mirror of
https://github.com/wshobson/agents.git
synced 2026-03-18 17:47:16 +00:00
Remove references to non-existent resource files (references/, assets/, scripts/, examples/) from 115 skill SKILL.md files. These sections pointed to directories and files that were never created, causing confusion when users install skills. Also fix broken Code of Conduct links in issue templates to use absolute GitHub URLs instead of relative paths that 404.
306 lines
7.7 KiB
Markdown
---
name: linkerd-patterns
description: Implement Linkerd service mesh patterns for lightweight, security-focused service mesh deployments. Use when setting up Linkerd, configuring traffic policies, or implementing zero-trust networking with minimal overhead.
---

# Linkerd Patterns

Production patterns for Linkerd service mesh - the lightweight, security-first service mesh for Kubernetes.

## When to Use This Skill

- Setting up a lightweight service mesh
- Implementing automatic mTLS
- Configuring traffic splits for canary deployments
- Setting up service profiles for per-route metrics
- Implementing retries and timeouts
- Multi-cluster service mesh

## Core Concepts

### 1. Linkerd Architecture

The control plane issues workload identities (identity), resolves service endpoints and policy (destination) and injects the sidecar proxy into pods (proxy-injector); the data plane is one proxy per pod, carrying mTLS between them.

```
┌──────────────────────────────────────────────────┐
│                  Control Plane                   │
│ ┌─────────────┐ ┌──────────┐ ┌────────────────┐  │
│ │ destination │ │ identity │ │ proxy-injector │  │
│ └─────────────┘ └──────────┘ └────────────────┘  │
└──────────────────────────────────────────────────┘
                         │
┌──────────────────────────────────────────────────┐
│                    Data Plane                    │
│   ┌───────┐      ┌───────┐      ┌───────┐        │
│   │ proxy │──────│ proxy │──────│ proxy │        │
│   └───┬───┘      └───┬───┘      └───┬───┘        │
│   ┌───┴───┐      ┌───┴───┐      ┌───┴───┐        │
│   │  app  │      │  app  │      │  app  │        │
│   └───────┘      └───────┘      └───────┘        │
└──────────────────────────────────────────────────┘
```

### 2. Key Resources

| Resource                | Purpose                                      |
| ----------------------- | -------------------------------------------- |
| **ServiceProfile**      | Per-route metrics, retries, timeouts         |
| **TrafficSplit**        | Canary deployments, A/B testing              |
| **Server**              | Define server-side policies                  |
| **ServerAuthorization** | Access control policies                      |
| **HTTPRoute**           | Path- and header-based routing (Template 6)  |

## Templates

### Template 1: Mesh Installation

```bash
# Install CLI
curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh

# Validate cluster
linkerd check --pre

# Install CRDs
linkerd install --crds | kubectl apply -f -

# Install control plane
linkerd install | kubectl apply -f -

# Verify installation
linkerd check

# Install viz extension (optional)
linkerd viz install | kubectl apply -f -
```

### Template 2: Inject Namespace

```yaml
# Automatic injection for namespace
apiVersion: v1
kind: Namespace
metadata:
  name: my-app
  annotations:
    linkerd.io/inject: enabled
---
# Or inject specific deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  annotations:
    linkerd.io/inject: enabled
spec:
  # selector and containers omitted; the injector reads the pod template annotation
  template:
    metadata:
      annotations:
        linkerd.io/inject: enabled
```

### Template 3: Service Profile with Retries

```yaml
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  # The name must be the service's fully qualified DNS name
  name: my-service.my-namespace.svc.cluster.local
  namespace: my-namespace
spec:
  routes:
    - name: GET /api/users
      condition:
        method: GET
        pathRegex: /api/users
      responseClasses:
        - condition:
            status:
              min: 500
              max: 599
          isFailure: true
      # isRetryable is a per-route setting; 5xx responses above count as failures
      isRetryable: true
    - name: POST /api/users
      condition:
        method: POST
        pathRegex: /api/users
      # POST not retryable by default
      isRetryable: false
    - name: GET /api/users/{id}
      condition:
        method: GET
        pathRegex: /api/users/[^/]+
      timeout: 5s
      isRetryable: true
  # Budget shared by all routes: retries capped at 20% of traffic plus 10/s
  retryBudget:
    retryRatio: 0.2
    minRetriesPerSecond: 10
    ttl: 10s
```

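The profile above mixes retryable routes, one route timeout and a shared retry budget. The Python below is an added example (not part of the original skill) that lints such a profile for the settings the Best Practices section warns about and computes the retry ceiling the budget permits at a given request rate; the profile is embedded as the dict `yaml.safe_load` would produce for Template 3, and the `IDEMPOTENT` method set is an assumption.

```python
# Added example: lint a Linkerd ServiceProfile for retry-storm and timeout risks.
# PROFILE is constructed inline as the dict yaml.safe_load would return for
# Template 3, so the check runs offline without a cluster.
PROFILE = {
    "apiVersion": "linkerd.io/v1alpha2",
    "kind": "ServiceProfile",
    "metadata": {"name": "my-service.my-namespace.svc.cluster.local",
                 "namespace": "my-namespace"},
    "spec": {
        "routes": [
            {"name": "GET /api/users",
             "condition": {"method": "GET", "pathRegex": "/api/users"},
             "responseClasses": [{"condition": {"status": {"min": 500, "max": 599}},
                                  "isFailure": True}],
             "isRetryable": True},
            {"name": "POST /api/users",
             "condition": {"method": "POST", "pathRegex": "/api/users"},
             "isRetryable": False},
            {"name": "GET /api/users/{id}",
             "condition": {"method": "GET", "pathRegex": "/api/users/[^/]+"},
             "timeout": "5s", "isRetryable": True},
        ],
        "retryBudget": {"retryRatio": 0.2, "minRetriesPerSecond": 10, "ttl": "10s"},
    },
}

# Assumption: only these methods are safe to replay without duplicating side effects.
IDEMPOTENT = {"GET", "HEAD", "OPTIONS", "PUT", "DELETE"}


def lint_profile(profile):
    """Return (route, issue) pairs for settings that invite retry storms or hung calls."""
    spec = profile["spec"]
    issues = []
    if "retryBudget" not in spec:
        issues.append(("<spec>", "no retryBudget: Linkerd's default budget applies"))
    for route in spec.get("routes", []):
        name = route["name"]
        method = route.get("condition", {}).get("method", "").upper()
        if route.get("isRetryable") and method not in IDEMPOTENT:
            issues.append((name, f"retryable {method} can duplicate side effects"))
        if "timeout" not in route:
            issues.append((name, "no timeout: a hung upstream holds the caller"))
    return issues


def max_retries_per_second(budget, request_rate):
    """Ceiling on retries/s the budget allows: retryRatio * rps + minRetriesPerSecond."""
    return budget["retryRatio"] * request_rate + budget["minRetriesPerSecond"]
```

Run against Template 3 it reports the two routes with no timeout, and at 1000 requests/s the budget permits at most 210 retries/s.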
### Template 4: Traffic Split (Canary)

```yaml
apiVersion: split.smi-spec.io/v1alpha1
kind: TrafficSplit
metadata:
  name: my-service-canary
  namespace: my-namespace
spec:
  service: my-service
  backends:
    - service: my-service-stable
      weight: 900m # 90%
    - service: my-service-canary
      weight: 100m # 10%
```

### Template 5: Server Authorization Policy

```yaml
# Define the server
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: my-service-http
  namespace: my-namespace
spec:
  podSelector:
    matchLabels:
      app: my-service
  port: http
  proxyProtocol: HTTP/1
---
# Allow traffic from specific clients
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: allow-frontend
  namespace: my-namespace
spec:
  server:
    name: my-service-http
  client:
    meshTLS:
      serviceAccounts:
        - name: frontend
          namespace: my-namespace
---
# Allow unauthenticated traffic (e.g., from ingress)
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: allow-ingress
  namespace: my-namespace
spec:
  server:
    name: my-service-http
  client:
    unauthenticated: true
    networks:
      - cidr: 10.0.0.0/8
```

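As an added check (not part of the original skill), the Python below audits Server and ServerAuthorization manifests like the three above for grants that weaken zero-trust: unauthenticated clients from unrestricted or broad networks, mesh-TLS grants that skip the identity check, dangling server references, and Servers that no policy covers. The manifests are embedded as the dicts `yaml.safe_load` would produce for Template 5, and the /16 "broad" threshold is an assumption.

```python
# Added example: audit Server / ServerAuthorization pairs for grants that weaken zero-trust.
# MANIFESTS is constructed as the dicts yaml.safe_load would return for Template 5.
import ipaddress

MANIFESTS = [
    {"kind": "Server", "metadata": {"name": "my-service-http", "namespace": "my-namespace"},
     "spec": {"podSelector": {"matchLabels": {"app": "my-service"}}, "port": "http",
              "proxyProtocol": "HTTP/1"}},
    {"kind": "ServerAuthorization", "metadata": {"name": "allow-frontend", "namespace": "my-namespace"},
     "spec": {"server": {"name": "my-service-http"}, "client": {"meshTLS": {"serviceAccounts": [
         {"name": "frontend", "namespace": "my-namespace"}]}}}},
    {"kind": "ServerAuthorization", "metadata": {"name": "allow-ingress", "namespace": "my-namespace"},
     "spec": {"server": {"name": "my-service-http"},
              "client": {"unauthenticated": True, "networks": [{"cidr": "10.0.0.0/8"}]}}},
]

# Assumption: an unauthenticated grant wider than a /16 deserves review.
BROAD_PREFIX = 16

def audit(manifests, broad_prefix=BROAD_PREFIX):
    """Return (resource, finding) pairs; an empty list means nothing to review."""
    servers = {(m["metadata"]["namespace"], m["metadata"]["name"])
               for m in manifests if m["kind"] == "Server"}
    covered, findings = set(), []
    for m in manifests:
        if m["kind"] != "ServerAuthorization":
            continue
        ns, name = m["metadata"]["namespace"], m["metadata"]["name"]
        target = (ns, m["spec"].get("server", {}).get("name"))  # server.selector not handled
        if target not in servers:
            findings.append((name, f"references unknown Server {target[1]!r}"))
            continue
        covered.add(target)
        client = m["spec"].get("client", {})
        if client.get("unauthenticated"):
            cidrs = [n["cidr"] for n in client.get("networks", [])]
            if not cidrs:
                findings.append((name, "unauthenticated clients allowed from any network"))
            for cidr in cidrs:
                if ipaddress.ip_network(cidr).prefixlen < broad_prefix:
                    findings.append((name, f"unauthenticated clients allowed from {cidr}"))
        mesh = client.get("meshTLS", {})
        if mesh.get("unauthenticatedTLS"):
            findings.append((name, "any mesh TLS client accepted without identity check"))
        if "*" in mesh.get("identities", []):
            findings.append((name, "wildcard identity grants every meshed workload"))
    for _, server in sorted(servers - covered):
        findings.append((server, "Server has no ServerAuthorization; all traffic to it is denied"))
    return findings
```

Against the page's own manifests the only finding is the 10.0.0.0/8 grant in `allow-ingress`, which is the one to narrow to the ingress controller's actual subnet.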
### Template 6: HTTPRoute for Advanced Routing

```yaml
apiVersion: policy.linkerd.io/v1beta2
kind: HTTPRoute
metadata:
  name: my-route
  namespace: my-namespace
spec:
  parentRefs:
    - name: my-service
      kind: Service
      group: core
      port: 8080
  rules:
    # Two match entries: a request that satisfies either one goes to v2
    - matches:
        - path:
            type: PathPrefix
            value: /api/v2
        - headers:
            - name: x-api-version
              value: v2
      backendRefs:
        - name: my-service-v2
          port: 8080
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - name: my-service-v1
          port: 8080
```

### Template 7: Multi-cluster Setup

```bash
# On each cluster, install with cluster credentials
linkerd multicluster install | kubectl apply -f -

# Link clusters
linkerd multicluster link --cluster-name west \
  --api-server-address https://west.example.com:6443 \
  | kubectl apply -f -

# Export a service to other clusters
kubectl label svc/my-service mirror.linkerd.io/exported=true

# Verify cross-cluster connectivity
linkerd multicluster check
linkerd multicluster gateways
```

## Monitoring Commands

```bash
# Live traffic view
linkerd viz top deploy/my-app

# Per-route metrics
linkerd viz routes deploy/my-app

# Check proxy status
linkerd viz stat deploy -n my-namespace

# View service dependencies
linkerd viz edges deploy -n my-namespace

# Dashboard
linkerd viz dashboard
```

## Debugging

```bash
# Check injection status
linkerd check --proxy -n my-namespace

# View proxy logs
kubectl logs deploy/my-app -c linkerd-proxy

# Debug identity/TLS
linkerd identity -n my-namespace

# Tap traffic (live)
linkerd viz tap deploy/my-app --to deploy/my-backend
```

## Best Practices

### Do's

- **Enable mTLS everywhere** - It's automatic with Linkerd
- **Use ServiceProfiles** - Get per-route metrics and retries
- **Set retry budgets** - Prevent retry storms
- **Monitor golden metrics** - Success rate, latency, throughput

### Don'ts

- **Don't skip check** - Always run `linkerd check` after changes
- **Don't over-configure** - Linkerd defaults are sensible
- **Don't ignore ServiceProfiles** - They unlock advanced features
- **Don't forget timeouts** - Set appropriate values per route