How Mtls Configuration fits into a Paperclip company.

Mtls Configuration drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.

SaaS FactoryPaired

Pre-configured AI company — 18 agents, 18 skills, one-time purchase.

$27$59

Explore pack

Source file

SKILL.md342 linesmarkdown

Expand

1---2name: mtls-configuration3description: Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication.4---5 6# mTLS Configuration7 8Comprehensive guide to implementing mutual TLS for zero-trust service mesh communication.9 10## When to Use This Skill11 12- Implementing zero-trust networking13- Securing service-to-service communication14- Certificate rotation and management15- Debugging TLS handshake issues16- Compliance requirements (PCI-DSS, HIPAA)17- Multi-cluster secure communication18 19## Core Concepts20 21### 1. mTLS Flow22 23```24┌─────────┐                              ┌─────────┐25│ Service │                              │ Service │26│    A    │                              │    B    │27└────┬────┘                              └────┬────┘28     │                                        │29┌────┴────┐      TLS Handshake          ┌────┴────┐30│  Proxy  │◄───────────────────────────►│  Proxy  │31│(Sidecar)│  1. ClientHello             │(Sidecar)│32│         │  2. ServerHello + Cert      │         │33│         │  3. Client Cert             │         │34│         │  4. Verify Both Certs       │         │35│         │  5. Encrypted Channel       │         │36└─────────┘                              └─────────┘37```38 39### 2. Certificate Hierarchy40 41```42Root CA (Self-signed, long-lived)43    │44    ├── Intermediate CA (Cluster-level)45    │       │46    │       ├── Workload Cert (Service A)47    │       └── Workload Cert (Service B)48    │49    └── Intermediate CA (Multi-cluster)50            │51            └── Cross-cluster certs52```53 54## Templates55 56### Template 1: Istio mTLS (Strict Mode)57 58```yaml59# Enable strict mTLS mesh-wide60apiVersion: security.istio.io/v1beta161kind: PeerAuthentication62metadata:63  name: default64  namespace: istio-system65spec:66  mtls:67    mode: STRICT68---69# Namespace-level override (permissive for migration)70apiVersion: security.istio.io/v1beta171kind: PeerAuthentication72metadata:73  name: default74  namespace: legacy-namespace75spec:76  mtls:77    mode: PERMISSIVE78---79# Workload-specific policy80apiVersion: security.istio.io/v1beta181kind: PeerAuthentication82metadata:83  name: payment-service84  namespace: production85spec:86  selector:87    matchLabels:88      app: payment-service89  mtls:90    mode: STRICT91  portLevelMtls:92    8080:93      mode: STRICT94    9090:95      mode: DISABLE # Metrics port, no mTLS96```97 98### Template 2: Istio Destination Rule for mTLS99 100```yaml101apiVersion: networking.istio.io/v1beta1102kind: DestinationRule103metadata:104  name: default105  namespace: istio-system106spec:107  host: "*.local"108  trafficPolicy:109    tls:110      mode: ISTIO_MUTUAL111---112# TLS to external service113apiVersion: networking.istio.io/v1beta1114kind: DestinationRule115metadata:116  name: external-api117spec:118  host: api.external.com119  trafficPolicy:120    tls:121      mode: SIMPLE122      caCertificates: /etc/certs/external-ca.pem123---124# Mutual TLS to external service125apiVersion: networking.istio.io/v1beta1126kind: DestinationRule127metadata:128  name: partner-api129spec:130  host: api.partner.com131  trafficPolicy:132    tls:133      mode: MUTUAL134      clientCertificate: /etc/certs/client.pem135      privateKey: /etc/certs/client-key.pem136      caCertificates: /etc/certs/partner-ca.pem137```138 139### Template 3: Cert-Manager with Istio140 141```yaml142# Install cert-manager issuer for Istio143apiVersion: cert-manager.io/v1144kind: ClusterIssuer145metadata:146  name: istio-ca147spec:148  ca:149    secretName: istio-ca-secret150---151# Create Istio CA secret152apiVersion: v1153kind: Secret154metadata:155  name: istio-ca-secret156  namespace: cert-manager157type: kubernetes.io/tls158data:159  tls.crt: <base64-encoded-ca-cert>160  tls.key: <base64-encoded-ca-key>161---162# Certificate for workload163apiVersion: cert-manager.io/v1164kind: Certificate165metadata:166  name: my-service-cert167  namespace: my-namespace168spec:169  secretName: my-service-tls170  duration: 24h171  renewBefore: 8h172  issuerRef:173    name: istio-ca174    kind: ClusterIssuer175  commonName: my-service.my-namespace.svc.cluster.local176  dnsNames:177    - my-service178    - my-service.my-namespace179    - my-service.my-namespace.svc180    - my-service.my-namespace.svc.cluster.local181  usages:182    - server auth183    - client auth184```185 186### Template 4: SPIFFE/SPIRE Integration187 188```yaml189# SPIRE Server configuration190apiVersion: v1191kind: ConfigMap192metadata:193  name: spire-server194  namespace: spire195data:196  server.conf: |197    server {198      bind_address = "0.0.0.0"199      bind_port = "8081"200      trust_domain = "example.org"201      data_dir = "/run/spire/data"202      log_level = "INFO"203      ca_ttl = "168h"204      default_x509_svid_ttl = "1h"205    }206 207    plugins {208      DataStore "sql" {209        plugin_data {210          database_type = "sqlite3"211          connection_string = "/run/spire/data/datastore.sqlite3"212        }213      }214 215      NodeAttestor "k8s_psat" {216        plugin_data {217          clusters = {218            "demo-cluster" = {219              service_account_allow_list = ["spire:spire-agent"]220            }221          }222        }223      }224 225      KeyManager "memory" {226        plugin_data {}227      }228 229      UpstreamAuthority "disk" {230        plugin_data {231          key_file_path = "/run/spire/secrets/bootstrap.key"232          cert_file_path = "/run/spire/secrets/bootstrap.crt"233        }234      }235    }236---237# SPIRE Agent DaemonSet (abbreviated)238apiVersion: apps/v1239kind: DaemonSet240metadata:241  name: spire-agent242  namespace: spire243spec:244  selector:245    matchLabels:246      app: spire-agent247  template:248    spec:249      containers:250        - name: spire-agent251          image: ghcr.io/spiffe/spire-agent:1.8.0252          volumeMounts:253            - name: spire-agent-socket254              mountPath: /run/spire/sockets255      volumes:256        - name: spire-agent-socket257          hostPath:258            path: /run/spire/sockets259            type: DirectoryOrCreate260```261 262### Template 5: Linkerd mTLS (Automatic)263 264```yaml265# Linkerd enables mTLS automatically266# Verify with:267# linkerd viz edges deployment -n my-namespace268 269# For external services without mTLS270apiVersion: policy.linkerd.io/v1beta1271kind: Server272metadata:273  name: external-api274  namespace: my-namespace275spec:276  podSelector:277    matchLabels:278      app: my-app279  port: external-api280  proxyProtocol: HTTP/1 # or TLS for passthrough281---282# Skip TLS for specific port283apiVersion: v1284kind: Service285metadata:286  name: my-service287  annotations:288    config.linkerd.io/skip-outbound-ports: "3306" # MySQL289```290 291## Certificate Rotation292 293```bash294# Istio - Check certificate expiry295istioctl proxy-config secret deploy/my-app -o json | \296  jq '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | \297  tr -d '"' | base64 -d | openssl x509 -text -noout298 299# Force certificate rotation300kubectl rollout restart deployment/my-app301 302# Check Linkerd identity303linkerd identity -n my-namespace304```305 306## Debugging mTLS Issues307 308```bash309# Istio - Check if mTLS is enabled310istioctl authn tls-check my-service.my-namespace.svc.cluster.local311 312# Verify peer authentication313kubectl get peerauthentication --all-namespaces314 315# Check destination rules316kubectl get destinationrule --all-namespaces317 318# Debug TLS handshake319istioctl proxy-config log deploy/my-app --level debug320kubectl logs deploy/my-app -c istio-proxy | grep -i tls321 322# Linkerd - Check mTLS status323linkerd viz edges deployment -n my-namespace324linkerd viz tap deploy/my-app --to deploy/my-backend325```326 327## Best Practices328 329### Do's330 331- **Start with PERMISSIVE** - Migrate gradually to STRICT332- **Monitor certificate expiry** - Set up alerts333- **Use short-lived certs** - 24h or less for workloads334- **Rotate CA periodically** - Plan for CA rotation335- **Log TLS errors** - For debugging and audit336 337### Don'ts338 339- **Don't disable mTLS** - For convenience in production340- **Don't ignore cert expiry** - Automate rotation341- **Don't use self-signed certs** - Use proper CA hierarchy342- **Don't skip verification** - Verify the full chain

Related skills

Accessibility Compliance

This walks you through implementing proper WCAG 2.2 compliance with real code patterns for screen readers, keyboard navigation, and mobile accessibility. It cov

Airflow Dag Patterns

If you're building data pipelines with Airflow, this skill gives you production-ready DAG patterns that actually work in the real world. It covers TaskFlow API

Angular Migration

Migrating from AngularJS to Angular is notoriously painful, and this skill tackles the practical stuff that makes or breaks these projects. It covers hybrid app