---
name: mtls-configuration
description: "Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication."
risk: unknown
source: community
date_added: "2026-02-27"
---

# mTLS Configuration

Comprehensive guide to implementing mutual TLS for zero-trust service mesh communication.

## Do not use this skill when

- The task is unrelated to mTLS configuration
- You need a different domain or tool outside this scope

## Instructions

- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.

## Use this skill when

- Implementing zero-trust networking
- Securing service-to-service communication
- Certificate rotation and management
- Debugging TLS handshake issues
- Compliance requirements (PCI-DSS, HIPAA)
- Multi-cluster secure communication

## Core Concepts

### 1. mTLS Flow

```
┌─────────┐                              ┌─────────┐
│ Service │                              │ Service │
│    A    │                              │    B    │
└────┬────┘                              └────┬────┘
     │                                        │
┌────┴────┐      TLS Handshake          ┌────┴────┐
│  Proxy  │◄───────────────────────────►│  Proxy  │
│(Sidecar)│  1. ClientHello             │(Sidecar)│
│         │  2. ServerHello + Cert      │         │
│         │     + CertificateRequest    │         │
│         │  3. Client Cert             │         │
│         │  4. Verify Both Certs       │         │
│         │  5. Encrypted Channel       │         │
└─────────┘                              └─────────┘
```

The server asks for the client certificate explicitly (CertificateRequest); without that request a plain TLS handshake completes with the client unauthenticated. In step 4 each proxy verifies the peer's chain up to a trusted root and then reads the identity the certificate carries, which in Istio and SPIRE is a SPIFFE ID in the URI SAN (for example `spiffe://cluster.local/ns/production/sa/payment-service`). Authentication only proves who the peer is; which identities may call which services is a separate authorization policy (`AuthorizationPolicy` in Istio, `Server` plus `AuthorizationPolicy` in Linkerd).

### 2. Certificate Hierarchy

```
Root CA (Self-signed, long-lived)
    │
    ├── Intermediate CA (Cluster-level)
    │       │
    │       ├── Workload Cert (Service A)
    │       └── Workload Cert (Service B)
    │
    └── Intermediate CA (Multi-cluster)
            │
            └── Cross-cluster certs
```

Only the root is self-signed. Keep its key offline or in an HSM/KMS and use it only to sign intermediates; intermediates and workload certificates are the ones that rotate routinely. In Istio the istiod CA plays the intermediate role; in SPIRE the `UpstreamAuthority` plugin supplies the root that signs the SPIRE server's intermediate.

## Templates

### Template 1: Istio mTLS (Strict Mode)

```yaml
# Enable strict mTLS mesh-wide
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Namespace-level override (permissive for migration)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: legacy-namespace
spec:
  mtls:
    mode: PERMISSIVE
---
# Workload-specific policy (portLevelMtls requires a selector)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payment-service
  namespace: production
spec:
  selector:
    matchLabels:
      app: payment-service
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: STRICT
    9090:
      mode: DISABLE  # Metrics port scraped in plaintext; this port accepts unauthenticated peers
```

The mesh-wide STRICT policy is the baseline; the namespace-level PERMISSIVE override is a migration aid and should have an exit date, because in PERMISSIVE mode the sidecar accepts plaintext from anything that can reach the pod. Port-level DISABLE removes mTLS from that port entirely, so scope it to ports that genuinely must be plaintext.

### Template 2: Istio Destination Rule for mTLS

```yaml
# Pin sidecar-to-sidecar traffic to mTLS (Istio's auto mTLS does this by default; the rule makes it explicit)
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# TLS to external service
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-api
spec:
  host: api.external.com
  trafficPolicy:
    tls:
      mode: SIMPLE
      caCertificates: /etc/certs/external-ca.pem
---
# Mutual TLS to external service
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: partner-api
spec:
  host: api.partner.com
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/client.pem
      privateKey: /etc/certs/client-key.pem
      caCertificates: /etc/certs/partner-ca.pem
```

The `caCertificates`, `clientCertificate` and `privateKey` paths are read by the sidecar, so the files must be mounted into the `istio-proxy` container (on an egress gateway they can instead be supplied as a secret via `credentialName`). Do not omit `caCertificates` from a SIMPLE or MUTUAL rule: depending on the Istio release the proxy then either trusts the system CA bundle or skips server verification altogether, and a rule with `insecureSkipVerify: true` gives encryption without authentication.

### Template 3: Cert-Manager with Istio

```yaml
# CA issuer backed by a CA key pair stored in a Secret
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: istio-ca
spec:
  ca:
    secretName: istio-ca-secret
---
# CA key pair the issuer signs with; a ClusterIssuer reads it from the cert-manager namespace
apiVersion: v1
kind: Secret
metadata:
  name: istio-ca-secret
  namespace: cert-manager
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded-ca-cert>
  tls.key: <base64-encoded-ca-key>
---
# Short-lived certificate for a workload, renewed 8h before it expires
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-service-cert
  namespace: my-namespace
spec:
  secretName: my-service-tls
  duration: 24h
  renewBefore: 8h
  issuerRef:
    name: istio-ca
    kind: ClusterIssuer
  commonName: my-service.my-namespace.svc.cluster.local
  dnsNames:
    - my-service
    - my-service.my-namespace
    - my-service.my-namespace.svc
    - my-service.my-namespace.svc.cluster.local
  usages:
    - server auth
    - client auth
```

The `my-service-tls` secret that cert-manager writes is for an application that terminates TLS itself, or for an Istio Gateway that references it through `credentialName`. Sidecars do not read it: they receive their workload certificates from istiod over SDS. To have cert-manager issue the sidecar certificates as well, configure istiod to request them from cert-manager's istio-csr agent (see the cert-manager documentation for the ist​iod values); the `Certificate` resource above is not needed for that path.

### Template 4: SPIFFE/SPIRE Integration

```yaml
# SPIRE Server configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: spire-server
  namespace: spire
data:
  server.conf: |
    server {
      bind_address = "0.0.0.0"
      bind_port = "8081"
      trust_domain = "example.org"
      data_dir = "/run/spire/data"
      log_level = "INFO"
      ca_ttl = "168h"
      default_x509_svid_ttl = "1h"
    }

    plugins {
      # sqlite3 is single-node; use postgres or mysql for a highly available server
      DataStore "sql" {
        plugin_data {
          database_type = "sqlite3"
          connection_string = "/run/spire/data/datastore.sqlite3"
        }
      }

      NodeAttestor "k8s_psat" {
        plugin_data {
          clusters = {
            "demo-cluster" = {
              service_account_allow_list = ["spire:spire-agent"]
            }
          }
        }
      }

      # "memory" loses the signing keys on every restart; use "disk" or a KMS-backed KeyManager outside a demo
      KeyManager "memory" {
        plugin_data {}
      }

      # Root that signs the SPIRE server's intermediate CA (the Certificate Hierarchy above)
      UpstreamAuthority "disk" {
        plugin_data {
          key_file_path = "/run/spire/secrets/bootstrap.key"
          cert_file_path = "/run/spire/secrets/bootstrap.crt"
        }
      }
    }
---
# SPIRE Agent DaemonSet (abbreviated)
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: spire-agent
  namespace: spire
spec:
  selector:
    matchLabels:
      app: spire-agent
  template:
    spec:
      containers:
        - name: spire-agent
          image: ghcr.io/spiffe/spire-agent:1.8.0
          volumeMounts:
            - name: spire-agent-socket
              mountPath: /run/spire/sockets
      volumes:
        - name: spire-agent-socket
          hostPath:
            path: /run/spire/sockets
            type: DirectoryOrCreate
```

### Template 5: Linkerd mTLS (Automatic)

```yaml
# Linkerd enables mTLS automatically between meshed pods
# Verify with:
# linkerd viz edges deployment -n my-namespace

# Inbound port policy for a meshed server
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: external-api
  namespace: my-namespace
spec:
  podSelector:
    matchLabels:
      app: my-app
  port: external-api
  proxyProtocol: HTTP/1  # or TLS for passthrough
---
# Send a port past the proxy entirely. This is a pod annotation on the client workload, and
# traffic on that port is neither mTLS-protected nor policy-checked. If the database is itself
# meshed, prefer config.linkerd.io/opaque-ports on its Service, which keeps mTLS for non-HTTP traffic.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    metadata:
      annotations:
        config.linkerd.io/skip-outbound-ports: "3306"  # MySQL
```

## Certificate Rotation

```bash
# Istio - List the sidecar's certificates with their NOT BEFORE / NOT AFTER columns
istioctl proxy-config secret deploy/my-app

# Istio - Decode the current workload certificate in full
istioctl proxy-config secret deploy/my-app -o json | \
  jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | \
  base64 -d | openssl x509 -text -noout

# Workload certificates rotate automatically (istiod re-issues them before expiry);
# a restart only forces a fresh one when a sidecar is holding a stale or wrong certificate
kubectl rollout restart deployment/my-app

# Check Linkerd identity (certificate chain held by a meshed pod)
linkerd identity -n my-namespace <pod-name>
```

## Debugging mTLS Issues

```bash
# Istio - Show the PeerAuthentication and DestinationRule that apply to a pod
# (replaces the `istioctl authn tls-check` of older releases)
istioctl x describe pod <pod-name> -n my-namespace

# Verify peer authentication
kubectl get peerauthentication --all-namespaces

# Check destination rules
kubectl get destinationrule --all-namespaces

# Debug TLS handshake
istioctl proxy-config log deploy/my-app --level debug
kubectl logs deploy/my-app -c istio-proxy | grep -iE 'tls|certificate|handshake'

# Linkerd - Check mTLS status
linkerd viz edges deployment -n my-namespace
linkerd viz tap deploy/my-app --to deploy/my-backend
```

## Best Practices

### Do's
- **Start with PERMISSIVE** - Migrate to STRICT once no plaintext traffic is left (in Istio, `istio_requests_total{reporter="destination",connection_security_policy="none"}` must drop to zero for the namespace)
- **Pair authentication with authorization** - PeerAuthentication only proves identity; an AuthorizationPolicy decides which identities may call which services
- **Monitor certificate expiry** - Alert on workload, intermediate and root expiry separately
- **Use short-lived certs** - 24h or less for workloads
- **Rotate CA periodically** - Plan for CA rotation, including the root, with both roots in the trust bundle during the switch
- **Log TLS errors** - For debugging and audit

### Don'ts
- **Don't disable mTLS** - For convenience in production; PERMISSIVE and port-level DISABLE are migration aids, not end states
- **Don't ignore cert expiry** - Automate rotation
- **Don't hand out ad-hoc self-signed certs** - Only the root is self-signed; every workload cert must chain to it through the hierarchy above
- **Don't skip verification** - Verify the full chain on both sides; a client that skips verification or omits `caCertificates` has encryption but no authentication

## Resources

- [Istio Security](https://istio.io/latest/docs/concepts/security/)
- [SPIFFE/SPIRE](https://spiffe.io/)
- [cert-manager](https://cert-manager.io/)
- [Zero Trust Architecture (NIST)](https://www.nist.gov/publications/zero-trust-architecture)

## Limitations
- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.

## Listing metadata

- Title: mtls-configuration
- Description: Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication.
- Source: imported from https://github.com/sickn33/antigravity-awesome-skills; author SkillOPIC; tags sickn33, other
- Listed under category "Career development" in module "Other"; 176 stars, 2073 runs; listed 2026-05-16 13:29:42
- Package: mtls-configuration.zip, version 1.0.0, 3322 bytes, hash 99b4711eb4e3dad9167352ae201232f9a7defe084de89e05548b88b7c97e1614, containing SKILL.md (9288 bytes)
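## Worked example: the handshake and hierarchy in code

The mTLS flow and certificate hierarchy under Core Concepts, as an added Go example written for this page; it is not code from the skill, from Istio, from Linkerd or from SPIRE. It issues a root, a cluster intermediate and short-lived workload certificates in memory, runs real TLS 1.3 mutual handshakes over loopback, verifies the full chain on both sides and then authorizes the peer by SPIFFE ID. The trust domain `example.org`, the namespaces, the service-account names and the allowlist are assumptions, and the CA hierarchy is generated locally rather than fetched from a mesh.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// Assumed trust domain; it matches trust_domain in the SPIRE server config above.
const trustDomain = "example.org"

// identity is a key pair with its certificate and the certificate's DER encoding.
type identity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
	der  []byte
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a CA when spiffeID is empty, otherwise a short-lived workload leaf whose only
// name is its SPIFFE ID in the URI SAN, the shape Istio and SPIRE issue.
func template(cn, spiffeID string, serial int64, ttl time.Duration) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}
	if spiffeID == "" {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		return t
	}
	u, err := url.Parse(spiffeID)
	must(err)
	t.URIs, t.KeyUsage = []*url.URL{u}, x509.KeyUsageDigitalSignature
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	return t
}

// issue signs tmpl with parent, or self-signs it when parent is nil (setup code, so it panics).
func issue(tmpl *x509.Certificate, parent *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent = &identity{key: key, cert: tmpl}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &identity{key, cert, der}
}

// verifyPeer is step 4 of the handshake diagram done explicitly: verify the presented chain up
// to the root CA for the role the peer plays, then authorize the peer by SPIFFE ID. Go's
// built-in check would look for a DNS name, and workload certificates carry only a URI SAN.
func verifyPeer(roots *x509.CertPool, usage x509.ExtKeyUsage, allowed ...string) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		if len(raw) == 0 {
			return fmt.Errorf("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(raw[0])
		if err != nil {
			return err
		}
		inter := x509.NewCertPool()
		for _, b := range raw[1:] {
			if c, err := x509.ParseCertificate(b); err == nil {
				inter.AddCert(c)
			}
		}
		opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{usage}}
		if _, err := leaf.Verify(opts); err != nil {
			return fmt.Errorf("chain verification failed: %w", err)
		}
		if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" || leaf.URIs[0].Host != trustDomain {
			return fmt.Errorf("leaf carries no SPIFFE ID in trust domain %s", trustDomain)
		}
		id := leaf.URIs[0].String()
		for _, a := range allowed {
			if id == a {
				return nil
			}
		}
		return fmt.Errorf("peer %s is authenticated but not authorized", id)
	}
}

// meshConfig presents wl's chain (leaf + issuer) and checks the peer with verifyPeer.
// InsecureSkipVerify only disables Go's hostname check; the chain is still verified, which is
// the same pattern the go-spiffe library uses.
func meshConfig(wl, issuer *identity, roots *x509.CertPool, usage x509.ExtKeyUsage, allowed ...string) *tls.Config {
	return &tls.Config{
		MinVersion:            tls.VersionTLS13,
		Certificates:          []tls.Certificate{{Certificate: [][]byte{wl.der, issuer.der}, PrivateKey: wl.key}},
		ClientAuth:            tls.RequireAnyClientCert,
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: verifyPeer(roots, usage, allowed...),
	}
}

// handshake runs one mTLS handshake over loopback TCP and returns the SPIFFE ID the server
// authenticated, or the first error raised by either side.
func handshake(server, client *tls.Config) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var id string
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			srv := tls.Server(c, server)
			if err = srv.Handshake(); err == nil {
				id = srv.ConnectionState().PeerCertificates[0].URIs[0].String()
			}
		}
		done <- err
	}()
	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	defer c.Close()
	clientErr := tls.Client(c, client).Handshake()
	if err := <-done; err != nil {
		return "", err
	}
	return id, clientErr
}

// runScenarios issues root -> intermediate -> workloads (the hierarchy above) and connects three
// clients to service-b: the authorized service-a, a staging job with a valid chain but no policy
// entry, and an impostor presenting service-a's SPIFFE ID under an attacker-controlled CA.
func runScenarios() (okID string, unauthorized, impostor error) {
	const (
		a = "spiffe://" + trustDomain + "/ns/production/sa/service-a"
		b = "spiffe://" + trustDomain + "/ns/production/sa/service-b"
		j = "spiffe://" + trustDomain + "/ns/staging/sa/batch-job"
	)
	root := issue(template("Root CA", "", 1, 10*365*24*time.Hour), nil)
	inter := issue(template("Cluster Intermediate CA", "", 2, 7*24*time.Hour), root)
	rogue := issue(template("Attacker CA", "", 3, 24*time.Hour), nil)
	svcA := issue(template("service-a", a, 4, 24*time.Hour), inter)
	svcB := issue(template("service-b", b, 5, 24*time.Hour), inter)
	job := issue(template("batch-job", j, 6, 24*time.Hour), inter)
	fake := issue(template("service-a", a, 7, 24*time.Hour), rogue)
	roots := x509.NewCertPool()
	roots.AddCert(root.cert)
	server := meshConfig(svcB, inter, roots, x509.ExtKeyUsageClientAuth, a)
	okID, err := handshake(server, meshConfig(svcA, inter, roots, x509.ExtKeyUsageServerAuth, b))
	must(err)
	_, unauthorized = handshake(server, meshConfig(job, inter, roots, x509.ExtKeyUsageServerAuth, b))
	_, impostor = handshake(server, meshConfig(fake, rogue, roots, x509.ExtKeyUsageServerAuth, b))
	return okID, unauthorized, impostor
}

func main() {
	id, unauthorized, impostor := runScenarios()
	fmt.Println("authenticated client:", id)
	fmt.Println("valid chain, no policy entry:", unauthorized)
	fmt.Println("untrusted CA:", impostor)
}
```

The impostor is rejected at chain verification even though its SPIFFE ID is the right one, which is the "verify the full chain" point from Best Practices; the staging job passes chain verification and fails only the allowlist, which is the split between PeerAuthentication (who you are) and AuthorizationPolicy (what you may call) in Istio terms. Swap `ClientAuth` to `tls.NoClientCert` and the server accepts anyone who can reach it: that is what PERMISSIVE or a port-level DISABLE amounts to.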
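## Worked example: checking for plaintext traffic before switching to STRICT

For the PERMISSIVE-to-STRICT migration under Best Practices, an added Go example written for this page (not code from the skill or from Istio). It scans a constructed Prometheus exposition of Istio's standard `istio_requests_total` metric, keeps the destination-reported samples whose `connection_security_policy` is `none`, and answers, per destination service, whether any caller is still on plaintext. The metric lines, workload names and the PromQL in the comment are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of Istio's standard istio_requests_total metric as a sidecar exposes it.
// connection_security_policy is "mutual_tls" or "none" on destination-reported samples and
// "unknown" on source-reported ones, which therefore say nothing about mTLS.
const sampleExposition = `
istio_requests_total{reporter="destination",source_workload="frontend",destination_service="payment-service.production.svc.cluster.local",connection_security_policy="mutual_tls",response_code="200"} 1542
istio_requests_total{reporter="destination",source_workload="legacy-batch",destination_service="payment-service.production.svc.cluster.local",connection_security_policy="none",response_code="200"} 87
istio_requests_total{reporter="destination",source_workload="unknown",destination_service="payment-service.production.svc.cluster.local",connection_security_policy="none",response_code="503"} 3
istio_requests_total{reporter="destination",source_workload="frontend",destination_service="catalog.production.svc.cluster.local",connection_security_policy="mutual_tls",response_code="200"} 9001
istio_requests_total{reporter="source",source_workload="frontend",destination_service="catalog.production.svc.cluster.local",connection_security_policy="unknown",response_code="200"} 9001
`

var (
	sampleRE = regexp.MustCompile(`^istio_requests_total\{([^}]*)\}\s+(\d+)`)
	labelRE  = regexp.MustCompile(`(\w+)="([^"]*)"`)
)

// PlaintextEdge is one source workload that still reaches a destination without mTLS.
type PlaintextEdge struct {
	Source, Destination string
	Requests            int
}

// PlaintextEdges keeps destination-reported samples with connection_security_policy="none",
// sorted by destination then source. The equivalent PromQL to run before flipping a namespace
// to STRICT (assumed for this example, not taken from the skill):
//   sum by (source_workload, destination_service)
//     (rate(istio_requests_total{reporter="destination",connection_security_policy="none"}[1h])) > 0
func PlaintextEdges(exposition string) []PlaintextEdge {
	var edges []PlaintextEdge
	for _, line := range strings.Split(exposition, "\n") {
		m := sampleRE.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		labels := map[string]string{}
		for _, kv := range labelRE.FindAllStringSubmatch(m[1], -1) {
			labels[kv[1]] = kv[2]
		}
		if labels["reporter"] != "destination" || labels["connection_security_policy"] != "none" {
			continue
		}
		n, _ := strconv.Atoi(m[2])
		edges = append(edges, PlaintextEdge{labels["source_workload"], labels["destination_service"], n})
	}
	sort.Slice(edges, func(i, j int) bool {
		if edges[i].Destination != edges[j].Destination {
			return edges[i].Destination < edges[j].Destination
		}
		return edges[i].Source < edges[j].Source
	})
	return edges
}

// ReadyForStrict reports whether no plaintext request reached dest in the sample. A source of
// "unknown" typically means the caller has no sidecar, so STRICT would cut it off, not upgrade it.
func ReadyForStrict(exposition, dest string) bool {
	for _, e := range PlaintextEdges(exposition) {
		if e.Destination == dest {
			return false
		}
	}
	return true
}

func main() {
	for _, e := range PlaintextEdges(sampleExposition) {
		fmt.Printf("%-45s <- %-15s %d plaintext requests\n", e.Destination, e.Source, e.Requests)
	}
}
```

In the sample, `catalog` is ready for STRICT while `payment-service` still has a meshed caller (`legacy-batch`, fixable by injecting its sidecar) and an unmeshed one (`unknown`), which is the case that turns into connection resets the moment the namespace PeerAuthentication flips.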