mirror of
https://github.com/wshobson/agents.git
synced 2026-03-18 09:37:15 +00:00
Remove references to non-existent resource files (references/, assets/, scripts/, examples/) from 115 skill SKILL.md files. These sections pointed to directories and files that were never created, causing confusion when users install skills. Also fix broken Code of Conduct links in issue templates to use absolute GitHub URLs instead of relative paths that 404.
322 lines
6.7 KiB
Markdown
---
name: istio-traffic-management
description: Configure Istio traffic management including routing, load balancing, circuit breakers, and canary deployments. Use when implementing service mesh traffic policies, progressive delivery, or resilience patterns.
---

# Istio Traffic Management

Comprehensive guide to Istio traffic management for production service mesh deployments.

## When to Use This Skill

- Configuring service-to-service routing
- Implementing canary or blue-green deployments
- Setting up circuit breakers and retries
- Load balancing configuration
- Traffic mirroring for testing
- Fault injection for chaos engineering

## Core Concepts

### 1. Traffic Management Resources

| Resource            | Purpose                       | Scope         |
| ------------------- | ----------------------------- | ------------- |
| **VirtualService**  | Route traffic to destinations | Host-based    |
| **DestinationRule** | Define policies after routing | Service-based |
| **Gateway**         | Configure ingress/egress      | Cluster edge  |
| **ServiceEntry**    | Add external services         | Mesh-wide     |

### 2. Traffic Flow

```
Client → Gateway → VirtualService → DestinationRule → Service
                   (routing)        (policies)        (pods)
```

## Templates

### Template 1: Basic Routing

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews-route
  namespace: bookinfo
spec:
  hosts:
    - reviews
  http:
    - match:
        - headers:
            end-user:
              exact: jason
      route:
        - destination:
            host: reviews
            subset: v2
    - route:
        - destination:
            host: reviews
            subset: v1
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews-destination
  namespace: bookinfo
spec:
  host: reviews
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
    - name: v3
      labels:
        version: v3
```

### Template 2: Canary Deployment

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-service-canary
spec:
  hosts:
    - my-service
  http:
    - route:
        - destination:
            host: my-service
            subset: stable
          weight: 90
        - destination:
            host: my-service
            subset: canary
          weight: 10
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: my-service-dr
spec:
  host: my-service
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        h2UpgradePolicy: UPGRADE
        http1MaxPendingRequests: 100
        http2MaxRequests: 1000
  subsets:
    - name: stable
      labels:
        version: stable
    - name: canary
      labels:
        version: canary
```

### Template 3: Circuit Breaker

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: circuit-breaker
spec:
  host: my-service
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 100
        http2MaxRequests: 1000
        maxRequestsPerConnection: 10
        maxRetries: 3
    outlierDetection:
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 30s
      maxEjectionPercent: 50
      minHealthPercent: 30
```

### Template 4: Retry and Timeout

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ratings-retry
spec:
  hosts:
    - ratings
  http:
    - route:
        - destination:
            host: ratings
      timeout: 10s
      retries:
        attempts: 3
        perTryTimeout: 3s
        retryOn: connect-failure,refused-stream,unavailable,cancelled,retriable-4xx,503
        retryRemoteLocalities: true
```

### Template 5: Traffic Mirroring

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: mirror-traffic
spec:
  hosts:
    - my-service
  http:
    - route:
        - destination:
            host: my-service
            subset: v1
      mirror:
        host: my-service
        subset: v2
      mirrorPercentage:
        value: 100.0
```

### Template 6: Fault Injection

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: fault-injection
spec:
  hosts:
    - ratings
  http:
    - fault:
        delay:
          percentage:
            value: 10
          fixedDelay: 5s
        abort:
          percentage:
            value: 5
          httpStatus: 503
      route:
        - destination:
            host: ratings
```

### Template 7: Ingress Gateway

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: my-tls-secret
      hosts:
        - "*.example.com"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: my-vs
spec:
  hosts:
    - "api.example.com"
  gateways:
    - my-gateway
  http:
    - match:
        - uri:
            prefix: /api/v1
      route:
        - destination:
            host: api-service
            port:
              number: 8080
```

## Load Balancing Strategies

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: load-balancing
spec:
  host: my-service
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN # or LEAST_CONN, RANDOM, PASSTHROUGH
---
# Consistent hashing for sticky sessions
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: sticky-sessions
spec:
  host: my-service
  trafficPolicy:
    loadBalancer:
      consistentHash:
        httpHeaderName: x-user-id
        # or: httpCookie, useSourceIp, httpQueryParameterName
```

## Best Practices

### Do's

- **Start simple** - Add complexity incrementally
- **Use subsets** - Version your services clearly
- **Set timeouts** - Always configure reasonable timeouts
- **Enable retries** - But with backoff and limits
- **Monitor** - Use Kiali and Jaeger for visibility

### Don'ts

- **Don't over-retry** - Can cause cascading failures
- **Don't ignore outlier detection** - Enable circuit breakers
- **Don't mirror to production** - Mirror to test environments
- **Don't skip canary** - Test with small traffic percentage first

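The do's and don'ts above can be checked mechanically before a manifest is applied. The following is an added example, not part of the original skill file: a small Python linter over a constructed list in the shape `kubectl get ... -o json` returns. The rule ids, the retry cap of 3 and the `checkout-vs` name are assumptions made for illustration.

```python
import json

MAX_RETRY_ATTEMPTS = 3  # assumed review threshold, not an Istio default

def lint_item(obj):
    """Return the sorted rule ids one VirtualService or DestinationRule trips."""
    spec, hits = obj.get("spec", {}), set()
    if obj.get("kind") == "VirtualService":
        for route in spec.get("http", []):
            if "timeout" not in route:
                hits.add("no-timeout")            # Do: set timeouts
            if route.get("retries", {}).get("attempts", 0) > MAX_RETRY_ATTEMPTS:
                hits.add("over-retry")            # Don't: over-retry
            if "fault" in route:
                hits.add("fault-injection")       # chaos rule still in the manifest
            if "mirror" in route:
                hits.add("mirror-review-target")  # Don't: mirror to production
    elif obj.get("kind") == "DestinationRule":
        # Only the top-level trafficPolicy is inspected, not per-subset policies.
        if "outlierDetection" not in spec.get("trafficPolicy", {}):
            hits.add("no-outlier-detection")      # Don't: ignore outlier detection
    return sorted(hits)

def lint_list(doc):
    """Map kind/name to findings for a JSON List document; clean items are omitted."""
    report = {}
    for obj in json.loads(doc).get("items", []):
        hits = lint_item(obj)
        if hits:
            report[f"{obj['kind']}/{obj['metadata']['name']}"] = hits
    return report

def _item(kind, name, spec):
    return {"kind": kind, "metadata": {"name": name}, "spec": spec}

# Constructed sample; specs are trimmed to the fields the rules read.
SAMPLE = json.dumps({"kind": "List", "items": [
    _item("VirtualService", "ratings-retry", {"http": [
        {"timeout": "10s", "retries": {"attempts": 3, "perTryTimeout": "3s"}}]}),
    _item("VirtualService", "checkout-vs", {"http": [          # hypothetical name
        {"retries": {"attempts": 10}, "fault": {"abort": {"httpStatus": 503}}}]}),
    _item("VirtualService", "mirror-traffic", {"http": [
        {"timeout": "5s", "mirror": {"host": "my-service", "subset": "v2"}}]}),
    _item("DestinationRule", "circuit-breaker", {"trafficPolicy": {
        "outlierDetection": {"consecutive5xxErrors": 5}}}),
    _item("DestinationRule", "load-balancing", {"trafficPolicy": {
        "loadBalancer": {"simple": "ROUND_ROBIN"}}}),
]})

if __name__ == "__main__":
    for name, hits in lint_list(SAMPLE).items():
        print(name, ", ".join(hits))
```

A `mirror-review-target` finding is a prompt to confirm by hand that the mirrored subset is a test workload, since the manifest alone cannot show that.
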
## Debugging Commands

```bash
# Check VirtualService configuration
istioctl analyze

# View effective routes
istioctl proxy-config routes deploy/my-app -o json

# Check endpoint discovery
istioctl proxy-config endpoints deploy/my-app

# Debug traffic
istioctl proxy-config log deploy/my-app --level debug
```