PaperclipOrg
Claude Agent Skill · by Wshobson

Istio Traffic Management

This tackles the gnarly parts of Istio traffic management with ready-to-use YAML templates for canary deployments, circuit breakers, and traffic mirroring. It c

Install
Terminal · npx
$npx skills add https://github.com/wshobson/agents --skill istio-traffic-management
Works with Paperclip

How Istio Traffic Management fits into a Paperclip company.

Istio Traffic Management drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.

S
SaaS FactoryPaired

Pre-configured AI company — 18 agents, 18 skills, one-time purchase.

$27$59
Explore pack
Source file
SKILL.md321 lines
Expand
---name: istio-traffic-managementdescription: Configure Istio traffic management including routing, load balancing, circuit breakers, and canary deployments. Use when implementing service mesh traffic policies, progressive delivery, or resilience patterns.--- # Istio Traffic Management Comprehensive guide to Istio traffic management for production service mesh deployments. ## When to Use This Skill - Configuring service-to-service routing- Implementing canary or blue-green deployments- Setting up circuit breakers and retries- Load balancing configuration- Traffic mirroring for testing- Fault injection for chaos engineering ## Core Concepts ### 1. Traffic Management Resources | Resource            | Purpose                       | Scope         || ------------------- | ----------------------------- | ------------- || **VirtualService**  | Route traffic to destinations | Host-based    || **DestinationRule** | Define policies after routing | Service-based || **Gateway**         | Configure ingress/egress      | Cluster edge  || **ServiceEntry**    | Add external services         | Mesh-wide     | ### 2. Traffic Flow ```Client → Gateway → VirtualService → DestinationRule → Service                   (routing)        (policies)        (pods)``` ## Templates ### Template 1: Basic Routing ```yamlapiVersion: networking.istio.io/v1beta1kind: VirtualServicemetadata:  name: reviews-route  namespace: bookinfospec:  hosts:    - reviews  http:    - match:        - headers:            end-user:              exact: jason      route:        - destination:            host: reviews            subset: v2    - route:        - destination:            host: reviews            subset: v1---apiVersion: networking.istio.io/v1beta1kind: DestinationRulemetadata:  name: reviews-destination  namespace: bookinfospec:  host: reviews  subsets:    - name: v1      labels:        version: v1    - name: v2      labels:        version: v2    - name: v3      labels:        version: v3``` ### Template 2: Canary Deployment ```yamlapiVersion: networking.istio.io/v1beta1kind: VirtualServicemetadata:  name: my-service-canaryspec:  hosts:    - my-service  http:    - route:        - destination:            host: my-service            subset: stable          weight: 90        - destination:            host: my-service            subset: canary          weight: 10---apiVersion: networking.istio.io/v1beta1kind: DestinationRulemetadata:  name: my-service-drspec:  host: my-service  trafficPolicy:    connectionPool:      tcp:        maxConnections: 100      http:        h2UpgradePolicy: UPGRADE        http1MaxPendingRequests: 100        http2MaxRequests: 1000  subsets:    - name: stable      labels:        version: stable    - name: canary      labels:        version: canary``` ### Template 3: Circuit Breaker ```yamlapiVersion: networking.istio.io/v1beta1kind: DestinationRulemetadata:  name: circuit-breakerspec:  host: my-service  trafficPolicy:    connectionPool:      tcp:        maxConnections: 100      http:        http1MaxPendingRequests: 100        http2MaxRequests: 1000        maxRequestsPerConnection: 10        maxRetries: 3    outlierDetection:      consecutive5xxErrors: 5      interval: 30s      baseEjectionTime: 30s      maxEjectionPercent: 50      minHealthPercent: 30``` ### Template 4: Retry and Timeout ```yamlapiVersion: networking.istio.io/v1beta1kind: VirtualServicemetadata:  name: ratings-retryspec:  hosts:    - ratings  http:    - route:        - destination:            host: ratings      timeout: 10s      retries:        attempts: 3        perTryTimeout: 3s        retryOn: connect-failure,refused-stream,unavailable,cancelled,retriable-4xx,503        retryRemoteLocalities: true``` ### Template 5: Traffic Mirroring ```yamlapiVersion: networking.istio.io/v1beta1kind: VirtualServicemetadata:  name: mirror-trafficspec:  hosts:    - my-service  http:    - route:        - destination:            host: my-service            subset: v1      mirror:        host: my-service        subset: v2      mirrorPercentage:        value: 100.0``` ### Template 6: Fault Injection ```yamlapiVersion: networking.istio.io/v1beta1kind: VirtualServicemetadata:  name: fault-injectionspec:  hosts:    - ratings  http:    - fault:        delay:          percentage:            value: 10          fixedDelay: 5s        abort:          percentage:            value: 5          httpStatus: 503      route:        - destination:            host: ratings``` ### Template 7: Ingress Gateway ```yamlapiVersion: networking.istio.io/v1beta1kind: Gatewaymetadata:  name: my-gatewayspec:  selector:    istio: ingressgateway  servers:    - port:        number: 443        name: https        protocol: HTTPS      tls:        mode: SIMPLE        credentialName: my-tls-secret      hosts:        - "*.example.com"---apiVersion: networking.istio.io/v1beta1kind: VirtualServicemetadata:  name: my-vsspec:  hosts:    - "api.example.com"  gateways:    - my-gateway  http:    - match:        - uri:            prefix: /api/v1      route:        - destination:            host: api-service            port:              number: 8080``` ## Load Balancing Strategies ```yamlapiVersion: networking.istio.io/v1beta1kind: DestinationRulemetadata:  name: load-balancingspec:  host: my-service  trafficPolicy:    loadBalancer:      simple: ROUND_ROBIN # or LEAST_CONN, RANDOM, PASSTHROUGH---# Consistent hashing for sticky sessionsapiVersion: networking.istio.io/v1beta1kind: DestinationRulemetadata:  name: sticky-sessionsspec:  host: my-service  trafficPolicy:    loadBalancer:      consistentHash:        httpHeaderName: x-user-id        # or: httpCookie, useSourceIp, httpQueryParameterName``` ## Best Practices ### Do's - **Start simple** - Add complexity incrementally- **Use subsets** - Version your services clearly- **Set timeouts** - Always configure reasonable timeouts- **Enable retries** - But with backoff and limits- **Monitor** - Use Kiali and Jaeger for visibility ### Don'ts - **Don't over-retry** - Can cause cascading failures- **Don't ignore outlier detection** - Enable circuit breakers- **Don't mirror to production** - Mirror to test environments- **Don't skip canary** - Test with small traffic percentage first ## Debugging Commands ```bash# Check VirtualService configurationistioctl analyze # View effective routesistioctl proxy-config routes deploy/my-app -o json # Check endpoint discoveryistioctl proxy-config endpoints deploy/my-app # Debug trafficistioctl proxy-config log deploy/my-app --level debug```