exhaustedReview DestinationRule connection pool settings; increase maxConnections and http2MaxRequests
traffic not splitting correctlyVirtualService weight percentages misconfiguredVerify weights sum to 100; check VirtualService is bound to the correct gateway/host
high latency after mesh installSidecar proxy adding overhead or misconfigured timeoutsTune proxy resources; review timeout settings; check if services are using HTTP/2

Examples

  • "Install Istio with strict mTLS on a production cluster and configure a VirtualService for canary routing: 90% to v1, 10% to v2."
  • "Set up Linkerd on a microservices cluster with automatic retries (3 attempts, 500ms timeout) and integrate with Prometheus for golden signal metrics."
  • "Configure an Istio AuthorizationPolicy that allows only the frontend service to call the API gateway, blocking all other inter-service traffic."

Resources

  • Istio documentation: https://istio.io/latest/docs/
  • Linkerd documentation: https://linkerd.io/2/overview/
  • Consul Connect: https://developer.hashicorp.com/consul/docs/connect
  • Kiali (service mesh observability): https://kiali.io/docs/
Repository
jeremylongshore/claude-code-plugins-plus-skills
Commit

c8a915c

Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill